Re: [systemd-devel] Portable service binding a system port
Hi, Lennart, thanks a lot for your time and answer.

> On 31 March 2020 at 15:19, Lennart Poettering wrote:
>
> Ideally unbound would support socket activation, so that PID 1 can
> bind the socket and pass it in pre-bound.

Noted. I'll give this a try as an exercise and see how it goes :)

> PrivateUsers=yes means userns, and only processes that have
> CAP_NET_BIND_SERVICE in the host user ns can bind on ports <
> 1024. PrivateUsers= user namespace do not have that, and hence cannot
> bind the port on the host.

Is this documented somewhere? Am I missing something obvious here? :D

> Portable service profiles are best combined with socket activation to
> limit the privileged surface...

Mmh. Maybe systemd-nspawn would better suit my needs then. I'll have a look at it again.

Anyway, thanks again for your help, explanations and advice.

--
François
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Portable service binding a system port
On Fr, 07.02.20 11:05, François (francois+syst...@kubler.org) wrote:

> Hi,
>
> I'm finally answering my own question - well at least partially.
>
> I managed to identify the culprit: the `PrivateUsers=yes` directive.
>
> If I override it with a drop-in and set it to `no`, it works as expected and
> I can successfully bind to port 53.
>
> But I still don't understand why, especially since it's part of the
> default profile.

Ideally unbound would support socket activation, so that PID 1 can
bind the socket and pass it in pre-bound.

PrivateUsers=yes means userns, and only processes that have
CAP_NET_BIND_SERVICE in the host user ns can bind on ports <
1024. The PrivateUsers= user namespace does not have that, and hence cannot
bind the port on the host.

Portable service profiles are best combined with socket activation to
limit the privileged surface...

Lennart

--
Lennart Poettering, Berlin
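The socket-activation route Lennart suggests, as an added worked example (editor's code, not unbound's and not from the thread), which also answers the "why" behind the original post: the kernel checks the privileged-port bind against the user namespace that owns the network namespace, and a PrivateUsers= service gets a fresh user namespace while keeping the host's network namespace, so any CAP_NET_BIND_SERVICE it holds counts for nothing there. If PID 1 binds port 53 in its own (host) user namespace and passes the descriptors in, the service never needs the capability and the profile can keep PrivateUsers=yes. The consumer below implements the sd_listen_fds(3) handover protocol by hand (LISTEN_PID, LISTEN_FDS, LISTEN_FDNAMES, descriptors starting at fd 3) so it has no libsystemd dependency, and falls back to binding an unprivileged port when run without activation. The unit names, the descriptor name `dns`, the fallback port 5353 and the echo "resolver" are assumptions for illustration. Newer unbound builds with systemd support have a `use-systemd: yes` option in unbound.conf that does the same handover natively.

```python
import os
import socket

# Units that go with this example (assumed layout, not from the thread).
# PID 1 binds port 53 on the host; the service keeps PrivateUsers=yes and
# merely inherits the descriptors, so it needs no CAP_NET_BIND_SERVICE.
#
#   unbound.socket
#     [Socket]
#     ListenDatagram=53
#     ListenStream=53
#     FileDescriptorName=dns
#     [Install]
#     WantedBy=sockets.target
#
#   unbound.service (the image's unit or a drop-in)
#     [Service]
#     Sockets=unbound.socket
#
# The first passed descriptor is always fd 3 (see sd_listen_fds(3)).
SD_LISTEN_FDS_START = 3


def listen_fds(environ, pid):
    """Return [(name, fd), ...] handed over by systemd, or [] if none.

    Hand-rolled sd_listen_fds_with_names(3): LISTEN_PID must equal our
    own PID, so an environment inherited from a socket-activated parent
    is not mistaken for ours; LISTEN_FDS is the count; LISTEN_FDNAMES is
    an optional colon-separated list (FileDescriptorName=), with
    "unknown" for missing entries. Anything malformed is treated as
    "not socket-activated" rather than as an error.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if count <= 0:
        return []
    names = environ.get("LISTEN_FDNAMES", "").split(":")
    return [
        (names[i] if i < len(names) and names[i] else "unknown",
         SD_LISTEN_FDS_START + i)
        for i in range(count)
    ]


def acquire_sockets(environ, pid, fallback_host="127.0.0.1", fallback_port=5353):
    """Return (udp, tcp, activated).

    Passed sockets are adopted as they are: already bound by PID 1 in the
    host network namespace. Without activation we bind ourselves, on an
    unprivileged port (assumed 5353) so a manual run without
    CAP_NET_BIND_SERVICE still starts.
    """
    udp = tcp = None
    passed = listen_fds(environ, pid)
    for _name, fd in passed:
        s = socket.socket(fileno=fd)  # family and type are read from the fd
        if s.type == socket.SOCK_DGRAM and udp is None:
            udp = s
        elif s.type == socket.SOCK_STREAM and tcp is None:
            tcp = s
        else:
            s.close()  # an extra descriptor we did not ask for
    if passed:
        return udp, tcp, True

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    udp.bind((fallback_host, fallback_port))
    tcp.bind((fallback_host, fallback_port))
    tcp.listen(16)
    return udp, tcp, False


def serve_one(udp):
    """Handle one datagram: echo it back. Stand-in for the resolver loop."""
    data, peer = udp.recvfrom(512)
    udp.sendto(data, peer)
    return len(data)


def loopback_probe(udp, payload=b"\x00\x01probe"):
    """Send one datagram to our own UDP socket and return the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.settimeout(2)
        client.sendto(payload, udp.getsockname())
        serve_one(udp)
        return client.recvfrom(512)[0]


if __name__ == "__main__":
    udp_sock, tcp_sock, activated = acquire_sockets(os.environ, os.getpid())
    if udp_sock is None:
        raise SystemExit("no UDP socket passed")
    print("activated" if activated else "self-bound", udp_sock.getsockname())
    if activated:
        while True:  # a real daemon serves until stopped
            serve_one(udp_sock)
    else:
        print("echo:", loopback_probe(udp_sock))
```

Run as a plain process it binds 127.0.0.1:5353 and probes itself; started via the .socket unit it adopts fd 3 and fd 4 (already bound to :53 by PID 1) and never calls bind() at all, so PrivateUsers=yes, the capability bounding set and the profile can all stay as tight as they are. The other way to get a user-namespaced service onto port 53 is lowering the host-wide sysctl net.ipv4.ip_unprivileged_port_start, but that widens the bindable range for every unprivileged process on the host rather than confining the privilege to PID 1.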
Re: [systemd-devel] Portable service binding a system port
Hi,

I'm finally answering my own question - well at least partially.

I managed to identify the culprit: the `PrivateUsers=yes` directive.

If I override it with a drop-in and set it to `no`, it works as expected and I can successfully bind to port 53.

But I still don't understand why, especially since it's part of the default profile.

My unit file is as follows:

> [Service]
> ExecStart=/usr/bin/unbound -d
> ExecReload=+/bin/kill -HUP $MAINPID
> NotifyAccess=main
> Type=notify
> CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
> MemoryDenyWriteExecute=true
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectSystem=strict
> ConfigurationDirectory=unbound
> RuntimeDirectory=unbound
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
> RestrictRealtime=true
> SystemCallArchitectures=native
> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
> RestrictNamespaces=yes
> LockPersonality=yes
> RestrictSUIDSGID=yes

My `override.conf` drop-in:

> [Service]
> User=unbound
> Group=unbound
> ConfigurationDirectoryMode=0440
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> PrivateUsers=no

And I'm running with the default profile for portable services.

Can someone help me understand why I have to explicitly disable `PrivateUsers` to make it work (i.e. to be able to bind to a port < 1024)?

Thanks a lot,

--
François
[systemd-devel] Portable service binding a system port
Hi,

I'm playing around with portable services and I'm trying to make unbound (the DNS resolver) work.

Despite all my efforts these last days and some Google-Fu, I can't make it work. It always fails when trying to bind the interface on port 53, with a "permission denied" message.

The exact same config running directly on the host works. Binding to a port > 1024 also works.

Here is the [Service] section of the .service file provided by the image:

[Service]
ExecStart=/usr/bin/unbound -d
ExecReload=+/bin/kill -HUP $MAINPID
ExecStop=+/bin/kill -TERM $MAINPID
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=strict
ConfigurationDirectory=unbound
RuntimeDirectory=unbound
BindReadOnlyPaths=/run/systemd/notify
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
DynamicUser=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE

It's attached with the default profile.

Amongst the billion things I tried to make it work, I:
- tried to confirm the AmbientCapabilities= directive in a local drop-in, but without success;
- tried the "trusted" profile, with no luck;
- tried to remove some directives or override them (don't remember exactly what, I've spent like 50 hours on it :-/ )

Are there some "special" restrictions for portable services? What am I missing / misunderstanding?
Thanks a lot for your work,

--
François