On Tuesday, 23 August 2022 at 10:10 +0200, Bastien Durel wrote:
> On Tuesday, 23 August 2022 at 07:38 +0200, Daniel Salzman wrote:
> > Bastien,
> >
> > I suspect it's related to systemd service changes (main commit
> > https://gitlab.nic.cz/knot/knot-dns/-/commit/e152a4c21e0f34bece12eb68af61e54ab2f30d8d).
> > Especially the TemporaryFileSystem setting. You can try extending it
> > with some /usr value. I will try to reproduce the issue using softhsm.
> >
> > Daniel
>
> Hello,
>
> I can confirm removing the line "TemporaryFileSystem=/run:ro /var:ro"
> from the unit makes knot able to use the HSM key.
>
> As /usr is not listed, it should be left untouched in the FS
> namespace. I'll try to dig a little bit more.
>
I've straced the culprit:

1450856 stat("/run/pcscd/pcscd.comm", 0x7fb2a6a61b20) = -1 ENOENT (No such file or directory)

With the given override, it works:

# /etc/systemd/system/knot.service.d/override.conf
[Service]
BindPaths=/run/pcscd

Hiding /run may be a little bit too strict? The opensc-pkcs11 module reads
the /run/pcscd/pcscd.comm socket; maybe other PKCS#11 modules use
other files?

Regards,
--
Bastien
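The check below is an added example, not code from the thread or from Knot DNS: it reads a unit or drop-in file, applies the namespace rule discussed above (TemporaryFileSystem= replaces a mount point with an empty tmpfs, BindPaths=/BindReadOnlyPaths= re-expose a host subtree inside it, everything else stays visible) and reports whether a runtime path such as /run/pcscd/pcscd.comm is reachable; the unit fragments and the /usr path it tests are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a systemd unit or drop-in
# file whether a path a PKCS#11 module needs at runtime is hidden by
# TemporaryFileSystem= and not re-exposed by BindPaths=/BindReadOnlyPaths=.
# It parses only the file(s) given, not the merged unit systemd actually loads.

# Is path $2 equal to, or below, directory $1?
under_dir() {
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Mount points of TemporaryFileSystem= (the ":ro" option suffix is dropped).
tmpfs_mounts() {
    sed -n 's/^TemporaryFileSystem=//p' "$1" | tr ' ' '\n' | cut -d: -f1
}

# Destinations of BindPaths= / BindReadOnlyPaths= entries (source[:dest[:opts]]);
# the path visible inside the namespace is dest when given, else source.
bind_dests() {
    sed -n 's/^Bind\(ReadOnly\)\{0,1\}Paths=//p' "$1" | tr ' ' '\n' \
        | awk -F: 'NF { print ($2 != "" ? $2 : $1) }'
}

# Prints "hidden" or "visible" for path $2 under unit file $1.
path_visibility() {
    unit=$1; p=$2; hidden=no
    for mnt in $(tmpfs_mounts "$unit"); do
        under_dir "$mnt" "$p" && hidden=yes
    done
    if [ "$hidden" = yes ]; then
        for dest in $(bind_dests "$unit"); do
            under_dir "$dest" "$p" && hidden=no
        done
    fi
    if [ "$hidden" = yes ]; then echo hidden; else echo visible; fi
}

# Demo with a constructed unit fragment mirroring the thread's two states.
demo() {
    f=$(mktemp)
    printf '%s\n' '[Service]' 'TemporaryFileSystem=/run:ro /var:ro' > "$f"
    echo "stock unit:    /run/pcscd/pcscd.comm is $(path_visibility "$f" /run/pcscd/pcscd.comm)"
    printf '%s\n' 'BindPaths=/run/pcscd' >> "$f"
    echo "with override: /run/pcscd/pcscd.comm is $(path_visibility "$f" /run/pcscd/pcscd.comm)"
    rm -f "$f"
}
demo
```

Feed it the stock unit plus the override.conf drop-in to confirm the bind re-exposes the socket; anything a module needs elsewhere under /run or /var will still show as hidden and needs its own BindPaths= entry.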