Bastien,

We propose this change:
https://gitlab.nic.cz/knot/knot-dns/-/commit/5337b5e9e09919f619c655575c8d7173fa1b0066
Are you ok with that?

Daniel

On 8/23/22 11:03, Bastien Durel wrote:
On Tuesday, 23 August 2022 at 10:10 +0200, Bastien Durel wrote:
On Tuesday, 23 August 2022 at 07:38 +0200, Daniel Salzman wrote:
Bastien,

I suspect it's related to systemd service changes (main commit
https://gitlab.nic.cz/knot/knot-dns/-/commit/e152a4c21e0f34bece12eb68af61e54ab2f30d8d).
Especially the TemporaryFileSystem setting. You can try extending it
with some /usr value. I will try to reproduce the issue using softhsm.

Daniel

Hello,

I can confirm that removing the line "TemporaryFileSystem=/run:ro /var:ro"
from the unit makes knot able to use the HSM key.

As /usr is not listed, it should be left untouched in the FS namespace.
I'll try to dig a little bit more.


I've straced the culprit:
1450856 stat("/run/pcscd/pcscd.comm", 0x7fb2a6a61b20) = -1 ENOENT (No such file or directory)

With the given override, it works:

# /etc/systemd/system/knot.service.d/override.conf
[Service]
BindPaths=/run/pcscd

Hiding /run may be a little bit too strict? The opensc-pkcs11 module reads
the /run/pcscd/pcscd.comm socket; maybe other PKCS#11 modules use
other files?

Regards,
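
The sandboxing effect discussed in this thread, as an added example that is not part of the original messages or of Knot DNS: a simplified model (an assumption, not systemd's own logic) that checks whether a path stays visible once TemporaryFileSystem= and BindPaths= are applied. The unit fragments and the /usr module path are constructed from the lines quoted above.

```python
# Simplified model (an assumption, not systemd's code) of how
# TemporaryFileSystem= and BindPaths=/BindReadOnlyPaths= decide which host
# paths a sandboxed service can still see.
from pathlib import PurePosixPath

# Constructed sample: the setting quoted in the thread, and the drop-in
# override that restored access to the pcscd socket.
UNIT = """\
[Service]
TemporaryFileSystem=/run:ro /var:ro
"""
OVERRIDE = """\
[Service]
BindPaths=/run/pcscd
"""

def parse_mounts(*unit_texts):
    """Return (tmpfs_paths, bind_destinations) from unit file fragments."""
    tmpfs, binds = [], []
    for text in unit_texts:
        for line in text.splitlines():
            key, sep, value = line.partition("=")
            if not sep:
                continue  # section headers, blank lines, comments
            key = key.strip()
            for item in value.split():
                fields = item.lstrip("-").split(":")
                if key == "TemporaryFileSystem":
                    tmpfs.append(PurePosixPath(fields[0]))  # path[:options]
                elif key in ("BindPaths", "BindReadOnlyPaths"):
                    # source[:destination[:options]]; destination defaults to source
                    dest = fields[1] if len(fields) > 1 and fields[1] else fields[0]
                    binds.append(PurePosixPath(dest))
    return tmpfs, binds

def visible(path, tmpfs, binds):
    """True if the deepest mount covering `path` is not an empty tmpfs."""
    path = PurePosixPath(path)
    covering = [(len(m.parts), kind)
                for kind, mounts in (("tmpfs", tmpfs), ("bind", binds))
                for m in mounts if path == m or m in path.parents]
    if not covering:
        return True  # untouched by the sandbox, e.g. anything under /usr
    return max(covering)[1] == "bind"

if __name__ == "__main__":
    for label, texts in (("packaged unit", (UNIT,)), ("with override", (UNIT, OVERRIDE))):
        print(label, visible("/run/pcscd/pcscd.comm", *parse_mounts(*texts)))
```

Running the same check against the runtime paths of any other PKCS#11 module shows whether it needs its own BindPaths= or BindReadOnlyPaths= entry.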
