Re: [systemd-devel] Is ProtectHome=not working or am I doing something wrong?
2015-12-20 18:40 GMT+01:00 Reindl Harald:
> InaccessibleDirectories=-/home

Makes no difference here. Using InaccessibleDirectories, rsyslogd can
still monitor and read the file in /home/michael.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Is ProtectHome=not working or am I doing something wrong?
On 20.12.2015 at 19:06, Michael Biebl wrote:
> 2015-12-20 18:40 GMT+01:00 Reindl Harald:
>> InaccessibleDirectories=-/home
>
> Makes no difference here. Using InaccessibleDirectories, rsyslogd can
> still monitor and read the file in /home/michael

sounds like a *serious* regression

at least "systemd-222-10.fc23.x86_64" is not affected
__
[root@srv-rhsoft:~]$ systemctl status rsyslog.service
● rsyslog.service - Syslog Service
   Loaded: loaded (/etc/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since So 2015-12-20 19:11:12 CET; 3s ago
  Process: 17940 ExecStartPost=/usr/bin/cat /home/harry/rsyslog-test (code=exited, status=1/FAILURE)
  Process: 17939 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=killed, signal=TERM)
 Main PID: 17939 (code=killed, signal=TERM)
__
[root@srv-rhsoft:~]$ cat /etc/systemd/system/rsyslog.service
[Unit]
Description=Syslog Service
After=network.service systemd-networkd.service network-online.target mysqld.service mysqld-dbmail.service

[Service]
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
ExecStartPost=/usr/bin/cat /home/harry/rsyslog-test
Sockets=syslog.socket
StandardOutput=null
Restart=always
RestartSec=5
TimeoutStopSec=1

CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYSLOG
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/run/user

[Install]
WantedBy=multi-user.target
Alias=syslog.service
Re: [systemd-devel] Is ProtectHome=not working or am I doing something wrong?
2015-12-20 17:33 GMT+01:00 Michael Biebl:
> # /etc/systemd/system/rsyslog.service.d/override.conf
> [Unit]
...
> Am I doing something wrong or is this a bug in systemd?

Apparently the former. I mixed up [Unit] and [Service]. Should have
checked the journal logs more carefully for errors.
After moving Protect* to [Service] everything worked as expected.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
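The root cause in this thread (sandboxing directives placed under [Unit], where systemd silently ignores them and the service keeps full access to /home) is easy to catch before deployment. The following POSIX sh check is an added example, not code from the thread or from systemd: it walks a .service drop-in, tracks the current section, and reports any of the execution-environment keys discussed above (plus a few common hardening siblings, an assumed list) that appear outside [Service]. The sample override.conf it builds is constructed to mirror the one first posted.

```shell
#!/bin/sh
# Added example (not from the thread): flag [Service]-only directives that were
# written into another section of a .service drop-in. systemd logs such lines
# as "Unknown lvalue ... in section 'Unit'" and otherwise ignores them, so the
# sandbox you think you configured is simply not applied.

# Assumption: this list covers the keys discussed in the thread plus common
# hardening siblings; it is not the full set of execution-environment keys.
SERVICE_ONLY_KEYS="ProtectSystem ProtectHome CapabilityBoundingSet ReadOnlyDirectories InaccessibleDirectories Environment EnvironmentFile"

# check_dropin FILE
# Prints "FILE:LINE: Key= belongs in [Service], found in [Section]" for each
# misplaced directive; returns 1 if any were found, 0 if the file is clean.
check_dropin() {
    file=$1
    section=""
    lineno=0
    rc=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            "["*"]")                       # section header, e.g. [Unit]
                section=${line#\[}
                section=${section%\]}
                continue
                ;;
            ""|"#"*|";"*)                  # blank line or comment
                continue
                ;;
        esac
        key=${line%%=*}                    # text before the first '='
        key=$(printf '%s' "$key" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$section" != "Service" ]; then
            for k in $SERVICE_ONLY_KEYS; do
                if [ "$key" = "$k" ]; then
                    printf '%s:%d: %s= belongs in [Service], found in [%s]\n' \
                        "$file" "$lineno" "$key" "$section"
                    rc=1
                fi
            done
        fi
    done < "$file"
    return $rc
}

# demo: constructed copy of the override as it was first posted in the thread
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/override.conf" <<'EOF'
# /etc/systemd/system/rsyslog.service.d/override.conf
[Unit]
ProtectSystem=yes
ProtectHome=yes
CapabilityBoundingSet=~CAP_SYS_ADMIN
EOF
    check_dropin "$tmp/override.conf"
    status=$?
    rm -rf "$tmp"
    return $status
}
```

Run `demo` and the three misplaced lines are reported; move them under a [Service] header and the check passes. Pairing this with `journalctl -u rsyslog.service` after `systemctl daemon-reload` catches the same mistake on a live host, since systemd reports the unknown lvalue there.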
Re: [systemd-devel] Query regarding "EnvironmentFile"
On Sun, Dec 20, 2015 at 02:30:30PM +0100, Marc Haber wrote:
> On Fri, Dec 18, 2015 at 05:00:32PM +0100, Michael Biebl wrote:
> > and then tell admin to use systemctl edit
> > [Unit]
> > Environment=OPTS=-baz
>
> How would I do the equivalent of systemctl edit with a declarative
> configuration management tool like puppet?

  You have to make sure directory /etc/systemd/system/nfs-ganesha.service.d/
exists, then inside you create something.conf file with above content.
  Alternatively you can create /etc/systemd/system/nfs-ganesha.service file
with required customisation, using puppet.
  Afterwards you need to issue "systemctl daemon-reload" (or send signal
to PID1) to have the changes read.

-- 
Tomasz Torcz                 Once you've read the dictionary,
xmpp: zdzich...@chrome.pl    every other book is just a remix.
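The procedure above (create the `<unit>.d/` directory, drop a `.conf` in it, then `systemctl daemon-reload`) is what a configuration-management tool has to reproduce idempotently: write the file only when its content changed, and reload PID 1 only in that case. The shell function below is an added example, not code from the thread or from systemd; it takes a ROOT prefix so it can be exercised against a temporary tree, and the `systemctl daemon-reload` call is only made when ROOT is empty (a real host, run as root). Note that `Environment=` is itself a [Service] directive, so the drop-in body used here puts it under [Service].

```shell
#!/bin/sh
# Added example (not from the thread): idempotent install of a systemd drop-in,
# the file-level equivalent of "systemctl edit UNIT".

# install_dropin ROOT UNIT NAME
# Reads the drop-in body from stdin and writes it to
#   ROOT/etc/systemd/system/UNIT.d/NAME.conf
# Prints "changed" if the file was created or its content differs from what
# was already there, "unchanged" otherwise. Writing to a temp file and
# renaming keeps systemd from ever seeing a half-written drop-in.
install_dropin() {
    root=$1
    unit=$2
    name=$3
    dir="$root/etc/systemd/system/$unit.d"
    target="$dir/$name.conf"
    mkdir -p "$dir"
    new=$(mktemp "$dir/.$name.XXXXXX")
    cat > "$new"
    chmod 0644 "$new"
    if [ -f "$target" ] && cmp -s "$new" "$target"; then
        rm -f "$new"
        echo unchanged
    else
        mv -f "$new" "$target"
        echo changed
    fi
}

# apply_dropin ROOT UNIT NAME
# Same as install_dropin, but when ROOT is empty (the live system) and the
# file changed, tells PID 1 to re-read unit files. Assumption: run as root.
apply_dropin() {
    result=$(install_dropin "$1" "$2" "$3")
    if [ "$result" = changed ] && [ -z "$1" ]; then
        systemctl daemon-reload
    fi
    echo "$result"
}

# demo against a scratch root: constructed drop-in for the unit named in the
# thread; the second call is a no-op because the content is identical
demo() {
    scratch=$(mktemp -d)
    printf '[Service]\nEnvironment=OPTS=-baz\n' \
        | apply_dropin "$scratch" nfs-ganesha.service override
    printf '[Service]\nEnvironment=OPTS=-baz\n' \
        | apply_dropin "$scratch" nfs-ganesha.service override
    rm -rf "$scratch"
}
```

On a real host the call is `printf '[Service]\nEnvironment=OPTS=-baz\n' | apply_dropin "" nfs-ganesha.service override`, and the "changed"/"unchanged" result maps directly onto a configuration-management resource's change notification (a Puppet `file` resource notifying an `exec` that runs `systemctl daemon-reload` expresses the same thing declaratively).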
Re: [systemd-devel] Query regarding "EnvironmentFile"
On Sun, Dec 20, 2015 at 02:34:15PM +0100, Tomasz Torcz wrote:
> On Sun, Dec 20, 2015 at 02:30:30PM +0100, Marc Haber wrote:
> > On Fri, Dec 18, 2015 at 05:00:32PM +0100, Michael Biebl wrote:
> > > and then tell admin to use systemctl edit
> > > [Unit]
> > > Environment=OPTS=-baz
> >
> > How would I do the equivalent of systemctl edit with a declarative
> > configuration management tool like puppet?
>
>   You have to make sure directory /etc/systemd/system/nfs-ganesha.service.d/
> exists, then inside you create something.conf file with above content.

Is that the documented interface equivalent to systemctl edit? Does
the stability promise apply?

>   Afterwards you need to issue "systemctl daemon-reload" (or send signal
> to PID1) to have the changes read.

That's a regression over the old-fashioned way, but doable.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Re: [systemd-devel] Query regarding "EnvironmentFile"
On Fri, Dec 18, 2015 at 05:00:32PM +0100, Michael Biebl wrote:
> and then tell admin to use systemctl edit
> [Unit]
> Environment=OPTS=-baz

How would I do the equivalent of systemctl edit with a declarative
configuration management tool like puppet?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Re: [systemd-devel] Policy Routing on a machine using systemd-networkd
*nudge*

Is there really no option about this rather common issue?

Greetings
Marc

On Tue, Dec 15, 2015 at 01:20:34PM +0100, Marc Haber wrote:
> I would like to do policy routing on a router with ~ 10 interfaces
> running Debian Linux and systemd. Networking is managed with ferm and
> systemd-networkd.
>
> I now need Policy Routing. What is the recommended way to handle the
> usual knot of iptables, ip rule and ip route statement in a clear and
> beautiful way in a systemd environment?
>
> As far as I know, systemd-network has not yet implemented policy
> routing, so the canonical way (for me, as a systemd newbie) to
> implement this would be a sysv init script containing the needed
> commands.
>
> What would be the "correct" way to do this in a systemd setup?
>
> Actually, I need something that does the following:
>
> o prevent a default route from being present in the main table (either
>   by preventing it from being set in the first place or removing it
>   idempotently)
> o Establish a number of iptables rules to set fwmarks
> o Establish a number of extra routing tables with a set of rules
> o Establish a number of ip rule rules regarding source IP ranges or
>   fwmarks.
>
> How would I do that in systemd? Am I doing ok with a Type=oneshot
> service unit with a bunch of ExecStart Options? Or is there another
> recommended way?

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Re: [systemd-devel] Query regarding "EnvironmentFile"
On Tue, Dec 15, 2015 at 05:59:11PM +, Simon Peeters wrote:
> Why not do like normal people and use configmanagement to put the
> right apache config on the right host?
> This whole "-D testserver" and "" looks like an
> ugly workaround for a lacking configmanagment system.

And what is your business in deliberately breaking those ugly setups?

If you want to educate people, be a teacher. If you want to bully
people into doing things your way, be a team leader.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Re: [systemd-devel] Query regarding "EnvironmentFile"
On Fri, Dec 11, 2015 at 03:59:54PM +0100, Reindl Harald wrote:
> EnvironmentFile is a great way to make units flexible with sane
> defaults and i am *not* talking about upstream or distributions here
>
> so taking away that option gains you nothing but breaks things for
> no valid reason - it would only confirm people which hesitate to
> adopt systemd because the fear that they can't rely on capabilities
> it brings now because they may flippantly disappear

Amen.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Re: [systemd-devel] Query regarding "EnvironmentFile"
On 20.12.2015 16:47, Marc Haber wrote:
> On Sun, Dec 20, 2015 at 02:34:15PM +0100, Tomasz Torcz wrote:
>> On Sun, Dec 20, 2015 at 02:30:30PM +0100, Marc Haber wrote:
>>> On Fri, Dec 18, 2015 at 05:00:32PM +0100, Michael Biebl wrote:
>>>> and then tell admin to use systemctl edit
>>>> [Unit]
>>>> Environment=OPTS=-baz
>>>
>>> How would I do the equivalent of systemctl edit with a declarative
>>> configuration management tool like puppet?
>>
>>   You have to make sure directory /etc/systemd/system/nfs-ganesha.service.d/
>> exists, then inside you create something.conf file with above content.
>
> Is that the documented interface equivalent to systemctl edit? Does
> the stability promise apply?
>

Yes to both. At the end that is exactly what "systemctl edit" does.

>>   Afterwards you need to issue "systemctl daemon-reload" (or send signal
>> to PID1) to have the changes read.
>
> That's a regression over the old-fashioned way, but doable.
>
> Greetings
> Marc
>
Re: [systemd-devel] Is ProtectHome=not working or am I doing something wrong?
On 20.12.2015 at 17:33, Michael Biebl wrote:
> I'm using systemd v228 and tried to lock down rsyslog a bit.
> For that I added
>
> # /etc/systemd/system/rsyslog.service.d/override.conf
> [Unit]
> ProtectSystem=yes
> ProtectHome=yes
> CapabilityBoundingSet=~CAP_SYS_ADMIN
>
> I thought ProtectHome=yes would deny rsyslog read access to /home, but
> it seems the rsyslogd process can read /home/michael/file1 without
> problems.
>
> Am I doing something wrong or is this a bug in systemd?

looks like a bug, "yes" should take it away and "read-only" is supposed
to just take away write-access, however the unit below should work

i prefer "ReadOnlyDirectories" and "InaccessibleDirectories" in general
_
[Unit]
Description=Syslog Service
After=network.service systemd-networkd.service network-online.target mysqld.service mysqld-dbmail.service

[Service]
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
Sockets=syslog.socket
StandardOutput=null
Restart=always
RestartSec=5
TimeoutStopSec=1

CapabilityBoundingSet=CAP_SYSLOG
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/run/user

[Install]
WantedBy=multi-user.target
Alias=syslog.service
[systemd-devel] Is ProtectHome=not working or am I doing something wrong?
Hi,

I'm using systemd v228 and tried to lock down rsyslog a bit.
For that I added

# /etc/systemd/system/rsyslog.service.d/override.conf
[Unit]
ProtectSystem=yes
ProtectHome=yes
CapabilityBoundingSet=~CAP_SYS_ADMIN

I then went on to test it. For that I created the following rsyslog
config which monitors a file in my users home directory:

module(load="imfile")
input(type="imfile" File="/home/michael/file1" StateFile="file1" Tag="tag1")

I thought ProtectHome=yes would deny rsyslog read access to /home, but
it seems the rsyslogd process can read /home/michael/file1 without
problems.

Am I doing something wrong or is this a bug in systemd?

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?