Re: [systemd-devel] Is ProtectHome=not working or am I doing something wrong?

2015-12-20 Thread Michael Biebl
2015-12-20 18:40 GMT+01:00 Reindl Harald :
> InaccessibleDirectories=-/home

Makes no difference here. Using InaccessibleDirectories, rsyslogd can
still monitor and read the file in /home/michael.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] Is ProtectHome=not working or am I doing something wrong?

2015-12-20 Thread Reindl Harald
On 20.12.2015 at 19:06, Michael Biebl wrote:
> 2015-12-20 18:40 GMT+01:00 Reindl Harald :
>> InaccessibleDirectories=-/home
>
> Makes no difference here. Using InaccessibleDirectories, rsyslogd can
> still monitor and read the file in /home/michael


sounds like a *serious* regression
at least "systemd-222-10.fc23.x86_64" is not affected
__

[root@srv-rhsoft:~]$ systemctl status rsyslog.service
● rsyslog.service - Syslog Service
   Loaded: loaded (/etc/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since So 2015-12-20 19:11:12 CET; 3s ago
  Process: 17940 ExecStartPost=/usr/bin/cat /home/harry/rsyslog-test (code=exited, status=1/FAILURE)
  Process: 17939 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=killed, signal=TERM)
 Main PID: 17939 (code=killed, signal=TERM)
__

[root@srv-rhsoft:~]$ cat /etc/systemd/system/rsyslog.service
[Unit]
Description=Syslog Service
After=network.service systemd-networkd.service network-online.target mysqld.service mysqld-dbmail.service


[Service]
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
ExecStartPost=/usr/bin/cat /home/harry/rsyslog-test
Sockets=syslog.socket
StandardOutput=null
Restart=always
RestartSec=5
TimeoutStopSec=1
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYSLOG
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr

InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/run/user

[Install]
WantedBy=multi-user.target
Alias=syslog.service






Re: [systemd-devel] Is ProtectHome=not working or am I doing something wrong?

2015-12-20 Thread Michael Biebl
2015-12-20 17:33 GMT+01:00 Michael Biebl :
> # /etc/systemd/system/rsyslog.service.d/override.conf
> [Unit]

...

> Am I doing something wrong or is this a bug in systemd?

Apparently the former. I mixed up [Unit] and [Service]. Should have
checked the journal logs more carefully for errors. After moving
Protect* to [Service] everything worked as expected.



Re: [systemd-devel] Query regarding "EnvironmentFile"

2015-12-20 Thread Tomasz Torcz
On Sun, Dec 20, 2015 at 02:30:30PM +0100, Marc Haber wrote:
> On Fri, Dec 18, 2015 at 05:00:32PM +0100, Michael Biebl wrote:
> > and then tell admin to use systemctl edit
> > [Unit]
> > Environment=OPTS=-baz
> 
> How would I do the equivalent of systemctl edit with a declarative
> configuration management tool like puppet?

  You have to make sure directory /etc/systemd/system/nfs-ganesha.service.d/
exists, then inside you create something.conf file with above content.

  Alternatively you can create /etc/systemd/system/nfs-ganesha.service file
with required customisation, using puppet.

  Afterwards you need to issue "systemctl daemon-reload" (or send signal
to PID1) to have the changes read.

-- 
Tomasz Torcz                 Once you've read the dictionary,
xmpp: zdzich...@chrome.pl    every other book is just a remix.
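The three steps Tomasz lists above, as an added shell function that is not code from the thread: it does what a declarative tool such as puppet would, creating the `.d` directory, writing the drop-in only when its content differs, and running `daemon-reload` only when something changed. `SYSTEMD_ROOT` and `RELOAD_CMD` are assumptions added so it can be exercised outside `/etc`; since `Environment=` is a `[Service]` directive, the sample drop-in uses that section.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent drop-in installation,
# the same steps a puppet file{} + exec{} pair would perform.
# SYSTEMD_ROOT and RELOAD_CMD are assumptions so the function can be
# exercised outside /etc; the defaults match a real system.
: "${SYSTEMD_ROOT:=/etc/systemd/system}"
: "${RELOAD_CMD:=systemctl daemon-reload}"

# install_dropin UNIT NAME CONTENT
# Writes $SYSTEMD_ROOT/UNIT.d/NAME.conf containing CONTENT, creating the
# directory if needed. The file is only rewritten, and systemd only
# reloaded, when the content actually changed, so repeated runs are
# no-ops (declarative semantics). Prints "changed" or "unchanged".
install_dropin() {
    unit=$1; name=$2; content=$3
    dir="$SYSTEMD_ROOT/$unit.d"
    file="$dir/$name.conf"
    mkdir -p "$dir"
    if [ -f "$file" ] && [ "$(cat "$file")" = "$content" ]; then
        echo unchanged
        return 0
    fi
    # write atomically: temp file in the same directory, then rename,
    # so systemd never sees a half-written drop-in
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp"
    chmod 0644 "$tmp"
    mv "$tmp" "$file"
    # new or changed drop-ins are only read after daemon-reload
    $RELOAD_CMD
    echo changed
}
```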


Re: [systemd-devel] Query regarding "EnvironmentFile"

2015-12-20 Thread Marc Haber
On Sun, Dec 20, 2015 at 02:34:15PM +0100, Tomasz Torcz wrote:
> On Sun, Dec 20, 2015 at 02:30:30PM +0100, Marc Haber wrote:
> > On Fri, Dec 18, 2015 at 05:00:32PM +0100, Michael Biebl wrote:
> > > and then tell admin to use systemctl edit
> > > [Unit]
> > > Environment=OPTS=-baz
> > 
> > How would I do the equivalent of systemctl edit with a declarative
> > configuration management tool like puppet?
> 
>   You have to make sure directory /etc/systemd/system/nfs-ganesha.service.d/
> exists, then inside you create something.conf file with above content.

Is that the documented interface equivalent to systemctl edit? Does
the stability promise apply?

>   Afterwards you need to issue "systemctl daemon-reload" (or send signal
> to PID1) to have the changes read.

That's a regression over the old-fashioned way, but doable.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421


Re: [systemd-devel] Query regarding "EnvironmentFile"

2015-12-20 Thread Marc Haber
On Fri, Dec 18, 2015 at 05:00:32PM +0100, Michael Biebl wrote:
> and then tell admin to use systemctl edit
> [Unit]
> Environment=OPTS=-baz

How would I do the equivalent of systemctl edit with a declarative
configuration management tool like puppet?

Greetings
Marc



Re: [systemd-devel] Policy Routing on a machine using systemd-networkd

2015-12-20 Thread Marc Haber
*nudge*

Is there really no option about this rather common issue?

Greetings
Marc


On Tue, Dec 15, 2015 at 01:20:34PM +0100, Marc Haber wrote:
> I would like to do policy routing on a router with ~ 10 interfaces
> running Debian Linux and systemd. Networking is managed with ferm and
> systemd-networkd.
> 
> I now need Policy Routing. What is the recommended way to handle the
> usual knot of iptables, ip rule and ip route statement in a clear and
> beautiful way in a systemd environment?
> 
> As far as I know, systemd-network has not yet implemented policy
> routing, so the canonical way (for me, as a systemd newbie) to
> implement this would be a sysv init script containing the needed
> commands.
> 
> What would be the "correct" way to do this in a systemd setup?
> 
> Actually, I need something that does the following:
> 
> o prevent a default route from being present in the main table (either
>   by preventing it from being set in the first place or removing it
>   idempotently)
> o Establish a number of iptables rules to set fwmarks
> o Establish a number of extra routing tables with a set of rules
> o Establish a number of ip rule rules regarding source IP ranges or
>   fwmarks.
> 
> How would I do that in systemd? Am I doing ok with a Type=oneshot
> service unit with a bunch of ExecStart Options? Or is there another
> recommended way?



Re: [systemd-devel] Query regarding "EnvironmentFile"

2015-12-20 Thread Marc Haber
On Tue, Dec 15, 2015 at 05:59:11PM +, Simon Peeters wrote:
> Why not do like normal people and use configmanagement to put the
> right apache config on the right host?
> This whole "-D testserver" and ""  looks like an
> ugly workaround for a lacking configmanagment system.

And what is your business in deliberately breaking those ugly setups?
If you want to educate people, be a teacher. If you want to bully
people into doing things your way, be a team leader.

Greetings
Marc



Re: [systemd-devel] Query regarding "EnvironmentFile"

2015-12-20 Thread Marc Haber
On Fri, Dec 11, 2015 at 03:59:54PM +0100, Reindl Harald wrote:
> EnvironmentFile is a great way to make units flexible with sane
> defaults and i am *not* talking about upstream or distributions here
> 
> so taking away that option gains you nothing but breaks things for
> no valid reason - it would only confirm people who hesitate to
> adopt systemd because they fear that they can't rely on capabilities
> it brings now because they may flippantly disappear

Amen.

Greetings
Marc




Re: [systemd-devel] Query regarding "EnvironmentFile"

2015-12-20 Thread Andrei Borzenkov
On 20.12.2015 16:47, Marc Haber wrote:
> On Sun, Dec 20, 2015 at 02:34:15PM +0100, Tomasz Torcz wrote:
>> On Sun, Dec 20, 2015 at 02:30:30PM +0100, Marc Haber wrote:
>>> On Fri, Dec 18, 2015 at 05:00:32PM +0100, Michael Biebl wrote:
>>>> and then tell admin to use systemctl edit
>>>> [Unit]
>>>> Environment=OPTS=-baz
>>>
>>> How would I do the equivalent of systemctl edit with a declarative
>>> configuration management tool like puppet?
>>
>>   You have to make sure directory /etc/systemd/system/nfs-ganesha.service.d/
>> exists, then inside you create something.conf file with above content.
> 
> Is that the documented interface equivalent to systemctl edit? Does
> the stability promise apply?
> 

Yes to both. At the end that is exactly what "systemctl edit" does.

>>   Afterwards you need to issue "systemctl daemon-reload" (or send signal
>> to PID1) to have the changes read.
> 
> That's a regression over the old-fashioned way, but doable.
> 
> Greetings
> Marc
> 



Re: [systemd-devel] Is ProtectHome=not working or am I doing something wrong?

2015-12-20 Thread Reindl Harald
On 20.12.2015 at 17:33, Michael Biebl wrote:
> I'm using systemd v228 and tried to lock down rsyslog a bit.
>
> For that I added
>
> # /etc/systemd/system/rsyslog.service.d/override.conf
> [Unit]
> ProtectSystem=yes
> ProtectHome=yes
> CapabilityBoundingSet=~CAP_SYS_ADMIN
>
> I thought ProtectHome=yes would deny rsyslog read access to /home, but
> it seems the rsyslogd process can read /home/michael/file1 without
> problems.
>
> Am I doing something wrong or is this a bug in systemd?


looks like a bug, "yes" should take it away and "read-only" is supposed 
to just take away write-access, however the unit below should work


I prefer "ReadOnlyDirectories" and "InaccessibleDirectories" in general
_

[Unit]
Description=Syslog Service
After=network.service systemd-networkd.service network-online.target mysqld.service mysqld-dbmail.service


[Service]
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
Sockets=syslog.socket
StandardOutput=null
Restart=always
RestartSec=5
TimeoutStopSec=1
CapabilityBoundingSet=CAP_SYSLOG
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/run/user

[Install]
WantedBy=multi-user.target
Alias=syslog.service





[systemd-devel] Is ProtectHome=not working or am I doing something wrong?

2015-12-20 Thread Michael Biebl
Hi,

I'm using systemd v228 and tried to lock down rsyslog a bit.

For that I added

# /etc/systemd/system/rsyslog.service.d/override.conf
[Unit]
ProtectSystem=yes
ProtectHome=yes
CapabilityBoundingSet=~CAP_SYS_ADMIN


I then went on to test it. For that I created the following rsyslog
config which monitors a file in my users home directory:

module(load="imfile")
input(type="imfile"
  File="/home/michael/file1"
  StateFile="file1"
  Tag="tag1")


I thought ProtectHome=yes would deny rsyslog read access to /home, but
it seems the rsyslogd process can read /home/michael/file1 without
problems.

Am I doing something wrong or is this a bug in systemd?
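The root cause Michael reports in his follow-up, `Protect*` placed under `[Unit]` instead of `[Service]` as in the override.conf above, is easy to miss: systemd logs the key as unknown in the journal and starts the service without the sandbox. As an added example that is not code from the thread, this shell check scans a drop-in for `[Service]`-only hardening keys that sit in any other section; the key list is an assumption (a hand-picked subset, not the full set systemd knows).

```shell
#!/bin/sh
# Added example (not from the thread): flag [Service]-only hardening keys
# that were placed under [Unit] or outside any section. systemd ignores
# such keys (it reports them in the journal as unknown), so the sandbox
# silently never applies. The key list is an assumed subset.
SERVICE_ONLY_KEYS='ProtectSystem|ProtectHome|CapabilityBoundingSet|ReadOnlyDirectories|InaccessibleDirectories|PrivateTmp|NoNewPrivileges'

# check_dropin FILE
# Prints one "file:line: Key= ..." message per misplaced key.
# Exit status 0 when the file is clean, 1 when something was misplaced.
check_dropin() {
    awk -v keys="$SERVICE_ONLY_KEYS" '
        BEGIN { section = ""; bad = 0 }
        /^[ \t]*[#;]/ { next }                        # comment lines
        /^[ \t]*\[[A-Za-z]+\][ \t]*$/ {               # section header, e.g. [Service]
            gsub(/[ \t]/, ""); section = $0; next
        }
        /^[ \t]*[A-Za-z]+[ \t]*=/ {                   # Key=value assignment
            split($0, kv, "="); key = kv[1]; gsub(/[ \t]/, "", key)
            if (section != "[Service]" && key ~ ("^(" keys ")$")) {
                where = (section == "" ? "no section" : section)
                printf "%s:%d: %s= is only honoured in [Service], found under %s\n", FILENAME, NR, key, where
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}
```

Running it against the override.conf from the thread lists all three keys; the same content under `[Service]` passes.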