2017-11-30 16:07 GMT+01:00 Michael Biebl <mbi...@gmail.com>: > 2017-11-30 9:35 GMT+01:00 Mantas Mikulėnas <graw...@gmail.com>: >> On Thu, Nov 30, 2017 at 10:31 AM, Michael Biebl <mbi...@gmail.com> wrote: >>> >>> 2017-11-30 6:52 GMT+01:00 Mantas Mikulėnas <graw...@gmail.com>: >>> > On Thu, Nov 30, 2017 at 5:27 AM, Michael Biebl <mbi...@gmail.com> wrote: >>> >> >>> >> [Service] >>> >> ProtectHome=yes >>> >> PrivateTmp=yes >>> >> PrivateDevices=yes >>> >> >>> >> ProtectSystem=strict >>> >> ReadWritePaths=/var/log >>> >> ReadWritePaths=/var/spool/rsyslog >>> >> ReadWritePaths=/proc/kmsg >>> > > >>> >>> I suspect it's related to ProtectSystem=strict, as with >>> ProtectSystem=full rsyslog seems to start successfully. But this is > >> Then I'm guessing ProtectSystem=strict overrides ReadWritePaths and makes >> /var/log read-only... I think I've seen other people have that problem >> recently. > > > *facepalm* > rsyslog.service by default uses StandardOutput=null, so I didn't see > the error messages in debug mode. > > After fixing that, it was rather obvious. > > *double facepalm* > rsyslog writes a pid file in /run and fails to start if it can't write > the pidfile. I will raise this upstream that maybe writing a pidfile > in socket activation / sd_notify mode is not really necessary and it > should stop doing that.
Filed https://github.com/rsyslog/rsyslog/issues/2143 for that > For now I used RuntimeDirectory=rsyslog and > ExecStart=/usr/sbin/rsyslogd -n -i /run/rsyslog/rsyslogd.pid > > So the complete rsyslog.service now looks like > > [Unit] > Description=System Logging Service > Requires=syslog.socket > Documentation=man:rsyslogd(8) > Documentation=http://www.rsyslog.com/doc/ > > [Service] > Type=notify > ExecStart=/usr/sbin/rsyslogd -n > StandardOutput=null > Restart=on-failure > > PrivateTmp=yes > PrivateDevices=yes > ProtectHome=yes > ProtectSystem=strict > ReadWritePaths=/var/log > ReadWritePaths=/var/spool/rsyslog > ReadWritePaths=/proc/kmsg > ReadWritePaths=/tmp > > RuntimeDirectory=rsyslog > > CapabilityBoundingSet=CAP_SYSLOG > CapabilityBoundingSet=CAP_NET_BIND_SERVICE > > ExecStart=/usr/sbin/rsyslogd -n -i /run/rsyslog/rsyslogd.pid > > [Install] > WantedBy=multi-user.target > Alias=syslog.service > > Feedback welcome on how to reasonably lock down rsyslog by default > without breaking commonly used functionality (like remote syslog) > > Regards, > Michael > -- > Why is it that all of the instruments seeking intelligent life in the > universe are pointed away from Earth? -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel