Hardened service fails to start

brauner · January 21, 2022, 12:25pm

Yes, I sent a pull request to fix an issue there:

github.com/systemd/systemd

core/namespace: allow using ProtectSubset=pid and ProtectHostname=tru…

systemd:main ← brauner:2022-01-21.procsubset.pid

opened 12:14PM - 21 Jan 22 UTC

brauner

+5 -0

…e together If a service requests both ProtectSubset=pid and ProtectHostname=…true then it will currently fail to start. The ProcSubset=pid option instructs systemd to mount procfs for the service with subset=pid which hides all entries other than /proc/<pid>. Consequently trying to interact with the two files /proc/sys/kernel/{hostname,domainname} covered by ProtectHostname=true will fail. Fix this by only performing this check when ProtectSubset=pid is not requested. Essentially ProtectSubset=pid implies/provides ProtectHostname=true.

brauner · January 21, 2022, 12:43pm

One thing that could explain this if ProtectHostname=true was set in the container but not for the host synapse.service But if both override-hardened.conf are identical than that seems unlikely and afaict, the zz-lxc-service.conf thing doesn’t bring in ProtectHostname=true. Rather it’s set in override-hardened.conf. Can you double-check that ProtectHostname=true is present both on the host and in the container?

brauner · January 21, 2022, 12:44pm

What’s your systemd version on the host and systemd version in the container?

istobic · January 21, 2022, 1:03pm

I can confirm that ProtectHostname=true both in the container and on the host.
systemd host: 250.2-2
systemd container: 250-4

stgraber · January 21, 2022, 3:06pm

stgraber · January 21, 2022, 3:12pm

image-archlinux [Jenkins] is rebuilding now, the updated images will likely be live in a couple of hours.