Hi, I’m playing around with portables services and I’m trying to make unbound (the DNS resolver) work. Despite all my efforts these last days and some Google-Fu, I can’t make it work. It always fails when trying to bind the interface on port 53, with a « permission denied » message. The exact same config running directly on the host works. Binding to a port > 1024 also works. Here is the [Service] section of the .service file provided by the image : [Service] ExecStart=/usr/bin/unbound -d ExecReload=+/bin/kill -HUP $MAINPID ExecStop=+/bin/kill -TERM $MAINPID NotifyAccess=main Type=notify CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true PrivateTmp=true ProtectHome=true ProtectControlGroups=true ProtectKernelModules=true ProtectSystem=strict ConfigurationDirectory=unbound RuntimeDirectory=unbound BindReadOnlyPaths=/run/systemd/notify BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX RestrictRealtime=true SystemCallArchitectures=native SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources RestrictNamespaces=yes LockPersonality=yes RestrictSUIDSGID=yes DynamicUser=yes AmbientCapabilities=CAP_NET_BIND_SERVICE It’s attached with the default profile. Amongst the billion things I tried to make it work, I : - tried to confirm the AmbientCapabilities= directive in a local drop-in but without success ; - tried the « trusted » profile with no luck ; - tried to remove some directives or override them (don’t remember exactly what, I’ve spent like 50 hours on it :-/ ) Are there some « specials » restrictions for portable services ? What am I missing / misunderstanding ? Thanks a lot for your work, -- François _______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Portable service binding a system port
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Portable service binding a system port
- From: François <francois+systemd@xxxxxxxxxx>
- Date: Thu, 23 Jan 2020 13:56:09 +0100
- Follow-Ups:
- Re: Portable service binding a system port
- From: François
- Re: Portable service binding a system port
- Prev by Date: resolved and persistent routing domains
- Next by Date: elegant way to use a single mount unit file for multiple paths
- Previous by thread: resolved and persistent routing domains
- Next by thread: Re: Portable service binding a system port
- Index(es):
 |