On Wed, 28 Sep 2022 18:11:14 +1000 (AEST)
Michael Chapman <mike@xxxxxxxxxxxxxxxxx> wrote:
Sure, but this example is kind of useless as it doesn't bind-mount
anything into chroot.
We have already established (sorry, didn't post it to the whole list,
it seems):
1. After service fails to start, it doesn't properly unmount all mounts.
Quite some stuff tends to stay mounted. I assume it might also fail to
mount some maps.
2. Even if I move chroot dir outside of hierarchy that I bind-mount
through BindPaths ( like /CHROOTS/my_debug) after failed start it tends
to grow one or couple levels down (so I get
/CHROOTS/my_Debug/CHROOTS/my_debug etc etc) after failed start.
3.
If I manually bind-mount all the needed dirs into chroot dir before I
start the service, it runs fine ( minus the fact that it makes deeper
level maps into chroot )...
I'm running systemd-251.4 on gentoo and it has a couple of patches:
- 251-revert-fortify-source-3-fix.patch
- gentoo-generator-path-r2.patch"
- gentoo-systemctl-disable-sysv-sync-r1.patch"
- gentoo-journald-audit.patch"
On a first glance, none of those seems relevant to this case...
I run gentoo-hardened profile, in case that matters.
> > Is there a simple demo example that uses it that I could try ?
>
> This worked for me:
>
> $ cd /tmp/root
> $ cat hello.c
> #include <stdio.h>
>
> int main(void) {
> puts("Hello, world!");
> }
> $ clang -static -o hello hello.c
> $ cat /etc/systemd/system/hello.service
> [Service]
> Type=oneshot
> ExecStart=/hello
> RootDirectory=/tmp/root
> $ systemctl daemon-reload
> $ systemctl start hello.service
> $ systemctl status hello.service
> ○ hello.service
> Loaded: loaded (/etc/systemd/system/hello.service; static)
> Active: inactive (dead)
>
> Sep 28 18:07:35 hostname systemd[1]: Finished hello.service.
> Sep 28 18:08:54 hostname systemd[1]: Starting hello.service...
> Sep 28 18:08:54 hostname hello[510676]: Hello, world!
> Sep 28 18:08:54 hostname systemd[1]: hello.service: Deactivated
> successfully. Sep 28 18:08:54 hostname systemd[1]: Finished
> hello.service.
Re: jailrooting services with RootDirectory - how ?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: jailrooting services with RootDirectory - how ?
- From: Branko <brankob@xxxxxxxxxxxxxx>
- Date: Wed, 28 Sep 2022 08:40:56 +0000
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <8d5a623d-b344-1fcf-26fb-d956e61420b8@very.puzzling.org>
- Organization: S5Tehnika.net
- References: <20220928033517.3ffbcce4@\040none\041brane_wrks> <8d5a623d-b344-1fcf-26fb-d956e61420b8@very.puzzling.org>
- Follow-Ups:
- Re: jailrooting services with RootDirectory - how ?
- From: Michael Chapman
- Re: jailrooting services with RootDirectory - how ?
- References:
- jailrooting services with RootDirectory - how ?
- From: brankob
- Re: jailrooting services with RootDirectory - how ?
- From: Michael Chapman
- jailrooting services with RootDirectory - how ?
- Prev by Date: Re: jailrooting services with RootDirectory - how ?
- Next by Date: Re: jailrooting services with RootDirectory - how ?
- Previous by thread: Re: jailrooting services with RootDirectory - how ?
- Next by thread: Re: jailrooting services with RootDirectory - how ?
- Index(es):
 |