From d9ae3222cfbd5d2a48e6dbade6617085cc76f1c1 Mon Sep 17 00:00:00 2001
From: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
Date: Tue, 25 Feb 2020 13:35:50 -0500
Subject: [PATCH] resolved: Recover missing PrivateTmp=yes and
ProtectSystem=strict

Since the commit b61e8046ebcb28225423fc0073183d68d4c577c4,
systemd-resolved.service often fails to start with the following message:

Failed at step NAMESPACE spawning /usr/bin/mount: Read-only file system

This is because dropping DynamicUser=yes dropped implicit PrivateTmp=yes and
also implicit After=systemd-tmpfiles-setup.service, and thus
systemd-resolved.service can start before systemd-remount-fs.service. As a
result, mount operations associated with PrivateDevices= can be performed to
still read-only filesystems.

To fix this issue, it's better to recover PrivateTmp=yes and
ProtectSystem=strict just as the upstream commit
62fb7e80fcc45a1530ed58a84980be8cfafa9b3e (Revert "resolve: enable DynamicUser=
for systemd-resolved.service").

Resolves: #1810869
---
units/systemd-resolved.service.in | 2 ++
1 file changed, 2 insertions(+)

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 6c2ad5ca86..aad1a53a5f 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -28,7 +28,9 @@ WatchdogSec=3min
User=systemd-resolve
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+PrivateTmp=yes
PrivateDevices=yes
+ProtectSystems=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
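Review bot: the added line `+ProtectSystems=strict` misspells the directive, so this hunk does not restore what the subject and the referenced upstream revert name; the unit key is `ProtectSystem=`, and systemd treats `ProtectSystems=` as an unknown key, logs a warning and ignores it, leaving the service without the read-only root mount the patch intends. Change the line to `+ProtectSystem=strict` before merging. The `+PrivateTmp=yes` line is correct and, as the message notes, is what brings back the implicit ordering after systemd-tmpfiles-setup.service, so the startup race described in the body is fixed by that line alone; the ProtectSystem= line only matters for the hardening the revert restores.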