Discussion:
RootDirectory combined with PrivateUsers=true
Victor Näslund
2017-08-27 15:46:13 UTC
Hi,

Is it possible to combine these RootDirectory=/foo and PrivateUsers=true
directives?
I am getting the systemd error:


● sectest.service - Sectests
   Loaded: loaded (/usr/lib/systemd/system/sectest.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2017-08-27 15:30:04 UTC; 10ms ago
  Process: 19128 ExecStart=/true (code=exited, status=217/USER)
 Main PID: 19128 (code=exited, status=217/USER)


I am not sure what exactly is wrong since it works with either PrivateUsers
or RootDirectory but not combined.

I am using the latest Fedora with:
systemd 233
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
default-hierarchy=hybrid

Here is my service file:

[Unit]
Description=Sectests

[Service]
Type=oneshot

RootDirectory=/chroot/
RootDirectoryStartOnly=true

PrivateUsers=true

# Simply copied /usr/bin/true to /chroot/ and the libs and such to make a
# chroot work as stated in the docs; it works without PrivateUsers but not
# with it.
ExecStart=/true

ExecReload=/bin/kill -s HUP $MAINPID

MountAPIVFS=true
PrivateDevices=true

KillSignal=SIGQUIT


[Install]
WantedBy=multi-user.target

---

Thanks in advance for any help.

Sincerely

Victor Näslund
Greyhash AB
Lennart Poettering
2017-08-29 16:40:48 UTC
Post by Victor Näslund
> Hi,
> Is it possible to combine these RootDirectory=/foo and PrivateUsers=true
> directives?
> ● sectest.service - Sectests
>    Loaded: loaded (/usr/lib/systemd/system/sectest.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Sun 2017-08-27 15:30:04 UTC; 10ms ago
>   Process: 19128 ExecStart=/true (code=exited, status=217/USER)
>  Main PID: 19128 (code=exited, status=217/USER)
> I am not sure what exactly is wrong since it works with either PrivateUsers
> or RootDirectory but not combined.
They are definitely intended to work together, in fact when used
together they become most useful, as this means /etc/passwd inside of
the container can safely deviate from the host's /etc/passwd.

If this currently doesn't work, then please file a bug on github, so
that we have a look and fix this!

Lennart
--
Lennart Poettering, Red Hat
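Added example, not from either poster or from systemd itself: a small POSIX shell helper for staging and sanity-checking a RootDirectory= tree like the hand-built /chroot/ in the original post. systemd's exit status 217 (EXIT_USER) means it failed to set up the service's user, group or user namespace, so besides the ExecStart= binary and its shared libraries the check also confirms that the account the service runs as exists in the tree's own /etc/passwd, the file Lennart points out may legitimately differ from the host's when PrivateUsers= is on. The function names, the /true and /bin/sh paths, and the constructed passwd line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): stage a binary into a RootDirectory=
# tree and verify the tree has what a unit needs before systemd runs it.

# Print the absolute paths of shared libraries the host binary needs.
# ldd fails on scripts and static binaries, in which case nothing is needed.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '$1 ~ /^\// {print $1} $3 ~ /^\// {print $3}'
}

# stage_binary ROOT HOST_PATH: copy HOST_PATH and its libraries into ROOT,
# keeping the same paths so the dynamic loader finds them inside the root.
stage_binary() {
    root=$1; bin=$2
    mkdir -p "$root$(dirname "$bin")"
    cp "$bin" "$root$bin"
    for lib in $(needed_libs "$bin"); do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
}

# check_chroot_tree ROOT PATH_INSIDE_ROOT [USER]: return 0 if ROOT contains
# the executable, every library it needs, and USER (default root) in its
# own /etc/passwd; otherwise print what is missing and return 1.
check_chroot_tree() {
    root=$1; bin=$2; user=${3:-root}; missing=0

    # 1. the ExecStart= binary, resolved inside the new root
    if [ ! -x "$root$bin" ]; then
        echo "missing executable: $root$bin"; missing=1
    fi

    # 2. shared libraries, each expected at the same path under the root
    for lib in $(needed_libs "$root$bin"); do
        [ -e "$root$lib" ] || { echo "missing library: $root$lib"; missing=1; }
    done

    # 3. the service account in the tree's own passwd file (status=217/USER
    #    is what systemd reports when user setup fails)
    if ! awk -F: -v u="$user" '$1 == u {found=1} END {exit !found}' \
            "$root/etc/passwd" 2>/dev/null; then
        echo "user '$user' not in $root/etc/passwd"; missing=1
    fi
    return $missing
}

# Usage: sh check_chroot.sh /chroot /true root
if [ "$#" -ge 2 ]; then
    check_chroot_tree "$@"
fi
```

Running it against the poster's layout (`check_chroot_tree /chroot /true root`) separates a tree that is simply incomplete from a genuine systemd problem of the kind Lennart asks to have filed on GitHub: if the check passes and the unit still fails with 217/USER, the tree is not the cause.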