
Re: Bind-Mount in ein chroot mit systemd



On Fri, 27 Oct 2023 12:42:27 +0200, Sven Hartge <sven@svenhartge.de>
wrote:
>Manuel Leiner <manuel.leiner@noris.net> wrote:
>
>> my colleagues and I have just run into this problem as well and
>> have now actually found a working approach, which works in the
>> combination of systemd + bind9 + chroot.
>
>Wouldn't using "BindPaths=" (see systemd.exec(5)) be better than the
>manual ExecStartPre statements, provided you let systemd create the
>chroot as well?

Here is my solution, which has been in production for a few weeks:

|mh@torres:~ $ sudo systemctl cat bind9
|# /lib/systemd/system/named.service
|[Unit]
|Description=BIND Domain Name Server
|Documentation=man:named(8)
|After=network.target
|Wants=nss-lookup.target
|Before=nss-lookup.target
|
|[Service]
|Type=notify
|EnvironmentFile=-/etc/default/named
|ExecStart=/usr/sbin/named -f $OPTIONS
|ExecReload=/usr/sbin/rndc reload
|ExecStop=/usr/sbin/rndc stop
|Restart=on-failure
|
|[Install]
|WantedBy=multi-user.target
|Alias=bind9.service
|
|# /etc/systemd/system/named.service.d/options.conf
|[Service]
|ExecStart=
|ExecStart=/usr/sbin/named -f -u bind -c /etc/bind/named.conf -t /var/local/ch>
|
|
|# /etc/systemd/system/named.service.d/order.conf
|[Unit]
|After=network-online.target
|Wants=network-online.target
|
|
|# /etc/systemd/system/named.service.d/restart.conf
|[Unit]
|StartLimitIntervalSec=90s
|StartLimitBurst=5
|
|[Service]
|Restart=on-failure
|RestartSec=5s
|
|# /etc/systemd/system/named.service.d/security.conf
|[Service]
|WorkingDirectory=/var/local/chroot/bind
|# this would end up in a "too many symlinks" message.
|#RootDirectory=/
|ProtectProc=invisible
|ProcSubset=pid
|BindReadOnlyPaths=/run/systemd/notify:/var/local/chroot/bind/run/systemd/noti>
|BindReadOnlyPaths=/usr/share/dns:/var/local/chroot/bind/usr/share/dns
|User=bind
|Group=bind
|UMask=077
|CapabilityBoundingSet=cap_net_admin cap_net_bind_service cap_sys_chroot
|AmbientCapabilities=  cap_net_admin cap_net_bind_service cap_sys_chroot
|NoNewPrivileges=true
|#not explicitly set: works automatically.
|#AppArmorProfile
|ProtectSystem=strict
|ProtectHome=yes
|# {Runtime,Cache,Configuration}Directory cannot be used
|# because our bind chroots itself and those directives only
|# create directories under the standard paths.
|#RuntimeDirectory=bind
|ReadWritePaths=/var/local/chroot/bind/run
|#CacheDirectory=bind
|ReadWritePaths=/var/local/chroot/bind/var/cache/bind
|#ConfigurationDirectory=bind
|ReadOnlyPaths=/
|InaccessiblePaths=-/lost+found
|NoExecPaths=/
|# /lib is necessary here, or execve will fail without indicating the reason
|ExecPaths=/usr/sbin/named /usr/sbin/rndc /lib
|PrivateTmp=true
|PrivateDevices=true
|PrivateIPC=true
|# enabling PrivateUsers=true causes
|# "couldn't add command channel 127.0.0.1#953: permission denied"
|ProtectHostname=true
|ProtectClock=true
|ProtectKernelTunables=true
|ProtectKernelModules=true
|ProtectKernelLogs=true
|ProtectControlGroups=true
|RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET AF_INET6
|RestrictNamespaces=~user pid net uts mnt cgroup ipc
|LockPersonality=true
|MemoryDenyWriteExecute=true
|RestrictRealtime=true
|RestrictSUIDSGID=true
|RemoveIPC=true
|SystemCallFilter=~@mount @swap @resources @reboot @privileged @obsolete @modu>
|SystemCallFilter=chroot setuid
|SystemCallArchitectures=native

Regards
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Email address in header
Mannheim, Germany  |     Beginning of Wisdom "     | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
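An added example, not part of Marc's post and not systemd code: the drop-ins above rely on two systemd merge rules that are easy to get wrong, the empty "ExecStart=" line that resets the list before the chrooted command is added (without it Type=notify would see two ExecStart= lines and refuse to start), and list directives such as ReadWritePaths= and BindReadOnlyPaths= accumulating across files while scalars like User= are last-one-wins. The script below simulates that merge offline over constructed, trimmed copies of the unit and drop-ins (the chroot path is taken from the WorkingDirectory= line above), then runs a few hardening checks on the effective unit; on a live host, `systemd-analyze security named.service` is the real verdict and this script only explains why the file layout looks the way it does.

```python
"""Simulate systemd's merge of a unit file with its drop-in overrides and
run hardening checks on the result. Added example for this thread, not
code from the original post or from systemd; the unit fragments are
constructed, trimmed copies of the named.service drop-ins shown above.
"""
from typing import Dict, List, Tuple

# Directives systemd treats as lists: a repeated assignment appends, an
# empty assignment ("ExecStart=") resets everything collected so far.
# CapabilityBoundingSet=/AmbientCapabilities= are unioned when repeated
# without a "~" prefix, which is the same thing as appending.
LIST_DIRECTIVES = {
    "ExecStart", "ExecStartPre", "ExecReload", "ExecStop",
    "ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths",
    "BindPaths", "BindReadOnlyPaths", "ExecPaths", "NoExecPaths",
    "SystemCallFilter", "CapabilityBoundingSet", "AmbientCapabilities",
    "After", "Before", "Wants",
}

Key = Tuple[str, str]            # (section, directive)
Effective = Dict[Key, List[str]]


def parse_unit(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples in file order; comments and
    blank lines are skipped."""
    triples, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        triples.append((section, key.strip(), value.strip()))
    return triples


def merge(fragments: List[Tuple[str, str]]) -> Effective:
    """fragments: (filename, contents). The first entry is the unit itself,
    the rest are drop-ins, applied in lexical filename order as systemd
    does for a *.service.d/ directory."""
    unit, drop_ins = fragments[0], sorted(fragments[1:])
    effective: Effective = {}
    for _, text in [unit] + drop_ins:
        for section, key, value in parse_unit(text):
            k = (section, key)
            if key in LIST_DIRECTIVES:
                if value == "":
                    effective[k] = []                  # the reset idiom
                else:
                    effective.setdefault(k, []).append(value)
            else:
                effective[k] = [value]                 # scalar: last wins
    return effective


def get(effective: Effective, section: str, key: str) -> List[str]:
    return effective.get((section, key), [])


def check_hardening(effective: Effective) -> List[str]:
    """Return findings for the effective [Service] section; empty = pass."""
    def svc(key: str) -> List[str]:
        return get(effective, "Service", key)
    findings = []
    if not svc("User") or svc("User")[-1] in ("", "root"):
        findings.append("runs as root (no User= in the unit)")
    if svc("NoNewPrivileges") != ["true"]:
        findings.append("NoNewPrivileges= not set to true")
    if svc("ProtectSystem")[-1:] not in (["strict"], ["full"]):
        findings.append("ProtectSystem= is not strict/full")
    if svc("PrivateDevices") != ["true"]:
        findings.append("PrivateDevices= not set to true")
    if not svc("CapabilityBoundingSet"):
        findings.append("CapabilityBoundingSet= not restricted")
    if len(svc("ExecStart")) != 1:
        findings.append("ExecStart= must be set exactly once for Type=notify")
    return findings


# Constructed, trimmed copies of the unit and drop-ins from the thread.
BASE = ("named.service", """
[Unit]
Description=BIND Domain Name Server
After=network.target

[Service]
Type=notify
EnvironmentFile=-/etc/default/named
ExecStart=/usr/sbin/named -f $OPTIONS
Restart=on-failure
""")

OPTIONS = ("options.conf", """
[Service]
ExecStart=
ExecStart=/usr/sbin/named -f -u bind -c /etc/bind/named.conf -t /var/local/chroot/bind
""")

SECURITY = ("security.conf", """
[Service]
User=bind
Group=bind
NoNewPrivileges=true
ProtectSystem=strict
PrivateDevices=true
CapabilityBoundingSet=cap_net_admin cap_net_bind_service cap_sys_chroot
ReadWritePaths=/var/local/chroot/bind/run
ReadWritePaths=/var/local/chroot/bind/var/cache/bind
BindReadOnlyPaths=/usr/share/dns:/var/local/chroot/bind/usr/share/dns
""")


def effective_named(with_security: bool = True) -> Effective:
    parts = [BASE, OPTIONS] + ([SECURITY] if with_security else [])
    return merge(parts)


if __name__ == "__main__":
    for label, eff in (("base+options", effective_named(False)),
                       ("with security.conf", effective_named(True))):
        print(label, "ExecStart:", get(eff, "Service", "ExecStart"))
        print(label, "findings:", check_hardening(eff) or "none")
```

Dropping the empty "ExecStart=" line from options.conf makes merge() return two ExecStart entries and check_hardening() reports it, which is the same condition systemd rejects at load time; the two ReadWritePaths= lines survive the merge as two entries rather than the second overwriting the first.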

