On Tue, May 07, 2019 at 11:08:38AM +0200, Peter Viskup wrote:
> Running Debian9 with systemd 241-3~bpo9+1 from backports.
> Having trouble starting the rsyslog service in a chroot jail using the systemd
> service file with RootDirectory and User settings.
> Setting AmbientCapabilities=CAP_SYS_CHROOT does not help and I am still getting
> the following errors:
>
> rsyslog-chroot@inst.service: Changing to the requested working directory
> failed: Operation not permitted
> rsyslog-chroot@inst.service: Failed at step CHROOT spawning
> /usr/sbin/rsyslogd: Operation not permitted
This seems to indicate that rsyslogd is trying to chdir() to some
directory it is not allowed to...
> rsyslog-chroot@inst.service: Main process exited, code=exited,
> status=210/CHROOT
>
> Any idea how to get it working properly? Starting without the User setting
> is working just fine.
No idea about systemd, but the rsyslogd man page says:

  OPTIONS
  [...]
  -C     This prevents rsyslogd from changing to the root directory.
         This is almost never a good idea in production use. This
         option was introduced in support of the internal testbed.

So perhaps it's just rsyslogd trying (and failing) to chdir() to /
while in a chroot jail (surprise?). A run under strace might confirm
that. Setting option -C might help in debugging that.
Whether (assuming my shot in the dark is a hit) you /want/ to do
something the doc qualifies as being "almost never a good idea"
would be left as an exercise to the reader ;-)
HTH
-- t
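
The strace run suggested in the reply can be read mechanically. The following is an added example, not part of the original thread and not rsyslog or systemd code: it takes `strace -f` output and reports whether a failed chdir()/chroot() happened before or after the execve() of /usr/sbin/rsyslogd, which tells you whether the service manager's child or rsyslogd itself made the failing call. The sample traces, the PIDs and the /srv/jail path are constructed for illustration.

```python
import re

# Matches both `strace -f` ("[pid  N] call(...) = ret ERR") and
# `strace -f -o FILE` ("N call(...) = ret ERR") line formats.
LINE = re.compile(
    r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+(E[A-Z]+))?')

# Constructed sample: the call fails while the sandbox is still being set up.
PRE_EXEC = '''\
4242 chroot("/srv/jail") = -1 EPERM (Operation not permitted)
4242 exit_group(210) = ?
4242 +++ exited with 210 +++
'''

# Constructed sample: what the reply's hypothesis would look like in a trace.
POST_EXEC = '''\
[pid  4243] chroot("/srv/jail") = 0
[pid  4243] execve("/usr/sbin/rsyslogd", ["/usr/sbin/rsyslogd", "-n"], 0x7ffd0 /* 5 vars */) = 0
[pid  4243] chdir("/") = -1 EPERM (Operation not permitted)
'''

def failed_dir_calls(trace, binary="/usr/sbin/rsyslogd"):
    """Return (pid, syscall, args, errno, phase) for each failed
    chdir/fchdir/chroot. phase is 'after-exec' once that PID has
    successfully execve'd `binary`, otherwise 'before-exec'.
    Limitation: children forked after the exec are not tracked."""
    execed = set()
    hits = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # exit markers, signals, unfinished calls
        pid = m.group(1) or m.group(2) or "-"
        name, args = m.group(3), m.group(4)
        ret, err = int(m.group(5)), m.group(6)
        if name == "execve" and ret == 0 and args.startswith('"%s"' % binary):
            execed.add(pid)
        elif name in ("chdir", "fchdir", "chroot") and ret < 0:
            phase = "after-exec" if pid in execed else "before-exec"
            hits.append((pid, name, args, err, phase))
    return hits

if __name__ == "__main__":
    for sample in (PRE_EXEC, POST_EXEC):
        for hit in failed_dir_calls(sample):
            print(*hit)
```

A 'before-exec' hit means rsyslogd never ran, so its -C option cannot affect the failure; an 'after-exec' hit points at the daemon's own call.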