On 2023-11-16 18:12 +0100, Michael Biebl wrote:

> Am 16.11.23 um 17:17 schrieb Sven Joachim:
>> Package: systemd
>> Version: 255~rc2-1
>> Severity: important
>> After upgrading systemd from 254.5-1 and rebooting, rsyslog failed to
>> start on my system.  These messages appear in the journal:
>>
>> ,----
>> | Nov 16 16:58:10 localhost systemd[1]: Starting rsyslog.service - System Logging Service...
>> | Nov 16 16:58:10 localhost (rsyslogd)[674]: Failed to create destination mount point node '/run/systemd/mount-rootfs/dev/xconsole', ignoring: Read-only file system
>> | Nov 16 16:58:10 localhost (rsyslogd)[674]: Failed to mount /dev/xconsole to /run/systemd/mount-rootfs/dev/xconsole: No such file or directory
>> | Nov 16 16:58:10 localhost (rsyslogd)[674]: rsyslog.service: Failed to set up mount namespacing: /dev/xconsole: No such file or directory
>> | Nov 16 16:58:10 localhost systemd[1]: rsyslog.service: Main process exited, code=exited, status=226/NAMESPACE
>> | Nov 16 16:58:10 localhost systemd[1]: rsyslog.service: Failed with result 'exit-code'.
>> | Nov 16 16:58:10 localhost systemd[1]: Failed to start rsyslog.service - System Logging Service.
>> | Nov 16 16:58:10 localhost systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 1.
>> `----
>>
>> This gets repeated a few times, and after five restart attempts systemd
>> gives up.
>>
>> It should be noted that I have enabled forwarding messages to xconsole
>> according to the "Logging to xconsole" section in
>> /usr/share/doc/rsyslog/README.Debian, and the problem is obviously in
>> the bind mount for /dev/xconsole.  Removing /dev/xconsole so that the
>> "BindPaths=-/dev/xconsole" statement in rsyslog.service has no effect
>> lets rsyslog start, but recreates the problem of #1053913.
>
> It appears that PrivateTmp=yes was locked down further and is now
> remounted read-only (thanks bluca for the reference):
> https://github.com/systemd/systemd/commit/4a9e03aa6bb2cbd23dac00f2b2a7642cc79eaade

Thanks, I had suspected something along these lines.

> We basically have two options as I see it:
>
> a/ Drop PrivateDevices=yes from rsyslog.service
>
> b/ Move /dev/xconsole to run and turn /dev/xconsole into a symlink
>
>
> The latter b/ will require updates to the local copies in
> /etc/tmpfiles.d/ and /etc/rsyslog.d/
>
> They would look like this now:
>
> $ cat /etc/rsyslog.d/xconsole.conf
> daemon.*;mail.*;\
>       news.err;\
>       *.=debug;*.=info;\
>       *.=notice;*.=warn       |/run/xconsole
>
> $ cat /etc/tmpfiles.d/xconsole.conf
> # Type Path     Mode UID  GID  Age Argument
> p /run/xconsole 0640 root adm
> L /dev/xconsole -    -    -    -   /run/xconsole
>
> Conceptually, moving the named pipe out of /dev and into /run is the
> cleaner solution I think. The /dev/xconsole symlink should make it
> reasonably backwards compatible.
>
> Thoughts?

I think b/ and an appropriate debian/NEWS entry in rsyslog are
preferable to softening security, even if it means some disruption for
the minority of users who still monitor logs via xconsole.  But there
may be more complaints once the changes arrive in testing.

Personally I have made your proposed changes, and after restarting
rsyslog and xconsole everything works fine again.

Cheers,
       Sven
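As an added illustration of option b/ (not part of the bug report or of the rsyslog package), the script below emulates the two proposed tmpfiles.d lines under an arbitrary scratch root and classifies which xconsole layout a tree has: the legacy FIFO directly in /dev that BindPaths=-/dev/xconsole can no longer bind once /dev is read-only, or the relocated FIFO in /run with a /dev symlink. The root directory argument is an assumption made so it can be run without touching the live /dev and /run; ownership (root:adm) is skipped for the same reason.

```sh
#!/bin/sh
# Constructed example: emulate the proposed tmpfiles.d(5) lines
#   p /run/xconsole 0640 root adm
#   L /dev/xconsole -    -    -    -   /run/xconsole
# under a scratch root ($1) and classify the resulting layout.

# Create the relocated layout under "$1": FIFO in run/, symlink in dev/.
apply_xconsole_tmpfiles() {
    root=$1
    mkdir -p "$root/run" "$root/dev"
    # "p" line: named pipe with the requested mode (chown to root:adm is
    # skipped here because it needs privileges a scratch run may lack).
    [ -p "$root/run/xconsole" ] || mkfifo -m 0640 "$root/run/xconsole"
    # A FIFO left over from the old layout would block the symlink.
    if [ -e "$root/dev/xconsole" ] && [ ! -L "$root/dev/xconsole" ]; then
        rm -f "$root/dev/xconsole"
    fi
    # "L" line: absolute target, exactly as tmpfiles.d would write it.
    [ -L "$root/dev/xconsole" ] || ln -s /run/xconsole "$root/dev/xconsole"
}

# Print one of: relocated | legacy | missing | broken
# legacy = FIFO directly in dev/, i.e. the layout that fails with
# status=226/NAMESPACE once /dev is read-only under PrivateDevices=yes.
xconsole_layout() {
    root=$1
    if [ -L "$root/dev/xconsole" ]; then
        # Compare the link text, not the resolved path: under a scratch
        # root the absolute target points outside the tree.
        target=$(readlink "$root/dev/xconsole")
        if [ "$target" = /run/xconsole ] && [ -p "$root/run/xconsole" ]; then
            echo relocated
        else
            echo broken
        fi
    elif [ -p "$root/dev/xconsole" ]; then
        echo legacy
    elif [ -e "$root/dev/xconsole" ]; then
        echo broken
    else
        echo missing
    fi
}
```

Run against a scratch directory first (`xconsole_layout /tmp/scratch`); with `/` as the root it reports the live system's state without modifying it.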
