[systemd-devel] Schizophrenic systemd-resolved

[Sietse van Zanen]

What should be used for DNS? DECNET or Token ring maybe?

Jan 19 10:50:23  systemd-resolved[977]: Using degraded feature set UDP instead 
of TCP for DNS server ::c0:f7ff:fe31:b205.
Jan 19 10:52:21  systemd-resolved[977]: Using degraded feature set TCP instead 
of UDP for DNS server ::c0:f7ff:fe31:b205

-Sietse

Re: [systemd-devel] Waiting for (transient) hostname configuration

[Sietse van Zanen]

Why not add:

ExecStartPost=systemctl daemon-reload

to systemd-networkd-wait-online.service?


-Sietse


From: systemd-devel  on behalf of 
Alessio Igor Bogani 
Sent: Wednesday, April 20, 2022 12:54:11 PM
To: Lennart Poettering
Cc: systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] Waiting for (transient) hostname configuration

Hi Lennart,

On Tue, 19 Apr 2022 at 11:41, Lennart Poettering  wrote:
[...]
> the unit files are *loaded*, i.e. typically at earliest boot, long
> before they are actually *started*. Thus, if you change the hostname

I understand now. It was the evaluation time of the specifier that I
have missed. I have just realized that my question was dumb, sorry for
that.

[...]
> use. If you use systemd-networkd, then the
> sytemd-network-wait-online.service is what you want to use. If you
> enable that then network-online.target should be the point where DHCP
> is acquired and thus also the hostname in effect.

I use systemd-networkd and systemd-networkd-wait-online is enabled but
unfortunately it doesn't work anyway. I have also tried to request
systemd to execute systemd-hostnamed "Before = nss-lookup.target" (*)
without success.
I left the little shell script inside to ExecStart to solve my problem
waiting for a better solution.

Thanks Lennart for time, consideration and kindness.

Have a nice and safe day!

Ciao,
Alessio

(*) All my Units use "After = network-online.target nss-lookup.target"

[systemd-devel] EFI Boot default not honered

[Sietse van Zanen]

Hi,


After upgrading to 250, systemd efi boot is no longer honoring the default. 
Neither loader.conf default nor LoaderDefaultEntry EFI variable have any 
effect. Instead it defaults to the last entry (alphabetically)  in the entries/ 
directory.


Anybody els have this issue (or some ideas about it)?


-Sietse

[systemd-devel] Question about WATCHDOG

[Sietse van Zanen]

Hi,

I am writing a daemon script which uses sd_notify watchdog. This works fine, 
system will kill the if the process doesn't notify.

However, I have seen in 1 occasion where, due to a programming error, the 
script got stuck in a read and was not killed where it should have been.
So my question is, what does systemd actually do when the watchdog expires, 
which signal does it send?

-Sietse
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Systemd and kernel keyring

[Sietse van Zanen]

I want to make these passwords inaccessible outside the systemd service
even by that USER. (or does it sound something contradictory?)

In that case you cannot use the user keyring, as any key there will always be 
available to the user. You will either need to use the process keyring, or the 
session keyring for your service.

-Sietse


From: Dinesh Prasanth Moluguwan Krishnamoorthy 
Sent: Friday, December 7, 2018 20:47
To: Sietse van Zanen; systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] Systemd and kernel keyring

Oh damn! Yes. It worked!

So, my next question would be "how to avoid it?"

To expand a bit more:

I want to make these passwords inaccessible outside the systemd service
even by that USER. (or does it sound something contradictory?)

Regards,
Dinesh

On Fri, 2018-12-07 at 11:36 +0000, Sietse van Zanen wrote:
> It's probably exactly that, you are running the keyctl in a
> subprocess and that's why the key is not available in your logon
> session. Let's reproduce the issue shall we.
>
> First create a key for the user in a separate login session:
> [uglymotha@rdsan01 ~]$ sudo -H -u uglymotha keyctl add user bla bla
> @u
> 268450157
>
> We have no access to the key
> [uglymotha@rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> Because it was added in another session and our current session is
> not linked to my user keyring, this does not (always) happen
> automatically on login.
> [uglymotha@rdsan01 ~]$ keyctl show @u
> Keyring
> 1004152344 --alswrv  11109 65534  keyring: _uid.11109
>  268450157 --alswrv  11109 10513   \_ user: bla
>
> The current session keyring is still empty
> [uglymotha@rdsan01 ~]$ keyctl show @s
> Keyring
>  611271066 --alswrv  0 0  keyring: _ses
>
> So link the user keyring to our current session keyring
> [uglymotha@rdsan01 ~]$ keyctl link @u @s
>
> And we have access to the key.
> [uglymotha@rdsan01 ~]$ keyctl show @s
> Keyring
>  611271066 --alswrv  0 0  keyring: _ses
> 1004152344 --alswrv  11109 65534   \_ keyring: _uid.11109
>  268450157 --alswrv  11109 10513   \_ user: bla
> [uglymotha@rdsan01 ~]$ keyctl print 268450157
> bla
> [uglymotha@rdsan01 ~]$ keyctl unlink @u @s
> [uglymotha@rdsan01 ~]$ keyctl print 268450157
> keyctl_read_alloc: Permission denied
>
> -Sietse
>
> -Original Message-
> From: Dinesh Prasanth Moluguwan Krishnamoorthy 
> Sent: Thursday, 6 December, 2018 23:21
> To: Sietse van Zanen ;
> systemd-devel@lists.freedesktop.org
> Subject: Re: [systemd-devel] Systemd and kernel keyring
>
> Hi Sietse,
>
> I tried doing that, but I wasn't able to link it:
>
> [pkiuser@localhost]  $ keyctl show @u
> Keyring
>  461086211 --alswrv 17 65534  keyring: _uid.3
>  189019025 --alswrv 1717   \_ user: nuxwdog:user
> [pkiuser@localhost]  $ keyctl link 189019025 @s
> keyctl_link: Permission denied
>
>
> I achieve 2 by doing a subprocess call that runs `keyctl add user
>  Desc>  @u`
>
> Regards,
> Dinesh
>
> On Thu, 2018-12-06 at 11:57 +, Sietse van Zanen wrote:
> > Hi Dinesh,
> >
> > Did you do a 'keyctl link @us @s' after logging in?
> >
> > And could you tell me how you aceive 2. Because according to
> > documentation it is not possible to have systemd-ask-password
> > insert a
> > key into a users keylist:
> >   --keyname=
> > Configure a kernel keyring key name to use as cache for
> > the
> > password. If set, then the tool will try to push any collected
> > passwords into the
> > kernel keyring of the root user
> >
> > -Sietse
> > 
> > From: systemd-devel 
> > on
> > behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <
> > dmolu...@redhat.com>
> > Sent: Thursday, December 6, 2018 04:11
> > To: systemd-devel@lists.freedesktop.org
> > Subject: [systemd-devel] Systemd and kernel keyring
> >
> > Hi team,
> >
> > I'm working on accessing kernel keyring in my application started
> > using systemd.
> >
> > The list of steps I'm doing:
> >
> > 1. Starting a systemd service with `KeyringMode=shared` as a
> > SPECIFIC
> > USER 2. In the `ExecStartPre`, I'm launching a subprocess that
> > invokes
> > `systemd-ask-password` to accept the input and store it in the
> > USER's
> > kernel keyring 3. In the main program started using `ExecStart`,
> > I'm
> > accessing the value stored in the keyring
> >
> > I'm able to access the values from my main program -- everything
> > works
> > as expecte

Re: [systemd-devel] Systemd and kernel keyring

[Sietse van Zanen]

It's probably exactly that, you are running the keyctl in a subprocess and 
that's why the key is not available in your logon session. Let's reproduce the 
issue shall we.

First create a key for the user in a separate login session:
[uglymotha@rdsan01 ~]$ sudo -H -u uglymotha keyctl add user bla bla @u
268450157

We have no access to the key
[uglymotha@rdsan01 ~]$ keyctl print 268450157
keyctl_read_alloc: Permission denied

Because it was added in another session and our current session is not linked 
to my user keyring, this does not (always) happen automatically on login.
[uglymotha@rdsan01 ~]$ keyctl show @u
Keyring
1004152344 --alswrv  11109 65534  keyring: _uid.11109
 268450157 --alswrv  11109 10513   \_ user: bla

The current session keyring is still empty
[uglymotha@rdsan01 ~]$ keyctl show @s
Keyring
 611271066 --alswrv  0 0  keyring: _ses

So link the user keyring to our current session keyring
[uglymotha@rdsan01 ~]$ keyctl link @u @s

And we have access to the key.
[uglymotha@rdsan01 ~]$ keyctl show @s 
Keyring
 611271066 --alswrv  0 0  keyring: _ses
1004152344 --alswrv  11109 65534   \_ keyring: _uid.11109
 268450157 --alswrv  11109 10513   \_ user: bla
[uglymotha@rdsan01 ~]$ keyctl print 268450157
bla
[uglymotha@rdsan01 ~]$ keyctl unlink @u @s
[uglymotha@rdsan01 ~]$ keyctl print 268450157
keyctl_read_alloc: Permission denied

-Sietse

-Original Message-
From: Dinesh Prasanth Moluguwan Krishnamoorthy  
Sent: Thursday, 6 December, 2018 23:21
To: Sietse van Zanen ; systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] Systemd and kernel keyring

Hi Sietse,

I tried doing that, but I wasn't able to link it:

[pkiuser@localhost]  $ keyctl show @u
Keyring
 461086211 --alswrv 17 65534  keyring: _uid.3
 189019025 --alswrv 17    17   \_ user: nuxwdog:user
[pkiuser@localhost]  $ keyctl link 189019025 @s
keyctl_link: Permission denied


I achieve 2 by doing a subprocess call that runs `keyctl add user   @u`

Regards,
Dinesh

On Thu, 2018-12-06 at 11:57 +, Sietse van Zanen wrote:
> Hi Dinesh,
> 
> Did you do a 'keyctl link @us @s' after logging in?
> 
> And could you tell me how you aceive 2. Because according to 
> documentation it is not possible to have systemd-ask-password insert a 
> key into a users keylist:
>  --keyname=
>    Configure a kernel keyring key name to use as cache for the 
> password. If set, then the tool will try to push any collected 
> passwords into the
>    kernel keyring of the root user
> 
> -Sietse
> 
> From: systemd-devel  on 
> behalf of Dinesh Prasanth Moluguwan Krishnamoorthy < 
> dmolu...@redhat.com>
> Sent: Thursday, December 6, 2018 04:11
> To: systemd-devel@lists.freedesktop.org
> Subject: [systemd-devel] Systemd and kernel keyring
> 
> Hi team,
> 
> I'm working on accessing kernel keyring in my application started 
> using systemd.
> 
> The list of steps I'm doing:
> 
> 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC 
> USER 2. In the `ExecStartPre`, I'm launching a subprocess that invokes 
> `systemd-ask-password` to accept the input and store it in the USER's 
> kernel keyring 3. In the main program started using `ExecStart`, I'm 
> accessing the value stored in the keyring
> 
> I'm able to access the values from my main program -- everything works 
> as expected! When I try to login as that specific user and do a 
> `keyctl show @u`, I find the entry.
> 
> However, when I try to do `keyctl print `, it throws 
> "Permission Denied" error. IIUC, this protects the keys in the keyring 
> from accessing outside the systemd service. Is it the desired 
> behaviour?
> 
> I have the sample systemd unit file available in [1].
> 
> [1]
> 
https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> 
> Thanks,
> Dinesh
> 
> ___
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Systemd and kernel keyring

[Sietse van Zanen]

Dinesh,

That's linking the key to the session keyring. Also because you're adding keys 
in a subprocess you do  need to take care with setting correct permissions on 
the key. 

What does keyctl show @us say?

-Sietse


-Original Message-
From: Dinesh Prasanth Moluguwan Krishnamoorthy  
Sent: Thursday, 6 December, 2018 23:21
To: Sietse van Zanen ; systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] Systemd and kernel keyring

Hi Sietse,

I tried doing that, but I wasn't able to link it:

[pkiuser@localhost]  $ keyctl show @u
Keyring
 461086211 --alswrv 17 65534  keyring: _uid.3
 189019025 --alswrv 1717   \_ user: nuxwdog:user
[pkiuser@localhost]  $ keyctl link 189019025 @s
keyctl_link: Permission denied


I achieve 2 by doing a subprocess call that runs `keyctl add user   @u`

Regards,
Dinesh

On Thu, 2018-12-06 at 11:57 +, Sietse van Zanen wrote:
> Hi Dinesh,
> 
> Did you do a 'keyctl link @us @s' after logging in?
> 
> And could you tell me how you aceive 2. Because according to 
> documentation it is not possible to have systemd-ask-password insert a 
> key into a users keylist:
>  --keyname=
>Configure a kernel keyring key name to use as cache for the 
> password. If set, then the tool will try to push any collected 
> passwords into the
>kernel keyring of the root user
> 
> -Sietse
> 
> From: systemd-devel  on 
> behalf of Dinesh Prasanth Moluguwan Krishnamoorthy < 
> dmolu...@redhat.com>
> Sent: Thursday, December 6, 2018 04:11
> To: systemd-devel@lists.freedesktop.org
> Subject: [systemd-devel] Systemd and kernel keyring
> 
> Hi team,
> 
> I'm working on accessing kernel keyring in my application started 
> using systemd.
> 
> The list of steps I'm doing:
> 
> 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC 
> USER 2. In the `ExecStartPre`, I'm launching a subprocess that invokes 
> `systemd-ask-password` to accept the input and store it in the USER's 
> kernel keyring 3. In the main program started using `ExecStart`, I'm 
> accessing the value stored in the keyring
> 
> I'm able to access the values from my main program -- everything works 
> as expected! When I try to login as that specific user and do a 
> `keyctl show @u`, I find the entry.
> 
> However, when I try to do `keyctl print `, it throws 
> "Permission Denied" error. IIUC, this protects the keys in the keyring 
> from accessing outside the systemd service. Is it the desired 
> behaviour?
> 
> I have the sample systemd unit file available in [1].
> 
> [1]
> 
https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
> 
> Thanks,
> Dinesh
> 
> ___
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Systemd and kernel keyring

[Sietse van Zanen]

Hi Dinesh,

In that case I suggest you start by reading: 
http://man7.org/linux/man-pages/man7/keyrings.7.html

What does cat /proc/keys say?

-Sietse

-Original Message-
From: systemd-devel  On Behalf Of 
Dinesh Prasanth Moluguwan Krishnamoorthy
Sent: Thursday, 6 December, 2018 23:38
To: Lennart Poettering 
Cc: systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] Systemd and kernel keyring

Hi Lennart,

[pkiuser@localhost]  $ keyctl list @u
1 key in keyring:
114920030: --alswrv1717 user: nuxwdog:user

That's the attrs of the created key.I'm not sure how to read these attributes, 
though.

Regards,
Dinesh

On Thu, 2018-12-06 at 14:38 +0100, Lennart Poettering wrote:
> On Mi, 05.12.18 19:11, Dinesh Prasanth Moluguwan Krishnamoorthy (
> dmolu...@redhat.com) wrote:
> 
> > Hi team,
> > 
> > I'm working on accessing kernel keyring in my application started 
> > using systemd.
> > 
> > The list of steps I'm doing:
> > 
> > 1. Starting a systemd service with `KeyringMode=shared` as a 
> > SPECIFIC USER 2. In the `ExecStartPre`, I'm launching a subprocess 
> > that invokes `systemd-ask-password` to accept the input and store it 
> > in the USER's kernel keyring 3. In the main program started using 
> > `ExecStart`, I'm accessing the value stored in the keyring
> > 
> > I'm able to access the values from my main program -- everything 
> > works as expected! When I try to login as that specific user and do 
> > a `keyctl show @u`, I find the entry.
> > 
> > However, when I try to do `keyctl print `, it throws 
> > "Permission Denied" error. IIUC, this protects the keys in the 
> > keyring from accessing outside the systemd service. Is it the 
> > desired behaviour?
> 
> Hmm, maybe use "keyctl list @u" to see the key and its access mode?
> 
> Lennart
> 
> --
> Lennart Poettering, Red Hat

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Systemd and kernel keyring

[Sietse van Zanen]

Hi Dinesh,

Did you do a 'keyctl link @us @s' after logging in?

And could you tell me how you aceive 2. Because according to documentation it 
is not possible to have systemd-ask-password insert a key into a users keylist:
 --keyname=
   Configure a kernel keyring key name to use as cache for the 
password. If set, then the tool will try to push any collected passwords into 
the
   kernel keyring of the root user

-Sietse

From: systemd-devel  on behalf of 
Dinesh Prasanth Moluguwan Krishnamoorthy 
Sent: Thursday, December 6, 2018 04:11
To: systemd-devel@lists.freedesktop.org
Subject: [systemd-devel] Systemd and kernel keyring

Hi team,

I'm working on accessing kernel keyring in my application started using
systemd.

The list of steps I'm doing:

1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC
USER
2. In the `ExecStartPre`, I'm launching a subprocess that invokes
`systemd-ask-password` to accept the input and store it in the USER's
kernel keyring
3. In the main program started using `ExecStart`, I'm accessing the
value stored in the keyring

I'm able to access the values from my main program -- everything works
as expected! When I try to login as that specific user and do a `keyctl
show @u`, I find the entry.

However, when I try to do `keyctl print `, it throws "Permission
Denied" error. IIUC, this protects the keys in the keyring from
accessing outside the systemd service. Is it the desired behaviour?

I have the sample systemd unit file available in [1].

[1]
https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service

Thanks,
Dinesh

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] systemd-ask-password and kernel keyring

[Sietse van Zanen]

According to man:

   --keyname=
   Configure a kernel keyring key name to use as cache for the 
password. If set, then the tool will try to push any collected passwords into 
the
   kernel keyring of the root user


Why only  for user root and not the user running systemd-ask-password?

I am working on a project where a user will run a keyserver. currently I do the 
keyctl add etc manually, but it would be much nicer is system-ask-password 
could use the user's keyring.


-Sietse


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Permanent environment variable

[Sietse van Zanen]

try man systemd-system.conf


and especially

DefaultEnvironment=


-Sietse



From: systemd-devel  on behalf of 
deepan muthusamy 
Sent: Wednesday, September 12, 2018 15:16
To: Systemd
Subject: [systemd-devel] Permanent environment variable

How to set up environmental variable common for all system services.

For example,
If I set environment variable(Environment="variable=data") in mysystem.service 
file, it's scope is in that file only. I want that variable available to all 
service file. What should I do?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [Need Help]: What Systemd service directives to use

[Sietse van Zanen]

Hi Rajat,


PropagateReload should indeed only effect reloads of units, not stops or 
starts, that's what bindsto and partof are for. Systemd should protect against 
reload loops, but it may also give an error. I have not used this situation 
myself so test it.


-Sietse



From: rajat rastogi 
Sent: Thursday, August 30, 2018 11:24
To: Sietse van Zanen
Cc: systemd-devel@lists.freedesktop.org
Subject: Re: [systemd-devel] [Need Help]: What Systemd service directives to use

Hi Sietse,

Thanks for reply.

So if use mentioned directives as below

A.service file
--

PropagatesReloadTo=B

B.service file


PropagatesReloadTo=A

Will not it create a loop? If yes, how to avoid it.

I will re-phrase the requirements:

1. If process A is restarted then B should also be restarted

2. If process B is restarted then A should also be restarted

3. If process A is stopped then B should not be stopped

4. If process B is stopped then B should not be stopped

For the above requirements, I want to know, what directives I need to add to 
service files for A & B.

Regards,
Rajat

On Thu, Aug 30, 2018 at 1:19 PM Sietse van Zanen 
mailto:sie...@wizdom.nu>> wrote:
Hi Rajat,


Take a look at BindsTo, PartOf, PropagatesReloadTo, ReloadPropagatedFrom and 
<https://www.freedesktop.org/software/systemd/man/systemd.unit.html#PropagatesReloadTo=>
 OnFailure. I think a combination of these should achieve what you want,

https://www.freedesktop.org/software/systemd/man/systemd.unit.html#BindsTo=<https://www.freedesktop.org/software/systemd/man/systemd.unit.html#BindsTo>



-Sietse


From: systemd-devel 
mailto:systemd-devel-boun...@lists.freedesktop.org>>
 on behalf of rajat rastogi 
mailto:rajat1.i...@gmail.com>>
Sent: Thursday, August 30, 2018 09:07
To: 
systemd-devel@lists.freedesktop.org<mailto:systemd-devel@lists.freedesktop.org>
Subject: [systemd-devel] [Need Help]: What Systemd service directives to use

Hi,

My name is rajat.

I have below requirement:

There are 2 processes A and B.

For the mentioned processes, below behaviour is required:

1. If process A is restarted then B should also be restarted

2. If process B is restarted then A should also be restarted

For the above-desired behaviour, what Systemd directives I should use? How I 
can avoid circular dependency if any might appear?

Thanks and Regards,
Rajat Rastogi
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [Need Help]: What Systemd service directives to use

[Sietse van Zanen]

Hi Rajat,


Take a look at BindsTo, PartOf, PropagatesReloadTo, ReloadPropagatedFrom and 

 OnFailure. I think a combination of these should achieve what you want,

https://www.freedesktop.org/software/systemd/man/systemd.unit.html#BindsTo=



-Sietse


From: systemd-devel  on behalf of 
rajat rastogi 
Sent: Thursday, August 30, 2018 09:07
To: systemd-devel@lists.freedesktop.org
Subject: [systemd-devel] [Need Help]: What Systemd service directives to use

Hi,

My name is rajat.

I have below requirement:

There are 2 processes A and B.

For the mentioned processes, below behaviour is required:

1. If process A is restarted then B should also be restarted

2. If process B is restarted then A should also be restarted

For the above-desired behaviour, what Systemd directives I should use? How I 
can avoid circular dependency if any might appear?

Thanks and Regards,
Rajat Rastogi
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] udev script can't resolve host name

[Sietse van Zanen]

Jonathan,


Yes that is exactly the case. Look inside he unit filre, systemd-udevd.service. 
It contains lines like:

PrivateMounts=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=@system-service @module @raw-io
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes

I think the SystemCallFilter is your culplrit here. Removing it will probably 
make your script work, but it may also remove important protection.


-Sietse



From: systemd-devel  on behalf of 
Jonathan Kamens 
Sent: Wednesday, August 15, 2018 10:31
To: systemd-devel@lists.freedesktop.org
Subject: [systemd-devel] udev script can't resolve host name


Hi,

If I understand correctly, this mailing list can be used for questions about 
udev as well as about systemd. If that's not correct, somebody please let me 
know and I will go elsewhere (and if you know where that "elsewhere" should be, 
please let me know, that would be helpful!); I don't mean to use the list 
incorrectly.

I want to call a webhook inside a script run via a RUN directive in a udev rule.

When I try to do this, curl says it's unable to resolve the host name of the 
URL I am asking it to fetch.

To collect more data about the cause of this issue, I also tried doing a "ping 
-c 1 8.8.8.8" inside the script, and it gets, "sendmsg: Operation not 
permitted."

I assume this means udev scripts are running inside some sort of restricted 
environment or something, but I can't figure out what controls the restrictions 
on that environment, whether I can loosen them, or how.

I'm on Ubuntu 18.04.

Any advice?

Thank you,

Jonathan Kamens
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel