Re: [systemd-devel] Newbie systemd-related question - how to run a service w/o anything but network?
On 26/07/12 06:09, Peter Lemenkov wrote:
> Hello All. I'm trying to write a systemd service for epmd (Erlang Port Mapper Daemon, if someone is curious). Its only purpose is to open TCP port 4369 at 0.0.0.0 and act as a simple messaging (very simple actually) bus between Erlang nodes. I'd like to run it w/o anything and under a most restricted system account. So far I'm using this service:
>
> [Unit]
> Description=Erlang Port Mapper Daemon
> After=network.target
>
> [Service]
> User=nobody
> Group=nobody
> Type=simple
> PrivateTmp=true
> NoNewPrivileges=true
> ExecStart=/usr/bin/epmd
> ExecStop=/usr/bin/epmd -kill
>
> [Install]
> WantedBy=multi-user.target
>
> Could someone propose something to restrict it further? It really doesn't need fs access, no exec, no /dev/* access, etc. - just open a socket and send/receive messages. Any advice will be very appreciated.

You also need access to /dev/zero, /dev/null, /dev/urandom and to your OS's nscd socket path, even if your program does not use them.

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Newbie systemd-related question - how to run a service w/o anything but network?
On Thu, Jul 26, 2012 at 1:09 PM, Peter Lemenkov <lemen...@gmail.com> wrote:
> Hello All. I'm trying to write a systemd service for epmd (Erlang Port Mapper Daemon, if someone is curious). Its only purpose is to open TCP port 4369 at 0.0.0.0 and act as a simple messaging (very simple actually) bus between Erlang nodes. I'd like to run it w/o anything and under a most restricted system account. So far I'm using this service:

(Notice: Slightly off topic for systemd, but very on topic for EPMD...)

Please be aware that starting `epmd` under a service monitoring system like systemd (or others) is not 100% possible under the current circumstances. For a detailed explanation please see the following thread on the Erlang mailing list:

http://erlang.org/pipermail/erlang-questions/2011-October/061802.html

The summary is that if someone starts an Erlang application before your `epmd` instance starts, you'll end up with your `epmd` dying and being restarted by systemd in a continuous loop, because each Erlang application tries to start its own `epmd` instance. (Thus there is a race condition here.) In the thread above I've found a workaround for this issue but it's not quite documented...

On the other hand, if you would modify `epmd` to use socket activation, at least the issue will be less likely to happen. (It can still happen if someone starts the Erlang application even before systemd.)

Hope it helps,
Ciprian.
Re: [systemd-devel] Newbie systemd-related question - how to run a service w/o anything but network?
On Thu, 16 Aug 2012 15:33:29 +0300 Ciprian Dorin Craciun <ciprian.crac...@gmail.com> wrote:
> On Thu, Jul 26, 2012 at 1:09 PM, Peter Lemenkov <lemen...@gmail.com> wrote:
> > Hello All. I'm trying to write a systemd service for epmd (Erlang Port Mapper Daemon, if someone is curious). Its only purpose is to open TCP port 4369 at 0.0.0.0 and act as a simple messaging (very simple actually) bus between Erlang nodes. I'd like to run it w/o anything and under a most restricted system account. So far I'm using this service:
>
> (Notice: Slightly off topic for systemd, but very on topic for EPMD...)
>
> Please be aware that starting `epmd` under a service monitoring system like systemd (or others) is not 100% possible under the current circumstances. For a detailed explanation please see the following thread on the Erlang mailing list:
>
> http://erlang.org/pipermail/erlang-questions/2011-October/061802.html
>
> The summary is that if someone starts an Erlang application before your `epmd` instance starts, you'll end up with your `epmd` dying and being restarted by systemd in a continuous loop, because each Erlang application tries to start its own `epmd` instance. (Thus there is a race condition here.) In the thread above I've found a workaround for this issue but it's not quite documented...
>
> On the other hand, if you would modify `epmd` to use socket activation, at least the issue will be less likely to happen. (It can still happen if someone starts the Erlang application even before systemd.)

Other workarounds might be one of the recent patches proposed here on the list - either the one that controls the failure exit code (provided epmd returns a special code on such conflicts) or the one that stops restarts after some time, though I guess the latter might be undesirable, since if epmd gets started along with some service, it might also be killed along with it at some point. Another semi-fix might be just rate-limiting the restarts, which should already be possible.

The whole problem seems to be at least a bit superficial though - if every erlang daemon has Require=epmd.service, the only way to create it is by starting erlang stuff and epmd from some user session, which is also a way to break pretty much every other daemon which can only have one instance (e.g. starting mysqld by hand will break mysqld.service).

--
Mike Kazantsev // fraggod.net
Re: [systemd-devel] Newbie systemd-related question - how to run a service w/o anything but network?
On 07/26/2012 12:09 PM, Peter Lemenkov wrote:
> Hello All. I'm trying to write a systemd service for epmd (Erlang Port Mapper Daemon, if someone is curious). Its only purpose is to open TCP port 4369 at 0.0.0.0 and act as a simple messaging (very simple actually) bus between Erlang nodes. I'd like to run it w/o anything and under a most restricted system account. So far I'm using this service:
>
> [Unit]
> Description=Erlang Port Mapper Daemon
> After=network.target
>
> [Service]
> User=nobody
> Group=nobody
> Type=simple
> PrivateTmp=true
> NoNewPrivileges=true
> ExecStart=/usr/bin/epmd
> ExecStop=/usr/bin/epmd -kill
>
> [Install]
> WantedBy=multi-user.target
>
> Could someone propose something to restrict it further? It really doesn't need fs access, no exec, no /dev/* access, etc. - just open a socket and send/receive messages. Any advice will be very appreciated.

Hi,

1. Change nobody to a custom user. Nobody is used by NFS for unmappable users, and thus should not be used for unprivileged daemons.
2. Type=simple is the default, so it can be dropped.
3. Add RootDirectory=/var/empty
4. If you convert it to socket activation, then it won't even need the privilege to open sockets.
5. Add SystemCallFilter=recv,recvmsg,sendmsg,... (whatever is necessary).

HTH,
Zbyszek
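A unit pair that applies Zbyszek's list together with Ciprian's socket-activation suggestion, added here as an example (it is not from the thread or from the Erlang/OTP project). It assumes a dedicated `epmd` system user already exists, that the epmd binary and its shared libraries are available below the `/var/empty` root (or are bind-mounted there), and that epmd has been modified to take the listening socket handed over by systemd, which the thread notes stock epmd does not do.

```ini
# /etc/systemd/system/epmd.socket  (added example; user "epmd" and a
# socket-activation-capable epmd are assumptions, not facts from the thread)
[Unit]
Description=Erlang Port Mapper Daemon socket

[Socket]
# systemd binds port 4369 itself, so the daemon never needs bind() privileges
ListenStream=0.0.0.0:4369
# epmd serves every client from one process, so hand over a single listening fd
Accept=no

[Install]
WantedBy=sockets.target

# /etc/systemd/system/epmd.service
[Unit]
Description=Erlang Port Mapper Daemon
Requires=epmd.socket
After=network.target epmd.socket
# bound the restart loop from the thread (an Erlang node started first owns the port)
StartLimitIntervalSec=60
StartLimitBurst=5

[Service]
# dedicated account instead of "nobody", which NFS uses for unmappable users
User=epmd
Group=epmd
ExecStart=/usr/bin/epmd
ExecStop=/usr/bin/epmd -kill
Restart=on-failure
# empty root: the binary and its libraries must exist (or be bind-mounted) below it
RootDirectory=/var/empty
# private /dev containing only null, zero, (u)random and similar, which the
# first reply notes the process still needs even if it never opens them
PrivateDevices=true
PrivateTmp=true
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
# no capabilities at all: the socket arrives pre-bound from epmd.socket
CapabilityBoundingSet=
# allow the usual service syscalls, deny privileged and resource-control ones;
# a blocked call returns EPERM instead of SIGSYS so the journal shows what failed
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

Start with `systemctl enable --now epmd.socket` and watch `journalctl -u epmd` for EPERM or SIGSYS failures, tightening or relaxing SystemCallFilter= until epmd runs cleanly; `systemd-analyze security epmd.service` scores the remaining exposure.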