Mailing List Archive

Rsyslog in chroot environment
Hi,
 
I would like to ask if somebody has a similar configuration and ran into the same issues with a new Debian11/Ubuntu22 system as I did.
 
I have a custom package for rsyslog which works fine on Debian10. I want to run it on Debian11 or Ubuntu 22 but the mount commands in ExecStartPre do not work. Or better, they are executed without errors but the mount points are not available. When I execute the mount commands manually and then start the service it looks good. But when the server is restarted the service cannot start due to missing mount points. Below is a small snippet from the file:


[Service]
...
ExecStartPre=-mount -o bind,ro /etc/myrsyslog /chroot/%i/etc/myrsyslog.d
ExecStart=/usr/sbin/myrsyslog-%i -n -f /etc/myrsyslog.d/myrsyslog-%i.conf
....
Any idea why mount commands are ignored?


Edit:


It works fine with systemd 245.4-4ubuntu3.18 but when I upgrade to 249.11-0ubuntu3.4 I can't mount anymore. Exit code for commands is "status=0/SUCCESS". Debug mode reports more entries than on the previous version of systemd (not sure if logging was extended).


Sep 29 15:44:48 myhostname systemd[18647]: Bind-mounting / on /run/systemd/unit-root (MS_BIND|MS_REC "")...
Sep 29 15:44:48 myhostname systemd[18647]: Applying namespace mount on /run/systemd/unit-root/run/credentials
Sep 29 15:44:48 myhostname systemd[18647]: Successfully unmounted /run/systemd/unit-root/run/credentials/systemd-sysusers.service
Sep 29 15:44:48 myhostname systemd[18647]: Bind-mounting /run/systemd/inaccessible/dir on /run/systemd/unit-root/run/credentials (MS_BIND|MS_REC "")...
Sep 29 15:44:48 myhostname systemd[18647]: Successfully mounted /run/systemd/inaccessible/dir to /run/systemd/unit-root/run/credentials
Sep 29 15:44:48 myhostname systemd[18647]: Applying namespace mount on /run/systemd/unit-root/run/systemd/incoming
Sep 29 15:44:48 myhostname systemd[18647]: Followed source symlinks /run/systemd/propagate/myrsyslog → /run/systemd/propagate/myrsyslog.
Sep 29 15:44:48 myhostname systemd[18647]: Bind-mounting /run/systemd/propagate/mysrsyslog on /run/systemd/unit-root/run/systemd/incoming (MS_BIND "")...
Sep 29 15:44:48 myhostname systemd[18647]: Successfully mounted /run/systemd/propagate/myrsyslog to /run/systemd/unit-root/run/systemd/incoming
Sep 29 15:44:48 myhostname systemd[18647]: Remounted /run/systemd/unit-root/run/credentials.
Sep 29 15:44:48 myhostname systemd[18647]: Remounted /run/systemd/unit-root/run/systemd/incoming.
Sep 29 15:44:48 myhostname systemd[18647]: Remounted /run/systemd/unit-root/run/credentials


The basic folder structure is created with jailtool, which is an old package, but I tried the same with jailkit with the same result.

Start/restart/stop of the service was done as the root user.

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
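
Added example (not part of the original post or of rsyslog/systemd): the debug lines above show systemd bind-mounting / onto /run/systemd/unit-root, which it does when it builds a separate mount namespace for a unit's processes, and a mount made inside such a namespace need not be visible on the host. The script below checks where a bind mount is visible by comparing mountinfo tables; the instance name "a", the device names and all sample data are constructed assumptions.

```shell
#!/bin/sh
# Added example: is a bind mount visible on the host, or only inside the
# mount namespace systemd built for the unit? All sample data is constructed.

# Two debug lines in the format quoted in the post.
SAMPLE_LOG='Sep 29 15:44:48 myhostname systemd[18647]: Bind-mounting / on /run/systemd/unit-root (MS_BIND|MS_REC "")...
Sep 29 15:44:48 myhostname systemd[18647]: Remounted /run/systemd/unit-root/run/credentials.'

# /proc/<pid>/mountinfo excerpts; field 5 is the mount point. Instance "a"
# and the device names are assumptions.
HOST_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
35 22 0:24 / /run rw,nosuid shared:5 - tmpfs tmpfs rw'
UNIT_MOUNTINFO='410 409 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw
411 410 0:24 / /run rw,nosuid master:5 - tmpfs tmpfs rw
412 410 8:1 /etc/myrsyslog /chroot/a/etc/myrsyslog.d ro,relatime master:1 - ext4 /dev/sda1 rw'

# True if the log on stdin shows systemd assembling a private root for the unit.
log_shows_private_ns() {
    grep -q 'Bind-mounting / on /run/systemd/unit-root'
}

# True if mount point $2 is listed in mountinfo text $1.
has_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp { f = 1 } END { exit !f }'
}

# Propagation of mount point $2 in mountinfo text $1, read from the optional
# fields between field 6 and the "-" separator: shared, slave or private.
propagation_of() {
    printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp {
        p = "private"
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^shared:/) p = "shared"
            else if ($i ~ /^master:/ && p != "shared") p = "slave"
        }
        print p; exit
    }'
}

# Where is mount point $3 visible? $1 = host mountinfo, $2 = unit mountinfo.
classify() {
    if has_mount "$1" "$3"; then echo host-visible
    elif has_mount "$2" "$3"; then echo unit-namespace-only
    else echo not-mounted
    fi
}

# Live check as root: $1 = unit name, $2 = mount point. Needs a running main PID.
check_unit() {
    pid=$(systemctl show -p MainPID --value "$1")
    [ "${pid:-0}" -gt 0 ] || { echo no-main-pid; return 1; }
    echo "PID 1: $(readlink /proc/1/ns/mnt), unit: $(readlink "/proc/$pid/ns/mnt")"
    classify "$(cat /proc/1/mountinfo)" "$(cat "/proc/$pid/mountinfo")" "$2"
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | log_shows_private_ns && echo "private mount namespace in use"
echo "bind mount: $(classify "$HOST_MOUNTINFO" "$UNIT_MOUNTINFO" /chroot/a/etc/myrsyslog.d)"
echo "propagation: $(propagation_of "$UNIT_MOUNTINFO" /chroot/a/etc/myrsyslog.d)"
```

On a live system, `check_unit` prints the two namespace identifiers and the same verdict for a running unit; differing `mnt:[...]` values mean the unit does not share the host's mount table.
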
Re: Rsyslog in chroot environment [ In reply to ]
Make sure the network service is up and running before attempting mounts. You may have to add the following to the Unit section of the service file…

After=network.target

Regards,



> On Oct 13, 2022, at 09:37, Jozef Zajac via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> Hi,
>
> I would like to ask if somebody has a similar configuration and ran into the same issues with a new Debian11/Ubuntu22 system as I did.
>
> I have a custom package for rsyslog which works fine on Debian10. I want to run it on Debian11 or Ubuntu 22 but the mount commands in ExecStartPre do not work. Or better, they are executed without errors but the mount points are not available. When I execute the mount commands manually and then start the service it looks good. But when the server is restarted the service cannot start due to missing mount points. Below is a small snippet from the file:
>
>
> [Service]
> ...
> ExecStartPre=-mount -o bind,ro /etc/myrsyslog /chroot/%i/etc/myrsyslog.d
> ExecStart=/usr/sbin/myrsyslog-%i -n -f /etc/myrsyslog.d/myrsyslog-%i.conf
> ....
> Any idea why mount commands are ignored?
>
>
> Edit:
>
>
> It works fine with systemd 245.4-4ubuntu3.18 but when I upgrade to 249.11-0ubuntu3.4 I can't mount anymore. Exit code for commands is "status=0/SUCCESS". Debug mode reports more entries than on the previous version of systemd (not sure if logging was extended).
>
>
> Sep 29 15:44:48 myhostname systemd[18647]: Bind-mounting / on /run/systemd/unit-root (MS_BIND|MS_REC "")...
> Sep 29 15:44:48 myhostname systemd[18647]: Applying namespace mount on /run/systemd/unit-root/run/credentials
> Sep 29 15:44:48 myhostname systemd[18647]: Successfully unmounted /run/systemd/unit-root/run/credentials/systemd-sysusers.service
> Sep 29 15:44:48 myhostname systemd[18647]: Bind-mounting /run/systemd/inaccessible/dir on /run/systemd/unit-root/run/credentials (MS_BIND|MS_REC "")...
> Sep 29 15:44:48 myhostname systemd[18647]: Successfully mounted /run/systemd/inaccessible/dir to /run/systemd/unit-root/run/credentials
> Sep 29 15:44:48 myhostname systemd[18647]: Applying namespace mount on /run/systemd/unit-root/run/systemd/incoming
> Sep 29 15:44:48 myhostname systemd[18647]: Followed source symlinks /run/systemd/propagate/myrsyslog → /run/systemd/propagate/myrsyslog.
> Sep 29 15:44:48 myhostname systemd[18647]: Bind-mounting /run/systemd/propagate/mysrsyslog on /run/systemd/unit-root/run/systemd/incoming (MS_BIND "")...
> Sep 29 15:44:48 myhostname systemd[18647]: Successfully mounted /run/systemd/propagate/myrsyslog to /run/systemd/unit-root/run/systemd/incoming
> Sep 29 15:44:48 myhostname systemd[18647]: Remounted /run/systemd/unit-root/run/credentials.
> Sep 29 15:44:48 myhostname systemd[18647]: Remounted /run/systemd/unit-root/run/systemd/incoming.
> Sep 29 15:44:48 myhostname systemd[18647]: Remounted /run/systemd/unit-root/run/credentials
>
>
> The basic folder structure is created with jailtool, which is an old package, but I tried the same with jailkit with the same result.
>
> Start/restart/stop of the service was done as the root user.
Re: Rsyslog in chroot environment [ In reply to ]
Also, with systemd and SELinux the permissions that rsyslog has at startup are
different than if you start it manually as root.

David Lang

On Thu, 13 Oct 2022, John Chivian via rsyslog wrote:

> Make sure the network service is up and running before attempting mounts. You may have to add the following to the Unit section of the service file…
>
> After=network.target
>
> Regards,
Re: Rsyslog in chroot environment [ In reply to ]
Hello,
 
The Unit section had included the following:
 
After=remote-fs.target local-fs.target network-online.target
 
I edited the service and ran daemon-reload with the following entry:
 
After=remote-fs.target local-fs.target network-online.target network.target
 
The mentioned service was running:


systemctl status network.target
● network.target - Network
     Loaded: loaded (/lib/systemd/system/network.target; static)
 
     Active: active since Thu 2022-09-29 13:35:18 CEST; 1 week 6 days ago
 
But when I tried to start rsyslog-myservice it just failed again.
 
Regards,
J.
 
Re: Rsyslog in chroot environment [ In reply to ]
SELinux:
 
$getenforce
Command 'getenforce' not found, but can be installed with:
apt install selinux-utils
$ sestatus
Command 'sestatus' not found, but can be installed with:
apt install policycoreutils
$ selinuxenabled
Command 'selinuxenabled' not found, but can be installed with:
apt install selinux-utils
 
I also cannot start the service with systemd as root after a reboot. First I have to run the mount commands manually. After that I can start/restart the service without any issues. After the next reboot of the machine I have to mount manually and then it works fine again.
 