Web lists-archives.com

Systemd with chroot and under unprivileged user




Running Debian9 with systemd 241-3~bpo9+1 from backports.
Having trouble to start rsyslog service in chroot jail using the systemd service file with RootDirectory and User settings.
Setting AmbientCapabilities=CAP_SYS_CHROOT does not help and still getting following errors:

 rsyslog-chroot@inst.service: Changing to the requested working directory failed: Operation not permitted
 rsyslog-chroot@inst.service: Failed at step CHROOT spawning /usr/sbin/rsyslogd: Operation not permitted
 rsyslog-chroot@inst.service: Main process exited, code=exited, status=210/CHROOT

Any idea how to get it working properly? Starting without the User setting is working just fine.
The workaround might be to set the $PrivDropToUser setting in rsyslog configutation.

Service file:
[Unit]
Description=System Logging Service in chroot /srv/%i
ConditionPathExists=/srv/%i

[Service]
Type=simple
User=eset
Group=eset
PermissionsStartOnly=true
WorkingDirectory=/var/spool/rsyslog
AmbientCapabilities=CAP_SYS_CHROOT
RootDirectory=/srv/%i
RootDirectoryStartOnly=true
ExecStart=/usr/sbin/rsyslogd -n
StandardOutput=journal

[Install]
WantedBy=multi-user.target
Alias=syslog-chroot.service

--
Peter