Bug#787758: 'Failed at step NAMESPACE spawning' when using ReadOnlyDirectories in multi-instance service file
nusenu
nusenu at openmailbox.org
Thu Jun 4 22:12:43 BST 2015
> Can you find out what is different between the upgraded and fresh Debian
> installation?
systemd version is on both (fresh and upgraded) systems 215-17, what
else should I check?
> Can you post the complete service file you are using, please?
working service file
(to make it fail on upgraded systems, enable the 4 commented-out Read*
lines):
----------------------------------------
[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target
[Service]
Type = simple
ExecStartPre = /usr/bin/tor -f /etc/tor/enabled/%i.torrc --verify-config
ExecStart = /usr/bin/tor -f /etc/tor/enabled/%i.torrc --runasdaemon 0
ExecReload = /bin/kill -HUP ${MAINPID}
KillSignal = SIGINT
TimeoutSec = 30
Restart = on-failure
#WatchdogSec = 1m
LimitNOFILE = 32768
## Hardening
PrivateTmp = yes
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = full
#ReadOnlyDirectories = /
#ReadWriteDirectories = /var/lib/tor
#ReadWriteDirectories = /var/log/tor
#ReadWriteDirectories = /var/run/tor
NoNewPrivileges = yes
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
PermissionsStartOnly=yes
AppArmorProfile=-system_tor
[Install]
WantedBy = multi-user.target
----------------------------------------
More information about the Pkg-systemd-maintainers
mailing list