I am trying to use rudder-server on Debian buster at work. The webapp runs fine, but one of the rudder services does not work and I cannot receive reports from the other nodes:
● rudder-relayd.service - Rudder Relay Daemon
Loaded: loaded (/usr/lib/systemd/system/rudder-relayd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2021-05-19 09:21:32 CEST; 1min 28s ago
Process: 32493 ExecStart=/opt/rudder/bin/rudder-relayd (code=exited, status=226/NAMESPACE)
Main PID: 32493 (code=exited, status=226/NAMESPACE)
May 19 09:21:32 rudder-v3 systemd[1]: Started Rudder Relay Daemon.
May 19 09:21:32 rudder-v3 systemd[32493]: rudder-relayd.service: Failed to set up mount namespacing: Permission denied
May 19 09:21:32 rudder-v3 systemd[32493]: rudder-relayd.service: Failed at step NAMESPACE spawning /opt/rudder/bin/rudder-relayd: Permission denied
May 19 09:21:32 rudder-v3 systemd[1]: rudder-relayd.service: Main process exited, code=exited, status=226/NAMESPACE
May 19 09:21:32 rudder-v3 systemd[1]: rudder-relayd.service: Failed with result 'exit-code'.
My Debian buster is a container on a Proxmox server (not an unprivileged container). Everything is up to date, but I changed the service configuration without success:
# vi /usr/lib/systemd/system/rudder-relayd.service
[Unit]
Description=Rudder Relay Daemon
After=network-online.target
[Service]
PrivateTmp=false
NoNewPrivileges=yes
PrivateDevices=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
ReadWritePaths=/var/rudder/reports /var/rudder/inventories /var/rudder/shared-files /var/rudder/cfengine-community/state
ExecStart=/opt/rudder/bin/rudder-relayd
ExecReload=/opt/rudder/bin/rudder relay reload
# Do not restart on known errors, which won't get fixed by themselves
RestartPreventExitStatus=2 3
User=rudder-relayd
Group=rudder
[Install]
RequiredBy=rudder-server.service
WantedBy=multi-user.target
When I run "/opt/rudder/bin/rudder-relayd" directly, there are no errors:
INFO relayd: Starting rudder-relayd 6.2.7
INFO relayd: Read configuration from "/opt/rudder/etc/relayd/"
INFO relayd::data::node: Parsing nodes list from "/var/rudder/lib/relay/nodeslist.json"
INFO relayd::api: Starting API on 127.0.0.1:3030
INFO relayd::input::watch: Starting file watcher on "/var/rudder/reports/incoming"
INFO relayd: Skipping inventory as it is disabled
INFO relayd: Server started
The permissions of that directory are:
# ls -al /opt/rudder/bin/
[..]
-rwxr-xr-x 1 root root 8429816 Nov 22 2017 rudder-relayd
[..]
All the other Rudder services run fine, and I can even access the Rudder interface with the admin account. I was able to accept the pending nodes, but it seems that when the rudder relay service is down I cannot receive compliance reports, and I get the following message:
Error occured when contacting internal remote-run API to apply classes on Node 'root': (HTTP code 503)
A brief summary of my tests:
- changing the rudder-relayd.service configuration with only the lines "PrivateTmp=false\NoNewPrivileges=yes" added;
- not changing the service file directly, but overriding it with systemctl edit rudder-relayd.service;
- after each modification of this file, reloading the daemon with "systemctl daemon-reload";
- installing Rudder on another container with the same options (still the same error), and installing Rudder on an unprivileged container (this error went away, but other errors appeared, and I do not want that to be the solution);
Thanks
Answer 1
I think you should enable nesting mode with lxc on the host, I think with the following command:
lxc config set <id> security.nesting true
Answer 2
You can try disabling the hardening options that depend on namespaces, i.e. ProtectSystem, ReadWritePaths and PrivateTmp.
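As an added example (not code from the original post, the answers, or the Rudder project), the script below shows how a practitioner would act on Answer 2 in a container that cannot create mount namespaces: it first checks whether the kernel lets the container unshare a mount namespace at all (the operation that fails at step NAMESPACE), lists the namespace-dependent directives present in a unit file, and writes a systemd drop-in that resets them. Note that an empty `ReadWritePaths=` is needed to clear the list inherited from the vendor unit; setting `ProtectSystem=false` alone, as in the question, still leaves a non-empty `ReadWritePaths=`, which by itself makes systemd set up a mount namespace. `NoNewPrivileges=yes` does not need a namespace and is left in place. The unit name, drop-in path and the `--apply` flag are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the Rudder project.
# Assumptions: unit is rudder-relayd.service, drop-ins live under
# /etc/systemd/system/<unit>.d/, and "--apply" is a flag of this script only.
set -eu

UNIT="rudder-relayd.service"

# Directives that make systemd build a mount namespace for the service.
# ReadWritePaths= is the one most often missed: even with ProtectSystem=no,
# a non-empty ReadWritePaths= still requires mount namespacing.
NS_DIRECTIVES="PrivateTmp PrivateDevices ProtectSystem ProtectHome ProtectControlGroups ProtectKernelModules ProtectKernelTunables ReadWritePaths ReadOnlyPaths InaccessiblePaths"

# Can this container create a mount namespace? This is what systemd does
# before spawning a sandboxed unit; if it fails here, it fails for systemd too.
can_mount_namespace() {
    unshare -m true 2>/dev/null
}

# Print the namespace-dependent directives found in a unit file, one per line.
list_ns_directives() {
    unit_file=$1
    for d in $NS_DIRECTIVES; do
        if grep -Eq "^[[:space:]]*$d=" "$unit_file"; then
            echo "$d"
        fi
    done
}

# Write a drop-in that resets every namespace-dependent directive.
# An empty "Name=" clears a path list inherited from the vendor unit;
# "=no" is enough for the booleans. Prints the path of the drop-in written.
write_override() {
    dropin_dir=$1
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/no-namespace.conf" <<'EOF'
[Service]
ReadWritePaths=
ReadOnlyPaths=
InaccessiblePaths=
PrivateTmp=no
PrivateDevices=no
ProtectSystem=no
ProtectHome=no
ProtectControlGroups=no
ProtectKernelModules=no
ProtectKernelTunables=no
EOF
    echo "$dropin_dir/no-namespace.conf"
}

# Full procedure; only runs when explicitly requested so the file can also be
# sourced for its helper functions.
if [ "${1:-}" = "--apply" ]; then
    if can_mount_namespace; then
        echo "mount namespaces work here; 226/NAMESPACE has another cause" >&2
        exit 1
    fi
    echo "namespace-dependent directives in the vendor unit:"
    list_ns_directives "/usr/lib/systemd/system/$UNIT"
    write_override "/etc/systemd/system/$UNIT.d"
    systemctl daemon-reload
    systemctl restart "$UNIT"
    systemctl show "$UNIT" -p PrivateTmp -p ProtectSystem -p ReadWritePaths
fi
```

Run it as root inside the container with `--apply`; `systemctl show` afterwards confirms the effective values, and `systemctl status` should no longer report status=226/NAMESPACE. Be aware of the trade-off: the drop-in removes the filesystem sandboxing the vendor unit gave rudder-relayd, so the daemon now relies only on `User=`/`Group=` and `NoNewPrivileges=` for containment. Answer 1 keeps the sandbox instead by letting the container create nested namespaces; on Proxmox that container feature is `nesting=1` (`pct set <vmid> --features nesting=1`), which itself widens what a privileged container may do, so pick the option that matches your threat model.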