rudder-relayd.service:步骤 NAMESPACE 失败 - 权限被拒绝

tag-icon tag-icon service proxmox debian-buster rudder relayd
rudder-relayd.service:步骤 NAMESPACE 失败 - 权限被拒绝

我正在尝试在工作中的 Debian buster 上使用 rudder-server,webapp 运行正常,但是其中一个 rudder 服务不起作用,而且我无法收到来自其他节点的报告:

● rudder-relayd.service - Rudder Relay Daemon
   Loaded: loaded (/usr/lib/systemd/system/rudder-relayd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2021-05-19 09:21:32 CEST; 1min 28s ago
  Process: 32493 ExecStart=/opt/rudder/bin/rudder-relayd (code=exited, status=226/NAMESPACE)
 Main PID: 32493 (code=exited, status=226/NAMESPACE)

May 19 09:21:32 rudder-v3 systemd[1]: Started Rudder Relay Daemon.
May 19 09:21:32 rudder-v3 systemd[32493]: rudder-relayd.service: Failed to set up mount namespacing: Permission denied
May 19 09:21:32 rudder-v3 systemd[32493]: rudder-relayd.service: Failed at step NAMESPACE spawning /opt/rudder/bin/rudder-relayd: Permission denied
May 19 09:21:32 rudder-v3 systemd[1]: rudder-relayd.service: Main process exited, code=exited, status=226/NAMESPACE
May 19 09:21:32 rudder-v3 systemd[1]: rudder-relayd.service: Failed with result 'exit-code'.

我的 Debian buster 是 Proxmox 服务器上的一个容器(不是非特权容器),一切都是最新的,但我更改了服务的配置但没有成功:

# vi /usr/lib/systemd/system/rudder-relayd.service
[Unit]
Description=Rudder Relay Daemon
After=network-online.target

[Service]
PrivateTmp=false
NoNewPrivileges=yes
PrivateDevices=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
ReadWritePaths=/var/rudder/reports /var/rudder/inventories /var/rudder/shared-files /var/rudder/cfengine-community/state
ExecStart=/opt/rudder/bin/rudder-relayd
ExecReload=/opt/rudder/bin/rudder relay reload
# Do not restart on known errors, which won't get fixed by themselves
RestartPreventExitStatus=2 3
User=rudder-relayd
Group=rudder

[Install]
RequiredBy=rudder-server.service
WantedBy=multi-user.target

当我执行“/opt/rudder/bin/rudder-relayd”时,没有任何错误:

 INFO relayd: Starting rudder-relayd 6.2.7
 INFO relayd: Read configuration from "/opt/rudder/etc/relayd/"
 INFO relayd::data::node: Parsing nodes list from "/var/rudder/lib/relay/nodeslist.json"
 INFO relayd::api: Starting API on 127.0.0.1:3030
 INFO relayd::input::watch: Starting file watcher on "/var/rudder/reports/incoming"
 INFO relayd: Skipping inventory as it is disabled
 INFO relayd: Server started

该目录的权限为:

# ls -al /opt/rudder/bin/
[..]
-rwxr-xr-x  1 root root 8429816 Nov 22  2017 rudder-relayd
[..]

所有其他舵服务都运行良好,我甚至可以使用管理员帐户访问舵界面。我已经能够接受待处理的节点,但似乎如果舵中继服务关闭,我就无法收到合规性报告,并且会出现以下消息:

Error occured when contacting internal remote-run API to apply classes on Node 'root': (HTTP code 503)

我的测试简要总结:

  • 仅使用以下行更改 rudder-relayd.service 配置“PrivateTmp=false\NoNewPrivileges=yes“ 添加 ;
  • 不直接更改服务文件配置,而是用以下方法覆盖它systemctl edit rudder-relayd.service
  • 每次修改此文件后,我都会使用以下命令重新加载守护进程“systemctl 守护进程重新加载”
  • 在另一个具有相同选项的容器上安装 Rudder(仍然出现相同的错误),在非特权容器上安装 Rudder(这个错误停止了,但出现了其他错误,我不希望这是解决方案);

谢谢

答案1

我认为您应该在主机上使用 lxc 启用嵌套模式,我认为使用以下命令:

lxc config set <id> security.nesting true

答案2

您可以尝试禁用依赖于命名空间的强化选项,即ProtectSystem和。ReadWritePathsPrivateTmp

相关内容