From: Petr V. <pv...@su...> - 2024-08-23 00:23:46
Hi,

NOTE I'm not a systemd expert, others may understand more.

But I'm trying to upstream various hardening options which we have been
using since 2021. Adding EnvironmentFile I tested locally today.
systemd-tmpfiles-setup.service should also be safe.

Kind regards,
Petr

Josue Ortega (1):
  man/rpcbind: Add Files section to manpage

Petr Vorel (3):
  systemd/rpcbind.service.in: Add few default EnvironmentFile
  systemd/rpcbind.service.in: Add various hardenings options
  systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup

 man/rpcbind.8              |  8 ++++++++
 systemd/rpcbind.service.in | 16 +++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

-- 
2.45.2
From: Petr V. <pv...@su...> - 2024-08-23 00:23:42
From: Josue Ortega <jo...@de...> Previous commit added 3 non-default files, mention them in man page. Signed-off-by: Petr Vorel <pv...@su...> --- man/rpcbind.8 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/man/rpcbind.8 b/man/rpcbind.8 index fbf0ace..cdcdcfd 100644 --- a/man/rpcbind.8 +++ b/man/rpcbind.8 @@ -150,6 +150,14 @@ starts up. The state file is created when .Nm terminates. .El +.Sh FILES +The +.Nm +utility tries to load configuration file in following order: +.Bd -literal +.Pa /etc/rpcbind.conf +.Pa /etc/default/rpcbind +.Pa /etc/sysconfig/rpcbind .Sh NOTES All RPC servers must be restarted if .Nm -- 2.45.2 |
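Review bot: the `.Bd -literal` display opened before the three `.Pa` lines is never closed; an `.Ed` is needed before `.Sh NOTES`, otherwise mandoc reports an unclosed block and the literal display runs into the next section. Two wording points in the same hunk: "tries to load configuration file in following order" reads as first-match-wins, whereas these paths are the unit's `EnvironmentFile=` entries, all of which are read in that order with later assignments overriding earlier ones; and it is the systemd unit, not the rpcbind binary, that reads them, so administrators starting rpcbind by other means would be misled. Suggest something like "The systemd unit reads the following environment files, in order, if they exist:" followed by the three paths.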
From: Petr V. <pv...@su...> - 2024-08-23 00:23:42
Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2] where /var/run/rpcbind.lock cannot be created due missing /var/run/ directory. But the suggestion to add RequiresMountFor=... was implemented in ee569be ("Fix boot dependency in systemd service file"). But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and /run/rpcbind.lock there is error on openSUSE Tumbleweed with rpcbind 1.2.6: rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system Adding systemd-tmpfiles-setup.service fixes it. NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but systemd-tmpfiles-setup.service looks to me more specific). openSUSE uses only After=sysinit.target as a result of #1117217 [3] (also works). [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561 [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217 Signed-off-by: Petr Vorel <pv...@su...> --- systemd/rpcbind.service.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in index 272e55a..771b944 100644 --- a/systemd/rpcbind.service.in +++ b/systemd/rpcbind.service.in @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@ # Make sure we use the IP addresses listed for # rpcbind.socket, no matter how this unit is started. Requires=rpcbind.socket -Wants=rpcbind.target +Wants=rpcbind.target systemd-tmpfiles-setup.service +After=systemd-tmpfiles-setup.service [Service] ProtectSystem=full -- 2.45.2 |
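Review bot: the `ProtectSystem=full` context line shows this hunk is applied on top of 3/4, and the NAMESPACE step quoted in the message is exactly where the `Protect*`/`Private*` options from 3/4 take effect, so between 3/4 and 4/4 the unit fails to start on the affected systems; either reorder this patch before the hardening one or squash the two so the series stays bisectable. Also worth a comment next to the two added lines: `Wants=` plus `After=` only orders startup and does not fail rpcbind if tmpfiles setup fails, which is the intended weak dependency, and a one-line note that the ordering exists so the lock and state directory under `@statedir@` is populated first would save the next reader a trip through the three bug trackers cited in the message.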
[Libtirpc-devel] [RFC][PATCH rpcbind 3/4]
systemd/rpcbind.service.in: Add various hardenings options
From: Petr V. <pv...@su...> - 2024-08-23 00:23:47
We've been running rpcbind 1.2.6 with it in openSUSE since 2021. NOTE: In systemd < 244 (released Nov 2019) some of these options are unknown and will produce warnings, see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort Cc: Johannes Segitz <js...@su...> Signed-off-by: Petr Vorel <pv...@su...> --- systemd/rpcbind.service.in | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in index c5bbd5e..272e55a 100644 --- a/systemd/rpcbind.service.in +++ b/systemd/rpcbind.service.in @@ -10,6 +10,16 @@ Requires=rpcbind.socket Wants=rpcbind.target [Service] +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true Type=notify # distro can provide a drop-in adding EnvironmentFile=-/??? if needed. EnvironmentFile=-/etc/rpcbind.conf -- 2.45.2 |
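Review bot: the systemd version caveat lives only in the commit message; put a one-line comment above the block in the unit itself (for example `# Sandboxing; options unknown to older systemd only log a warning`), since that is what packagers on older releases will be reading when the warnings appear. On the threshold, ProtectClock= was added in systemd 245, one release after ProtectKernelLogs= (244), so the "< 244" in the message is off by one for that option. The same comment should state that `ProtectSystem=full` leaves /run writable, which is why the lock file and warm-start state under `@statedir@` (see the `RequiresMountsFor=@statedir@` line at the top of the unit) keep working; anyone later tightening this to `ProtectSystem=strict` would have to preserve that with `RuntimeDirectory=` or `ReadWritePaths=`.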
From: Petr V. <pv...@su...> - 2024-08-23 00:23:46
Add some defaults so that distros can drop patches to configure it. * openSUSE and Fedora use /etc/sysconfig/rpcbind https://build.opensuse.org/projects/network/packages/rpcbind/files/0001-systemd-unit-files.patch?expand=1 https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.3-systemd-envfile.patch * Debian uses /etc/rpcbind.conf and /etc/default/rpcbind https://salsa.debian.org/debian/rpcbind/-/blob/buster/debian/rpcbind.service?ref_type=heads Add all these 3 in order: * /etc/rpcbind.conf * /etc/default/rpcbind * /etc/sysconfig/rpcbind Signed-off-by: Petr Vorel <pv...@su...> --- systemd/rpcbind.service.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in index c892ca8..c5bbd5e 100644 --- a/systemd/rpcbind.service.in +++ b/systemd/rpcbind.service.in @@ -12,6 +12,9 @@ Wants=rpcbind.target [Service] Type=notify # distro can provide a drop-in adding EnvironmentFile=-/??? if needed. +EnvironmentFile=-/etc/rpcbind.conf +EnvironmentFile=-/etc/default/rpcbind +EnvironmentFile=-/etc/sysconfig/rpcbind ExecStart=@_sbindir@/rpcbind $RPCBIND_OPTIONS @warmstarts_opt@ -f [Install] -- 2.45.2 |
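Review bot: the comment kept as context, `# distro can provide a drop-in adding EnvironmentFile=-/??? if needed.`, is now stale once three defaults exist; it should describe the new behaviour (all three files are read in the listed order, later assignments override earlier ones, and the `-` prefix makes a missing file non-fatal) and say a drop-in is only needed for a further location. The order also matters for Debian, which per the message ships both /etc/rpcbind.conf and /etc/default/rpcbind: values in /etc/default/rpcbind win over /etc/rpcbind.conf, and the message should say so. Since whatever lands in `$RPCBIND_OPTIONS` is appended to the `ExecStart=` command line, the FILES section from 1/4 is the place to note that these files must stay root-owned and not group or world writable.

As an added illustration of what the three `EnvironmentFile=` lines above do (example code, not part of the patch or the rpcbind project), the following POSIX shell script models systemd's handling: files are read in the listed order, a later assignment overrides an earlier one, and the `-` prefix makes a missing file non-fatal. The three config files are constructed in a temporary directory; their names and contents are assumptions for the demonstration, and sourcing them with `.` stands in for systemd's own environment-file parser.

```shell
#!/bin/sh
# Model of how systemd applies several EnvironmentFile= lines.
# Added example, not code from the rpcbind project: the files below are
# constructed stand-ins for /etc/rpcbind.conf, /etc/default/rpcbind and
# /etc/sysconfig/rpcbind.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files. The sysconfig one deliberately does not exist,
# to exercise the "-" (ignore if missing) prefix.
printf 'RPCBIND_OPTIONS="-w"\n' > "$WORK/rpcbind.conf"
printf '# Debian-style file\nRPCBIND_OPTIONS="-w -l"\n' > "$WORK/default-rpcbind"

# effective_options FILESPEC... : emulate EnvironmentFile= handling for the
# RPCBIND_OPTIONS variable and print the value ExecStart= would see.
# A FILESPEC starting with "-" is optional; any other missing file is an error,
# which mirrors how systemd fails the unit for a required file.
effective_options() {
    RPCBIND_OPTIONS=""
    for spec in "$@"; do
        case $spec in
            -*) file=${spec#-}; optional=1 ;;
            *)  file=$spec;     optional=0 ;;
        esac
        if [ ! -r "$file" ]; then
            [ "$optional" -eq 1 ] && continue
            echo "required environment file missing: $file" >&2
            return 1
        fi
        # Source in the current shell: a later file overrides an earlier one,
        # the same precedence the unit's three EnvironmentFile= lines give.
        . "$file"
    done
    printf '%s\n' "$RPCBIND_OPTIONS"
}

# Same order as the unit: rpcbind.conf, then default/rpcbind, then sysconfig.
effective_options "-$WORK/rpcbind.conf" "-$WORK/default-rpcbind" "-$WORK/sysconfig-rpcbind"
```

Running it prints `-w -l`: the Debian-style default file wins over rpcbind.conf because it is listed later, not because it was found first, and the absent sysconfig file is skipped without error. Listing the files in the opposite order flips the result, which is the point a packager deciding on the order in the unit needs to keep in mind.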
From: Petr V. <pv...@su...> - 2024-08-23 01:01:52
Hi Steve, > Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora > rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2] > where /var/run/rpcbind.lock cannot be created due missing /var/run/ > directory. But the suggestion to add RequiresMountFor=... was > implemented in ee569be ("Fix boot dependency in systemd service file"). > But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and > /run/rpcbind.lock there is error on openSUSE Tumbleweed with rpcbind > 1.2.6: > rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system > Adding systemd-tmpfiles-setup.service fixes it. > NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but > systemd-tmpfiles-setup.service looks to me more specific). > openSUSE uses only After=sysinit.target as a result of #1117217 [3] > (also works). Reading RH #1117217 once more I wonder if old Fedora patch [4], which places rpcbind.lock into /var/run/rpcbind/ would be a better solution: configure.ac - --with-statedir=ARG use ARG as state dir [default=/var/run/rpcbind] + --with-statedir=ARG use ARG as state dir [default=/run/rpcbind] ... - with_statedir=/var/run/rpcbind + with_statedir=/run/rpcbind src/rpcbind.c -#define RPCBINDDLOCK "/var/run/rpcbind.lock" +#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock" But I suppose other out-of-tree patch [5] is not a dependency for it, right? Debian [6] and openSUSE [7] use more simpler version to move to /run. Maybe time to upstream Fedora patch and distros will adopt it? 
Kind regards, Petr > [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561 > [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217 [4] https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.4-runstatdir.patch [5] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-rundir.patch [6] https://salsa.debian.org/debian/rpcbind/-/blob/master/debian/patches/run-migration?ref_type=heads [7] https://build.opensuse.org/projects/openSUSE:Factory/packages/rpcbind/files/0001-change-lockingdir-to-run.patch?expand=1 > Signed-off-by: Petr Vorel <pv...@su...> > --- > systemd/rpcbind.service.in | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in > index 272e55a..771b944 100644 > --- a/systemd/rpcbind.service.in > +++ b/systemd/rpcbind.service.in > @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@ > # Make sure we use the IP addresses listed for > # rpcbind.socket, no matter how this unit is started. > Requires=rpcbind.socket > -Wants=rpcbind.target > +Wants=rpcbind.target systemd-tmpfiles-setup.service > +After=systemd-tmpfiles-setup.service > [Service] > ProtectSystem=full |
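Review bot: in the sketched Fedora change, `#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock"` relies on RPCBIND_STATEDIR being a string literal at preprocessing time, so the build has to pass the `with_statedir` configure value as `-DRPCBIND_STATEDIR=\"...\"` or define it in a generated header; if it is only a shell variable in configure.ac the compile breaks. Moving the lock from /var/run/rpcbind.lock into the state directory also means it lives in the directory that `RequiresMountsFor=@statedir@` in the unit already waits for, which addresses the missing /var/run/ directory problem from the 4/4 message at its root; whichever patch upstreams it should say so in its message.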
From: Steve D. <st...@re...> - 2024-08-30 15:40:38
Hey! My apologies for taking so long to address these patches. On 8/22/24 9:01 PM, Petr Vorel wrote: > Hi Steve, > >> Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora >> rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2] >> where /var/run/rpcbind.lock cannot be created due missing /var/run/ >> directory. But the suggestion to add RequiresMountFor=... was >> implemented in ee569be ("Fix boot dependency in systemd service file"). > >> But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and >> /run/rpcbind.lock there is error on openSUSE Tumbleweed with rpcbind >> 1.2.6: > >> rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system > >> Adding systemd-tmpfiles-setup.service fixes it. > >> NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but >> systemd-tmpfiles-setup.service looks to me more specific). >> openSUSE uses only After=sysinit.target as a result of #1117217 [3] >> (also works). > > Reading RH #1117217 once more I wonder if old Fedora patch [4], which places > rpcbind.lock into /var/run/rpcbind/ would be a better solution: > > configure.ac > - --with-statedir=ARG use ARG as state dir [default=/var/run/rpcbind] > + --with-statedir=ARG use ARG as state dir [default=/run/rpcbind] > ... > - with_statedir=/var/run/rpcbind > + with_statedir=/run/rpcbind > > src/rpcbind.c > -#define RPCBINDDLOCK "/var/run/rpcbind.lock" > +#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock" > > But I suppose other out-of-tree patch [5] is not a dependency for it, right? I don't like out-of-tree patch but sometimes they are necessary since I didn't what to force other distros to adapt what I made Fedora use. > > Debian [6] and openSUSE [7] use more simpler version to move to /run. Maybe time > to upstream Fedora patch and distros will adopt it? It is time! :-) I'm all for distros to consolidate into one code base... it is much easier to find bugs and support. IMHO. 
Please send patches [6] and [7] in the correct patch form and I will commit them and mostly like create another release. Thank you.. for point these differences out!! steved. > > Kind regards, > Petr > >> [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch >> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561 >> [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217 > > [4] https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.4-runstatdir.patch > [5] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-rundir.patch > [6] https://salsa.debian.org/debian/rpcbind/-/blob/master/debian/patches/run-migration?ref_type=heads > [7] https://build.opensuse.org/projects/openSUSE:Factory/packages/rpcbind/files/0001-change-lockingdir-to-run.patch?expand=1 > >> Signed-off-by: Petr Vorel <pv...@su...> >> --- >> systemd/rpcbind.service.in | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) > >> diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in >> index 272e55a..771b944 100644 >> --- a/systemd/rpcbind.service.in >> +++ b/systemd/rpcbind.service.in >> @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@ >> # Make sure we use the IP addresses listed for >> # rpcbind.socket, no matter how this unit is started. >> Requires=rpcbind.socket >> -Wants=rpcbind.target >> +Wants=rpcbind.target systemd-tmpfiles-setup.service >> +After=systemd-tmpfiles-setup.service > >> [Service] >> ProtectSystem=full > |
From: Petr V. <pv...@su...> - 2024-08-30 16:51:32
Hi Steve, > Hey! > My apologies for taking so long to address these patches. No problem, understand you're busy. > On 8/22/24 9:01 PM, Petr Vorel wrote: > > Hi Steve, > > > Add Want/After systemd-tmpfiles-setup.service. This is taken from Fedora > > > rpcbind-0.2.4-5.fc25 patch [1] which tried to handle bug #1401561 [2] > > > where /var/run/rpcbind.lock cannot be created due missing /var/run/ > > > directory. But the suggestion to add RequiresMountFor=... was > > > implemented in ee569be ("Fix boot dependency in systemd service file"). > > > But even with RequiresMountsFor=/run/rpcbind in rpcbind.service and > > > /run/rpcbind.lock there is error on openSUSE Tumbleweed with rpcbind > > > 1.2.6: > > > rpcbind.service: Failed at step NAMESPACE spawning /usr/sbin/rpcbind: Read-only file system > > > Adding systemd-tmpfiles-setup.service fixes it. > > > NOTE: Debian uses for this purpose remote-fs-pre.target (also works, but > > > systemd-tmpfiles-setup.service looks to me more specific). > > > openSUSE uses only After=sysinit.target as a result of #1117217 [3] > > > (also works). > > Reading RH #1117217 once more I wonder if old Fedora patch [4], which places > > rpcbind.lock into /var/run/rpcbind/ would be a better solution: > > configure.ac > > - --with-statedir=ARG use ARG as state dir [default=/var/run/rpcbind] > > + --with-statedir=ARG use ARG as state dir [default=/run/rpcbind] > > ... > > - with_statedir=/var/run/rpcbind > > + with_statedir=/run/rpcbind > > src/rpcbind.c > > -#define RPCBINDDLOCK "/var/run/rpcbind.lock" > > +#define RPCBINDDLOCK RPCBIND_STATEDIR "/rpcbind.lock" > > But I suppose other out-of-tree patch [5] is not a dependency for it, right? > I don't like out-of-tree patch but sometimes they are necessary > since I didn't what to force other distros to adapt what > I made Fedora use. Sure, let's drop this. 
I was also thinking to add this as a configuration issue, but I suppose most of the distro maintainers are perfectly ok with this directory patch. > > Debian [6] and openSUSE [7] use more simpler version to move to /run. Maybe time > > to upstream Fedora patch and distros will adopt it? > It is time! :-) I'm all for distros to consolidate into one code > base... it is much easier to find bugs and support. IMHO. > Please send patches [6] and [7] in the correct patch form and > I will commit them and mostly like create another release. I'll do, thanks! Kind regards, Petr > Thank you.. for point these differences out!! > steved. > > Kind regards, > > Petr > > > [1] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-service.patch > > > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1401561 > > > [3] https://bugzilla.suse.com/show_bug.cgi?id=1117217 > > [4] https://src.fedoraproject.org/rpms/rpcbind/blob/f41/f/rpcbind-0.2.4-runstatdir.patch > > [5] https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind-0.2.4-systemd-rundir.patch > > [6] https://salsa.debian.org/debian/rpcbind/-/blob/master/debian/patches/run-migration?ref_type=heads > > [7] https://build.opensuse.org/projects/openSUSE:Factory/packages/rpcbind/files/0001-change-lockingdir-to-run.patch?expand=1 > > > Signed-off-by: Petr Vorel <pv...@su...> > > > --- > > > systemd/rpcbind.service.in | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in > > > index 272e55a..771b944 100644 > > > --- a/systemd/rpcbind.service.in > > > +++ b/systemd/rpcbind.service.in 
> > > @@ -7,7 +7,8 @@ RequiresMountsFor=@statedir@ > > > # Make sure we use the IP addresses listed for > > > # rpcbind.socket, no matter how this unit is started. > > > Requires=rpcbind.socket > > > -Wants=rpcbind.target > > > +Wants=rpcbind.target systemd-tmpfiles-setup.service > > > +After=systemd-tmpfiles-setup.service > > > [Service] > > > ProtectSystem=full |
From: Steve D. <st...@re...> - 2024-08-31 17:56:43
On 8/22/24 8:23 PM, Petr Vorel wrote:
> Hi,
>
> NOTE I'm not systemd expert, others may understand more.
>
> But trying to upstream various hardenings options which we have been
> using since 2021. Adding EnvironmentFile I tested locally today.
> systemd-tmpfiles-setup.service should be also safe.
>
> Kind regards,
> Petr
>
> Josue Ortega (1):
>   man/rpcbind: Add Files section to manpage
>
> Petr Vorel (3):
>   systemd/rpcbind.service.in: Add few default EnvironmentFile
>   systemd/rpcbind.service.in: Add various hardenings options
>   systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup
>
>  man/rpcbind.8              |  8 ++++++++
>  systemd/rpcbind.service.in | 16 +++++++++++++++-
>  2 files changed, 23 insertions(+), 1 deletion(-)
>

Committed... (tag: rpcbind-1_2_8-rc1)

steved.