
Effects on systemd service units


Posted Jan 30, 2025 18:11 UTC (Thu) by nix (subscriber, #2304)
In reply to: Effects on systemd service units by kpfleming
Parent article: The trouble with the new uretprobes

I note that BIND removed its seccomp jail because of repeated instances of things like this hanging named and even hanging named before daemonization (often preventing boot from continuing).

The OpenSSH seccomp jail is the only one I know of in core daemons that hasn't hit disastrous problems and been ripped out.



Effects on systemd service units

Posted Jan 31, 2025 11:43 UTC (Fri) by taladar (subscriber, #68407)

A lot of those security technologies built into systemd can have some unexpected additional failure modes, e.g. the other day I had a failure in one of the services using some of the mount restrictions (PrivateTmp or something equally common, don't remember which one exactly) and the unit failed to start because the host also has a network mount that couldn't reach the CIFS server (was mounted and then lost contact rather) and so creating the new mount namespace failed.

It is unfortunate since I would prefer to use more of them in as many units as possible.

