Yet another systemd fiasco
Posted Nov 19, 2014 8:40 UTC (Wed) by peter-b (subscriber, #66996). In reply to: Yet another systemd fiasco by javispedro
Parent article: Russ Allbery leaves the Debian technical committee
How on earth is this relevant to systemd? It's never called if named is running as a systemd service.
>> The systemd unit in Fedora does it: http://pkgs.fedoraproject.org/cgit/bind.git/tree/named.se...
> The Gentoo init script clearly does some checks to warn the user if the configuration is inconsistent e.g. libgost enabled but not built. The Fedora unit file doesn't do it.
Yes it quite clearly does:
> ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf
>> So how do you run a BIND with SELinux hardening?
> Irrelevant.
How the heck is that irrelevant?
Posted Nov 19, 2014 9:02 UTC (Wed) by javispedro (guest, #83660) (2 responses)

The Gentoo initscript that has been mentioned above chroots BIND. The equivalent Fedora systemd unit file that also chroots is called chroot-named.service. That service unit file calls setup-named-chroot.sh indirectly via another service file called named-setup-chroot.service. The complexity of this two-initscript monster turns out to be comparable to the original Gentoo script despite losing functionality.

But again and again BIND is a bad example; I don't know of any init system doing great here.

> Yes it quite clearly does

No. The Gentoo initscript also calls named-checkconf but, in addition, does additional checks, which are the ones I'm talking about.

> How the heck is that irrelevant?

What has "how to do SELinux labeling properly" got to do with init systems? Fedora/systemd does SELinux too! If you want to discuss whether SELinux is better or not than containers feel free to do so, but I won't participate. It's way too off topic.

Posted Nov 19, 2014 20:32 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) (1 response)

That's just a compatibility script for old BIND installations.

> But again and again BIND is a bad example; I don't know of any init system doing great here.

Systemd does great. It does not NEED a chroot at all because it can use namespacing. Simply add: ProtectSystem=full and tweak ReadWriteDirectories if required (http://www.freedesktop.org/software/systemd/man/systemd.e...).

> What has "how to do SELinux labeling properly" got to do with init systems?

If you start BIND by doing "/etc/init.d/named start" then its environment is contaminated with your security labels. So many little things that systemd does correctly...

Posted Nov 19, 2014 22:23 UTC (Wed) by javispedro (guest, #83660)

*rolls eyes*. Ok, so it's looking more and more like a bad example, because the systemd unit file that actually chroots BIND, like the Gentoo one you quoted, does not exist?

Maybe we need a different example. There are some 3 line initscripts in Gentoo we could use as a starting point.

This feature-by-feature discussion is pointless. The point is that systemd is NOT objectively better than other init systems. It does some great things and it would be stupid to ignore those. Other init systems also DO abstract features, allowing more concise and declarative init scripts, and have done so for years or even a decade. We believe these designs are _subjectively_ more interesting (e.g. shell scripts that can be optionally sourced vs an all-knowing giant daemon that implements all kinds of settings togglable via .ini/.unit files is a _personal_ preference). systemd is, to put it simply, making our work harder by deciding to integrate a bunch of unrelated functionality that is becoming harder and harder to extricate from systemd itself. And all of this for no good reason. We had working NTP clients that did not need to integrate into the init system before. That's the only reason I complain about systemd. But we're trying to improve things.

> Systemd does great. It does not NEED a chroot at all because it can use namespacing.

"HardenedGentoo+OpenRC does great. It does not NEED a chroot at all because it can use SELinux."

> If you start BIND by doing "/etc/init.d/named start" then its environment is contaminated with your security labels

Correct. But that's not how you actually invoke initscripts in Gentoo, you just use the openrc wrappers, which do the right thing (google init_run).
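To make concrete what Cyberax suggests above (ProtectSystem=full plus ReadWriteDirectories, alongside the ExecStartPre=named-checkconf line quoted earlier), here is an added example unit that is not the Fedora or Gentoo file from the thread; the binary, config and data paths are assumptions for a conventional BIND layout.

```ini
# Added example, not the Fedora or Gentoo unit: BIND confined with systemd's
# mount namespacing instead of a chroot. Binary and data paths are assumptions
# for a conventional layout (/etc/named.conf, /var/named, /run/named).
[Unit]
Description=BIND DNS server, sandboxed with a mount namespace
After=network.target

[Service]
Type=forking
PIDFile=/run/named/named.pid
# Refuse to start on a broken configuration; -z also parses every zone file.
ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf
# named starts as root to bind port 53 and drops to the "named" user itself.
ExecStart=/usr/sbin/named -u named -c /etc/named.conf
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop

# The namespacing that replaces the chroot. The same sandbox applies to the
# ExecStartPre= check above, so the check's inputs must stay readable.
# /usr, /boot and /etc become read-only for this service only:
ProtectSystem=full
# /home, /root and /run/user become inaccessible:
ProtectHome=yes
# Private /tmp and /var/tmp, and a /dev without raw disk or kernel device nodes:
PrivateTmp=yes
PrivateDevices=yes

# ProtectSystem=full leaves /var writable, which covers zone journals and
# secondary zone files under /var/named and the pid file under /run/named.
# Only list more paths if something written at start-up lives under one of the
# read-only trees, e.g. a start hook that creates /etc/rndc.key (the directory
# below is an example path). Newer systemd also accepts the name
# ReadWritePaths= for this directive.
#ReadWriteDirectories=/etc/named

[Install]
WantedBy=multi-user.target
```

The [Service] lines also work as a drop-in under /etc/systemd/system/named.service.d/ layered over a distribution's own unit, which adds the sandbox without replacing the packaged file.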