Hi,

> so, I’ve seen this before with a different package (bind9) and I’ve seen
> this to gloriously fail because the systemd file was overzealous and
> obviously even you didn’t test it before you sent it to me.

I'm sorry, I hit send prematurely, and it was meant as a sort of RFC.
I've been using a very similar service file for at least a few months on a few systems running BGP and OSPF, so this isn't completely untested.

> Unless the changed systemd file is extensively tested with ALL routing
> protocols, there’s no way I am applying this as it is.

I will reduce the patch to things that should be uncontroversial (you're right about overzealous being a bad thing).

Bird already drops capabilities itself almost directly after startup (see https://salsa.debian.org/debian/bird2/-/blob/master/sysdep/linux/syspriv.h#L54-79); this would be the same as:

    User=bird
    Group=bird
    AmbientCapabilities=CAP_NET_RAW CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_BIND_SERVICE

I believe that if bird is configured to log to a file inaccessible to bird:bird this might break, but bird might break anyway in that case if a reload is triggered. I will look into this.

prepare-environment creates the runtime directory and fixes the ownership; this is equivalent to:

    RuntimeDirectory=bird

These sandbox options should also not cause any trouble:

    # prevent access to /home
    ProtectHome=true
    # mount /usr, /boot, /efi read-only
    ProtectSystem=yes

Some of the other options could be added and some of the others might introduce breakages in very rare cases or future changes to bird.

Verifying the configuration as part of the reload works around `birdc configure` always exiting with 0 even if the configuration has an error.

    ExecReload=/usr/sbin/bird -p

> Also, the package still supports sysv-rc, and I have no intention for
> dropping the support and I would pretty much like to keep the
> configuration same for the time being.

I don't want to suggest dropping support for sysv-rc. But yes, this change would duplicate the user and group name into the systemd service file and that isn't ideal.

I'm sorry for sending you a poor and untested patch. If you're not generally opposed to this sort of change, I will create a proper patch and test it before sending it.

bauen1

-- 
bauen1
https://dn42.bauen1.xyz/
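
The validate-before-reload step discussed in the message above, written as a shell function that a sysv-rc init script and a systemd ExecReload= line could both call. This is an added example, not part of the original e-mail or the Debian package; the function name `safe_reload`, the variables BIRD_BIN, BIRDC_BIN and BIRD_CONF, the birdc path, the configuration path and the exit codes 2 and 3 are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example: gate a BIRD reload on a successful configuration parse.
# All variable names and defaults below are assumptions of this sketch,
# except /usr/sbin/bird, which is the path used in the message.
BIRD_BIN="${BIRD_BIN:-/usr/sbin/bird}"
BIRDC_BIN="${BIRDC_BIN:-/usr/sbin/birdc}"
BIRD_CONF="${BIRD_CONF:-/etc/bird/bird.conf}"

# safe_reload: ask the running daemon to reconfigure only if the new
# configuration parses. Return codes (chosen for this sketch):
#   0  configuration valid and reload requested
#   2  configuration rejected by the parser, running daemon left untouched
#   3  the request over the control socket failed
safe_reload() {
    # "bird -p" only parses the configuration and exits; a non-zero exit
    # status means the file is invalid. This is the check whose result
    # can be trusted, since per the message the exit status of
    # "birdc configure" is 0 even when the configuration has an error.
    if ! "$BIRD_BIN" -p -c "$BIRD_CONF"; then
        echo "bird: $BIRD_CONF failed validation, not reloading" >&2
        return 2
    fi

    # Only reached with a configuration that parsed cleanly.
    if ! "$BIRDC_BIN" configure; then
        echo "bird: could not send 'configure' to the running daemon" >&2
        return 3
    fi
    return 0
}
```

Keeping the check in one function means the sysv-rc and systemd reload paths cannot drift apart, which matters because the parse step is the only part of the reload whose exit status reflects a configuration error.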