On 16. 10. 24 19:45, Arthur de Jong wrote:
> On Wed, 2024-10-16 at 15:40 +0200, David Koňařík wrote:
>> As far as I can tell, this is because the packaged systemd service
>> sets "ProtectSystem=strict", which remounts everything read-only,
>> including the PID file directory. I fixed this by setting
>> "ProtectSystem=full"; "ReadWritePaths=/run" also works.
>
> Thanks for reporting this. Interestingly, this doesn't happen on my own
> Debian unstable system.

That's strange. I checked an Incus container on another machine (with a
different host distro), and the same problem happened. But in a QEMU VM
with a Live CD of trixie, everything launched fine.

I tried reinstalling all packages in the container to hopefully rule out
a bad rootfs, but nothing changed.

I even tried launching an Incus container from a host trixie system, so
that it would have the "proper" kernel, and it's still broken there.

I didn't see any messages from systemd itself regarding the isolation,
so I don't know why it would behave differently. To me,
"ProtectSystem=strict" making even /run read-only seems like the way it
should work, so I don't know why it's sometimes not the case.

> Can you check that this also works:
>
> ProtectSystem=strict
> StateDirectory=/run/nslcd

When I set this, systemd complains that StateDirectory is absolute; it
wants a relative path under /var/lib. Setting "RuntimeDirectory=nslcd"
instead still doesn't work, but now nslcd complains instead that "bind()
to /var/run/nslcd/socket failed: Permission denied".

>> By the way, why does nslcd.service run the daemon by calling a SysV
>> init shell script?
>
> Mostly because the init script also runs k5start if nslcd.conf contains
> Kerberos authentication options (further configurable through
> /etc/default/nslcd).

Thanks for clearing that up. I'd personally have users enable k5start
themselves, but I suppose that's a difference in opinion/style.

Thanks,
David Koňařík
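As an added example (not from the thread, and not nss-pam-ldapd's own packaging), here is a POSIX shell approximation of the ProtectSystem= rules discussed above: it reads a unit file and reports whether a given path, here nslcd's socket, stays writable inside the unit's mount sandbox, so the strict / full / ReadWritePaths / RuntimeDirectory variants from the thread can be compared side by side. The sample unit files are constructed inline, and the /var/run to /run rewrite assumes Debian's symlink layout; it models only the read-only remount, not file ownership, so the "Permission denied" from the thread is outside its scope.

```shell
#!/bin/sh
# Static model of the ProtectSystem= mount sandbox: would PATH still be
# writable inside the unit's mount namespace? Reads ProtectSystem=,
# ReadWritePaths=, RuntimeDirectory= and StateDirectory= from a unit file.
# Only the read-only remount layer is modelled, not file ownership (DAC),
# so a "Permission denied" like the one in the thread is out of scope.

# True when $1 equals directory $2 or lies beneath it.
under() { case "$1" in "$2"|"$2"/*) return 0;; esac; return 1; }

# path_writable UNIT_FILE PATH -> exit 0 (writable) or 1 (read-only)
path_writable() {
    # Assumption: /var/run is a symlink to /run (Debian); normalise to /run.
    case "$2" in /var/run|/var/run/*) p="/run${2#/var/run}";; *) p=$2;; esac
    protect=""; rw=""
    while IFS= read -r line; do
        key=${line%%=*}; val=${line#*=}
        case "$key" in
            ProtectSystem)    protect=$val ;;
            # An empty ReadWritePaths= resets the list; "-" marks optional paths.
            ReadWritePaths)   [ -n "$val" ] && rw="$rw $val" || rw="" ;;
            RuntimeDirectory) for d in $val; do rw="$rw /run/$d"; done ;;
            StateDirectory)   for d in $val; do rw="$rw /var/lib/$d"; done ;;
        esac
    done < "$1"
    # Explicit read-write grants punch through every ProtectSystem= level.
    for d in $rw; do under "$p" "${d#-}" && return 0; done
    case "$protect" in
        strict) under "$p" /dev || under "$p" /proc || under "$p" /sys || return 1 ;;
        full)   for d in /usr /boot /efi /etc; do under "$p" "$d" && return 1; done ;;
        true|yes|on|1) for d in /usr /boot /efi; do under "$p" "$d" && return 1; done ;;
    esac
    return 0
}

# Constructed sample units modelled on the thread: the packaged strict
# setting and the three variants discussed, one file each.
strict_unit=$(mktemp); printf '[Service]\nProtectSystem=strict\n' > "$strict_unit"
full_unit=$(mktemp);   printf '[Service]\nProtectSystem=full\n' > "$full_unit"
rwpath_unit=$(mktemp); printf '[Service]\nProtectSystem=strict\nReadWritePaths=/run\n' > "$rwpath_unit"
rundir_unit=$(mktemp); printf '[Service]\nProtectSystem=strict\nRuntimeDirectory=nslcd\n' > "$rundir_unit"
trap 'rm -f "$strict_unit" "$full_unit" "$rwpath_unit" "$rundir_unit"' EXIT

for u in "$strict_unit" "$full_unit" "$rwpath_unit" "$rundir_unit"; do
    if path_writable "$u" /var/run/nslcd/socket; then v=writable; else v=read-only; fi
    printf '%s: %s\n' "$(tr '\n' ' ' < "$u")" "$v"
done
```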