refactor(linux-client): remove FIREZONE_ID from example systemd file #4714
Conversation
In this specific case it doesn't hurt, but when we go to make the Deb package, the ID can't go there.
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Terraform Cloud Plan Output |
Performance Test ResultsTCP
UDP
|
| @@ -23,19 +23,19 @@ ProtectKernelModules=true | |||
| ProtectKernelTunables=true | |||
| # Docs say it's useless when running as root, but defense-in-depth | |||
| ProtectProc=invisible | |||
| ProtectSystem=full | |||
| ProtectSystem=strict | |||
There was a problem hiding this comment.
This makes more of the FS read-only to the service
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem=
| RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX | ||
| RestrictNamespaces=true | ||
| RestrictRealtime=true | ||
| RestrictSUIDSGID=true | ||
| StateDirectory=dev.firezone.client |
There was a problem hiding this comment.
This asks systemd to make /var/lib/dev.firezone.client and mount it for us, since we're trying to minimize our own access to the FS
| SystemCallArchitectures=native | ||
| # TODO: Minimize | ||
| SystemCallFilter=@aio @basic-io @file-system @io-event @ipc @network-io @signal @system-service | ||
| UMask=177 | ||
| UMask=077 |
There was a problem hiding this comment.
I think directories have to be u+x in order to do anything? Whatever I was doing to write the device ID file, it doesn't work with umask 177.
| if let Err(error) = match dns_control_method { | ||
| None => Ok(()), | ||
| Some(DnsControlMethod::EtcResolvConf) => etc_resolv_conf::configure(&dns_config) | ||
| .await | ||
| .map_err(Error::ResolvConf)?, | ||
| Some(DnsControlMethod::NetworkManager) => configure_network_manager(&dns_config)?, | ||
| Some(DnsControlMethod::Systemd) => configure_systemd_resolved(&dns_config).await?, | ||
| .map_err(Error::ResolvConf), | ||
| Some(DnsControlMethod::NetworkManager) => configure_network_manager(&dns_config), | ||
| Some(DnsControlMethod::Systemd) => configure_systemd_resolved(&dns_config).await, | ||
| } { | ||
| panic!("Failed to control DNS: {error}"); |
There was a problem hiding this comment.
I ran into #4461 while working on this PR and this diff closes it
…one into refactor/move-firezone-id
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
| tokio::fs::remove_file(SOCK_PATH).await.ok(); | ||
| let listener = UnixListener::bind(SOCK_PATH).context("Couldn't bind UDS")?; | ||
| std::os::unix::fs::chown(SOCK_PATH, Some(ROOT_USER), Some(fz_gid.into())) | ||
| let sock_path = sock_path(); |
There was a problem hiding this comment.
I know some services use this as a guard against accidentally launching the service twice. Should we just bail out if we find an existing sock file here and ask the user to remove it instead?
There was a problem hiding this comment.
Maybe. If we can have systemd create it for us that would be cool, then it can also clean it up. I made an issue to look into it soon
For tests it doesn't hurt, but this will be used as a template for the systemd service we ship to production, and that can't have the ID there.
So I'm also cleaning up a few other problems I noticed:
/var/lib/dev.firezone.clientand/run/dev.firezone.clientfor us