refactor(linux-client): remove FIREZONE_ID from example systemd file #4714
Conversation
In this specific case it doesn't hurt, but when we go to make the Deb package, the ID can't go there.
@@ -23,19 +23,19 @@ ProtectKernelModules=true | |||
ProtectKernelTunables=true | |||
# Docs say it's useless when running as root, but defense-in-depth | |||
ProtectProc=invisible | |||
ProtectSystem=full | |||
ProtectSystem=strict |
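Review bot: `ProtectSystem=strict` mounts the whole hierarchy read-only except /dev, /proc and /sys, so every path the service still writes must be granted explicitly (StateDirectory=, RuntimeDirectory=, LogsDirectory= or ReadWritePaths=); a write anywhere else fails with EROFS at runtime rather than at unit load. Worth extending the existing "defense-in-depth" comment to list the writable paths the unit relies on, so that a later change adding a write elsewhere is caught in review instead of in the field.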
This makes more of the FS read-only to the service
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem=
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX | ||
RestrictNamespaces=true | ||
RestrictRealtime=true | ||
RestrictSUIDSGID=true | ||
StateDirectory=dev.firezone.client |
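Review bot: `StateDirectory=dev.firezone.client` covers /var/lib/dev.firezone.client, but the PR description also names /run/dev.firezone.client, and under `ProtectSystem=strict` /run is read-only as well, so anything created there needs a matching `RuntimeDirectory=dev.firezone.client` (systemd also removes that directory on stop, which bears on the stale-socket question raised later). Consider adding `StateDirectoryMode=0700` too: the default is 0755, which is wider than the `UMask=077` in this unit suggests the service wants.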
This asks systemd to make /var/lib/dev.firezone.client
and mount it for us, since we're trying to minimize our own access to the FS
SystemCallArchitectures=native | ||
# TODO: Minimize | ||
SystemCallFilter=@aio @basic-io @file-system @io-event @ipc @network-io @signal @system-service | ||
UMask=177 | ||
UMask=077 |
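Review bot: the 177 to 077 change is right (a directory created without its execute bit cannot be traversed, which matches the symptom described), but `UMask=077` also sets the mode of the Unix socket that `UnixListener::bind` creates in the socket hunk below: the socket comes out 0700, so the following `chown(..., Some(fz_gid))` does not let members of that group connect, because connecting to a Unix socket requires write permission on the socket file. Either chmod the socket to 0660 after `bind`, or gate access with the directory mode (0770 on the socket's directory) and leave the socket itself alone.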
I think directories have to be u+x
in order to do anything? Whatever I was doing to write the device ID file, it doesn't work with umask 177.
if let Err(error) = match dns_control_method { | ||
None => Ok(()), | ||
Some(DnsControlMethod::EtcResolvConf) => etc_resolv_conf::configure(&dns_config) | ||
.await | ||
.map_err(Error::ResolvConf)?, | ||
Some(DnsControlMethod::NetworkManager) => configure_network_manager(&dns_config)?, | ||
Some(DnsControlMethod::Systemd) => configure_systemd_resolved(&dns_config).await?, | ||
.map_err(Error::ResolvConf), | ||
Some(DnsControlMethod::NetworkManager) => configure_network_manager(&dns_config), | ||
Some(DnsControlMethod::Systemd) => configure_systemd_resolved(&dns_config).await, | ||
} { | ||
panic!("Failed to control DNS: {error}"); |
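Review bot: removing the `?` from the three `Some(...)` arms is what makes `if let Err(error)` reachable: with `?` those arms yielded `()` and propagated the error out of the enclosing function, so they did not even share a type with the `None => Ok(())` arm, and the panic branch was dead. Now every arm is a `Result` and a failure does reach `panic!("Failed to control DNS: {error}")`. Since the enclosing function evidently already returns a `Result` (the old `?` depended on it), consider returning the error with context instead of panicking, or add a comment stating that DNS-control failure is intentionally fatal; a panic gives the caller no chance to undo setup already performed.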
I ran into #4461 while working on this PR and this diff closes it
…one into refactor/move-firezone-id
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
tokio::fs::remove_file(SOCK_PATH).await.ok(); | ||
let listener = UnixListener::bind(SOCK_PATH).context("Couldn't bind UDS")?; | ||
std::os::unix::fs::chown(SOCK_PATH, Some(ROOT_USER), Some(fz_gid.into())) | ||
let sock_path = sock_path(); |
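Review bot: `tokio::fs::remove_file(SOCK_PATH).await.ok()` swallows every error, not just NotFound; if the unlink fails for another reason (for example a permission problem on the parent directory) the real cause is lost and only the later "Couldn't bind UDS" context surfaces. Match on the error kind and ignore only `NotFound`. On the double-launch question in the review comment: bailing out on an existing socket file would also refuse to start after an unclean shutdown leaves one behind, so the socket file is a poor lock. Placing the socket in a `RuntimeDirectory=` that systemd creates on start and removes on stop avoids stale files across clean restarts, and a second instance is then prevented by the unit itself rather than by the file.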
I know some services use this as a guard against accidentally launching the service twice. Should we just bail out if we find an existing sock file here and ask the user to remove it instead?
Maybe. If we can have systemd create it for us that would be cool, then it can also clean it up. I made an issue to look into it soon
For tests it doesn't hurt, but this will be used as a template for the systemd service we ship to production, and that can't have the ID there.
So I'm also cleaning up a few other problems I noticed:
/var/lib/dev.firezone.client and /run/dev.firezone.client for us