Title
#linux
sundsta

sundsta

04/03/2020, 11:21 PM
Starting with 4.1.1, I am unable to use the systemd
ProtectSystem=strict
feature. The daemon does not start, but no logs are produced. Does anyone know what changed between 4.0.2 and 4.1.1 that may have caused this? Here’s my full service unit config:
[Unit]
Description=The osquery Daemon
After=network.service syslog.service

[Service]
TimeoutStartSec=0
EnvironmentFile=/etc/default/osqueryd
ExecStartPre=/bin/sh -c "if [ ! -f $CONFIG_FILE ]; then echo {} > $CONFIG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi"
ExecStart=/usr/bin/osqueryd \
  --flagfile $FLAG_FILE \
  --config_path $CONFIG_FILE
Restart=on-failure
KillMode=process
KillSignal=SIGTERM
ProtectSystem=strict
ReadWritePaths=/var/osquery /var/run /var/tmp /tmp

[Install]
WantedBy=multi-user.target
theopolis

theopolis

04/03/2020, 11:44 PM
Do you mean the daemon does start?
sundsta

sundsta

04/03/2020, 11:48 PM
It does not start. This is all I get from journald
Apr 03 23:29:50 HOST systemd[1]: osqueryd.service: Start request repeated too quickly.
Apr 03 23:29:50 HOST systemd[1]: osqueryd.service: Failed with result 'exit-code'.
Apr 03 23:29:50 HOST systemd[1]: Failed to start The osquery Daemon.
theopolis

theopolis

04/03/2020, 11:51 PM
Recently we switched the kill mode to be control-group
11:55 PM
Sorry for terse responses (hands are full right now). The PR for that change has more context on the underlying issue
sundsta

sundsta

04/03/2020, 11:55 PM
On 4.1.1 it’s still set to process, and neither 4.2.0 or 4.1.1 work
theopolis

theopolis

04/03/2020, 11:55 PM
I think changing your service will fix the issue (fingers crossed)
11:56 PM
This is bug that shows up rarely
sundsta

sundsta

04/03/2020, 11:56 PM
Or 4.1.2 FWIW
12:05 AM
The weird thing is, if I remove the
ProtectSystem=strict
option the service starts. Then, after it has run successfully, I can add the strict setting back and restart the service and it continues to work.
s

seph

04/04/2020, 1:09 AM
I’m not super familiar with that option, but as documented:
If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev, /proc and /sys
Doesn’t that mean it can’t write it’s pid file or local database files? Does adding
--verbose
add any clues?
sundsta

sundsta

04/05/2020, 12:14 AM
I have granted it write access to
/var/osquery /var/run /var/tmp /tmp
(see the immediately following line in my config) which works on 3.3.2, 3.3.4, and 4.0.2. It is running as verbose in my test VM.
theopolis

theopolis

04/05/2020, 12:20 AM
Definitely change the KillMode regardless it fixes a but that was introduced somewhere in the 3.x line
12:20 AM
Fixes a bug*
sundsta

sundsta

04/05/2020, 12:35 AM
I have tested on 4.2.0 as well which includes the KillMode change
12:35 AM
I was using 4.1.1 as an example because the bug was introduced somewhere between 4.0.2 and 4.1.1