https://github.com/osquery/osquery logo
Powered by
#linux
Title
# linux
s

sundsta

04/03/2020, 11:21 PM
Starting with 4.1.1, I am unable to use the systemd 
ProtectSystem=strict
feature. The daemon does not start, but no logs are produced. Does anyone know what changed between 4.0.2 and 4.1.1 that may have caused this? Here’s my full service unit config:
Copy code
[Unit]
Description=The osquery Daemon
After=network.service syslog.service

[Service]
TimeoutStartSec=0
EnvironmentFile=/etc/default/osqueryd
ExecStartPre=/bin/sh -c "if [ ! -f $CONFIG_FILE ]; then echo {} > $CONFIG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi"
ExecStart=/usr/bin/osqueryd \
  --flagfile $FLAG_FILE \
  --config_path $CONFIG_FILE
Restart=on-failure
KillMode=process
KillSignal=SIGTERM
ProtectSystem=strict
ReadWritePaths=/var/osquery /var/run /var/tmp /tmp

[Install]
WantedBy=multi-user.target
t

theopolis

04/03/2020, 11:44 PM
Do you mean the daemon does start?
s

sundsta

04/03/2020, 11:48 PM
It does not start. This is all I get from journald
Copy code
Apr 03 23:29:50 HOST systemd[1]: osqueryd.service: Start request repeated too quickly.
Apr 03 23:29:50 HOST systemd[1]: osqueryd.service: Failed with result 'exit-code'.
Apr 03 23:29:50 HOST systemd[1]: Failed to start The osquery Daemon.
t

theopolis

04/03/2020, 11:51 PM
Recently we switched the kill mode to be control-group
Sorry for terse responses (hands are full right now). The PR for that change has more context on the underlying issue
s

sundsta

04/03/2020, 11:55 PM
On 4.1.1 it’s still set to process, and neither 4.2.0 or 4.1.1 work
t

theopolis

04/03/2020, 11:55 PM
I think changing your service will fix the issue (fingers crossed)
This is bug that shows up rarely
s

sundsta

04/03/2020, 11:56 PM
Or 4.1.2 FWIW
The weird thing is, if I remove the 
ProtectSystem=strict
option the service starts. Then, after it has run successfully, I can add the strict setting back and restart the service and it continues to work.
s

seph

04/04/2020, 1:09 AM
I’m not super familiar with that option, but as documented:
Copy code
If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev, /proc and /sys
Doesn’t that mean it can’t write it’s pid file or local database files? Does adding 
--verbose
add any clues?
s

sundsta

04/05/2020, 12:14 AM
I have granted it write access to 
/var/osquery /var/run /var/tmp /tmp
(see the immediately following line in my config) which works on 3.3.2, 3.3.4, and 4.0.2. It is running as verbose in my test VM.
t

theopolis

04/05/2020, 12:20 AM
Definitely change the KillMode regardless it fixes a but that was introduced somewhere in the 3.x line
Fixes a bug*
s

sundsta

04/05/2020, 12:35 AM
I have tested on 4.2.0 as well which includes the KillMode change
I was using 4.1.1 as an example because the bug was introduced somewhere between 4.0.2 and 4.1.1
6 Views
Powered by