
I'm trying to use rudder-server on a Debian buster at work. The webapp works fine, but one of the rudder services doesn't work and I can't receive reports from other nodes:

● rudder-relayd.service - Rudder Relay Daemon
   Loaded: loaded (/usr/lib/systemd/system/rudder-relayd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2021-05-19 09:21:32 CEST; 1min 28s ago
  Process: 32493 ExecStart=/opt/rudder/bin/rudder-relayd (code=exited, status=226/NAMESPACE)
 Main PID: 32493 (code=exited, status=226/NAMESPACE)

May 19 09:21:32 rudder-v3 systemd[1]: Started Rudder Relay Daemon.
May 19 09:21:32 rudder-v3 systemd[32493]: rudder-relayd.service: Failed to set up mount namespacing: Permission denied
May 19 09:21:32 rudder-v3 systemd[32493]: rudder-relayd.service: Failed at step NAMESPACE spawning /opt/rudder/bin/rudder-relayd: Permission denied
May 19 09:21:32 rudder-v3 systemd[1]: rudder-relayd.service: Main process exited, code=exited, status=226/NAMESPACE
May 19 09:21:32 rudder-v3 systemd[1]: rudder-relayd.service: Failed with result 'exit-code'.

My Debian buster is a container (not an unprivileged container) on a Proxmox server, everything is up to date, and I've changed the service's configuration without success:

# vi /usr/lib/systemd/system/rudder-relayd.service
[Unit]
Description=Rudder Relay Daemon
After=network-online.target

[Service]
PrivateTmp=false
NoNewPrivileges=yes
PrivateDevices=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
ReadWritePaths=/var/rudder/reports /var/rudder/inventories /var/rudder/shared-files /var/rudder/cfengine-community/state
ExecStart=/opt/rudder/bin/rudder-relayd
ExecReload=/opt/rudder/bin/rudder relay reload
# Do not restart on known errors, which won't get fixed by themselves
RestartPreventExitStatus=2 3
User=rudder-relayd
Group=rudder

[Install]
RequiredBy=rudder-server.service
WantedBy=multi-user.target

When I execute "/opt/rudder/bin/rudder-relayd" I do not have any errors:

 INFO relayd: Starting rudder-relayd 6.2.7
 INFO relayd: Read configuration from "/opt/rudder/etc/relayd/"
 INFO relayd::data::node: Parsing nodes list from "/var/rudder/lib/relay/nodeslist.json"
 INFO relayd::api: Starting API on 127.0.0.1:3030
 INFO relayd::input::watch: Starting file watcher on "/var/rudder/reports/incoming"
 INFO relayd: Skipping inventory as it is disabled
 INFO relayd: Server started

And the directory's rights are:

# ls -al /opt/rudder/bin/
[..]
-rwxr-xr-x  1 root root 8429816 Nov 22  2017 rudder-relayd
[..]

All of the other rudder services work fine and I can even access the rudder interface with my admin account. I've been able to accept pending nodes, but it seems that if the rudder-relayd service is off, I can't receive the compliance reports and this message appears:

Error occured when contacting internal remote-run API to apply classes on Node 'root': (HTTP code 503)

Brief summary of my tests:

  • Change the rudder-relayd.service configuration with only the lines "PrivateTmp=false\NoNewPrivileges=yes" added;
  • Not changing the service file directly but overriding it with systemctl edit rudder-relayd.service;
  • After every change of this file I reload the daemon with "systemctl daemon-reload";
  • Install Rudder on another container with the same options (still the same error); install Rudder on an unprivileged container (this error stops but others appear, and I don't want this to be the solution).

Thank you

Matias V

2 Answers


I think you should enable nesting mode with lxc on the host, I think with this command:

lxc config set <id> security.nesting true
Vincent Membré
    The command "lxc" was not known by my host server, so I've added the line "lxc.apparmor.allow_nesting: 1" to my container conf file and it worked! Thank you! I can receive reports now :) – Matias V May 19 '21 at 09:05

You could try to disable hardening options relying on namespaces, namely ProtectSystem, ReadWritePaths and PrivateTmp.

  • I've tried many different conf files, including one without `ProtectSystem`. `ReadWritePaths` and `PrivateTmp` were in the conf file by default; I could try this, but the solution of the other comment to enable the nesting mode with lxc worked! Thanks for your help :) – Matias V May 19 '21 at 09:13
    Indeed, the nesting option is better as it allows keeping the hardening options. – Alexis Mousset May 19 '21 at 09:14
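The check below is an added example, not code from the question or from either answer. It does two things a practitioner would want when triaging this class of failure: it confirms from journal lines that the unit died at systemd's NAMESPACE exec step (status 226), and it lists which directives in the unit still force systemd to set up a private mount namespace. Applied to the unit from the question, it shows why setting ProtectSystem=false and PrivateTmp=false was not enough: ReadWritePaths= is still present, and as the second answer notes it relies on namespaces too. The list of namespace-requiring directives is an assumption drawn from systemd.exec(5); the unit file and log lines are constructed to mirror the question.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Assumes POSIX sh,
# sed, grep and mktemp. The directive list below is an assumption based on
# systemd.exec(5): each of these makes systemd build a mount namespace for the
# service unless it is set to its "off" value.
NS_DIRECTIVES='PrivateTmp ProtectSystem ProtectHome PrivateDevices ProtectControlGroups ProtectKernelModules ProtectKernelTunables ReadWritePaths ReadOnlyPaths InaccessiblePaths'

# namespace_directives UNITFILE
#   Print, one per line, the directives in the unit that still require a
#   mount namespace (set and not explicitly disabled).
namespace_directives() {
    unit="$1"
    for d in $NS_DIRECTIVES; do
        # Last assignment wins, as in systemd (later lines override earlier ones).
        val=$(sed -n "s/^[[:space:]]*$d=[[:space:]]*//p" "$unit" | tail -n 1)
        [ -z "$val" ] && continue            # not set (or reset to empty): no namespace
        case "$val" in
            false|no|off|0) ;;               # explicitly disabled
            *) echo "$d" ;;
        esac
    done
}

# is_namespace_failure JOURNALFILE
#   Exit 0 when the log shows systemd failing at the NAMESPACE step, 1 otherwise.
is_namespace_failure() {
    grep -Eq 'status=226/NAMESPACE|Failed to set up mount namespacing' "$1"
}

# write_samples DIR
#   Constructed inputs: the [Service] section as modified in the question,
#   a journal excerpt modelled on the question's output, and a healthy log.
write_samples() {
    dir="$1"
    cat > "$dir/rudder-relayd.service" <<'EOF'
[Unit]
Description=Rudder Relay Daemon

[Service]
PrivateTmp=false
NoNewPrivileges=yes
PrivateDevices=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
ReadWritePaths=/var/rudder/reports /var/rudder/inventories
ExecStart=/opt/rudder/bin/rudder-relayd
User=rudder-relayd
EOF
    cat > "$dir/journal.log" <<'EOF'
May 19 09:21:32 rudder-v3 systemd[32493]: rudder-relayd.service: Failed to set up mount namespacing: Permission denied
May 19 09:21:32 rudder-v3 systemd[1]: rudder-relayd.service: Main process exited, code=exited, status=226/NAMESPACE
EOF
    cat > "$dir/healthy.log" <<'EOF'
May 19 09:21:32 rudder-v3 systemd[1]: Started Rudder Relay Daemon.
EOF
}

# Stand-alone run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if is_namespace_failure "$demo_dir/journal.log"; then
    echo "NAMESPACE failure found; directives still requiring a mount namespace:"
    namespace_directives "$demo_dir/rudder-relayd.service"
else
    echo "No NAMESPACE failure in journal"
fi
rm -rf "$demo_dir"
```

On a real host, point `is_namespace_failure` at the output of `journalctl -u rudder-relayd.service` and `namespace_directives` at the merged unit (`systemctl cat rudder-relayd.service`), so that drop-ins from `systemctl edit` are taken into account. The output for the question's unit is the single line `ReadWritePaths`, which is the directive that still needs the container to allow mount namespaces; enabling nesting, as the accepted answer does, keeps that hardening in place rather than removing it.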