When I reload the hitch daemon (in Ubuntu 16.04 systemd), I get the following errors:
```
Apr 25 19:42:33 localhost systemd[1]: Reloading Hitch TLS unwrapping daemon.
Apr 25 19:42:33 localhost hitch[4035284]: Received SIGHUP: Initiating configuration reload.
Apr 25 19:42:33 localhost hitch[4035284]: 20170425T194233.871567 [4035284] Received SIGHUP: Initiating configuration reload.
Apr 25 19:42:33 localhost systemd[1]: Reloaded Hitch TLS unwrapping daemon.
Apr 25 19:42:33 localhost hitch[4035284]: Config reload failed: Unable to open configuration file '/etc/hitch/hitch.conf': No such file or directory
Apr 25 19:42:33 localhost hitch[4035284]: 20170425T194233.895107 [4035284] Config reload failed: Unable to open configuration file '/etc/hitch/hitch.conf': No such file or directory
```
After tracing the code, I found that the reason was that I had turned on the `chroot` config to `/tmp`, so the hitch service was actually jailed and unable to see the config file and the certificates outside.
I am wondering if this restriction can be solved, to have both `chroot` security and the reloading mechanism.
Hitch needs the configuration file and certificates. I don't think it is secure to put my certificates together in the jail.
Besides, hitch still wants to chroot to the specified location after the reload command. That is, if I specify `/hitch` as my chroot directory, after the first start, it changes its root to `/hitch` successfully. But after reload, it wants to chroot to `/hitch` under the current root, that is `/hitch/hitch`.
```
Apr 25 20:41:40 localhost systemd[1]: Reloading Hitch TLS unwrapping daemon.
Apr 25 20:41:40 localhost hitch[428268]: Received SIGHUP: Initiating configuration reload.
Apr 25 20:41:40 localhost hitch[428268]: 20170425T204140.130764 [428268] Received SIGHUP: Initiating configuration reload.
Apr 25 20:41:40 localhost hitch[428268]: Config reload failed: Error in configuration file '', line 187: Unable to stat directory '/hitch': No such file or directory'.
Apr 25 20:41:40 localhost hitch[428268]: 20170425T204140.131366 [428268] Config reload failed: Error in configuration file '', line 187: Unable to stat directory '/hitch': No such file or directory'.
Apr 25 20:41:40 localhost systemd[1]: Reloaded Hitch TLS unwrapping daemon.
```
Not only will the chroot command cascade, but also the location of the configuration file and certificates. Thus if I use chroot with a directory other than `/`, it is weird to put the needed files in the jail if I want multiple reload actions.
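The path cascade reported in this thread can be checked before sending SIGHUP. The following is an added example, not code from Hitch or from the issue's participants: it maps each path the daemon re-opens on reload to the host location a jailed process would actually reach. The names `host_path` and `reload_preflight` and the file `site.pem` are hypothetical; the sketch assumes absolute paths and does not model symlinks inside the jail.

```python
import os
import tempfile


def host_path(jail: str, path: str) -> str:
    """Host-side location that `path` names for a process chrooted into `jail`."""
    # Inside the jail "/" is the jail directory and ".." cannot climb above it,
    # so normalise against "/" first, then re-root the result under the jail.
    inner = os.path.normpath(os.path.join("/", path))
    return os.path.normpath(os.path.join(jail, inner.lstrip("/")))


def reload_preflight(jail: str, paths: list[str]) -> dict[str, bool]:
    """For every path re-opened on reload, report whether the jailed process can reach it."""
    return {p: os.path.exists(host_path(jail, p)) for p in paths}


def demo() -> dict[str, bool]:
    """Constructed jail: one certificate copied in, no config file, no nested jail dir."""
    with tempfile.TemporaryDirectory() as jail:
        os.makedirs(os.path.join(jail, "etc/hitch"))
        open(os.path.join(jail, "etc/hitch/site.pem"), "w").close()
        checks = reload_preflight(
            jail,
            [
                "/etc/hitch/hitch.conf",  # config path from the log above
                "/etc/hitch/site.pem",    # hypothetical certificate name
                jail,                     # the chroot directive itself, re-applied on reload
            ],
        )
        # Replace the random temp path with a stable label for display.
        return {("<chroot dir>" if p == jail else p): ok for p, ok in checks.items()}


if __name__ == "__main__":
    # The second log in this thread: "/hitch" seen from inside "/hitch".
    print(host_path("/hitch", "/hitch"))
    for path, reachable in demo().items():
        print(f"{path}: {'reachable' if reachable else 'MISSING after chroot'}")
```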