agent unit: allow writes to /usr/local/bin for self-update
Smoke caught this: ProtectSystem=full mounts /usr read-only so the agent couldn't write its own .new staging file or atomic-rename over the running binary. Adding /usr/local/bin to ReadWritePaths is the minimum diff that lets self-update work; the whole-dir grant is required because os.Rename needs write on the parent directory.
This commit is contained in:
@@ -52,7 +52,12 @@ ProtectSystem=full
|
||||
# whenever a new SecretsKey is minted, so we need a targeted
|
||||
# write-exemption for that dir. No exemption for the rest of /etc:
|
||||
# the agent has no business editing /etc/passwd, /etc/sudoers, etc.
|
||||
ReadWritePaths=/etc/restic-manager
|
||||
#
|
||||
# /usr/local/bin is writable so the self-update flow (P6-01) can
|
||||
# atomic-rename a fresh binary over the running one. Permitting the
|
||||
# whole directory (rather than just the binary path) is required
|
||||
# because os.Rename takes a write lock on the parent dir.
|
||||
ReadWritePaths=/etc/restic-manager /usr/local/bin
|
||||
ProtectHostname=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
|
||||
Reference in New Issue
Block a user