agent unit: allow writes to /usr/local/bin for self-update
Smoke caught this: ProtectSystem=full mounts /usr read-only so the agent couldn't write its own .new staging file or atomic-rename over the running binary. Adding /usr/local/bin to ReadWritePaths is the minimum diff that lets self-update work; the whole-dir grant is required because os.Rename needs write on the parent directory.
@@ -52,7 +52,12 @@ ProtectSystem=full
 # whenever a new SecretsKey is minted, so we need a targeted
 # write-exemption for that dir. No exemption for the rest of /etc:
 # the agent has no business editing /etc/passwd, /etc/sudoers, etc.
-ReadWritePaths=/etc/restic-manager
+#
+# /usr/local/bin is writable so the self-update flow (P6-01) can
+# atomic-rename a fresh binary over the running one. Permitting the
+# whole directory (rather than just the binary path) is required
+# because os.Rename takes a write lock on the parent dir.
+ReadWritePaths=/etc/restic-manager /usr/local/bin
 ProtectHostname=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
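Review bot: the justification in the new comment ("os.Rename takes a write lock on the parent dir") does not describe what rename actually needs and should be reworded to match the commit message: rename(2) requires write and search permission on the parent directory because it modifies that directory's entries, not a lock. Suggest `# because rename(2) must modify the parent directory's entries.` The comment should also state the trade-off the diff makes: `ReadWritePaths=/etc/restic-manager /usr/local/bin` makes every binary in /usr/local/bin writable by the agent under this unit, not only its own, so a compromised agent could replace other tools there. If that is the accepted cost, say so in the comment next to the `(rather than just the binary path)` remark; otherwise consider installing the agent into a dedicated directory that contains only its binary and granting that directory instead, which keeps the atomic-rename flow working with a narrower exemption.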