Enable unprivileged user namespace support on probetelemetry-01@ for systemd user unit isolation
There is a non-standard /proc/sys/kernel/unprivileged_userns_clone patch in the Debian kernel that prevents non-root users from creating private user namespaces. It is designed to reduce attack surface: it makes it harder to trigger kernel vulnerabilities that reside on the code paths handling (namespace-local) privileged operations requested from user space. However, this patch breaks systemd's unit isolation, which depends on creating an unprivileged user namespace to build a (namespace-local) view of the file system for the unit.
This might be a regression, as the problem was not present when the service was first deployed.
Please disable this patch and then test that things are working with unshare -r.
systemctl status --user torprobe.service
● torprobe.service - TorProbe
Loaded: loaded (/home/torprobe/.config/systemd/user/torprobe.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2022-08-10 14:37:40 UTC; 23h ago
Process: 560156 ExecStart=/home/torprobe/.config/torprobe/server (code=exited, status=217/USER)
Main PID: 560156 (code=exited, status=217/USER)
CPU: 2ms
Aug 10 14:37:40 probetelemetry-01 systemd[434818]: Started TorProbe.
Aug 10 14:37:40 probetelemetry-01 server[560156]: torprobe.service: Failed to set up user namespacing for unprivileged user: Operation not permitted
Aug 10 14:37:40 probetelemetry-01 systemd[560156]: torprobe.service: Failed at step USER spawning /home/torprobe/.config/torprobe/server: Operation not permitted
Aug 10 14:37:40 probetelemetry-01 systemd[434818]: torprobe.service: Main process exited, code=exited, status=217/USER
Aug 10 14:37:40 probetelemetry-01 systemd[434818]: torprobe.service: Failed with result 'exit-code'.
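An added diagnostic for the check requested above (not part of the ticket or of systemd): it reads the Debian-specific sysctl, runs the unshare -r probe as the current user, and reports whether a unit with user-namespace sandboxing will hit the 217/USER failure shown in the log. It assumes only a POSIX shell, util-linux unshare, and the Debian sysctl path.

```shell
#!/bin/sh
# Added diagnostic: is unprivileged user namespace creation available to this user?
# systemd's per-user sandboxing needs it; when it is not, units fail with 217/USER.

SYSCTL=/proc/sys/kernel/unprivileged_userns_clone   # Debian-specific knob (absent on vanilla kernels)

# Print the sysctl value, or "absent" when the kernel does not carry the Debian patch.
read_userns_sysctl() {
    if [ -r "$SYSCTL" ]; then
        cat "$SYSCTL"
    else
        echo absent
    fi
}

# Try to create a user namespace as the current (unprivileged) user.
# Prints 0 when unshare -r succeeds, 1 when it fails (or unshare is missing).
probe_unshare() {
    if unshare -r true 2>/dev/null; then
        echo 0
    else
        echo 1
    fi
}

# Pure classifier so the logic can be tested without touching the kernel.
# $1 = sysctl value ("0", "1" or "absent"), $2 = result of probe_unshare.
classify_userns() {
    case "$1:$2" in
        *:0)  echo "ok" ;;                 # user namespaces work; sandboxed units can start
        0:*)  echo "blocked-by-sysctl" ;;  # Debian knob is 0: the cause of the 217/USER failure
        *)    echo "blocked-other" ;;      # knob permits it, yet unshare failed (other policy, e.g. seccomp or a namespace limit)
    esac
}

# Run the live check and say what to do; the sysctl fix is the standard Debian remedy.
report_userns() {
    verdict=$(classify_userns "$(read_userns_sysctl)" "$(probe_unshare)")
    echo "unprivileged user namespaces: $verdict"
    if [ "$verdict" = "blocked-by-sysctl" ]; then
        echo "remedy: sysctl -w kernel.unprivileged_userns_clone=1 (persist under /etc/sysctl.d/)"
    fi
}

report_userns
```

On the affected host the script should print blocked-by-sysctl before the change and ok afterwards, at which point systemctl --user restart torprobe.service is expected to get past the USER step.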