After the recent tweaks required for OpenRC and hawser to get along, I've now been confronted by a Rocky Linux issue, this time with hawser & systemd-executor. The same or similar behaviour should be exhibited on Fedora and RHEL.
I've done the troubleshooting, and I suggest that an entry in the README.md along these lines might save others from pulling their hair out :-)
Troubleshooting

SELinux: Permission denied (systemd-executor)

On RHEL, Rocky Linux, and Fedora, you may see errors like this in journalctl:

    Failed at step NAMESPACE spawning /usr/local/bin/hawser: Permission denied
    Failed to mount /run/systemd/mount-rootfs/run/docker.sock: Permission denied

This is caused by SELinux blocking systemd from creating a mount namespace for hardening when the Docker socket is involved. To fix this, ensure the following lines are commented out in your /etc/systemd/system/hawser.service:

    # ProtectSystem=full
    # ProtectHome=true
    # ReadWritePaths=/run/docker.sock /data/stacks

Then reload and restart:

    sudo systemctl daemon-reload
    sudo systemctl restart hawser
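As an added example (not part of the issue above or of the hawser project), the same three directives can be switched off with a systemd drop-in instead of editing the installed unit, so a reinstall of hawser.service does not silently restore them; it also includes a small check for the NAMESPACE symptom in journal output before the hardening is relaxed. The drop-in path and file name are assumptions.

```shell
#!/bin/sh
# Added example: disable the ProtectSystem/ProtectHome/ReadWritePaths sandboxing
# for hawser.service via a drop-in rather than commenting out the main unit.
# Caveat: this removes that hardening, so confirm the denial is real first
# (journal symptom below; on SELinux hosts `ausearch -m AVC -ts recent` shows it).

UNIT=hawser.service
# DROPIN_ROOT is an assumption; it defaults to the usual systemd admin directory.
DROPIN_DIR="${DROPIN_ROOT:-/etc/systemd/system}/${UNIT}.d"

# Write the override into the given drop-in directory and print its path.
# Later drop-ins override the main unit, so ProtectSystem=no / ProtectHome=no
# and an empty ReadWritePaths= (which resets the list) undo the three lines.
write_override() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/10-selinux-no-namespace.conf" <<'EOF'
# Added drop-in (assumed name): turn off the sandboxing that SELinux blocks.
[Service]
ProtectSystem=no
ProtectHome=no
ReadWritePaths=
EOF
    printf '%s\n' "$dir/10-selinux-no-namespace.conf"
}

# Return 0 if the journal text contains the NAMESPACE failure from the issue.
has_namespace_denial() {
    printf '%s\n' "$1" | grep -q 'Failed at step NAMESPACE spawning .*: Permission denied'
}

# Typical use (root): check the journal, then apply the drop-in and reload.
apply_if_denied() {
    log="$(journalctl -u "$UNIT" --no-pager -n 50 2>/dev/null)"
    has_namespace_denial "$log" || { echo "no NAMESPACE denial for $UNIT"; return 1; }
    write_override "$DROPIN_DIR" >/dev/null
    systemctl daemon-reload && systemctl restart "$UNIT"
}
```

Run `apply_if_denied` as root on the affected host; the functions can also be sourced and used individually.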