FS#52892 - Fail2ban namespace spawn failed using "Capabilities" step in wiki

Attached to Project: Community Packages
Opened by vindicator (vindicator) - Wednesday, 08 February 2017, 06:08 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 08 February 2017, 15:30 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
"fail2ban.service: Failed at step NAMESPACE spawning /usr/bin/fail2ban-client: No such file or directory"

Additional info:
* package version(s)
Name : fail2ban
Version : 0.9.6-2

* config and/or log files etc.
Following https://wiki.archlinux.org/index.php/Fail2ban#Capabilities
Reference: https://github.com/fail2ban/fail2ban/issues/1073

capabilities.conf:
*****
$ cat /etc/systemd/system/fail2ban.service.d/capabilities.conf
[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
ReadOnlyDirectories=/
ReadWriteDirectories=/var/run/fail2ban /var/lib/fail2ban /var/spool/postfix/maildrop /tmp /var/log/fail2ban
*****

journalctl:
*****
Feb 07 23:39:47 server systemd[1]: Starting Fail2Ban Service...
-- Subject: Unit fail2ban.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit fail2ban.service has begun starting up.
Feb 07 23:39:47 server systemd[24180]: fail2ban.service: Failed at step NAMESPACE spawning /usr/bin/fail2ban-client: No such file or directory
-- Subject: Process /usr/bin/fail2ban-client could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The process /usr/bin/fail2ban-client could not be executed and failed.
--
-- The error number returned by this process is 2.
Feb 07 23:39:47 server systemd[1]: fail2ban.service: Control process exited, code=exited status=226
Feb 07 23:39:47 server systemd[1]: Failed to start Fail2Ban Service.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit fail2ban.service has failed.
--
-- The result is failed.
Feb 07 23:39:47 server systemd[1]: fail2ban.service: Unit entered failed state.
Feb 07 23:39:47 server systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Feb 07 23:39:47 server systemd[1]: fail2ban.service: Service hold-off time over, scheduling restart.
Feb 07 23:39:47 server systemd[1]: Stopped Fail2Ban Service.
-- Subject: Unit fail2ban.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit fail2ban.service has finished shutting down.
Feb 07 23:39:47 server systemd[1]: Starting Fail2Ban Service...
*****

Steps to reproduce:

Closed by Doug Newgard (Scimmia)
Wednesday, 08 February 2017, 15:30 GMT
Reason for closing: Not a bug
Additional comments about closing: Configuration error
Comment by vindicator (vindicator) - Wednesday, 08 February 2017, 06:26 GMT
Removing "/var/spool/postfix/maildrop" and "/var/log/fail2ban" from "ReadWriteDirectories" allowed the service to start.
The "NAMESPACE" spawn error seems to relate to the non-existence of a directory.
One might think if a directory doesn't exist, the service capability would just ignore it rather than produce a vague error (not specifying what file or directory does not exist).

The wiki DOES state the postfix directory may be different depending on how it was set up (assuming the application was installed), but the fail2ban log file location defaults to "/var/log". I'm guessing the user may want to adjust the "fail2ban.conf" and set the path to "logtarget = /var/log/fail2ban/fail2ban.log" (just so fail2ban can't write to any other log files in /var/log).
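Turning the reporter's finding into a pre-start check, as an added example that is not part of this report or of the wiki page: the script reads the namespace directives of a unit file or drop-in and names each listed path that does not exist, which is the information systemd's "Failed at step NAMESPACE" message (exit status 226, EXIT_NAMESPACE) leaves out. The demo drop-in and its absent directory are constructed; the "-" prefix handling follows systemd.exec(5), where a leading "-" marks a path as optional.

```shell
#!/bin/sh
# Added example (not from the bug report): list every path named in the
# namespace directives of a systemd unit or drop-in and report the ones that
# do not exist, so the problem surfaces with a path instead of systemd's
# "Failed at step NAMESPACE ... No such file or directory" (exit status 226).

# Print the paths given to the named directives in <file>, one per line.
unit_paths() {
    file=$1; shift
    for key in "$@"; do
        # Values are whitespace-separated on one line after "Key=".
        sed -n "s/^[[:space:]]*${key}=//p" "$file"
    done | tr ' \t' '\n\n' | sed '/^$/d'
}

# Print "missing path: <p>" for each listed path that does not exist.
# Returns 1 if any path is missing, 0 otherwise. A leading "-" marks a path
# optional per systemd.exec(5) (ignored when absent), so those are skipped.
check_unit_paths() {
    missing=0
    for p in $(unit_paths "$1" ReadWriteDirectories ReadOnlyDirectories \
                          InaccessibleDirectories ReadWritePaths ReadOnlyPaths \
                          InaccessiblePaths); do
        case $p in -*) continue ;; esac
        if [ ! -e "$p" ]; then
            echo "missing path: $p"
            missing=1
        fi
    done
    return $missing
}

# Demo on a constructed drop-in modelled on the reporter's capabilities.conf;
# the "does-not-exist" directory is deliberately never created.
demo_check() {
    dir=$(mktemp -d)
    cat > "$dir/capabilities.conf" <<EOF
[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
ReadOnlyDirectories=/
ReadWriteDirectories=/tmp $dir/does-not-exist -$dir/optional-and-absent
EOF
    check_unit_paths "$dir/capabilities.conf" && rc=0 || rc=$?
    rm -rf "$dir"
    return $rc
}

[ "${1:-}" = "--demo" ] && demo_check
```

Run it as `sh check.sh --demo` for the constructed case, or call `check_unit_paths /etc/systemd/system/fail2ban.service.d/capabilities.conf` against the real drop-in before `systemctl start`.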
