pxe: route dnsmasq lease + pid files into RuntimeDir
Without explicit dhcp-leasefile and pid-file, dnsmasq reaches for its distro defaults (/var/lib/misc/dnsmasq.leases, /run/dnsmasq.pid) — both outside the systemd unit's ReadWritePaths=/var/lib/vetting /var/log/vetting sandbox, causing 'Read-only file system' on every start. RuntimeDir is already writable by construction (Supervisor.Start mkdir's it), so writing both files there keeps dnsmasq entirely inside the sandbox.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -276,6 +276,12 @@ dhcp-host={{ .MAC }},set:known
|
|||||||
# DHCP range (broader subnet coverage is fine; allowlist above gates replies).
|
# DHCP range (broader subnet coverage is fine; allowlist above gates replies).
|
||||||
dhcp-range={{ .Cfg.DHCPRange }}
|
dhcp-range={{ .Cfg.DHCPRange }}
|
||||||
|
|
||||||
|
# Keep runtime state inside RuntimeDir so the systemd sandbox
|
||||||
|
# (ReadWritePaths=/var/lib/vetting ...) doesn't block writes to the
|
||||||
|
# distro defaults (/var/lib/misc/dnsmasq.leases, /run/dnsmasq.pid).
|
||||||
|
dhcp-leasefile={{ .Cfg.RuntimeDir }}/dhcp.leases
|
||||||
|
pid-file={{ .Cfg.RuntimeDir }}/dnsmasq.pid
|
||||||
|
|
||||||
# TFTP + HTTP boot (iPXE chainload).
|
# TFTP + HTTP boot (iPXE chainload).
|
||||||
enable-tftp
|
enable-tftp
|
||||||
tftp-root={{ .Cfg.TFTPRoot }}
|
tftp-root={{ .Cfg.TFTPRoot }}
|
||||||
|
|||||||
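Review bot: The added dhcp-leasefile= and pid-file= lines interpolate {{ .Cfg.RuntimeDir }} with no visible check that it is non-empty and absolute. An empty value renders /dhcp.leases and /dnsmasq.pid at the filesystem root, which is outside ReadWritePaths and brings back the read-only failure this change is meant to fix. Suggest rejecting an empty or relative RuntimeDir before the template is rendered. The added comment would also be more useful if it said which ReadWritePaths entry RuntimeDir is expected to sit under, since the fix depends on that and nothing in this hunk shows where RuntimeDir points.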