Root cause: pulse-sensor-proxy runs with strict systemd hardening that prevents access to Proxmox corosync IPC (abstract UNIX sockets). When pvecm fails with IPC errors, the code incorrectly treated it as "standalone mode" and only discovered localhost addresses, rejecting legitimate cluster members and external nodes. Changes: 1. **Distinguish IPC failures from true standalone mode** - Detect ipcc_send_rec and access control list errors specifically - These indicate a cluster exists but isn't accessible (LXC, systemd restrictions) - Return error to disable cluster validation instead of misusing standalone logic 2. **Graceful degradation when cluster validation fails** - When cluster IPC is unavailable, fall through to permissive mode - Log debug message suggesting allowed_nodes configuration - Allows requests to proceed rather than blocking all temperature monitoring 3. **Improve local address discovery for true standalone nodes** - Use Go's native net.Interfaces() instead of shelling out to 'ip addr' - More reliable and works with AF_NETLINK restrictions - Add helpful logging when only hostnames are discovered 4. **Systemd hardening adjustments** - Add AF_NETLINK to RestrictAddressFamilies (for net.Interfaces()) - Remove RemoveIPC=true (attempted fix for corosync, insufficient) - Add ReadWritePaths=-/run/corosync (optional path, corosync uses abstract sockets anyway) Result: Temperature monitoring now works in: - Clustered Proxmox hosts (falls back to permissive when IPC blocked) - LXC containers (correctly detects IPC failure, allows requests) - Standalone nodes (proper local address discovery with IPs) Workaround for maximum security: Configure allowed_nodes in /etc/pulse-sensor-proxy/config.yaml when cluster validation cannot be used.
# pulse-sensor-proxy.service — systemd unit for the Pulse sensor proxy.
# The service runs as a dedicated unprivileged account under a strict
# sandbox (see "Core hardening" below).
# Known limitation: this sandbox does not reach Proxmox cluster IPC
# (corosync uses abstract UNIX sockets), so on clustered hosts the proxy
# falls back to permissive cluster validation. Operators who want strict
# node checking should set allowed_nodes in
# /etc/pulse-sensor-proxy/config.yaml.

[Unit]
Description=Pulse Sensor Proxy
Documentation=https://github.com/rcourtman/Pulse
After=network.target

[Service]
Type=simple
# Dedicated service account; nothing in this unit runs as root.
User=pulse-sensor-proxy
Group=pulse-sensor-proxy
WorkingDirectory=/var/lib/pulse-sensor-proxy
ExecStart=/usr/local/bin/pulse-sensor-proxy
Restart=on-failure
RestartSec=5s

# Runtime dirs/sockets
# systemd creates /run/pulse-sensor-proxy; mode 0775 together with
# UMask=0007 keeps the directory and anything created in it accessible
# to the pulse-sensor-proxy group while denying "other".
RuntimeDirectory=pulse-sensor-proxy
RuntimeDirectoryMode=0775
UMask=0007

# Core hardening
NoNewPrivileges=true
# Entire filesystem read-only except the ReadWritePaths entries below.
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/var/lib/pulse-sensor-proxy
# Leading "-" makes the path optional: the unit still starts if the
# directory does not exist.
# NOTE(review): corosync IPC goes over abstract UNIX sockets, not this
# directory, so this entry widens the sandbox without enabling cluster
# validation — confirm it is actually required or drop it.
ReadWritePaths=-/run/corosync
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
PrivateTmp=true
PrivateDevices=true
ProtectProc=invisible
ProcSubset=pid
LockPersonality=true
RestrictSUIDSGID=true
# AF_NETLINK is needed for local address discovery via Go's
# net.Interfaces(); AF_UNIX/AF_INET/AF_INET6 remain for the proxy's own
# sockets. Any other address family is refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
# Calls outside @system-service return EPERM instead of killing the
# process, so a blocked syscall surfaces as an error in the journal
# rather than a crash.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Empty assignments reset both sets: the service holds no capabilities
# and cannot acquire any.
CapabilityBoundingSet=
AmbientCapabilities=
KeyringMode=private
LimitNOFILE=1024

# Additional hardening (post-audit)
MemoryDenyWriteExecute=true
RestrictRealtime=true
ProtectHostname=true
ProtectKernelLogs=true
SystemCallArchitectures=native

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=pulse-sensor-proxy

[Install]
WantedBy=multi-user.target