[GH-ISSUE #347] dnsmasq doesn't start #246

Closed
opened 2026-05-05 05:24:35 -06:00 by gitea-mirror · 6 comments

Originally created by @curiosity-seeker on GitHub (Mar 3, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/347

I've created the following profile for dnsmasq:

```
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-secret.inc
caps
seccomp
private
private-dev
```

After booting my computer dnsmasq is not active. systemctl status dnsmasq says:

```
● dnsmasq.service - A lightweight DHCP and caching DNS server
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/dnsmasq.service.d
           └─override.conf
   Active: failed (Result: exit-code) since Do 2016-03-03 12:17:23 CET; 33s ago
     Docs: man:dnsmasq(8)
  Process: 754 ExecStartPre=/usr/bin/firejail /usr/bin/dnsmasq --test (code=exited, status=1/FAILURE)

Mär 03 12:17:23 arch systemd[1]: Starting A lightweight DHCP and caching DNS server...
Mär 03 12:17:23 arch firejail[754]: Error mkdir:shm_create_firejail_dir(122): File exists
Mär 03 12:17:23 arch systemd[1]: dnsmasq.service: Control process exited, code=exited status=1
Mär 03 12:17:23 arch systemd[1]: Failed to start A lightweight DHCP and caching DNS server.
Mär 03 12:17:23 arch systemd[1]: dnsmasq.service: Unit entered failed state.
Mär 03 12:17:23 arch systemd[1]: dnsmasq.service: Failed with result 'exit-code'.
```

However, after executing `sudo systemctl restart dnsmasq` all is well! What could be the reason? What does the error above mean?

Note that I'm using firejail 0.9.39, but the problem also occurred with v. 0.9.38.

gitea-mirror 2026-05-05 05:24:35 -06:00
  • closed this issue
  • added the bug label

@netblue30 commented on GitHub (Mar 4, 2016):

Does it happen every time you start the computer?


@curiosity-seeker commented on GitHub (Mar 4, 2016):

Yes, it happens always. I also tried to solve the problem by adding an After=dnscrypt-proxy.service entry to the [Unit] section in override.conf to make sure that dnsmasq starts after dnscrypt-proxy - but to no avail.


@netblue30 commented on GitHub (Mar 5, 2016):

Firejail needs some directories under /run, such as /run/firejail/mnt, /run/firejail/name etc. If the directories are not there, firejail will try to create them - it has root privileges when it does it. The only way this fails is if /run was not mounted. At least on my Debian Jessie box I have /run mounted at startup by systemd as a temporary filesystem. I guess you have to start firejail after /run was mounted.
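
A check for the condition raised in the comment above, as an added example that is not part of the original thread or of firejail: it resolves which mount holds `/run/firejail` from a table in `/proc/self/mounts` format and reports whether `/run` is its own tmpfs mount. The function names and both sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not firejail's or systemd's own code.

# Read a mount table (/proc/self/mounts format) on stdin and print
# "<mountpoint> <fstype>" for the filesystem that holds path $1.
# The longest mount point that is a path prefix wins; on equal length the
# later line wins, because a later mount shadows an earlier one.
mount_for_path() {
    awk -v p="$1" '
        {
            mp = $2
            hit = (mp == "/") || (p == mp) || (index(p, mp "/") == 1)
            if (hit && length(mp) >= length(best)) { best = mp; fs = $3 }
        }
        END { if (best != "") print best, fs }
    '
}

# Succeed only if /run/firejail would live on a tmpfs mounted at /run,
# the state the comment above expects before firejail creates its directories.
run_is_ready() {
    set -- $(mount_for_path /run/firejail)
    [ "$1" = "/run" ] && [ "$2" = "tmpfs" ]
}

# Constructed sample tables (not captured from the reporter's machine).
early_boot='rootfs / rootfs rw 0 0
proc /proc proc rw 0 0'
normal='/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev 0 0'

for table in "$early_boot" "$normal"; do
    if printf '%s\n' "$table" | run_is_ready; then
        echo "/run is a tmpfs mount"
    else
        echo "/run is not mounted as tmpfs yet"
    fi
done
```

On a live system the table comes from the kernel: `run_is_ready < /proc/self/mounts`.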


@curiosity-seeker commented on GitHub (Mar 6, 2016):

Hm, but the thing is that two firejailed instances of dnscrypt-proxy (using different DNS resolvers) are also started without problems. So it seems that the /run mount is not the culprit.

I should also add that I had used a firejailed dnsmasq until some months ago before I temporarily switched to unbound. It hadn't caused problems then but it does now. So something has changed in the meantime. But perhaps it's a systemd problem.


@netblue30 commented on GitHub (Mar 6, 2016):

Let's leave it open for now, I'll try to reproduce it here.


@curiosity-seeker commented on GitHub (Mar 9, 2016):

Now the situation has changed: Lately dnsmasq loads properly but my first dnscrypt-proxy instance doesn't. Hence I think that it's a systemd problem - perhaps /etc/systemd/system/dnscrypt-proxy.service.d/override.conf is not read properly/fast enough during the boot process. It seems that it's not Firejail-related. I'm going to see whether delaying the start of that service solves the problem.
