[systemd-devel] Chroot jail for service with /proc, etc. already mounted

Lennart Poettering lennart at poettering.net
Mon Apr 4 09:20:29 PDT 2011


On Mon, 04.04.11 08:45, Albert Strasheim (fullung at gmail.com) wrote:

> Hello all
> 
> I was wondering if anyone had an example of a service unit that sets
> up a chroot jail with RootDirectory= but also mounts /proc, /sys and
> maybe a directory with some binaries and configuration inside it?

There is no such example, you still have to set up the chroot dir on
your own. There are simply too many variables in this to do that
automatically.

For example, not even /proc and /sys themselves would be without
controversy, since some apps might need them, others not, and even
others only /proc but not /sys.

You can set up an env with a prestart script however.

> It feels like this should perhaps be possible with
> ReadWriteDirectories and ReadOnlyDirectories, but I can't get it
> working.

These options control namespaces, not chroots. Also, they do not actually
duplicate things; they just modify what access the process in the
namespace can get on a directory.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.


More information about the systemd-devel mailing list