[systemd-devel] Chroot jail for service with /proc, etc. already mounted
Lennart Poettering
lennart at poettering.net
Mon Apr 4 09:21:53 PDT 2011
On Mon, 04.04.11 16:59, Albert Strasheim (fullung at gmail.com) wrote:
>
> Hello
>
> On Mon, Apr 4, 2011 at 8:45 AM, Albert Strasheim <fullung at gmail.com> wrote:
> > I was wondering if anyone had an example of a service unit that sets
> > up a chroot jail with RootDirectory= but also mounts /proc, /sys and
> > maybe a directory with some binaries and configuration inside it?
>
> It seems I could write a program that runs under ExecStartPre= to
> prepare the environment, if I set RootDirectoryStartOnly=true and
> PermissionsStartOnly=true.
>
> Any alternatives would be appreciated.
There aren't any really. Right now this is how you should do things, and
RootDirectoryStartOnly= and PermissionsStartOnly= have been added
precisely for reasons like this.
I mean, I'd love to make things a bit more automatic here, but I am not
sure we can do that safely in a way that would work globally and would
not add a gazillion options to systemd unit files.
Suggestions always welcome!
Lennart
--
Lennart Poettering - Red Hat, Inc.
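The pattern Lennart confirms above (RootDirectory= for the service itself, RootDirectoryStartOnly=true and PermissionsStartOnly=true so that an ExecStartPre= helper runs as root outside the jail and populates it), written out as an added example. This is not code from the thread or from systemd; the jail path /srv/jail, the service name mydaemon, the helper path /usr/local/sbin/jail-prepare and the bind-mount list are assumed names for illustration. The script mounts /proc and /sys into the jail, bind-mounts the host directories holding the binaries and configuration read-only, refuses obviously dangerous jail paths, and is idempotent across restarts so mounts do not stack. The mount command is indirected through $MOUNT so the mount plan can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a RootDirectory= jail from
# ExecStartPre= and print the matching unit. Paths and names are assumed.
set -e

# mount(8) is indirected so the mount plan can be dry-run without root
# (e.g. MOUNT=some_logging_function). Default is the real command.
MOUNT=${MOUNT:-mount}

# Host directories bind-mounted read-only into the jail. Assumed list:
# extend it with whatever the service actually needs, and nothing more
# (binding all of /etc would hand the jail /etc/shadow).
JAIL_BIND=${JAIL_BIND:-/usr /etc/mydaemon}

# is_mounted DIR: true if DIR is a mount point (field 5 of mountinfo).
is_mounted() {
    awk -v d="$1" '$5 == d { f = 1 } END { exit !f }' \
        /proc/self/mountinfo 2>/dev/null
}

# mount_once DIR MOUNT-ARGS...: mount only if DIR is not already a mount
# point, so a restart of the service does not stack a second mount on top.
mount_once() {
    dir=$1
    shift
    if is_mounted "$dir"; then
        return 0
    fi
    mkdir -p "$dir"
    "$MOUNT" "$@" "$dir"
}

# jail_prepare ROOT: populate the jail. Runs as root in the host namespace
# (RootDirectoryStartOnly=/PermissionsStartOnly=), so validate ROOT first:
# binding /usr over /usr, or over a relative path, must never happen.
jail_prepare() {
    root=${1:-}
    case "$root" in
        ""|/) echo "jail_prepare: refusing to use '$root' as a jail" >&2; return 1 ;;
        /*)   ;;
        *)    echo "jail_prepare: jail path must be absolute: $root" >&2; return 1 ;;
    esac
    [ -d "$root" ] || { echo "jail_prepare: not a directory: $root" >&2; return 1; }

    # Kernel pseudo-filesystems. nosuid,nodev,noexec is free hardening here:
    # nothing under /proc or /sys is ever executed or used as a device node.
    mount_once "$root/proc" -t proc  -o nosuid,nodev,noexec proc
    mount_once "$root/sys"  -t sysfs -o nosuid,nodev,noexec,ro sysfs

    # Binaries and configuration: bind, then remount read-only. The remount is
    # a separate call because a plain `-o bind,ro` is not honoured everywhere.
    # A missing source directory makes mount(8) fail, which under set -e
    # aborts the helper and therefore the unit start: that is intended.
    for d in $JAIL_BIND; do
        mount_once "$root$d" --bind "$d"
        "$MOUNT" -o remount,bind,ro,nosuid,nodev "$root$d"
    done
}

# jail_unit ROOT: print the unit the thread describes. ExecStartPre= runs
# as root outside the jail; ExecStart= runs chrooted and as User=.
jail_unit() {
    cat <<EOF
[Unit]
Description=mydaemon in a chroot jail (assumed service name)

[Service]
RootDirectory=$1
RootDirectoryStartOnly=true
PermissionsStartOnly=true
User=mydaemon
ExecStartPre=/usr/local/sbin/jail-prepare $1
ExecStart=/usr/sbin/mydaemon
EOF
}

# When installed as /usr/local/sbin/jail-prepare, act on the jail path given
# by ExecStartPre=. Sourced under another name, only the functions are defined.
case "${0##*/}" in
    jail-prepare) jail_prepare "${1:-}" ;;
esac
```

Install the script as /usr/local/sbin/jail-prepare and write `jail_unit /srv/jail` to /etc/systemd/system/mydaemon.service. Two caveats a practitioner should keep in mind. First, chroot is not a privilege boundary: a process that is root inside the jail, with /proc mounted, has several well-known ways back out, so User= in the unit is doing the real work and the jail only limits what an unprivileged service can see. Second, this reply predates the options that later made the ExecStartPre= dance unnecessary: since systemd 231 an ExecStartPre= line can be prefixed with `+` to run with full privileges instead of using PermissionsStartOnly=, and since systemd 233 `MountAPIVFS=yes` mounts /proc, /sys and /dev inside RootDirectory= while `BindReadOnlyPaths=` and `BindPaths=` bind host directories into it, with no helper script at all.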