[systemd-devel] PrivateNetwork=true conflicts with Type=notify

Lennart Poettering lennart at poettering.net
Wed Sep 11 04:49:33 PDT 2013


On Tue, 10.09.13 19:04, Pierre Schmitz (pierre at archlinux.de) wrote:

heya,

> when trying to disable network access to the PHP-FPM service I noticed
> that the service was no longer able to call back to systemd using
> Type=notify. Systemd then kills the service when reaching the timeout.
> It seems this could be a limitation by design in which case we might
> want to warn the user when attempting such a setup.

Uh, ah. Interesting. So we could actually do something about this, but
it would break things elsewhere...

So, the notification socket could either be an abstract namespace
AF_UNIX socket, or an AF_UNIX socket in the file system. If it is in the
file system, then it becomes unavailable as soon as the daemon
chroot()s. If it is in the abstract namespace it becomes unavailable as
soon as CLONE_NEWNET/PrivateNetworking=yes is used.

Due to the chroot() situation we changed a couple of times forth and
back between fs/abstract in the past (most recently
29252e9e5bad3b0bcfc45d9bc761aee4b0ece1da).

I am not sure what is the better choice here... We could of course have
two sockets, one in the fs and one in the abstract namespace, and then
pass the right one to the process depending on the setting of
PrivateNetworking=... But that would not work as soon as the daemon then
also decides to chroot()/RootDirectory= is used...

Tricky problem... I am a bit out of ideas. Anyone?

> On a side note: The private network systemd sets up for such services
> enables IPv6 even if this is disabled on the host using
> net.ipv6.conf.all.disable_ipv6=1. I cannot think of a scenario where
> this leads to trouble though.

Oh, that's interesting. This sounds like a kernel bug, as
net.ipv6.conf.all.disable_ipv6 doesn't really exist separately in the
child namespace... And if it does then it should inherit the parent's
default. Either way, something to fix. Can you report to kernel bz, plz?

Lennart

-- 
Lennart Poettering - Red Hat, Inc.


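The two socket flavours Lennart describes above, shown in an added C example that is not part of this thread and not systemd's own code: a minimal sd_notify(3)-style sender and receiver (following the documented NOTIFY_SOCKET convention that a leading '@' selects the Linux abstract namespace), plus a probe that sends READY=1 from a child after either chroot() (the RootDirectory= case) or a fresh network namespace via CLONE_NEWNET (the PrivateNetwork= case). The probe does its isolation inside a new user namespace so it can run unprivileged; it assumes Linux, and if the sandbox refuses unprivileged user namespaces it reports that instead of a result. Function names, socket paths and the constructed status strings are the example's own.

```c
/* Added example, not systemd code: sd_notify()-style wire protocol plus a probe
 * showing which notification-socket flavour survives chroot() and CLONE_NEWNET. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/wait.h>

/* Build a sockaddr_un from a NOTIFY_SOCKET-style string. A leading '@' means
 * the abstract namespace (sun_path starts with NUL, no inode on disk, scoped to
 * the network namespace); anything else is a filesystem path (scoped to what
 * the sender can see after chroot). Returns the address length, or -1. */
static int notify_addr(const char *path, struct sockaddr_un *sa)
{
    size_t n = strlen(path);
    if (n == 0 || n >= sizeof sa->sun_path) { errno = EINVAL; return -1; }
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, n);
    if (path[0] != '@')
        return (int)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    sa->sun_path[0] = '\0';               /* abstract: length excludes a trailing NUL */
    return (int)(offsetof(struct sockaddr_un, sun_path) + n);
}

/* Manager side: bind the datagram socket services will report to. */
int notify_bind(const char *notify_socket)
{
    struct sockaddr_un sa;
    int len = notify_addr(notify_socket, &sa);
    if (len < 0) return -1;
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    if (notify_socket[0] != '@') unlink(notify_socket);   /* drop a stale socket file */
    if (bind(fd, (struct sockaddr *)&sa, (socklen_t)len) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Service side: one datagram, as sd_notify() sends. Returns 0 or the errno. */
int notify_send(const char *notify_socket, const char *state)
{
    struct sockaddr_un sa;
    int len = notify_addr(notify_socket, &sa);
    if (len < 0) return errno;
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return errno;
    ssize_t r = sendto(fd, state, strlen(state), MSG_NOSIGNAL,
                       (struct sockaddr *)&sa, (socklen_t)len);
    int e = r < 0 ? errno : 0;
    close(fd);
    return e;
}

/* Manager side: non-blocking read of one notification; 1 if a line is READY=1. */
int notify_recv_ready(int fd)
{
    char buf[256];
    ssize_t n = recv(fd, buf, sizeof buf - 1, MSG_DONTWAIT);
    if (n < 0) return 0;
    buf[n] = '\0';
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n"))
        if (strcmp(line, "READY=1") == 0) return 1;
    return 0;
}

/* Send READY=1 from a child that first isolates itself: newroot != NULL means
 * chroot(newroot) (RootDirectory=), newnet != 0 means a new network namespace
 * (PrivateNetwork=). Both happen inside a new user namespace so this works
 * unprivileged. Returns -1 if the isolation step was refused (nothing to learn
 * here), 0 if the datagram went out, otherwise the errno the sender saw. */
int probe_send_after(const char *notify_socket, const char *newroot, int newnet)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | (newnet ? CLONE_NEWNET : 0)) < 0) _exit(255);
        if (newroot && (chroot(newroot) < 0 || chdir("/") < 0)) _exit(255);
        _exit(notify_send(notify_socket, "READY=1") & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

static const char *describe(int r)
{
    return r == 0 ? "delivered" : r == -1 ? "isolation refused here" : strerror(r);
}

int main(void)
{
    const char *fs = "/tmp/notify-demo-sock", *ab = "@notify-demo-sock";
    const char *root = "/tmp/notify-demo-root";     /* empty dir: socket file is not visible inside */
    mkdir(root, 0700);
    int fsfd = notify_bind(fs), abfd = notify_bind(ab);
    if (fsfd < 0 || abfd < 0) { perror("bind"); return 1; }
    printf("fs socket,  PrivateNetwork: %s\n", describe(probe_send_after(fs, NULL, 1)));
    printf("abs socket, PrivateNetwork: %s\n", describe(probe_send_after(ab, NULL, 1)));
    printf("fs socket,  RootDirectory:  %s\n", describe(probe_send_after(fs, root, 0)));
    printf("abs socket, RootDirectory:  %s\n", describe(probe_send_after(ab, root, 0)));
    close(fsfd); close(abfd); unlink(fs); rmdir(root);
    return 0;
}
```

Where the probe is allowed to run, the filesystem socket is reachable from the new network namespace but not from inside the chroot (ENOENT), and the abstract socket is the mirror image: fine under chroot, ECONNREFUSED from the new network namespace. That is the trade-off the message above describes, and why passing "the right one" only helps until a service uses both RootDirectory= and PrivateNetwork=.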