[systemd-devel] Users and system namespaces

Ben Boeckel mathstuf at gmail.com
Thu Jan 23 10:54:05 PST 2014


Hi,

As I mused on LWN[1] recently, I was wondering whether it was possible
to have user units be able to hook into namespaces (namely the
PrivateNetwork= and PrivateTmp= from systemd.exec(5) and more if other
namespacing options are added in the future).

I'm assuming that it is not possible now to use JoinsNamespaceOf= (from
systemd.unit(5)) across such boundaries since I see no way to limit which
users may do so.

The specific use case I'm looking to fulfill is to be able to set up VPN
for use for only specific service files (particularly user unit files).

My idea for how to implement it is to use a vpn.target directory to
collect everything, then the following unit files:

vpn-namespace.service:
    PrivateNetwork=true
vpn-setup@.service:
    After=vpn-namespace.service
    Before=vpn.service
    ExecStart=/usr/local/bin/setup-vpn-ns %i $NS_TO_SETUP
vpn.service:
    JoinsNamespaceOf=vpn-namespace.service

The setup-vpn-ns script would create new interfaces to bridge over the
%i interface and clone the routing tables into it. I don't know how I
would get the name of the namespace set up in vpn-namespace.service
though (maybe something which does:

    systemctl set-environment VPN_NS=$( find-ns /proc/self/net )

in ExecStartPost= of vpn-namespace.service?).

It would be nice if, as a user, I could then start a service as a user
which JoinsNamespaceOf=system:vpn-namespace.service and
Wants=system:vpn.target (failing if it isn't already running) to create
user services which use the VPN rather than the default network setup
(my idea is to start a tmux server for this, but I guess something like
a custom Firefox profile instance could also be used).

What is needed (based on what I didn't see in the docs; probably not
exhaustive either):

  - ability for a system service to expose what namespace it just
    created (to avoid the set-environment hackery above);
  - a directive to list users and groups allowed to enter into
    namespaces created in a unit (something like
    "ExposeNamespaceToUsers=group:vpn,wheel" maybe?); and
  - a way for a systemd --user to get namespace file descriptors from
    PID 1.

Thoughts?

Thanks,

--Ben

[1]https://lwn.net/Articles/582046/
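Added example (not part of Ben's message or of systemd itself), addressing the "how do I get the name of the namespace" question: Linux exposes every process's network namespace as the symlink /proc/PID/ns/net, whose target reads "net:[inode]" and is identical for all processes sharing that namespace, so a unit's namespace can be identified from its main PID and a joining service can be checked against it. The unit name vpn-namespace.service and the `systemctl show -p MainPID --value` invocation are assumptions.

```shell
#!/bin/sh
# Added example: identify and compare network namespaces via /proc/<pid>/ns/net.
# The kernel reports the namespace as a symlink target "net:[<inode>]"; two
# processes share a network namespace exactly when those strings are equal.

# Print the network namespace identifier of a PID (default: the caller).
netns_of() {
    pid="${1:-self}"
    [ -e "/proc/$pid/ns/net" ] || return 1
    readlink "/proc/$pid/ns/net"
}

# Succeed (status 0) if two PIDs live in the same network namespace.
same_netns() {
    a=$(netns_of "$1") || return 1
    b=$(netns_of "$2") || return 1
    [ "$a" = "$b" ]
}

# Network namespace of a systemd unit, taken from its main PID.
# Assumed unit name; `systemctl show --value` needs systemd >= 230.
unit_netns() {
    unit="${1:-vpn-namespace.service}"
    pid=$(systemctl show -p MainPID --value "$unit") || return 1
    [ "$pid" -gt 0 ] 2>/dev/null || return 1
    netns_of "$pid"
}

# Defensive check: a PID that should be confined to the VPN namespace must
# NOT share the initial namespace, which is the one PID 1 runs in.
in_private_netns() {
    ! same_netns "$1" 1
}
```

A vpn.service could run `same_netns $$ "$(systemctl show -p MainPID --value vpn-namespace.service)"` in an ExecStartPre= to fail fast if it did not actually land in the private namespace.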

