[systemd-devel] Users and system namespaces

Ben Boeckel mathstuf at gmail.com
Thu Jan 23 11:51:18 PST 2014


On Thu, Jan 23, 2014 at 11:43:52 -0800, David Timothy Strauss wrote:
> To join a namespace, you'll need a file descriptor for the namespace
> so you can run setns() [1]. It's possible to share a file descriptor
> by keeping it open while forking (which is how socket activation
> works) or passing it over a Unix domain socket [2].

Yeah, I'm aware; I was more interested in whether systemd would be
something I could have do it for me (using the declarative syntax)
rather than having a service sit around just for one fd to hand out[1].
I think some general ability to bring different services into namespaces
which get set up by another unit would be worthwhile in the long run, but
I only really have a use case for network sharing[2].

Thanks,

--Ben

[1]Plus, it'd probably be doing things with either D-Bus and PolicyKit
or an AF_UNIX socket with manual credential checking, and that sounds like
a lot of stuff to code up just to hand out one fd when requested.
[2]I guess adding services to containers would be another, but you
already have a PID 1 in those anyways (the system/user boundary is the
sticking point here).
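The mechanism David describes in the quoted message (get a file descriptor for a namespace, hand it to another process over a Unix domain socket, then setns() into it) is shown below as an added C example; it is not code from either poster or from systemd. It opens the caller's own /proc/self/ns/net, sends the fd across a socketpair(AF_UNIX) standing in for the socket between two services, checks with fstat() that the received fd names the same nsfs inode, and then attempts setns(). The helper names are this example's own. Joining a network namespace needs CAP_SYS_ADMIN, so unprivileged runs report EPERM from setns() while the fd transfer itself still succeeds; a real hand-out service would additionally check the peer with SO_PEERCRED before sending, which is the "manual credential checking" the footnote refers to.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Send one fd over a Unix domain socket as SCM_RIGHTS ancillary data.
   Returns 0 on success, -1 on failure. */
static int send_fd(int sock, int fd)
{
    char byte = 'n';  /* SCM_RIGHTS needs at least one byte of real payload */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd sent with send_fd(); returns the new fd or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    if (!cmsg || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS
        || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Two fds refer to the same namespace when they share st_dev and st_ino;
   this is the same comparison tools make on /proc/PID/ns/* entries. */
static int same_inode(int a, int b)
{
    struct stat sa, sb;
    if (fstat(a, &sa) < 0 || fstat(b, &sb) < 0)
        return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Open `path`, pass the fd over an AF_UNIX socketpair (hypothetical stand-in
   for the socket between two services), and return the received fd only if
   it refers to the same inode as the original. Returns -1 on any failure. */
int pass_fd_over_unix_socket(const char *path)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int orig = open(path, O_RDONLY | O_CLOEXEC), received = -1;
    if (orig >= 0 && send_fd(sv[0], orig) == 0)
        received = recv_fd(sv[1]);
    if (received >= 0 && !same_inode(orig, received)) {
        close(received);
        received = -1;
    }
    if (orig >= 0) close(orig);
    close(sv[0]);
    close(sv[1]);
    return received;
}

int main(void)
{
    int ns = pass_fd_over_unix_socket("/proc/self/ns/net");
    if (ns < 0) {
        fprintf(stderr, "passing the netns fd failed: %s\n", strerror(errno));
        return 1;
    }
    /* Joining needs CAP_SYS_ADMIN in both the current and target namespaces. */
    if (setns(ns, CLONE_NEWNET) == 0)
        puts("joined network namespace via received fd");
    else
        fprintf(stderr, "fd transferred, but setns failed: %s\n", strerror(errno));
    close(ns);
    return 0;
}
```

Run as root (or with CAP_SYS_ADMIN) to see setns() succeed; as a normal user the fd still arrives intact and the kernel refuses the join, which is exactly the boundary the message is worried about when a system-level unit and a user-level service need to share a namespace.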

