[systemd-devel] Question for Private* options in systemd.exec

Richard Maw richard.maw at codethink.co.uk
Tue Nov 24 04:57:59 PST 2015


On Tue, Nov 24, 2015 at 09:13:47AM +0000, Sungbae Yoo wrote:
> Hi,
> 
> I want to use namespaces in systemd services,
> so I'm trying to use Private* (such as PrivateNetwork, PrivateTmp) options.
> 
> But, I wonder that there are no PrivateIPC, PrivateUTS, and PrivateUser.

Typically this is because they are only useful for whole system containers,
rather than service or application containment.

What services are you running that you want to be able to isolate this with?

> How can the service has its own private ipc/uts/user namespace by just using systemd.exec options?

It can only do so by using systemd-nspawn,
which generally assumes that you are providing a separate rootfs too.

> Is there any reason why PrivateIPC/UTS/User options don't exist?

Part of it will be nobody needing them before.

Generally those containment options are only useful for full containers,
which `systemd-nspawn` handles.

Private users have another problem on top,
since there is no way to do a UID shift without modifying the filesystem,
so it is only really manageable for full system containers.

> If there is no reason, Can I make some patches to add these options?

I can't speak for whether they would be accepted,
but a compelling reason for why you need them may help.


More information about the systemd-devel mailing list