[systemd-devel] Question for Private* options in systemd.exec

Sungbae Yoo sungbae.yoo at samsung.com
Tue Nov 24 23:58:15 PST 2015


> Typically this is because they are only useful for whole system containers,
> rather than service or application containment.
> 
> What services are you running that you want to be able to isolate this with?

I want a sandbox which doesn't allow communication between inside and outside.
At least the IPC namespace is useful for this kind of sandbox.

> It can only do so by using systemd-nspawn,
> which generally assumes that you are providing a separate rootfs too.

I don't want a full system container.

> Private users have another problem on top,
> since there is no way to do a UID shift without modifying the filesystem,
> so it is only really manageable for full system containers.

You're right. Honestly, I didn't think about how to apply the user namespace.
The user namespace scenario will be very complicated.

> I can't speak for whether they would be accepted,
> but a compelling reason for why you need them may help.

I'll write this in a reply mail to Lennart. Please refer to it.


Best regards,
Sungbae Yoo

