[systemd-devel] Question for Private* options in systemd.exec
Sungbae Yoo
sungbae.yoo at samsung.com
Tue Nov 24 23:58:15 PST 2015
> Typically this is because they are only useful for whole system containers,
> rather than service or application containment.
>
> What services are you running that you want to be able to isolate this with?
I want a sandbox which doesn't allow communication between inside and outside.
At least the IPC namespace is useful for this kind of sandbox.
> It can only do so by using systemd-nspawn,
> which generally assumes that you are providing a separate rootfs too.
I don't want a full system container.
> Private users have another problem on top,
> since there is no way to do a UID shift without modifying the filesystem,
> so it is only really manageable for full system containers.
You're right. Honestly, I didn't think about how to apply the user namespace.
The user namespace scenario will be very complicated.
> I can't speak for whether they would be accepted,
> but a compelling reason for why you need them may help.
I'll write this in a reply mail to Lennart. Please refer to it.
Best regards,
Sungbae Yoo