[systemd-devel] bind-mount of /run/systemd for chrooted bind9/named

Marc Haber mh+systemd-devel at zugschlus.de
Mon Jul 3 18:52:10 UTC 2023


Hi,

this is a user-level question from someone who wants to make use of
systemd but has not quite grown the gut feeling about which way is the
right way to go.

I am running bind 9 on more than a handful of systems providing name
services as recursive and/or authoritative name servers. As has been
recommended for two decades, I run bind in a chroot, using its own
feature to chroot itself after starting up (-t /path/to/chroot).

In Debian bookworm, the systemd units that come with Debian's bind9
package have recently changed from Type=simple to Type=notify.

Combined with named -t, this means that systemd will never notice that
the name daemon has correctly started up unless systemd's notify socket
is also reachable in the chroot. This in turn means that bind is
continuously restarted by systemd. As a quick fix, I issue mount --bind
/run/systemd /path/to/chroot/run/systemd manually.

I am currently wondering which is the preferred way to achieve this
more cleanly:

(1) go fully systemd
That would mean to get rid of bind's -t option completely but use
systemd's RootDirectory directive instead. I have not tried this but I
think that the bind community might be reluctant to support a setup like
that. As an advantage, I could use the BindReadOnlyPaths directive to
directly manage the necessary bind mount to make the notify socket
accessible.

(2) try to preserve the classic setup
That would probably mean having a
/etc/systemd/system/var-local-bind-run-systemd.mount with the contents:
| [Mount]
| What=/run/systemd
| Where=/var/local/bind/run/systemd
| Type=none
| Options=bind
| 
| [Install]
| WantedBy=bind9.service
and adding a RequiresMountsFor=/var/local/bind/run/systemd to the
bind9.service.

This works as intended when I start up bind9, but when stopping the name
daemon, the bind mount still lingers around. I have not fully understood
the necessary systemd magic to have var-local-bind-run-systemd.mount
stopped whenever bind9.service stops. How would I do that?

How would you solve this issue? Method (1), Method (2), or one that I
didn't think of yet?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
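Added example (not from the original post, and not Debian's or ISC's own unit
files): the piece of systemd that makes the lingering mount go away with the
service is stop propagation in the mount unit's [Unit] section. PartOf=
means that when systemd stops or restarts the listed unit, the action is
propagated to this one, so stopping bind9.service also stops the mount.
RequiresMountsFor= on the service side still pulls the mount in and orders
it before named starts. The chroot path /var/local/bind is the one from the
post; the drop-in file name chroot-notify.conf is an assumption.

```ini
# /etc/systemd/system/var-local-bind-run-systemd.mount
# Added example, not from the original post. Bind-mounts /run/systemd into
# the named chroot so that named, after "-t /var/local/bind", can still reach
# the socket systemd names in $NOTIFY_SOCKET (/run/systemd/notify) and send
# READY=1. Unit name must match Where= (systemd-escape --path /var/local/bind/run/systemd).
[Unit]
Description=Bind mount of /run/systemd into the bind9 chroot
# Stop/restart propagation: stopping or restarting bind9.service stops or
# restarts this mount as well, so it no longer lingers after "systemctl stop".
PartOf=bind9.service

[Mount]
What=/run/systemd
Where=/var/local/bind/run/systemd
Type=none
Options=bind
# Caveat: this exposes the whole /run/systemd directory to the chroot, not
# only the notify socket; check what else lives there on your systems.

[Install]
WantedBy=bind9.service

# /etc/systemd/system/bind9.service.d/chroot-notify.conf   (file name assumed)
# Drop-in for the packaged unit: Requires= plus After= on the mount unit
# above, so named never starts with the socket missing from the chroot.
[Unit]
RequiresMountsFor=/var/local/bind/run/systemd
```

Usage: create the mount point once with mkdir -p /var/local/bind/run/systemd,
then systemctl daemon-reload and systemctl restart bind9.service. After
systemctl stop bind9.service, findmnt /var/local/bind/run/systemd should print
nothing; with the original unit (no PartOf=) it still shows the bind mount.
Note the direction of the two dependencies: Requires= from the service to
the mount means an unexpected umount of the chroot path also stops named,
which is what you want, since it could no longer talk to systemd anyway.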

