[systemd-devel] namespace problem

Thomas Köller thomas at koeller.dyndns.org
Thu Jul 18 12:43:34 UTC 2024


On 18.07.24 at 14:04, Mantas Mikulėnas wrote:
> Yes, but namespace persistence actually relies on filesystem access – 
> it's implemented as a bind-mount of the namespace file descriptor (onto 
> /run/netns for the 'ip netns' tool), as otherwise namespaces only exist 
> as long as processes that hold them.
> 
> So if you have any service options that cause a new *mount* namespace to 
> be created (preventing its filesystem mounts from being visible outside 
> the unit), then it cannot pin persistent network namespaces.

Quoting the manual page:
        ProtectSystem=
            Takes a boolean argument or the special values "full" or
            "strict". If true, mounts the /usr/ and the boot loader directories
            (/boot and /efi) read-only for processes invoked by this unit. If set
            to "full", the /etc/ directory is mounted read-only, too.

No mention of /var or /run. Also, note that the bind mounts in 
/var/run/netns and /run/netns are actually created by 'ip netns add', 
they just aren't usable.
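A small check, added here as an illustration and not part of the thread or of systemd/iproute2: it parses a /proc/<pid>/mountinfo dump for the nsfs bind mounts that 'ip netns add' creates under /run/netns, and compares the mount-namespace inode of two processes, which is how one can tell whether a unit's sandboxing has put it in a private mount namespace where those pins are not visible. The mountinfo text below is constructed sample data; the /proc readers assume a Linux host.

```python
"""Check whether 'ip netns' bind mounts are visible to a process (added example)."""
import os
import re

# Both paths the thread mentions; /var/run is normally a symlink to /run.
NETNS_DIRS = ("/run/netns", "/var/run/netns")
# Form of a namespace link target, e.g. "net:[4026532345]" or "mnt:[4026531840]".
_NS_LINK = re.compile(r"^(?P<kind>\w+):\[(?P<inode>\d+)\]$")


def parse_netns_mounts(mountinfo_text):
    """Return {name: netns inode} for nsfs mounts under the netns directories.

    mountinfo lines look like:
      id parent major:minor root mount_point opts [optional...] - fstype source superopts
    For a pinned network namespace, root is "net:[<inode>]" and fstype is "nsfs".
    """
    found = {}
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        pre, post = line.split(" - ", 1)
        pre_fields, post_fields = pre.split(), post.split()
        if len(pre_fields) < 5 or not post_fields:
            continue
        root, mount_point, fstype = pre_fields[3], pre_fields[4], post_fields[0]
        m = _NS_LINK.match(root)
        if fstype != "nsfs" or not m or m.group("kind") != "net":
            continue
        if not any(mount_point.startswith(d + "/") for d in NETNS_DIRS):
            continue
        found[os.path.basename(mount_point)] = int(m.group("inode"))
    return found


def ns_inode(link_target):
    """Extract the inode from a /proc/<pid>/ns/* link target such as 'mnt:[4026531840]'."""
    m = _NS_LINK.match(link_target)
    if not m:
        raise ValueError(f"not a namespace link target: {link_target!r}")
    return int(m.group("inode"))


def shares_mount_ns(pid_a, pid_b):
    """True if both processes live in the same mount namespace (needs ptrace access to both)."""
    return ns_inode(os.readlink(f"/proc/{pid_a}/ns/mnt")) == ns_inode(os.readlink(f"/proc/{pid_b}/ns/mnt"))


def visible_netns(pid):
    """Persistent network namespaces visible from the given process's mount namespace."""
    with open(f"/proc/{pid}/mountinfo") as f:
        return parse_netns_mounts(f.read())


# Constructed sample: two pinned netns plus an unrelated nsfs mount that must be ignored.
SAMPLE_MOUNTINFO = """\
24 30 0:22 / /run rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,size=1634320k
57 24 0:4 net:[4026532345] /run/netns/vpn0 rw - nsfs nsfs rw
58 24 0:4 net:[4026532401] /run/netns/dmz rw shared:40 - nsfs nsfs rw
59 30 0:4 mnt:[4026531841] /tmp/mntns-hold rw - nsfs nsfs rw
"""
```

Comparing visible_netns(1) with visible_netns(<service pid>) shows directly whether the unit's mount namespace carries the pins created outside it.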


More information about the systemd-devel mailing list