[systemd-devel] namespace problem

Andrei Borzenkov arvidjaar at gmail.com
Thu Jul 18 13:02:42 UTC 2024


On Thu, Jul 18, 2024 at 4:00 PM Thomas Köller <thomas at koeller.dyndns.org> wrote:
>
> On 18.07.24 at 14:04, Mantas Mikulėnas wrote:
> > Yes, but namespace persistence actually relies on filesystem access –
> > it's implemented as a bind-mount of the namespace file descriptor (onto
> > /run/netns for the 'ip netns' tool), as otherwise namespaces only exist
> > as long as processes that hold them.
> >
> > So if you have any service options that cause a new *mount* namespace to
> > be created (preventing its filesystem mounts from being visible outside
> > the unit), then it cannot pin persistent network namespaces.
>
> Quoting the manual page:
>         ProtectSystem=
>             Takes a boolean argument or the special values "full" or
>             "strict". If true, mounts the /usr/ and the boot loader
>             directories (/boot and /efi) read-only for processes invoked
>             by this unit. If set to "full", the /etc/ directory is
>             mounted read-only, too.
>
> No mention of /var or /run. Also, note that the bind mounts in
> /var/run/netns and /run/netns are actually created by 'ip netns add',
> they just aren't usable.

The problem is not which path is made read-only. The problem is, it
requires a new mount namespace and new mounts created by "ip netns" in
this namespace are not propagated back to the main namespace and are
not visible there.
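
The propagation point made in this reply can be checked from mountinfo data. The following is an added diagnostic example, not part of the original message and not systemd or iproute2 code: it compares the peer group of the mount covering /run/netns as seen by the service and by the host. The function names and both sample mountinfo excerpts are constructed for illustration, and the script assumes that a matching `shared:` peer group on the covering mount is what lets new mounts travel back.

```python
import os

def covering_mount(path, mountinfo_text):
    """Return (mount_point, tags) for the mount that holds `path`.

    `tags` maps the optional mountinfo fields, e.g. {"shared": "5"} or
    {"master": "5"}; an empty dict means a private mount.
    """
    path = os.path.normpath(path)
    best = None
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields[6:]:
            continue  # not a well-formed mountinfo line
        sep = fields.index("-", 6)  # optional fields sit between index 6 and "-"
        mount_point = fields[4]
        prefix = mount_point.rstrip("/") + "/"
        if path != mount_point and not path.startswith(prefix):
            continue
        tags = dict(t.split(":", 1) for t in fields[6:sep] if ":" in t)
        # Longest mount point wins; on a tie the later (topmost) mount wins.
        if best is None or len(mount_point) >= len(best[0]):
            best = (mount_point, tags)
    return best

def propagates_to_host(path, unit_mountinfo, host_mountinfo):
    """True if a mount created under `path` in the unit would appear on the host.

    That requires the unit's covering mount to be a member of the same shared
    peer group as the host's. A slave mount (master:N) only receives events.
    """
    unit = covering_mount(path, unit_mountinfo)
    host = covering_mount(path, host_mountinfo)
    if unit is None or host is None:
        return False
    group = unit[1].get("shared")
    return group is not None and group == host[1].get("shared")

# Constructed sample: host view, /run is shared in peer group 5.
HOST = """\
24 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
27 24 0:25 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
"""
# Constructed sample: view from a unit running in its own mount namespace,
# where the same mounts are slaves of the host's peer groups.
UNIT = """\
310 290 8:2 / / ro,relatime master:1 - ext4 /dev/sda2 rw
315 310 0:25 / /run rw,nosuid,nodev master:5 - tmpfs tmpfs rw,mode=755
"""

if __name__ == "__main__":
    print(propagates_to_host("/run/netns/test", UNIT, HOST))
```

On a live system the two inputs would be the contents of /proc/<service PID>/mountinfo and /proc/1/mountinfo, read as root.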

