[systemd-devel] BindReadOnlyPaths statement in service file behaves unexpectedly

Thomas Köller thomas at koeller.dyndns.org
Thu Jul 18 14:37:49 UTC 2024


In a service file I am creating I use the BindReadOnlyPaths statement 
like this:


root at htpc:~# cat /etc/systemd/system/vpn.service
[Unit]
Before = systemd-networkd.service
After = network-setup.service
Requisite = network-setup.service
ConditionPathExists = /run/systemd/network/50-tap_vpn.network

[Service]
Type = exec
TemporaryFileSystem = /etc
BindReadOnlyPaths = /etc/ssh
BindReadOnlyPaths = /etc/wpa_supplicant
BindReadOnlyPaths = /etc/dhcp
BindReadOnlyPaths = /etc/passwd
BindReadOnlyPaths = /etc/hosts
BindReadOnlyPaths = /etc/nsswitch.conf
NetworkNamespacePath = /run/netns/vpnlink
ExecStart = sh -c 'wpa_supplicant -B -i wlan_usb -c /etc/wpa_supplicant/wpa_supplicant.conf; \
             dhclient -4 wlan_usb; \
             ssh -4 -i ~/.ssh/config-vpn -P vpn sarkovy'

[Install]
WantedBy = multi-user.target


The man page for systemd.exec states:

        BindPaths=, BindReadOnlyPaths=
            Configures unit-specific bind mounts. A bind mount makes a particular file or
            directory available at an additional place in the unit's view of the file system...

However, while the bind mounts for directories seem to work, those for 
individual files do not. I get complaints about systemd being unable to 
create the required mount points:

root at htpc:~# systemctl status vpn.service | cat
× vpn.service
      Loaded: loaded (/etc/systemd/system/vpn.service; enabled; preset: disabled)
     Drop-In: /usr/lib/systemd/system/service.d
              └─10-timeout-abort.conf
      Active: failed (Result: exit-code) since Thu 2024-07-18 16:21:25 CEST; 27s ago
     Process: 1597 ExecStart=sh -c wpa_supplicant -B -i wlan_usb -c /etc/wpa_supplicant/wpa_supplicant.conf;              dhclient -4 wlan_usb;              ssh -4 -i ~/.ssh/config-vpn -P vpn sarkovy (code=exited, status=226/NAMESPACE)
    Main PID: 1597 (code=exited, status=226/NAMESPACE)
         CPU: 10ms

Jul 18 16:21:25 htpc systemd[1]: Starting vpn.service...
Jul 18 16:21:25 htpc (sh)[1597]: Failed to create destination mount point node '/run/systemd/mount-rootfs/etc/hosts', ignoring: Permission denied
Jul 18 16:21:25 htpc (sh)[1597]: Failed to mount /etc/hosts to /run/systemd/mount-rootfs/etc/hosts: No such file or directory
Jul 18 16:21:25 htpc (sh)[1597]: vpn.service: Failed to set up mount namespacing: /etc/hosts: No such file or directory
Jul 18 16:21:25 htpc systemd[1]: vpn.service: Main process exited, code=exited, status=226/NAMESPACE
Jul 18 16:21:25 htpc systemd[1]: vpn.service: Failed with result 'exit-code'.
Jul 18 16:21:25 htpc systemd[1]: Failed to start vpn.service.

Is there anything I am doing wrong?
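As an added example (not part of the post, and not systemd's own code), the following Python lint reads a unit the way systemd reads list settings (repeated BindReadOnlyPaths= lines accumulate, an empty assignment resets the list, spaces around '=' are ignored, a trailing backslash continues the line) and reports which read-only binds land inside a TemporaryFileSystem= path as file binds rather than directory binds, which is the distinction the failing unit above turns on. The unit text is a constructed sample modelled on the one in the post, and the `is_dir` hook is an assumption that lets the check run without the poster's filesystem.

```python
import os

# Constructed sample modelled on the unit in the post (not the poster's file on disk).
UNIT_TEXT = """\
[Service]
TemporaryFileSystem = /etc
BindReadOnlyPaths = /etc/ssh
BindReadOnlyPaths = /etc/passwd \\
                    -/etc/optional.conf
BindReadOnlyPaths = /etc/hosts:/etc/hosts:norbind
"""

def parse_unit(text):
    """{section: {key: [values]}}: list keys accumulate over repeated lines, an empty
    assignment resets them, spaces around '=' are ignored, trailing '\\' continues."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):            # line continuation
            pending = line[:-1] + " "
            continue
        pending, line = "", line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        values = sections.setdefault(section, {}).setdefault(key.strip(), [])
        if value.strip():
            values.extend(value.split())
        else:                              # empty assignment resets the list
            values.clear()
    return sections

def bind_entry(item):
    """Expand 'src[:dest[:options]]'; a leading '-' means ignore a missing source."""
    parts = item.lstrip("-").split(":")
    dest = parts[1] if len(parts) > 1 and parts[1] else parts[0]
    return parts[0], dest, parts[2] if len(parts) > 2 else "", item.startswith("-")

def binds_under_tmpfs(text, is_dir=os.path.isdir):
    """Classify each read-only bind whose destination lies inside a TemporaryFileSystem=
    path as a directory or a file bind; the latter needs a file node created in the tmpfs."""
    svc = parse_unit(text).get("Service", {})
    roots = [v.split(":")[0].rstrip("/") for v in svc.get("TemporaryFileSystem", [])]
    return [(dest, "directory" if is_dir(src) else "file", opts, ignore)
            for src, dest, opts, ignore in map(bind_entry, svc.get("BindReadOnlyPaths", []))
            if any(dest == r or dest.startswith(r + "/") for r in roots)]
```

Run it against a real unit with the default `is_dir` to see which binds the tmpfs must receive as file nodes; entries carrying the `-` prefix are the only ones systemd will skip when the source is absent.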

