[systemd-devel] Private network namespace and /etc/resolv.conf

serenissi serenissi at inventati.org
Wed Sep 18 04:08:40 UTC 2024


man systemd.exec:

    PrivateMounts=
    Takes a boolean parameter.
    When turned on, this executes three operations for each invoked
    process: a new CLONE_NEWNS namespace is created, after which all
    existing mounts are remounted to MS_SLAVE to disable propagation
    from the unit's processes to the host (but leaving propagation in
    the opposite direction in effect). Finally, the mounts are remounted
    again to the propagation mode configured with MountFlags=, see below.

    *File system namespaces are set up individually for each process
    forked off by the service manager. Mounts established in the
    namespace of the process created by ExecStartPre= will hence be
    cleaned up automatically as soon as that process exits and will not
    be available to subsequent processes forked off for ExecStart= (and
    similar applies to the various other commands configured for units).
    *Similarly, JoinsNamespaceOf= does not permit sharing kernel mount
    namespaces between units, it only enables sharing of the /tmp/ and
    /var/tmp/ directories.

    Other file system namespace unit settings — PrivateTmp=,
    PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyPaths=,
    InaccessiblePaths=, ReadWritePaths=, BindPaths=, BindReadOnlyPaths=,
    … — also enable file system namespacing in a fashion equivalent to
    this option. Hence it is primarily useful to explicitly request this
    behaviour if none of the other settings are used.

    This option is only available for system services, or for services
    running in per-user instances of the service manager in which case
    PrivateUsers= is implicitly enabled (requires unprivileged user
    namespaces support to be enabled in the kernel via the
    "kernel.unprivileged_userns_clone=" sysctl).


And TemporaryFileSystem implies PrivateMounts ofc.


On 9/14/24 17:06, Thomas Köller wrote:
> I am writing a service that does the following:
>
> 1. Uses 'NetworkNamespacePath = /var/run/netns/vpnlink'
>
> 2. Uses 'TemporaryFileSystem = %E' to create its own /etc
>
> 3. Runs the 'dhclient' command to configure a network interface
>
> The dhclient command is supposed to create (or modify) 
> /etc/resolv.conf, but it does not:
>
> Sep 14 13:18:53 yoga dhclient[10128]: DHCPACK of 10.33.56.46 from 
> 10.33.63.254 (xid=0xa148446c)
> Sep 14 13:18:53 yoga dhclient[10159]: DHCP action:
> Sep 14 13:18:53 yoga dhclient[10159]:   Reason = BOUND, interface = 
> wlan_builtin, media type = *unset*
> Sep 14 13:18:53 yoga dhclient[10159]:   new address = 10.33.56.46, old 
> address = *unset*, requested address = *unset*
> Sep 14 13:18:55 yoga dhclient[10128]: bound to 10.33.56.46 -- renewal 
> in 1602 seconds.
> Sep 14 13:18:55 yoga cat[10191]: cat: /etc/resolv.conf: No such file 
> or directory
>
> The lines generating the above output are:
>
> ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
> ExecStartPre = cat /etc/resolv.conf
>
> In an attempt at diagnosing the problem, I changed the dhclient 
> command to a simple 'echo':
>
> #ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
> ExecStartPre = sh -c 'echo \'test\' >%E/resolv.conf'
> ExecStartPre = cat %E/resolv.conf
>
> Again, the file is not created, although the echo command executes 
> without error.
>
>     Process: 10980 ExecStartPre=sh -c echo 'test' >/etc/resolv.conf 
> (code=exited, status=0/SUCCESS)
>     Process: 10981 ExecStartPre=cat /etc/resolv.conf (code=exited, 
> status=1/FAILURE)
>
> I suspect the file /etc/resolv.conf is somehow treated as special, is 
> this correct? The interface I am trying to set up lives in the 
> 'vpnlink' network namespace and must do so. What are my options?
>
>
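The per-process mount namespace described in the quoted man page text is exactly what defeats the original poster's pair of ExecStartPre= lines: with TemporaryFileSystem=/etc every Exec*= process gets its own fresh, empty tmpfs on /etc, and that tmpfs is torn down when the process exits. The unit below is an added illustration, not from either poster and not a unit shipped by systemd; it shows the failing two-process pattern beside a variant that runs the DHCP step and the consumer inside one process so they share a single mount namespace. The unit name, the Environment= values, the BindReadOnlyPaths= entry and /usr/local/bin/vpn-main are placeholders chosen for the example.

```ini
# vpn-dhcp@.service (constructed example, not from the thread)
[Unit]
Description=DHCP for %i inside the vpnlink network namespace

[Service]
# Placeholder paths; the original post passes these as ${PID} and ${LEASES}.
Environment=PID=/run/vpn-dhcp-%i.pid LEASES=/var/lib/vpn-dhcp-%i.leases
NetworkNamespacePath=/var/run/netns/vpnlink
# Implies PrivateMounts=: each Exec*= process gets its own mount namespace
# and its own empty tmpfs on /etc, discarded when that process exits.
TemporaryFileSystem=/etc
# Anything under /etc that the programs still need has to be bound back in
# explicitly (assumption: dhclient reads its config from /etc/dhcp here).
BindReadOnlyPaths=/etc/dhcp

# Broken: dhclient writes /etc/resolv.conf in process A's namespace; that
# tmpfs disappears when A exits, so process B starts with an empty /etc
# and "cat" fails with "No such file or directory".
#ExecStartPre=dhclient -4 -pf ${PID} -lf ${LEASES} %i
#ExecStartPre=cat /etc/resolv.conf

# Working: a single Exec*= process (and its children) runs dhclient and
# then the consumer, so the resolv.conf dhclient wrote is still mounted
# when /usr/local/bin/vpn-main (placeholder) starts.
ExecStart=/bin/sh -c 'dhclient -4 -pf ${PID} -lf ${LEASES} %i && cat /etc/resolv.conf && exec /usr/local/bin/vpn-main'
```

A quick way to confirm the namespace behaviour without editing units is a transient service, e.g. `systemd-run --wait -p TemporaryFileSystem=/etc sh -c 'echo nameserver 10.0.0.1 >/etc/resolv.conf; cat /etc/resolv.conf'`: inside one process the write and the read succeed, while splitting them across two ExecStartPre= lines reproduces the failure from the original post.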