[systemd-devel] Private network namespace and /etc/resolv.conf

Thomas Köller thomas at koeller.dyndns.org
Wed Sep 18 09:10:42 UTC 2024 

Thank you very much for pointing this out! The systemd man pages are 
quite a large body of text, and it isn't always obvious where to look 
when confronted with a particular problem, so I missed that.

Am 18.09.24 um 06:08 schrieb serenissi:
> man systemd.exec:
> 
>     PrivateMounts=
>     Takes a boolean parameter.
>     When turned on, this executes three operations for each invoked
>     process: a new CLONE_NEWNS namespace is created, after which all
>     existing mounts are remounted to MS_SLAVE to disable propagation
>     from the unit's processes to the host (but leaving propagation in
>     the opposite direction in effect). Finally, the mounts are remounted
>     again to the propagation mode configured with MountFlags=, see below.
> 
>     *File system namespaces are set up individually for each process
>     forked off by the service manager. Mounts established in the
>     namespace of the process created by ExecStartPre= will hence be
>     cleaned up automatically as soon as that process exits and will not
>     be available to subsequent processes forked off for ExecStart= (and
>     similar applies to the various other commands configured for units).
>     *Similarly, JoinsNamespaceOf= does not permit sharing kernel mount
>     namespaces between units, it only enables sharing of the /tmp/ and /
>     var/tmp/ directories.
> 
>     Other file system namespace unit settings — PrivateTmp=,
>     PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyPaths=,
>     InaccessiblePaths=, ReadWritePaths=, BindPaths=, BindReadOnlyPaths=,
>     … — also enable file system namespacing in a fashion equivalent to
>     this option. Hence it is primarily useful to explicitly request this
>     behaviour if none of the other settings are used.
> 
>     This option is only available for system services, or for services
>     running in per-user instances of the service manager in which case
>     PrivateUsers= is implicitly enabled (requires unprivileged user
>     namespaces support to be enabled in the kernel via the
>     "kernel.unprivileged_userns_clone=" sysctl).
> 
> 
> And TemporaryFileSystem implies PrivateMounts ofc.
> 
> 
> On 9/14/24 17:06, Thomas Köller wrote:
>> I am writing a service that does the following:
>>
>> 1. Uses 'NetworkNamespacePath = /var/run/netns/vpnlink'
>>
>> 2. Uses 'TemporaryFileSystem = %E' to create it's own /etc
>>
>> 3. Runs the 'dhclient' command to configure a network interface
>>
>> The dhclient command is supposed to create (or modifiy) /etc/ 
>> resolv.conf, but it does not:
>>
>> Sep 14 13:18:53 yoga dhclient[10128]: DHCPACK of 10.33.56.46 from 
>> 10.33.63.254 (xid=0xa148446c)
>> Sep 14 13:18:53 yoga dhclient[10159]: DHCP action:
>> Sep 14 13:18:53 yoga dhclient[10159]:   Reason = BOUND, interface = 
>> wlan_builtin, media type = *unset*
>> Sep 14 13:18:53 yoga dhclient[10159]:   new address = 10.33.56.46, old 
>> address = *unset*, requested address = *unset*
>> Sep 14 13:18:55 yoga dhclient[10128]: bound to 10.33.56.46 -- renewal 
>> in 1602 seconds.
>> Sep 14 13:18:55 yoga cat[10191]: cat: /etc/resolv.conf: No such file 
>> or directory
>>
>> The lines generating the above output are:
>>
>> ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
>> ExecStartPre = cat /etc/resolv.conf
>>
>> In an attempt at diagnosing the problem, I changed the dhclient 
>> command to a simple 'echo':
>>
>> #ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
>> ExecStartPre = sh -c 'echo \'test\' >%E/resolv.conf'
>> ExecStartPre = cat %E/resolv.conf
>>
>> Again, the file is not created, although the echo command executes 
>> without error.
>>
>>     Process: 10980 ExecStartPre=sh -c echo 'test' >/etc/resolv.conf 
>> (code=exited, status=0/SUCCESS)
>>     Process: 10981 ExecStartPre=cat /etc/resolv.conf (code=exited, 
>> status=1/FAILURE)
>>
>> I suspect the file /etc/resolv.conf is somehow treated as special, is 
>> this correct? The interface I am trying to set up lives in the 
>> 'vpnlink' network namespace and must do so. What are my options?
>>
>>

-- 
Thomas Köller
Solitüder Bogen 18
24944 Flensburg
Mobil +49 176 48154684

More information about the systemd-devel mailing list