[systemd-devel] Add filesystem paths to InaccessiblePaths globally for some paths ?
Mantas Mikulėnas
grawity at gmail.com
Tue Feb 11 16:03:13 UTC 2025
On Tue, Feb 11, 2025 at 5:53 PM Steve Traylen <steve.traylen at cern.ch> wrote:
>
> Units like "systemd-resolved.service" contain with good reason:
> "ProtectSystem=strict"
>
> This of course bind mounts mounted filesystems into the unit's userspace.
>
> "strict" is
>
> "If set to "strict" the entire file system hierarchy is mounted
> read-only, except for the API file system subtrees /dev/, /proc/ and /sys/"
>
> Can these filesystems /dev, /proc, /sys be extended globally somewhere?
>
AFAIK, extending this list would only mean those filesystems get
bind-mounted RW, not that they don't get bind-mounted at all.
> There is the perfectly good: "InaccessiblePaths=-/cvmfs" which does a
> great job of not mounting /cvmfs into the name space but alas this
> is a per unit setting of course AFAIK.
>
> Motivation here is that when "funny" filesystems (think /afs, /cvmfsm,
> ... /eos ) go "bad" for whatever reason this can stop "reload
> systemd-resolved.service" being restarted as remount is bad. I've not
> tried but can maybe reproduce with something more standard like a stale
> /nfs.
>
> Any way to set a default for InaccessiblePaths= or equivalent to stop
> these FSs ever being bind mounted in.
>
I was about to suggest that configs in "-.service.d/" would apply to all
service units (as extension from the recently added
"someprefix-.service.d/" feature). But of course not all services live in a
mount namespace, and not all of them *want* to live in a mount namespace...
and I don't think there is a way to define InaccessiblePaths= only for
those which already have namespacing active in some way.
--
Mantas Mikulėnas
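The per-unit approach the thread settles on, as an added example that is not from either poster: a drop-in under /etc/systemd/system/<unit>.d/ carrying InaccessiblePaths= for the network filesystems, plus the reload and check steps. The unit name and the paths /cvmfs, /afs and /eos are assumptions taken from the discussion; install_dropin and show_effective need root on a systemd host.

```shell
#!/bin/sh
# Added example (not from the thread). Keeps network/"funny" filesystems out
# of one sandboxed service's mount namespace via a per-unit drop-in.

# Emit the drop-in body. Each path gets a leading "-", which makes systemd
# ignore it when it does not exist on this host, so one fragment can be
# shipped to every machine regardless of which of these mounts it has.
render_dropin() {
    list=""
    for p in "$@"; do
        list="${list:+$list }-$p"
    done
    printf '[Service]\nInaccessiblePaths=%s\n' "$list"
}

# Write the fragment into /etc/systemd/system/<unit>.d/ and reload units.
# Assumed file name 10-inaccessible.conf; any *.conf name in that directory works.
install_dropin() {
    unit=$1
    shift
    dir="/etc/systemd/system/${unit}.d"
    mkdir -p "$dir"
    render_dropin "$@" > "$dir/10-inaccessible.conf"
    systemctl daemon-reload
}

# Confirm the merged unit now carries the paths before restarting the service.
show_effective() {
    systemctl show -p InaccessiblePaths "$1"
}

# Example invocation on a systemd host (assumed unit and paths):
#   install_dropin systemd-resolved.service /cvmfs /afs /eos
#   show_effective systemd-resolved.service
```

Because the setting is per unit, the same drop-in has to be repeated for every namespaced service that should stay independent of those mounts.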