<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
man systemd.exec:<br>
<blockquote>
<p>PrivateMounts=<br>
Takes a boolean parameter.<br>
When turned on, this executes three operations for each invoked
process: a new CLONE_NEWNS namespace is created, after which all
existing mounts are remounted to MS_SLAVE to disable propagation
from the unit's processes to the host (but leaving propagation
in the opposite direction in effect). Finally, the mounts are
remounted again to the propagation mode configured with
MountFlags=, see below.<br>
<br>
<b>File system namespaces are set up individually for each
process forked off by the service manager. Mounts established
in the namespace of the process created by ExecStartPre= will
hence be cleaned up automatically as soon as that process
exits and will not be available to subsequent processes forked
off for ExecStart= (and similar applies to the various other
commands configured for units). </b>Similarly,
JoinsNamespaceOf= does not permit sharing kernel mount
namespaces between units, it only enables sharing of the /tmp/
and /var/tmp/ directories.<br>
<br>
Other file system namespace unit settings — PrivateTmp=,
PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyPaths=,
InaccessiblePaths=, ReadWritePaths=, BindPaths=,
BindReadOnlyPaths=, … — also enable file system namespacing in a
fashion equivalent to this option. Hence it is primarily useful
to explicitly request this behaviour if none of the other
settings are used.<br>
<br>
This option is only available for system services, or for
services running in per-user instances of the service manager in
which case PrivateUsers= is implicitly enabled (requires
unprivileged user namespaces support to be enabled in the kernel
via the "kernel.unprivileged_userns_clone=" sysctl).</p>
</blockquote>
<p><br>
</p>
<p>And TemporaryFileSystem implies PrivateMounts ofc.<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 9/14/24 17:06, Thomas Köller wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20bcbbab-ab85-45ef-827b-f5d856ae8d23@koeller.dyndns.org">I
am writing a service that does the following:
<br>
<br>
1. Uses 'NetworkNamespacePath = /var/run/netns/vpnlink'
<br>
<br>
2. Uses 'TemporaryFileSystem = %E' to create it's own /etc
<br>
<br>
3. Runs the 'dhclient' command to configure a network interface
<br>
<br>
The dhclient command is supposed to create (or modifiy)
/etc/resolv.conf, but it does not:
<br>
<br>
Sep 14 13:18:53 yoga dhclient[10128]: DHCPACK of 10.33.56.46 from
10.33.63.254 (xid=0xa148446c)
<br>
Sep 14 13:18:53 yoga dhclient[10159]: DHCP action:
<br>
Sep 14 13:18:53 yoga dhclient[10159]: Reason = BOUND, interface
= wlan_builtin, media type = *unset*
<br>
Sep 14 13:18:53 yoga dhclient[10159]: new address = 10.33.56.46,
old address = *unset*, requested address = *unset*
<br>
Sep 14 13:18:55 yoga dhclient[10128]: bound to 10.33.56.46 --
renewal in 1602 seconds.
<br>
Sep 14 13:18:55 yoga cat[10191]: cat: /etc/resolv.conf: No such
file or directory
<br>
<br>
The lines generating the above output are:
<br>
<br>
ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
<br>
ExecStartPre = cat /etc/resolv.conf
<br>
<br>
In an attempt at diagnosing the problem, I changed the dhclient
command to a simple 'echo':
<br>
<br>
#ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
<br>
ExecStartPre = sh -c 'echo \'test\' >%E/resolv.conf'
<br>
ExecStartPre = cat %E/resolv.conf
<br>
<br>
Again, the file is not created, although the echo command executes
without error.
<br>
<br>
Process: 10980 ExecStartPre=sh -c echo 'test'
>/etc/resolv.conf (code=exited, status=0/SUCCESS)
<br>
Process: 10981 ExecStartPre=cat /etc/resolv.conf (code=exited,
status=1/FAILURE)
<br>
<br>
I suspect the file /etc/resolv.conf is somehow treated as special,
is this correct? The interface I am trying to set up lives in the
'vpnlink' network namespace and must do so. What are my options?
<br>
<br>
<br>
</blockquote>
</body>
</html>