Re: Portable service binding a system port

Hi,

Lennart, thanks a lot for your time and answer.

> On 31 March 2020 at 15:19, Lennart Poettering <lennart@xxxxxxxxxxxxxx> wrote:
> 
> Ideally unbound would support socket activation, so that PID 1 can
> bind the socket and pass it in pre-bound.

Noted. I’ll give this a try as an exercise and see how it goes :)


> PrivateUsers=yes means userns, and only processes that have
> CAP_NET_BIND_SERVICE in the host user ns can bind on ports <
> 1024. PrivateUsers= user namespace do not have that, and hence cannot
> bind the port on the host.

Is this documented somewhere?
Am I missing something obvious here? :D


> Portable service profiles are best combined with socket activation to
> limit the privileged surface…

Mmh. Maybe systemd-nspawn would better suit my needs then. I’ll have a look at it again.


Anyway, thanks again for your help, explanations and advice.

-- 
François

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
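As an added illustration of the socket-activation approach Lennart suggests above (not part of the thread, and not unbound's or systemd's own unit files): a socket unit that has PID 1 bind port 53, and a service unit that receives the already-bound descriptors while running under PrivateUsers=yes. Because the bind() happens in PID 1, which holds CAP_NET_BIND_SERVICE in the host user namespace, the service itself needs no capability at all and the user-namespace restriction described above no longer matters. The unit names and paths are illustrative, and the example assumes the daemon picks up the passed descriptors via the LISTEN_FDS/LISTEN_PID protocol (sd_listen_fds()) instead of calling bind() itself; unbound would need support for that, which is exactly the gap Lennart points out.

```ini
# unbound.socket -- illustrative example, not shipped by unbound or systemd.
# PID 1 binds the privileged port here, so the service never has to.
[Unit]
Description=Pre-bound DNS sockets for unbound (example)

[Socket]
# DNS needs both transports; bind both on port 53 in PID 1.
ListenDatagram=53
ListenStream=53
# One [::] socket per transport serving IPv4 and IPv6.
BindIPv6Only=both
# Unit that receives the descriptors as fd 3, 4, ... on start.
Service=unbound.service

[Install]
WantedBy=sockets.target

# unbound.service -- illustrative example.
[Unit]
Description=Unbound DNS resolver (socket-activated example)
Requires=unbound.socket
After=unbound.socket

[Service]
# Assumption: the daemon reads LISTEN_FDS/LISTEN_PID (sd_listen_fds())
# and uses the inherited sockets rather than calling bind() on port 53.
# -d keeps unbound in the foreground so systemd supervises it directly.
ExecStart=/usr/sbin/unbound -d
DynamicUser=yes
# User namespace: the service holds no capabilities in the host user ns,
# so a bind() on a port < 1024 would fail with EACCES; it is not needed.
PrivateUsers=yes
# Drop every capability; the pre-bound sockets are all the privilege required.
CapabilityBoundingSet=
NoNewPrivileges=yes
# DNS over IPv4/IPv6 plus the notify socket; nothing else.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
```

Enable the socket unit rather than the service (systemctl enable --now unbound.socket): the service is then started on the first packet, or by the socket unit at boot if the service is also enabled. If the daemon does not implement the LISTEN_FDS protocol it will ignore fd 3 and 4 and try to bind() itself, failing under PrivateUsers=yes exactly as described in the quoted reply, so checking for that support in the daemon comes before any unit work.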



