Re: bind-mount of /run/systemd for chrooted bind9/named

Hi Lennart,

On Mon, Jul 10, 2023 at 10:28:52AM +0200, Lennart Poettering wrote:
> On So, 09.07.23 20:14, Marc Haber (mh+systemd-devel@xxxxxxxxxxxx) wrote:
> 
> > > It should suffice bind mounting just the notify socket, not the full
> > > dir.
> >
> > Is it intended behavior that an empty file is left at the "mount point"
> > (what Where= points to) after the unit was stopped?
> 
> We need an inode we can overmount, and given that this is in /run/
> (hence inherently ephemeral) and a fixed path it shouldn't matter.

So this is intended. Good to know. I stumbled upon that.

> > If I set ProtectHome=yes, how do I give the user that bind runs as
> > access to its homedir? Is ReadWritePaths= the solution?
> 
> ProtectHome= is about /home/ only, i.e. regular ("human") users, not
> about system users (i.e. uid < 1K). Your bind should *not* run as
> regular user, but as a system user of course, hence ProtectHome= is
> something you can just set, and don't need to be concerned about the
> system user's home dir.

In Debian, bind runs as user bind, which gets created as a system user
(uid < 1K, yes), and with /var/cache/bind as its home directory, which
is the directory where, for example, slave zone files get written to.
So, the running process needs to be able to access its "home directory"
during its operation even after dropping root.

> > [Mount]
> > What=/run/systemd
> > Where=/var/local/chroot/bind/run/systemd
> > Type=none
> > Options=bind
> 
> Note that /run/ should always be a tmpfs, hence unless you mount a
> tmpfs to /var/local/chroot/bind/run/ first, the above is a bit ugly.
> 
> Instead of this .mount unit, consider using in the .service file:
> 
>     TemporaryFileSystem=/var/local/chroot/bind/run
>     BindPaths=/run/systemd/notify:/var/local/chroot/bind/run/systemd/notify

Ah, of course. I obviously didn't read the BindPaths= documentation
thoroughly enough. That is of course way better. Thanks for helping me
to read the docs.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
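The suggestion in the quoted reply, written out as a complete service drop-in. This is an added example, not configuration from the mailing-list post or from the Debian bind9 package; it assumes the unit is called named.service, that the daemon is chrooted under /var/local/chroot/bind (the path used in the thread) and that it is started with Type=notify, and the drop-in file name is an arbitrary choice.

```ini
# /etc/systemd/system/named.service.d/chroot-notify.conf
# Added example; assumes named.service, a chroot at /var/local/chroot/bind
# and Type=notify (the daemon talks to $NOTIFY_SOCKET = /run/systemd/notify,
# which inside the chroot resolves to the bind-mounted path below).

[Service]
# Replaces the .mount unit from the thread that bind-mounted all of
# /run/systemd into the chroot: a private tmpfs for the chroot's /run, so
# nothing else from the host's /run/ is exposed and nothing persists after
# the service stops.
TemporaryFileSystem=/var/local/chroot/bind/run

# Bind-mount only the notify socket, not the whole directory. systemd creates
# an empty inode at the destination to overmount; that inode is the empty
# file that remains at the mount point after the unit is stopped.
BindPaths=/run/systemd/notify:/var/local/chroot/bind/run/systemd/notify

# ProtectHome= hides /home/, /root/ and /run/user/ only. The home directory
# of the 'bind' system user, /var/cache/bind, is not covered by it, so no
# ReadWritePaths= entry is needed for it on account of ProtectHome=.
# (ReadWritePaths= becomes necessary only if ProtectSystem=strict is also set.)
ProtectHome=yes
```

After `systemctl daemon-reload` and a restart, `findmnt -R /var/local/chroot/bind/run` should show exactly two entries: the tmpfs at the chroot's /run and the single bind mount of the notify socket beneath it. The tmpfs is set up before the nested bind mount because systemd orders namespace mounts by path prefix, so the drop-in does not need a separate .mount unit or any ordering dependency.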
