On 18.07.24 at 14:04, Mantas Mikulėnas wrote:
Yes, but namespace persistence actually relies on filesystem access –
it's implemented as a bind-mount of the namespace file descriptor (onto
/run/netns for the 'ip netns' tool), as otherwise namespaces only exist
as long as processes that hold them.
So if you have any service options that cause a new *mount* namespace to
be created (preventing its filesystem mounts from being visible outside
the unit), then it cannot pin persistent network namespaces.
Quoting the manual page:
ProtectSystem=
Takes a boolean argument or the special values "full" or
"strict". If true, mounts the /usr/ and the boot loader directories
(/boot and /efi) read-only for processes invoked by this unit. If set
to "full", the /etc/ directory is mounted read-only, too.
No mention of /var or /run. Also, note that the bind mounts in
/var/run/netns and /run/netns are actually created by 'ip netns add',
they just aren't usable.
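To make the mount-namespace point concrete, here is an added example (not from the thread, and not from the systemd or iproute2 projects) of a hypothetical unit, netns-setup.service, that tries to pin a persistent network namespace with 'ip netns add'. The unit name, the namespace name 'lab' and the binary path are assumptions. The first variant uses ProtectSystem=, which, like ProtectHome=, PrivateTmp=, PrivateMounts=, ReadOnlyPaths= and friends, puts the service into its own mount namespace; the second drops all such options so the bind mount under /run/netns is visible to the rest of the system.

```ini
# Added example, not code from the original message. Unit name, namespace
# name 'lab' and the path to ip are assumptions.
#
# --- Variant 1: broken. ProtectSystem= gives the service a private mount
# namespace, so the bind mount that 'ip netns add' creates under /run/netns
# (the network namespace fd pinned to /run/netns/lab) exists only inside the
# unit. ExecStart= succeeds, but 'ip netns list' run outside the unit shows
# nothing, and the namespace vanishes when the service's processes exit.
[Unit]
Description=Pin network namespace 'lab' (mount-namespaced, does NOT persist)

[Service]
Type=oneshot
RemainAfterExit=yes
ProtectSystem=strict
ReadWritePaths=/run/netns
ExecStart=/usr/sbin/ip netns add lab
ExecStop=/usr/sbin/ip netns delete lab

# --- Variant 2: works. No option that implies a mount namespace is set
# (no ProtectSystem=, ProtectHome=, PrivateTmp=, PrivateDevices=,
# PrivateMounts=, ReadOnlyPaths=/ReadWritePaths=/InaccessiblePaths=,
# BindPaths=, TemporaryFileSystem=, RootDirectory=, ...), so the bind mount
# lands in the host mount namespace and /run/netns/lab stays usable after
# the unit's processes are gone. Hardening that does not touch mounts,
# such as NoNewPrivileges=, can still be applied.
[Unit]
Description=Pin network namespace 'lab' (persists system-wide)

[Service]
Type=oneshot
RemainAfterExit=yes
NoNewPrivileges=yes
ExecStart=/usr/sbin/ip netns add lab
ExecStop=/usr/sbin/ip netns delete lab
```

The check is simple: after starting the unit, run 'ip netns list' (or 'findmnt /run/netns') from a normal shell. With variant 1 the entry is missing even though the unit reported success; with variant 2 it is present. If a unit must keep mount-related sandboxing for other reasons, the namespace has to be created by a separate unit without those options, since the hidden bind mount cannot be exported from a private mount namespace after the fact.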