Re: namespace problem


 



On Thu, Jul 18, 2024 at 4:00 PM Thomas Köller <thomas@xxxxxxxxxxxxxxxxxx> wrote:
>
> On 18.07.24 at 14:04, Mantas Mikulėnas wrote:
> > Yes, but namespace persistence actually relies on filesystem access –
> > it's implemented as a bind-mount of the namespace file descriptor (onto
> > /run/netns for the 'ip netns' tool), as otherwise namespaces only exist
> > as long as processes that hold them.
> >
> > So if you have any service options that cause a new *mount* namespace to
> > be created (preventing its filesystem mounts from being visible outside
> > the unit), then it cannot pin persistent network namespaces.
>
> Quoting the manual page:
>         ProtectSystem=
>             Takes a boolean argument or the special values "full" or
>             "strict". If true, mounts the /usr/ and the boot loader
>             directories (/boot and /efi) read-only for processes invoked
>             by this unit. If set to "full", the /etc/ directory is
>             mounted read-only, too.
>
> No mention of /var or /run. Also, note that the bind mounts in
> /var/run/netns and /run/netns are actually created by 'ip netns add',
> they just aren't usable.

The problem is not which path is made read-only. The problem is, it
requires a new mount namespace and new mounts created by "ip netns" in
this namespace are not propagated back to the main namespace and are
not visible there.
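An added check, not part of the thread, that makes the point concrete: 'ip netns add' pins a namespace as an nsfs bind mount under /run/netns, so a unit running in its own mount namespace sees a /run/netns without that mount. The two mountinfo excerpts and the namespace name "blue" are constructed for the example; on a live system feed it /proc/<pid>/mountinfo of PID 1 and of the service's main process.

```shell
#!/bin/sh
# Constructed excerpts in /proc/<pid>/mountinfo format (not real captures).
# Host view: the nsfs bind mount created by 'ip netns add blue' is present.
HOST_MOUNTINFO='22 1 0:21 / /run rw,nosuid,nodev - tmpfs tmpfs rw
95 22 0:4 net:[4026532345] /run/netns/blue rw - nsfs nsfs rw'
# Service view under a private mount namespace (e.g. ProtectSystem=): /run
# and /run/netns exist, but no nsfs mount is visible, so "blue" is unusable.
SVC_MOUNTINFO='22 1 0:21 / /run rw,nosuid,nodev - tmpfs tmpfs rw
60 22 0:21 /netns /run/netns rw - tmpfs tmpfs rw'

# netns_mounts MOUNTINFO: print the names of network namespaces pinned under
# /run/netns, i.e. mounts of type nsfs whose mount point is /run/netns/<name>.
netns_mounts() {
    printf '%s\n' "$1" | awk '
        {
            # Fields: id parent maj:min root mountpoint opts [optional...] - fstype src superopts
            sep = 0
            for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
            if (sep > 0 && $(sep + 1) == "nsfs" && $5 ~ /^\/run\/netns\//) {
                sub(/^\/run\/netns\//, "", $5)
                print $5
            }
        }'
}

# netns_visible_in NAME MOUNTINFO: succeed if NAME is pinned in that view.
netns_visible_in() {
    netns_mounts "$2" | grep -qx "$1"
}

# same_mount_ns PID1 PID2: succeed if both processes share one mount namespace
# (compare this against PID 1 to spot a unit that got its own namespace).
same_mount_ns() {
    [ "$(readlink /proc/"$1"/ns/mnt)" = "$(readlink /proc/"$2"/ns/mnt)" ]
}

# Demonstration on the constructed data.
printf 'host view pins: %s\n' "$(netns_mounts "$HOST_MOUNTINFO")"
printf 'service view pins: %s\n' "$(netns_mounts "$SVC_MOUNTINFO")"
```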



