Re: BindReadOnlyPaths statement in service file behaves unexpectedly

[Thomas Köller <thomas@xxxxxxxxxxxxxxxxxx>]

On 18.07.24 16:37, Thomas Köller wrote:
> In a service file I am creating I use the BindReadOnlyPaths statement 
> like this:
>
>
> root@htpc:~# cat /etc/systemd/system/vpn.service
> [Unit]
> Before = systemd-networkd.service
> After = network-setup.service
> Requisite = network-setup.service
> ConditionPathExists = /run/systemd/network/50-tap_vpn.network
>
> [Service]
> Type = exec
> TemporaryFileSystem = /etc
> BindReadOnlyPaths = /etc/ssh
> BindReadOnlyPaths = /etc/wpa_supplicant
> BindReadOnlyPaths = /etc/dhcp
> BindReadOnlyPaths = /etc/passwd
> BindReadOnlyPaths = /etc/hosts
> BindReadOnlyPaths = /etc/nsswitch.conf
> NetworkNamespacePath = /run/netns/vpnlink
> ExecStart = sh -c 'wpa_supplicant -B -i wlan_usb -c 
> /etc/wpa_supplicant/wpa_supplicant.conf; \
>             dhclient -4 wlan_usb; \
>             ssh -4 -i ~/.ssh/config-vpn -P vpn sarkovy'
>
> [Install]
> WantedBy = multi-user.target
>
>
> The man page for systemd.exec states:
>
>        BindPaths=, BindReadOnlyPaths=
>            Configures unit-specific bind mounts. A bind mount makes a 
> particular file or directory available at an additional place in the 
> unit's view of the file system...
>
> However, while the bind mounts for directories seem to work, those for 
> individual files do not. I get complaints about systemd being unable 
> to create the required mount points:
>
> root@htpc:~# systemctl status vpn.service | cat
> × vpn.service
>      Loaded: loaded (/etc/systemd/system/vpn.service; enabled; preset: 
> disabled)
>     Drop-In: /usr/lib/systemd/system/service.d
>              └─10-timeout-abort.conf
>      Active: failed (Result: exit-code) since Thu 2024-07-18 16:21:25 
> CEST; 27s ago
>     Process: 1597 ExecStart=sh -c wpa_supplicant -B -i wlan_usb -c 
> /etc/wpa_supplicant/wpa_supplicant.conf;              dhclient -4 
> wlan_usb;              ssh -4 -i ~/.ssh/config-vpn -P vpn sarkovy 
> (code=exited, status=226/NAMESPACE)
>    Main PID: 1597 (code=exited, status=226/NAMESPACE)
>         CPU: 10ms
>
> Jul 18 16:21:25 htpc systemd[1]: Starting vpn.service...
> Jul 18 16:21:25 htpc (sh)[1597]: Failed to create destination mount 
> point node '/run/systemd/mount-rootfs/etc/hosts', ignoring: Permission 
> denied
> Jul 18 16:21:25 htpc (sh)[1597]: Failed to mount /etc/hosts to 
> /run/systemd/mount-rootfs/etc/hosts: No such file or directory
> Jul 18 16:21:25 htpc (sh)[1597]: vpn.service: Failed to set up mount 
> namespacing: /etc/hosts: No such file or directory
> Jul 18 16:21:25 htpc systemd[1]: vpn.service: Main process exited, 
> code=exited, status=226/NAMESPACE
> Jul 18 16:21:25 htpc systemd[1]: vpn.service: Failed with result 
> 'exit-code'.
> Jul 18 16:21:25 htpc systemd[1]: Failed to start vpn.service.
>
> Is there anyting I am doing wrong?


I now found that the problem only occurs with /etc/hosts, not with any 
other file, Inside the processe's namspaces, there is no /etc/hosts at all:

root@htpc:~# pgrep ssh
2470
root@htpc:~# nsenter -at 2470 /bin/sh
sh-5.2# ls /etc
dhcp  nsswitch.conf  passwd  resolv.conf  ssh  wpa_supplicant
sh-5.2#