Re: BindReadOnlyPaths statement in service file behaves unexpectedly

On 18.07.24 16:37, Thomas Köller wrote:
In a service file I am creating I use the BindReadOnlyPaths statement like this:


root@htpc:~# cat /etc/systemd/system/vpn.service
[Unit]
Before = systemd-networkd.service
After = network-setup.service
Requisite = network-setup.service
ConditionPathExists = /run/systemd/network/50-tap_vpn.network

[Service]
Type = exec
TemporaryFileSystem = /etc
BindReadOnlyPaths = /etc/ssh
BindReadOnlyPaths = /etc/wpa_supplicant
BindReadOnlyPaths = /etc/dhcp
BindReadOnlyPaths = /etc/passwd
BindReadOnlyPaths = /etc/hosts
BindReadOnlyPaths = /etc/nsswitch.conf
NetworkNamespacePath = /run/netns/vpnlink
ExecStart = sh -c 'wpa_supplicant -B -i wlan_usb -c /etc/wpa_supplicant/wpa_supplicant.conf; \
            dhclient -4 wlan_usb; \
            ssh -4 -i ~/.ssh/config-vpn -P vpn sarkovy'

[Install]
WantedBy = multi-user.target


The man page for systemd.exec states:

       BindPaths=, BindReadOnlyPaths=
           Configures unit-specific bind mounts. A bind mount makes a particular file or directory available at an additional place in the unit's view of the file system...

However, while the bind mounts for directories seem to work, those for individual files do not. I get complaints about systemd being unable to create the required mount points:

root@htpc:~# systemctl status vpn.service | cat
× vpn.service
     Loaded: loaded (/etc/systemd/system/vpn.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Thu 2024-07-18 16:21:25 CEST; 27s ago
    Process: 1597 ExecStart=sh -c wpa_supplicant -B -i wlan_usb -c /etc/wpa_supplicant/wpa_supplicant.conf;              dhclient -4 wlan_usb;              ssh -4 -i ~/.ssh/config-vpn -P vpn sarkovy (code=exited, status=226/NAMESPACE)
   Main PID: 1597 (code=exited, status=226/NAMESPACE)
        CPU: 10ms

Jul 18 16:21:25 htpc systemd[1]: Starting vpn.service...
Jul 18 16:21:25 htpc (sh)[1597]: Failed to create destination mount point node '/run/systemd/mount-rootfs/etc/hosts', ignoring: Permission denied
Jul 18 16:21:25 htpc (sh)[1597]: Failed to mount /etc/hosts to /run/systemd/mount-rootfs/etc/hosts: No such file or directory
Jul 18 16:21:25 htpc (sh)[1597]: vpn.service: Failed to set up mount namespacing: /etc/hosts: No such file or directory
Jul 18 16:21:25 htpc systemd[1]: vpn.service: Main process exited, code=exited, status=226/NAMESPACE
Jul 18 16:21:25 htpc systemd[1]: vpn.service: Failed with result 'exit-code'.
Jul 18 16:21:25 htpc systemd[1]: Failed to start vpn.service.

Is there anything I am doing wrong?


I now found that the problem only occurs with /etc/hosts, not with any other file. Inside the process's namespaces, there is no /etc/hosts at all:

root@htpc:~# pgrep ssh
2470
root@htpc:~# nsenter -at 2470 /bin/sh
sh-5.2# ls /etc
dhcp  nsswitch.conf  passwd  resolv.conf  ssh  wpa_supplicant
sh-5.2#
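As an added example, not from Thomas's mail or from systemd itself: a POSIX shell pre-flight check that reads the BindReadOnlyPaths= entries of a unit file and reports, for each source, whether it is a directory, a regular file, a symlink (and its target) or missing. It runs against a constructed fake root (the unit file, the files below it and the symlink are made up for the demo), so it never touches the real /etc.

```shell
# classify_path ROOT PATH -> prints dir, file, symlink:<target> or missing
classify_path() {
    cp_full="$1$2"
    if [ -L "$cp_full" ]; then
        printf 'symlink:%s\n' "$(readlink "$cp_full")"
    elif [ -d "$cp_full" ]; then
        echo dir
    elif [ -f "$cp_full" ]; then
        echo file
    else
        echo missing
    fi
}

# check_unit_binds UNITFILE ROOT -> one "<source> <class>" line per entry
check_unit_binds() {
    cub_unit=$1; cub_root=$2
    # the key may have blanks around '=' and several entries per line;
    # an entry is "source[:dest[:opts]]", optionally prefixed with '-'
    sed -n 's/^[[:space:]]*BindReadOnlyPaths[[:space:]]*=[[:space:]]*//p' "$cub_unit" \
    | tr ' ' '\n' | grep -v '^$' | sed 's/^-//; s/:.*//' \
    | while read -r src; do
        printf '%s %s\n' "$src" "$(classify_path "$cub_root" "$src")"
    done
}

# make_demo -> prints a temp dir holding a constructed unit file and fake root
make_demo() {
    md_dir=$(mktemp -d)
    mkdir -p "$md_dir/root/etc/ssh"
    echo 'root:x:0:0::/root:/bin/sh' > "$md_dir/root/etc/passwd"
    ln -s /run/hosts "$md_dir/root/etc/hosts"   # symlink whose target is absent here
    cat > "$md_dir/vpn.service" <<'EOF'
[Service]
TemporaryFileSystem = /etc
BindReadOnlyPaths = /etc/ssh
BindReadOnlyPaths = /etc/passwd /etc/hosts
BindReadOnlyPaths = -/etc/nsswitch.conf
EOF
    echo "$md_dir"
}

# Stand-alone run: classify the demo unit's sources, then clean up
demo_dir=$(make_demo)
check_unit_binds "$demo_dir/vpn.service" "$demo_dir/root"
rm -rf "$demo_dir"
```

Against a real unit, `check_unit_binds /etc/systemd/system/vpn.service /` lists every source before the service is started, so a missing file or a symlink pointing outside the paths made available under TemporaryFileSystem= shows up without a failed start.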
