PrivateMounts=
Takes a boolean parameter.
When turned on, this executes three operations for each invoked process: a new CLONE_NEWNS namespace is created, after which all existing mounts are remounted to MS_SLAVE to disable propagation from the unit's processes to the host (but leaving propagation in the opposite direction in effect). Finally, the mounts are remounted again to the propagation mode configured with MountFlags=, see below.
File system namespaces are set up individually for each process forked off by the service manager. Mounts established in the namespace of the process created by ExecStartPre= will hence be cleaned up automatically as soon as that process exits and will not be available to subsequent processes forked off for ExecStart= (and similar applies to the various other commands configured for units). Similarly, JoinsNamespaceOf= does not permit sharing kernel mount namespaces between units, it only enables sharing of the /tmp/ and /var/tmp/ directories.
Other file system namespace unit settings — PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyPaths=, InaccessiblePaths=, ReadWritePaths=, BindPaths=, BindReadOnlyPaths=, … — also enable file system namespacing in a fashion equivalent to this option. Hence it is primarily useful to explicitly request this behaviour if none of the other settings are used.
This option is only available for system services, or for services running in per-user instances of the service manager in which case PrivateUsers= is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the "kernel.unprivileged_userns_clone=" sysctl).
And TemporaryFileSystem implies PrivateMounts ofc.
I am writing a service that does the following:
1. Uses 'NetworkNamespacePath = /var/run/netns/vpnlink'
2. Uses 'TemporaryFileSystem = %E' to create it's own /etc
3. Runs the 'dhclient' command to configure a network interface
The dhclient command is supposed to create (or modifiy) /etc/resolv.conf, but it does not:
Sep 14 13:18:53 yoga dhclient[10128]: DHCPACK of 10.33.56.46 from 10.33.63.254 (xid=0xa148446c)
Sep 14 13:18:53 yoga dhclient[10159]: DHCP action:
Sep 14 13:18:53 yoga dhclient[10159]: Reason = BOUND, interface = wlan_builtin, media type = *unset*
Sep 14 13:18:53 yoga dhclient[10159]: new address = 10.33.56.46, old address = *unset*, requested address = *unset*
Sep 14 13:18:55 yoga dhclient[10128]: bound to 10.33.56.46 -- renewal in 1602 seconds.
Sep 14 13:18:55 yoga cat[10191]: cat: /etc/resolv.conf: No such file or directory
The lines generating the above output are:
ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
ExecStartPre = cat /etc/resolv.conf
In an attempt at diagnosing the problem, I changed the dhclient command to a simple 'echo':
#ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
ExecStartPre = sh -c 'echo \'test\' >%E/resolv.conf'
ExecStartPre = cat %E/resolv.conf
Again, the file is not created, although the echo command executes without error.
Process: 10980 ExecStartPre=sh -c echo 'test' >/etc/resolv.conf (code=exited, status=0/SUCCESS)
Process: 10981 ExecStartPre=cat /etc/resolv.conf (code=exited, status=1/FAILURE)
I suspect the file /etc/resolv.conf is somehow treated as special, is this correct? The interface I am trying to set up lives in the 'vpnlink' network namespace and must do so. What are my options?
Attachment:
OpenPGP_0x20257A7131FFF28B.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
