Thank you very much for pointing this out! The systemd man pages are
quite a large body of text, and it isn't always obvious where to look
when confronted with a particular problem, so I missed that.
Am 18.09.24 um 06:08 schrieb serenissi:
man systemd.exec:
PrivateMounts=
Takes a boolean parameter.
When turned on, this executes three operations for each invoked
process: a new CLONE_NEWNS namespace is created, after which all
existing mounts are remounted to MS_SLAVE to disable propagation
from the unit's processes to the host (but leaving propagation in
the opposite direction in effect). Finally, the mounts are remounted
again to the propagation mode configured with MountFlags=, see below.
*File system namespaces are set up individually for each process
forked off by the service manager. Mounts established in the
namespace of the process created by ExecStartPre= will hence be
cleaned up automatically as soon as that process exits and will not
be available to subsequent processes forked off for ExecStart= (and
similar applies to the various other commands configured for units).
*Similarly, JoinsNamespaceOf= does not permit sharing kernel mount
namespaces between units, it only enables sharing of the /tmp/ and /
var/tmp/ directories.
Other file system namespace unit settings — PrivateTmp=,
PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyPaths=,
InaccessiblePaths=, ReadWritePaths=, BindPaths=, BindReadOnlyPaths=,
… — also enable file system namespacing in a fashion equivalent to
this option. Hence it is primarily useful to explicitly request this
behaviour if none of the other settings are used.
This option is only available for system services, or for services
running in per-user instances of the service manager in which case
PrivateUsers= is implicitly enabled (requires unprivileged user
namespaces support to be enabled in the kernel via the
"kernel.unprivileged_userns_clone=" sysctl).
And TemporaryFileSystem implies PrivateMounts ofc.
On 9/14/24 17:06, Thomas Köller wrote:
I am writing a service that does the following:
1. Uses 'NetworkNamespacePath = /var/run/netns/vpnlink'
2. Uses 'TemporaryFileSystem = %E' to create it's own /etc
3. Runs the 'dhclient' command to configure a network interface
The dhclient command is supposed to create (or modifiy) /etc/
resolv.conf, but it does not:
Sep 14 13:18:53 yoga dhclient[10128]: DHCPACK of 10.33.56.46 from
10.33.63.254 (xid=0xa148446c)
Sep 14 13:18:53 yoga dhclient[10159]: DHCP action:
Sep 14 13:18:53 yoga dhclient[10159]: Reason = BOUND, interface =
wlan_builtin, media type = *unset*
Sep 14 13:18:53 yoga dhclient[10159]: new address = 10.33.56.46, old
address = *unset*, requested address = *unset*
Sep 14 13:18:55 yoga dhclient[10128]: bound to 10.33.56.46 -- renewal
in 1602 seconds.
Sep 14 13:18:55 yoga cat[10191]: cat: /etc/resolv.conf: No such file
or directory
The lines generating the above output are:
ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
ExecStartPre = cat /etc/resolv.conf
In an attempt at diagnosing the problem, I changed the dhclient
command to a simple 'echo':
#ExecStartPre = dhclient -4 -pf ${PID} -lf ${LEASES} %i
ExecStartPre = sh -c 'echo \'test\' >%E/resolv.conf'
ExecStartPre = cat %E/resolv.conf
Again, the file is not created, although the echo command executes
without error.
Process: 10980 ExecStartPre=sh -c echo 'test' >/etc/resolv.conf
(code=exited, status=0/SUCCESS)
Process: 10981 ExecStartPre=cat /etc/resolv.conf (code=exited,
status=1/FAILURE)
I suspect the file /etc/resolv.conf is somehow treated as special, is
this correct? The interface I am trying to set up lives in the
'vpnlink' network namespace and must do so. What are my options?
--
Thomas Köller
Solitüder Bogen 18
24944 Flensburg
Mobil +49 176 48154684
