Re: Add filesystem paths to InaccessiblePaths globally for some paths ?

On Tue, Feb 11, 2025 at 5:53 PM Steve Traylen <steve.traylen@xxxxxxx> wrote:

> Units like "systemd-resolved.service" contain with good reason:
> "ProtectSystem=strict"
>
> This of course bind mounts mounted filesystems into the unit's userspace.
>
> "strict" is
>
> "If set to "strict" the entire file system hierarchy is mounted
> read-only, except for the API file system subtrees /dev/, /proc/ and /sys/"
>
> Can these filesystems /dev, /proc, /sys be extended globally somewhere?

AFAIK, extending this list would only mean those filesystems get bind-mounted RW, not that they don't get bind-mounted at all.

> There is the perfectly good: "InaccessiblePaths=-/cvmfs" which does a
> great job of not mounting /cvmfs into the namespace but alas this
> is a per-unit setting of course AFAIK.
>
> Motivation here is that when "funny" filesystems (think /afs, /cvmfsm,
> ... /eos) go "bad" for whatever reason this can stop "reload
> systemd-resolved.service" being restarted as remount is bad. I've not
> tried but can maybe reproduce with something more standard like a stale
> /nfs.
>
> Any way to set a default for InaccessiblePaths= or equivalent to stop
> these FSs ever being bind mounted?

I was about to suggest that configs in "-.service.d/" would apply to all service units (as extension from the recently added "someprefix-.service.d/" feature). But of course not all services live in a mount namespace, and not all of them *want* to live in a mount namespace... and I don't think there is a way to define InaccessiblePaths= only for those which already have namespacing active in some way.

--
Mantas Mikulėnas
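As an added illustration of the per-unit approach Steve describes (this is not code from either poster, only an example of the InaccessiblePaths= directive being discussed), the setting can be carried in a drop-in for systemd-resolved.service. The paths are the ones named in the thread; the drop-in file name is an assumption.

```ini
# /etc/systemd/system/systemd-resolved.service.d/10-inaccessible-netfs.conf
# Added example, not part of the thread. File name is an assumption;
# /cvmfs, /afs and /eos are the network filesystems mentioned above.
# The leading "-" tells systemd to skip a path that does not exist on this
# host instead of failing unit start-up.
[Service]
InaccessiblePaths=-/cvmfs -/afs -/eos
```

After `systemctl daemon-reload`, `systemctl show -p InaccessiblePaths systemd-resolved.service` confirms the merged value. Note that InaccessiblePaths= itself sets up a private mount namespace for the unit, so dropping the same lines into a directory that applies to every service would pull units that do not currently use namespacing into it as well, which is the concern raised in the reply above.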
