man: document NetworkNamespacePath=

This commit is contained in:
Lennart Poettering 2019-03-07 21:20:36 +01:00
parent 4ad9fb38a9
commit 4107452e51
2 changed files with 34 additions and 17 deletions

@ -1100,7 +1100,29 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
<para>Note that the implementation of this setting might be impossible (for example if network namespaces are
not available), and the unit should be written in a way that does not solely rely on this setting for
security.</para></listitem>
security.</para>
<para>When this option is used on a socket unit any sockets bound on behalf of this unit will be
bound within a private network namespace. This may be combined with
<varname>JoinsNamespaceOf=</varname> to listen on sockets inside of network namespaces of other
services.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>NetworkNamespacePath=</varname></term>
<listitem><para>Takes an absolute file system path refererring to a Linux network namespace
pseudo-file (i.e. a file like <filename>/proc/$PID/ns/net</filename> or a bind mount or symlink to
one). When set the invoked processes are added to the network namespace referenced by that path. The
path has to point to a valid namespace file at the moment the processes are forked off. If this
option is used <varname>PrivateNetwork=</varname> has no effect. If this option is used together with
<varname>JoinsNamespaceOf=</varname> then it only has an effect if this unit is started before any of
the listed units that have <varname>PrivateNetwork=</varname> or
<varname>NetworkNamespacePath=</varname> configured, as otherwise the network namespace of those
units is reused.</para>
<para>When this option is used on a socket unit any sockets bound on behalf of this unit will be
bound within the specified network namespace.</para></listitem>
</varlistentry>
<varlistentry>
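Review bot: the new NetworkNamespacePath= entry has a typo in its first sentence, "refererring" should be "referring". The entry also says the path "has to point to a valid namespace file at the moment the processes are forked off" but not what happens when it does not; since the neighbouring PrivateNetwork= text explicitly warns that the setting may be impossible to implement and should not be solely relied on for security, it would help unit authors to state here whether a missing or invalid namespace file makes the service fail to start or leaves the processes in the host network namespace, so nobody assumes isolation that is not actually in effect.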

@ -728,23 +728,18 @@
<varlistentry>
<term><varname>JoinsNamespaceOf=</varname></term>
<listitem><para>For units that start processes (such as
service units), lists one or more other units whose network
and/or temporary file namespace to join. This only applies to
unit types which support the
<varname>PrivateNetwork=</varname> and
<listitem><para>For units that start processes (such as service units), lists one or more other units
whose network and/or temporary file namespace to join. This only applies to unit types which support
the <varname>PrivateNetwork=</varname>, <varname>NetworkNamespacePath=</varname> and
<varname>PrivateTmp=</varname> directives (see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details). If a unit that has this setting set is started,
its processes will see the same <filename>/tmp</filename>,
<filename>/var/tmp</filename> and network namespace as one
listed unit that is started. If multiple listed units are
already started, it is not defined which namespace is joined.
Note that this setting only has an effect if
<varname>PrivateNetwork=</varname> and/or
<varname>PrivateTmp=</varname> is enabled for both the unit
that joins the namespace and the unit whose namespace is
joined.</para></listitem>
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details). If a unit that has this setting set is started, its processes will see the same
<filename>/tmp</filename>, <filename>/var/tmp</filename> and network namespace as one listed unit
that is started. If multiple listed units are already started, it is not defined which namespace is
joined. Note that this setting only has an effect if
<varname>PrivateNetwork=</varname>/<varname>NetworkNamespacePath=</varname> and/or
<varname>PrivateTmp=</varname> is enabled for both the unit that joins the namespace and the unit
whose namespace is joined.</para></listitem>
</varlistentry>
<varlistentry>
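Review bot: this hunk mixes a reflow of the whole JoinsNamespaceOf= paragraph with the one substantive change (adding NetworkNamespacePath= to the list of supported directives and to the closing note), which makes the actual edit hard to spot in review; consider landing the reflow separately. In the closing sentence, the slash construction `<varname>PrivateNetwork=</varname>/<varname>NetworkNamespacePath=</varname> and/or <varname>PrivateTmp=</varname>` reads awkwardly in rendered output; spelling it out as "PrivateNetwork= or NetworkNamespacePath=, and/or PrivateTmp=" would be clearer.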