man: document NetworkNamespacePath=
This commit is contained in:
Lennart Poettering
parent
4ad9fb38a9
commit
4107452e51
|
|
@ -1100,7 +1100,29 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
|
||||||
|
|
||||||
<para>Note that the implementation of this setting might be impossible (for example if network namespaces are
|
<para>Note that the implementation of this setting might be impossible (for example if network namespaces are
|
||||||
not available), and the unit should be written in a way that does not solely rely on this setting for
|
not available), and the unit should be written in a way that does not solely rely on this setting for
|
||||||
security.</para></listitem>
|
security.</para>
|
||||||
|
|
||||||
|
<para>When this option is used on a socket unit any sockets bound on behalf of this unit will be
|
||||||
|
bound within a private network namespace. This may be combined with
|
||||||
|
<varname>JoinsNamespaceOf=</varname> to listen on sockets inside of network namespaces of other
|
||||||
|
services.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><varname>NetworkNamespacePath=</varname></term>
|
||||||
|
|
||||||
|
<listitem><para>Takes an absolute file system path refererring to a Linux network namespace
|
||||||
|
pseudo-file (i.e. a file like <filename>/proc/$PID/ns/net</filename> or a bind mount or symlink to
|
||||||
|
one). When set the invoked processes are added to the network namespace referenced by that path. The
|
||||||
|
path has to point to a valid namespace file at the moment the processes are forked off. If this
|
||||||
|
option is used <varname>PrivateNetwork=</varname> has no effect. If this option is used together with
|
||||||
|
<varname>JoinsNamespaceOf=</varname> then it only has an effect if this unit is started before any of
|
||||||
|
the listed units that have <varname>PrivateNetwork=</varname> or
|
||||||
|
<varname>NetworkNamespacePath=</varname> configured, as otherwise the network namespace of those
|
||||||
|
units is reused.</para>
|
||||||
|
|
||||||
|
<para>When this option is used on a socket unit any sockets bound on behalf of this unit will be
|
||||||
|
bound within the specified network namespace.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
|
||||||
|
|
@ -728,23 +728,18 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>JoinsNamespaceOf=</varname></term>
|
<term><varname>JoinsNamespaceOf=</varname></term>
|
||||||
|
|
||||||
<listitem><para>For units that start processes (such as
|
<listitem><para>For units that start processes (such as service units), lists one or more other units
|
||||||
service units), lists one or more other units whose network
|
whose network and/or temporary file namespace to join. This only applies to unit types which support
|
||||||
and/or temporary file namespace to join. This only applies to
|
the <varname>PrivateNetwork=</varname>, <varname>NetworkNamespacePath=</varname> and
|
||||||
unit types which support the
|
|
||||||
<varname>PrivateNetwork=</varname> and
|
|
||||||
<varname>PrivateTmp=</varname> directives (see
|
<varname>PrivateTmp=</varname> directives (see
|
||||||
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
||||||
for details). If a unit that has this setting set is started,
|
details). If a unit that has this setting set is started, its processes will see the same
|
||||||
its processes will see the same <filename>/tmp</filename>,
|
<filename>/tmp</filename>, <filename>/var/tmp</filename> and network namespace as one listed unit
|
||||||
<filename>/var/tmp</filename> and network namespace as one
|
that is started. If multiple listed units are already started, it is not defined which namespace is
|
||||||
listed unit that is started. If multiple listed units are
|
joined. Note that this setting only has an effect if
|
||||||
already started, it is not defined which namespace is joined.
|
<varname>PrivateNetwork=</varname>/<varname>NetworkNamespacePath=</varname> and/or
|
||||||
Note that this setting only has an effect if
|
<varname>PrivateTmp=</varname> is enabled for both the unit that joins the namespace and the unit
|
||||||
<varname>PrivateNetwork=</varname> and/or
|
whose namespace is joined.</para></listitem>
|
||||||
<varname>PrivateTmp=</varname> is enabled for both the unit
|
|
||||||
that joins the namespace and the unit whose namespace is
|
|
||||||
joined.</para></listitem>
|
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue