man: document relationship of .socket units and network namespaces

Fixes: #10018
2018-10-29 20:20:37 +01:00 · 2018-10-29 20:20:37 +01:00 · 48e6dd3763
parent 53bd20ea06
commit 48e6dd3763
1 changed files with 12 additions and 0 deletions
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@ -94,6 +94,18 @@
    socket passing (i.e. sockets passed in via standard input and
    output, using <varname>StandardInput=socket</varname> in the
    service file).</para>
+
+    <para>All network sockets allocated through <filename>.socket</filename> units are allocated in the host's network
+    namespace (see <citerefentry
+    project='man-pages'><refentrytitle>network_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>). This
+    does not mean however that the service activated by a configured socket unit has to be part of the host's network
+    namespace as well.  It is supported and even good practice to run services in their own network namespace (for
+    example through <varname>PrivateNetwork=</varname>, see
+    <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>), receiving only
+    the sockets configured through socket-activation from the host's namespace. In such a set-up communication within
+    the host's network namespace is only permitted through the activation sockets passed in while all sockets allocated
+    from the service code itself will be associated with the service's own namespace, and thus possibly subject to a a
+    much more restrictive configuration.</para>
  </refsect1>

  <refsect1>