man/systemd.exec: MountFlags=shared behaviour was changed (fixed?)

The behaviour described *was* observed on Fedora 28
(systemd-238-9.git0e0aa59), with and without SELinux.  I don't actually
know why though!  It contradicts my understanding of the code, including an
explicit comment in the code.

Testing in a VM upgraded to v239-792-g1327f272d, this behaviour goes away.


Test case:

# /etc/systemd/system/mount-test.service
[Service]
MountFlags=shared
Type=oneshot
ExecStart=/usr/bin/ls -l /proc/1/ns/mnt /proc/self/ns/mnt
ExecStart=/usr/bin/grep ext4 /proc/self/mountinfo


Weird old behaviour: new mount namespace but / is fully shared.

lrwxrwxrwx. 1 root root 0 Sep 14 11:18 /proc/1/ns/mnt -> mnt:[4026531840]
lrwxrwxrwx. 1 root root 0 Sep 14 11:48 /proc/self/ns/mnt -> mnt:[4026532851]

968 967 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/alan_dell_2016...


Current behaviour: / is not fully shared

lrwxrwxrwx. 1 root root 0 Sep 14 11:39 /proc/1/ns/mnt -> mnt:[4026531840]
lrwxrwxrwx. 1 root root 0 Sep 14 11:41 /proc/self/ns/mnt -> mnt:[4026532329]

591 558 8:3 / / rw,relatime shared:313 master:1 - ext4 /dev/sda3 rw,secl...
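To make the comparison in the commit message mechanical, here is an added example (not part of systemd or of this commit) that parses the optional fields of mountinfo lines and classifies how a unit's root mount relates to the host's root. The two unit lines are the ones quoted above; the host root line is a constructed sample that assumes the host's / sits in peer group 1, which the old output (`shared:1`) suggests but the commit does not show.

```python
"""Classify mount propagation from /proc/self/mountinfo lines.

Added example, not from the original commit.  Field layout follows
proc(5): the optional fields between the 7th field and the ' - '
separator carry 'shared:N', 'master:N', 'propagate_from:N', 'unbindable'.
"""
from typing import Dict, NamedTuple, Optional

# Constructed sample lines: the two quoted in the commit message (truncated
# as there) plus an ASSUMED host root line in peer group 1.
HOST_ROOT = "1 0 8:3 / / rw,relatime shared:1 - ext4 /dev/sda3 rw"
OLD_UNIT_ROOT = "968 967 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/alan_dell_2016..."
NEW_UNIT_ROOT = "591 558 8:3 / / rw,relatime shared:313 master:1 - ext4 /dev/sda3 rw,secl..."


class MountInfo(NamedTuple):
    mount_point: str
    fstype: str
    tags: Dict[str, Optional[int]]  # e.g. {"shared": 313, "master": 1}


def parse_mountinfo_line(line: str) -> MountInfo:
    """Split one mountinfo line into its mount point, fs type and optional tags."""
    pre, _, post = line.partition(" - ")
    fields = pre.split()
    if len(fields) < 6 or not post:
        raise ValueError(f"malformed mountinfo line: {line!r}")
    tags: Dict[str, Optional[int]] = {}
    for opt in fields[6:]:          # optional fields, zero or more
        name, _, value = opt.partition(":")
        tags[name] = int(value) if value else None
    return MountInfo(mount_point=fields[4], fstype=post.split()[0], tags=tags)


def root_propagation(host_line: str, unit_line: str) -> str:
    """Describe how the unit's root mount relates to the host's root mount."""
    host = parse_mountinfo_line(host_line).tags
    unit = parse_mountinfo_line(unit_line).tags
    host_group = host.get("shared")
    if host_group is None:
        return "host root is private: nothing propagates either way"
    if unit.get("shared") == host_group:
        return "shared with host: mounts propagate both ways"
    if unit.get("master") == host_group:
        return "slave of host: host mounts propagate in, unit mounts stay local"
    if "shared" in unit:
        return "shared only within the unit's own peer group"
    return "private or unbindable: no propagation"
```

Running `root_propagation(HOST_ROOT, OLD_UNIT_ROOT)` reports the old "shared with host" state, while the new line is classified as a slave of the host's peer group.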
Alan Jenkins 2018-09-14 11:57:57 +01:00 committed by Lennart Poettering
parent 334415b16e
commit 923f910115
1 changed files with 1 additions and 4 deletions


@ -1350,10 +1350,7 @@ RestrictNamespaces=~cgroup net</programlisting>
settings (see the discussion in <varname>PrivateMounts=</varname> above) will implicitly disable mount and
unmount propagation from the unit's processes towards the host by changing the propagation setting of all mount
points in the unit's file system namepace to <option>slave</option> first. Setting this option to
<option>shared</option> does not reestablish propagation in that case. Conversely, if this option is set, but
no other file system namespace setting is used, then new file system namespaces will be created for the unit's
processes and this propagation flag will be applied right away to all mounts within it, without the
intermediary application of <option>slave</option>.</para>
<option>shared</option> does not reestablish propagation in that case.</para>
<para>If not set but file system namespaces are enabled through another file system namespace unit setting
<option>shared</option> mount propagation is used, but — as mentioned — as <option>slave</option> is applied
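Review bot: Dropping the "Conversely, if this option is set, but no other file system namespace setting is used ..." sentence leaves the documentation saying nothing about what MountFlags=shared does on its own, which is exactly the case the commit message tested; consider replacing it with a sentence stating the behaviour actually observed (a new namespace is still created and the root mount ends up as a slave of the host's peer group, per the `shared:313 master:1` mountinfo in the commit message) or saying explicitly that it is unspecified, since readers deciding whether a unit's mounts can reach the host need a definite answer. Withdrawing the stronger promise is the right direction for an isolation boundary: no claim is better than one that overstates propagation. While here, the unchanged context line still reads "file system namepace", which could be fixed in a follow-up.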