path: root/man/systemd.exec.xml
author: Luca Boccassi <bluca@debian.org> 2022-03-09 02:07:34 +0000
committer: Luca Boccassi <bluca@debian.org> 2022-03-10 10:21:03 +0000
commit: ea63a260d43c27a6b5b5ae471a8d4617bb7be447
tree: e6295e1c86974caabcf656b2bd2a9d30f69e47e6 /man/systemd.exec.xml
parent: 4c0ab40ab8e173062db0d36a6007a047deb5abde
download: systemd-ea63a260d43c27a6b5b5ae471a8d4617bb7be447.tar.gz
core: support MountAPIVFS and RootDirectory in user manager
The only piece missing was to somehow make /proc appear in the new user+mount namespace. It is not possible to mount a new /proc instance, not even with hidepid=invisible,subset=pid, in a user namespace unless a PID namespace is created too, and at the same time as the other namespaces: it is not possible to mount a new /proc in a child process that creates a PID namespace forked from a parent that created a user+mount namespace; it has to happen at the same time. Use the host's /proc with a bind-mount as a fallback for this case. User session services would already run with it, so nothing is lost.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml | 12
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 38220958b4..3b57f8d2f1 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -143,9 +143,7 @@
<title>Mounting logging sockets into root environment</title>
<programlisting>BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout</programlisting>
- </example>
-
- <xi:include href="system-only.xml" xpointer="singular"/></listitem>
+ </example></listitem>
</varlistentry>
<varlistentry>
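Review bot: Removing the system-only marker here (the `<xi:include href="system-only.xml" .../>` at the old line) exposes this entry and its bind-mount example to user-manager readers, but nothing in the hunk documents the caveat the commit message spells out: in the user manager a new /proc instance cannot be mounted, so the host's /proc is bind-mounted instead, which means the hidepid=/subset= behaviour the message mentions is not available in that case. Consider adding a `<para>` after `</example>` along the lines of "When used by the user manager, the host's /proc is bind-mounted into the new root rather than a new instance being mounted", so that readers of the user-manager case do not assume the same /proc isolation as for system services.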
@@ -276,9 +274,7 @@
<para>In order to allow propagating mounts at runtime in a safe manner, <filename>/run/systemd/propagate</filename>
on the host will be used to set up new mounts, and <filename>/run/host/incoming/</filename> in the private namespace
- will be used as an intermediate step to store them before being moved to the final mount point.</para>
-
- <xi:include href="system-only.xml" xpointer="singular"/></listitem>
+ will be used as an intermediate step to store them before being moved to the final mount point.</para></listitem>
</varlistentry>
<varlistentry>
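Review bot: The retained paragraph describes runtime mount propagation via `/run/systemd/propagate` on the host and `/run/host/incoming/` in the private namespace, and the only change is dropping the system-only include; once this entry applies to the user manager as well, the text should say whether runtime propagation into the private namespace is also supported for user services or only for the system instance, since a user-service author reading this paragraph will otherwise assume identical semantics. One sentence qualifying the scope of the propagation mechanism would resolve the ambiguity.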
@@ -364,9 +360,7 @@
<varname>InaccessiblePaths=</varname>, or under <filename>/home/</filename> and other protected
directories if <varname>ProtectHome=yes</varname> is
specified. <varname>TemporaryFileSystem=</varname> with <literal>:ro</literal> or
- <varname>ProtectHome=tmpfs</varname> should be used instead.</para>
-
- <xi:include href="system-only.xml" xpointer="singular"/></listitem>
+ <varname>ProtectHome=tmpfs</varname> should be used instead.</para></listitem>
</varlistentry>
<varlistentry>
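Review bot: The commit title names only MountAPIVFS and RootDirectory, yet this third hunk also drops the system-only include from a separate entry, the one whose retained text covers mount points nested under `InaccessiblePaths=` and `ProtectHome=yes` and recommends `TemporaryFileSystem=` with `:ro` or `ProtectHome=tmpfs` instead. Either the commit message should state why this entry is also now available to the user manager, or this hunk should be split into its own commit so the change is reviewable on its own.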