On Tue, Feb 11, 2025 at 5:53 PM Steve Traylen <steve.tray...@cern.ch> wrote:
> Units like "systemd-resolved.service" contain with good reason:
> "ProtectSystem=strict"
>
> This of course bind mounts mounted filesystems into the unit's userspace.
>
> "strict" is
>
> "If set to "strict" the entire file system hierarchy is mounted
> read-only, except for the API file system subtrees /dev/, /proc/ and /sys/"
>
> Can these filesystems /dev, /proc, /sys be extended globally somewhere?

AFAIK, extending this list would only mean those filesystems get bind-mounted RW, not that they don't get bind-mounted at all.

> There is the perfectly good: "InaccessiblePaths=-/cvmfs" which does a
> great job of not mounting /cvmfs into the name space but alas this
> is a per unit setting of course AFAIK.
>
> Motivation here is that when "funny" filesystems (think /afs, /cvmfs,
> ... /eos) go "bad" for whatever reason this can stop "reload
> systemd-resolved.service" being restarted as remount is bad. I've not
> tried but can maybe reproduce with something more standard like a stale
> /nfs.
>
> Any way to set a default for InaccessiblePaths= or equivalent to stop
> these FSs ever being bind mounted in.

I was about to suggest that configs in "-.service.d/" would apply to all service units (as an extension of the recently added "someprefix-.service.d/" feature). But of course not all services live in a mount namespace, and not all of them *want* to live in a mount namespace... and I don't think there is a way to define InaccessiblePaths= only for those which already have namespacing active in some way.

-- 
Mantas Mikulėnas
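For reference, the per-unit approach the thread calls "perfectly good" looks like this as a drop-in. This is an added example, not a file from the thread or from systemd itself; the drop-in file name and the set of paths are assumptions for illustration.

```ini
# /etc/systemd/system/systemd-resolved.service.d/10-no-network-fs.conf
# Added example (not from the thread). Per-unit drop-in that keeps the
# listed network filesystems out of this unit's mount namespace, so a hung
# /cvmfs, /afs or /eos cannot block the unit's restart. The leading "-"
# tells systemd to ignore a path that does not exist on this host.
[Service]
InaccessiblePaths=-/cvmfs -/afs -/eos
```

After `systemctl daemon-reload`, `systemctl cat systemd-resolved.service` shows the drop-in merged into the unit and `systemctl show -p InaccessiblePaths systemd-resolved.service` confirms the effective value. As the reply above notes, this has to be repeated for each unit you want covered.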