unit: turn off mount propagation for udevd
Keep mounts done by udev rules private to udevd. Also, document how MountFlags= may be used for this.
This commit is contained in:
parent
b5640d8245
commit
c2c13f2df4
|
@ -962,13 +962,43 @@
|
|||
<option>shared</option>,
|
||||
<option>slave</option> or
|
||||
<option>private</option>, which
|
||||
control whether the file system
|
||||
namespace set up for this unit's
|
||||
processes will receive or propagate
|
||||
new mounts. See
|
||||
control whether mounts in the file
|
||||
system namespace set up for this
|
||||
unit's processes will receive or
|
||||
propagate mounts or unmounts. See
|
||||
<citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
||||
for details. Default to
|
||||
<option>shared</option>.</para></listitem>
|
||||
for details. Defaults to
|
||||
<option>shared</option>. Use
|
||||
<option>shared</option> to ensure that
|
||||
mounts and unmounts are propagated
|
||||
from the host to the container and
|
||||
vice versa. Use <option>slave</option>
|
||||
to run processes so that none of their
|
||||
mounts and unmounts will propagate to
|
||||
the host. Use <option>private</option>
|
||||
to also ensure that no mounts and
|
||||
unmounts from the host will propagate
|
||||
into the unit processes'
|
||||
namespace. Note that
|
||||
<option>slave</option> means that file
|
||||
systems mounted on the host might stay
|
||||
mounted continously in the unit's
|
||||
namespace, and thus keep the device
|
||||
busy. Note that the file system
|
||||
namespace related options
|
||||
(<varname>PrivateTmp=</varname>,
|
||||
<varname>PrivateDevices=</varname>,
|
||||
<varname>ReadOnlyDirectories=</varname>,
|
||||
<varname>InaccessibleDirectories=</varname>
|
||||
and
|
||||
<varname>ReadWriteDirectories=</varname>)
|
||||
require that mount and unmount
|
||||
propagation from the unit's file
|
||||
system namespace is disabled, and
|
||||
hence downgrade
|
||||
<option>shared</option> to
|
||||
<option>slave</option>.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
|
|
@ -1125,15 +1125,13 @@ int config_parse_exec_mount_flags(const char *unit,
|
|||
return log_oom();
|
||||
|
||||
if (streq(t, "shared"))
|
||||
flags |= MS_SHARED;
|
||||
flags = MS_SHARED;
|
||||
else if (streq(t, "slave"))
|
||||
flags |= MS_SLAVE;
|
||||
flags = MS_SLAVE;
|
||||
else if (streq(w, "private"))
|
||||
flags |= MS_PRIVATE;
|
||||
flags = MS_PRIVATE;
|
||||
else {
|
||||
log_syntax(unit, LOG_ERR, filename, line, EINVAL,
|
||||
"Failed to parse mount flag %s, ignoring: %s",
|
||||
t, rvalue);
|
||||
log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Failed to parse mount flag %s, ignoring: %s", t, rvalue);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
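Review bot: The `private` branch still compares the raw word cursor `w` rather than the NUL-terminated copy `t` that the `shared` and `slave` branches use (`else if (streq(w, "private"))`), so whether `MountFlags=private` is recognised depends on what follows that word in `rvalue` (presumably `w` is the FOREACH_WORD cursor declared above the hunk; `t` is the strndup'd token checked for OOM on the first hunk line). The fix is the one-line change `else if (streq(t, "private"))`, matching its siblings. Separately, switching from `|=` to `=` makes a later word silently override an earlier one, so a value such as `MountFlags=shared private` is accepted without any diagnostic; if only one flag is meaningful, a short comment stating that the last word wins, or a warning when `flags` is already set, would make that explicit. config_parse_exec_mount_flags begins before this hunk.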
|
|
@ -387,6 +387,7 @@ int setup_namespace(
|
|||
drop_duplicates(mounts, &n);
|
||||
}
|
||||
|
||||
if (n > 0) {
|
||||
/* Remount / as SLAVE so that nothing now mounted in the namespace
|
||||
shows up in the parent */
|
||||
if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
|
||||
|
@ -403,8 +404,11 @@ int setup_namespace(
|
|||
if (r < 0)
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
/* Remount / as the desired mode */
|
||||
/* Remount / as the desired mode. Not that this will not
|
||||
* reestablish propagation from our side to the host, since
|
||||
* what's disconnected is disconnected. */
|
||||
if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0) {
|
||||
r = -errno;
|
||||
goto fail;
|
||||
|
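Review bot: The new comment has a typo in its first sentence: "Not that this will not reestablish propagation" should read `/* Remount / as the desired mode. Note that this will not`. While touching it, it would help to say why propagation cannot be re-established: the earlier `MS_SLAVE|MS_REC` remount (in the `n > 0` branch just above this hunk) has already detached this namespace from its parent, so a subsequent `MS_SHARED` here only creates a new peer group inside the unit's namespace rather than reconnecting to the host. setup_namespace continues outside this hunk.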
@ -413,9 +417,11 @@ int setup_namespace(
|
|||
return 0;
|
||||
|
||||
fail:
|
||||
if (n > 0) {
|
||||
for (m = mounts; m < mounts + n; ++m)
|
||||
if (m->done)
|
||||
umount2(m->path, MNT_DETACH);
|
||||
}
|
||||
|
||||
return r;
|
||||
}
|
||||
|
|
|
@ -21,3 +21,4 @@ Sockets=systemd-udevd-control.socket systemd-udevd-kernel.socket
|
|||
Restart=always
|
||||
RestartSec=0
|
||||
ExecStart=@rootlibexecdir@/systemd-udevd
|
||||
MountFlags=slave
|
||||
|
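Review bot: `MountFlags=slave` is added with no comment explaining why it is set, and the rationale is otherwise only in the commit message. A one-line comment above it would keep that reason next to the setting, e.g. `# Keep mounts made from udev rules from propagating back to the host namespace`. Note also that the manual text added in this same commit warns that `slave` can leave host file systems mounted in the unit's namespace and thus keep a device busy; if that trade-off was considered for a long-running daemon like udevd (versus `private`, which the same text describes), stating it in the comment would save the next reader from re-deriving it.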
|