On Fri, Jan 24, 2014 at 11:07:18 +0100, Lennart Poettering wrote:
> On Thu, 23.01.14 13:54, Ben Boeckel (maths...@gmail.com) wrote:
> > As I mused on LWN[1] recently, I was wondering whether it was possible
> > to have user units be able to hook into namespaces (namely the
> > PrivateNetwork= and PrivateTmp= from systemd.exec(5) and more if other
> > namespacing options are added in the future).
>
> What do you mean by "user units"? Those run off an unprivileged "systemd
> --user" instance? Or those run off PID 1 but with User= set?
systemd --user. Would it be possible to use User= to do this though from a
system service?

> Note that the whole namespacing thing is only available from systemd
> instances that themselves are privileged, i.e. only from PID 1...

Hrm, true.

> The privileges thing is quite limiting. Joining namespaces from
> unprivileged code is hard... You need some kind of setuid binary
> transition there, but I wouldn't see how you would make that
> happen...

Probably some systemd-setns helper or whatever to shim in before the exec.

> And the complexity gives me headaches...

Agreed, but I was thinking that it'd be simpler to leverage systemd here than
start up a container and make it "seamless" to the user session. Maybe there's
a better approach available?

--Ben
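The arrangement Ben asks about, a system service that PID 1 namespaces before it drops to an unprivileged user, as an added example unit that is not part of the thread; the unit name, user name and binary path are placeholders:

```ini
# /etc/systemd/system/example-sandboxed.service  (placeholder name)
[Unit]
Description=Example service namespaced by PID 1, then run unprivileged

[Service]
# Namespacing is set up by the privileged system instance (PID 1) before the
# exec, which is why these directives work here and not in a "systemd --user"
# unit: the user instance has no privilege to create the namespaces.
PrivateTmp=yes
PrivateNetwork=yes
# User= only changes the credentials the process ends up with; the namespaces
# above are already in place by the time privileges are dropped.
User=exampleuser
ExecStart=/usr/bin/example-daemon --foreground

[Install]
WantedBy=multi-user.target
```

Whether the service really left the host network namespace can be confirmed by comparing `readlink /proc/<main pid>/ns/net` with `readlink /proc/1/ns/net`; the two inode numbers must differ. The same two directives placed in a `systemd --user` unit make the unit fail at exec time, for the reason Lennart gives above.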