Re: [systemd-devel] Info about JoinsNamespaceOf, PrivateNetwork systemd directives
On 05/30/2016 06:04 PM, Lennart Poettering wrote:
> On Mon, 30.05.16 16:24, george Karakou (mad-proffes...@hotmail.com) wrote:
>> Hi again, I am a bit curious about these two directives. Can somebody
>> explain in a few words how these are implemented? Using Linux network
>> namespaces? Or, simply put, are services using these two directives somehow
>> forbidden to bind to L3/L4 sockets and only allowed to communicate via Unix
>> domain sockets? It's an interesting feature, I thought I should give it a try.
>
> PrivateNetwork= simply runs a service in a new network namespace, and adds a
> loopback device to it, but nothing else. JoinsNamespaceOf= then allows you to
> run multiple services within the same namespace.
>
> Note that network namespaces cover AF_INET and AF_INET6 sockets, as well as
> abstract AF_UNIX sockets, but not AF_UNIX sockets that are stored in the file
> system; those are namespaced via the filesystem namespace logic.
>
> Lennart

Thanks a lot, this clarifies it.

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Info about JoinsNamespaceOf, PrivateNetwork systemd directives
On Mon, 30.05.16 16:24, george Karakou (mad-proffes...@hotmail.com) wrote:

> Hi again, I am a bit curious about these two directives. Can somebody
> explain in a few words how these are implemented? Using Linux network
> namespaces? Or, simply put, are services using these two directives somehow
> forbidden to bind to L3/L4 sockets and only allowed to communicate via Unix
> domain sockets? It's an interesting feature, I thought I should give it a try.

PrivateNetwork= simply runs a service in a new network namespace, and adds a
loopback device to it, but nothing else. JoinsNamespaceOf= then allows you to
run multiple services within the same namespace.

Note that network namespaces cover AF_INET and AF_INET6 sockets, as well as
abstract AF_UNIX sockets, but not AF_UNIX sockets that are stored in the file
system; those are namespaced via the filesystem namespace logic.

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] Info about JoinsNamespaceOf, PrivateNetwork systemd directives
On 05/30/2016 04:32 PM, Mantas Mikulėnas wrote:
> On Mon, May 30, 2016 at 4:24 PM, george Karakou <mad-proffes...@hotmail.com> wrote:
>> Hi again, I am a bit curious about these two directives. Can somebody
>> explain in a few words how these are implemented? Using Linux network
>> namespaces? Or, simply put, are services using these two directives somehow
>> forbidden to bind to L3/L4 sockets and only allowed to communicate via Unix
>> domain sockets? It's an interesting feature, I thought I should give it a try.
>
> Yes, they use network namespaces, the same kind as `ip netns` or
> `unshare --net`. Compare /proc//ns/net of affected processes.
>
> (RestrictAddressFamilies=, however, uses seccomp to forbid using certain
> types of sockets.)
>
> --
> Mantas Mikulėnas <graw...@gmail.com>

Well, thanks. My use case was dbus and dbus-activated services, but I couldn't
make udisks2 work using PrivateNetwork and dbus's namespace.
Re: [systemd-devel] Info about JoinsNamespaceOf, PrivateNetwork systemd directives
On Mon, May 30, 2016 at 4:24 PM, george Karakou wrote:

> Hi again, I am a bit curious about these two directives. Can somebody
> explain in a few words how these are implemented? Using Linux network
> namespaces? Or, simply put, are services using these two directives somehow
> forbidden to bind to L3/L4 sockets and only allowed to communicate via Unix
> domain sockets? It's an interesting feature, I thought I should give it a try.

Yes, they use network namespaces, the same kind as `ip netns` or
`unshare --net`. Compare /proc//ns/net of affected processes.

(RestrictAddressFamilies=, however, uses seccomp to forbid using certain types
of sockets.)

--
Mantas Mikulėnas
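The two answers above (Lennart's description of PrivateNetwork= and JoinsNamespaceOf=, and Mantas's advice to compare /proc/<pid>/ns/net and his note that RestrictAddressFamilies= is seccomp rather than a namespace) turned into something runnable. This is an added example written for this page, not code from the thread or from the systemd project. The unit names netns-owner, netns-joiner and unixonly are hypothetical, and the unit_netns helper assumes a running systemd with the units installed; the rest works on any Linux box.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd itself.
# Two things a practitioner wants to check after reading the thread:
#  1. which network namespace a process is in (the inode behind
#     /proc/<pid>/ns/net, e.g. "net:[4026531992]"), and whether two
#     processes share one;
#  2. what the unit files for PrivateNetwork=, JoinsNamespaceOf= and the
#     seccomp-based RestrictAddressFamilies= look like.
# Unit names below are hypothetical.

# Exit 0 if PIDs $1 and $2 share a network namespace, 1 if they differ,
# 2 if either /proc/<pid>/ns/net cannot be read.
same_netns() {
    ns1=$(readlink "/proc/$1/ns/net") || return 2
    ns2=$(readlink "/proc/$2/ns/net") || return 2
    [ "$ns1" = "$ns2" ]
}

# Network namespace of a systemd service's main process.
# Assumes a running systemd; exit 2 if the unit has no MainPID.
unit_netns() {
    pid=$(systemctl show -p MainPID --value "$1" 2>/dev/null) || return 2
    [ "${pid:-0}" -gt 0 ] 2>/dev/null || return 2
    readlink "/proc/$pid/ns/net"
}

# Write three demo units into directory $1 (e.g. /run/systemd/system).
# systemd.unit(5): JoinsNamespaceOf= only takes effect when PrivateNetwork=
# is enabled on BOTH units, so the joiner repeats PrivateNetwork=yes.
# The third unit stays in the host network namespace; seccomp just makes
# socket(2) fail for anything other than AF_UNIX.
write_demo_units() {
    dir=$1
    cat > "$dir/netns-owner.service" <<'EOF'
[Unit]
Description=Owns a private network namespace (loopback only)

[Service]
ExecStart=/bin/sleep infinity
PrivateNetwork=yes
EOF
    cat > "$dir/netns-joiner.service" <<'EOF'
[Unit]
Description=Shares the network namespace of netns-owner.service
JoinsNamespaceOf=netns-owner.service
After=netns-owner.service

[Service]
ExecStart=/bin/sleep infinity
PrivateNetwork=yes
EOF
    cat > "$dir/unixonly.service" <<'EOF'
[Unit]
Description=Host network namespace, socket(2) restricted by seccomp

[Service]
ExecStart=/bin/sleep infinity
RestrictAddressFamilies=AF_UNIX
EOF
}

# Stand-alone demo: a child process inherits its parent's namespace, so the
# check reports "same". With the demo units installed and started,
#   same_netns "$(systemctl show -p MainPID --value netns-owner.service)" \
#              "$(systemctl show -p MainPID --value netns-joiner.service)"
# succeeds, while comparing either of them against $$ fails.
sleep 30 &
child=$!
if same_netns "$$" "$child"; then
    echo "shell and child share $(readlink "/proc/$$/ns/net")"
fi
kill "$child" 2>/dev/null
```

Once the units are started, `unit_netns netns-owner.service` and `unit_netns netns-joiner.service` print the same `net:[...]` value and `unit_netns unixonly.service` prints the same value as `readlink /proc/1/ns/net`, which is the difference Mantas points at: the first two are isolated by a namespace, the third only by a syscall filter.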
[systemd-devel] Info about JoinsNamespaceOf, PrivateNetwork systemd directives
Hi again, I am a bit curious about these two directives. Can somebody explain
in a few words how these are implemented? Using Linux network namespaces? Or,
simply put, are services using these two directives somehow forbidden to bind
to L3/L4 sockets and only allowed to communicate via Unix domain sockets? It's
an interesting feature, I thought I should give it a try.