On Wed, 11.09.13 13:49, Lennart Poettering (lenn...@poettering.net) wrote:

> On Tue, 10.09.13 19:04, Pierre Schmitz (pie...@archlinux.de) wrote:
>
> > heya,
> >
> > when trying to disable network access to the PHP-FPM service I noticed
> > that the service was no longer able to call back to systemd using
> > Type=notify. Systemd then kills the service when reaching the timeout.
> > It seems this could be a limitation by design in which case we might
> > want to warn the user when attempting such setup.
>
> Uh, ah. Interesting. So we could actually do something about this, but
> it would break things elsewhere...
>
> So, the notification socket could either be an abstract namespace
> AF_UNIX socket, or an AF_UNIX socket in the file system. If it is in the
> file system, then it becomes unavailable as soon as the daemon
> chroot()s. If it is in the abstract namespace it becomes unavailable as
> soon as CLONE_NEWNET/PrivateNetworking=yes is used.
>
> Due to the chroot() situation we changed a couple of times forth and
> back between fs/abstract in the past (most recently
> 29252e9e5bad3b0bcfc45d9bc761aee4b0ece1da).
>
> I am not sure what is the better choice here... We could of course have
> two sockets, one in the fs and one in the abstract namespace, and then
> pass the right one to the process depending on the setting of
> PrivateNetworking=... But that would not work as soon as the daemon then
> also decides to chroot()/RootDirectory= is used...
>
> Tricky problem... I am a bit out of ideas. Anyone?
(for now I have documented this behaviour in the man pages.)

Lennart

--
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
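To make the two socket flavours from the quoted discussion concrete, here is an added example (my own code, not systemd's and not part of this thread) of how a NOTIFY_SOCKET value selects either kind of AF_UNIX socket: a leading '@' names the Linux abstract namespace, which is scoped to the network namespace and so vanishes under CLONE_NEWNET (the PrivateNetworking= case in the mail), while any other value is a file-system path that a chroot() leaves behind. The helper names notify_addr, notify_listen and notify_send are assumptions of this example, and the socket paths are constructed sample values.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* NOTIFY_SOCKET -> sockaddr_un. A leading '@' means the Linux abstract namespace
 * (no file on disk, but scoped to the network namespace, so gone after
 * CLONE_NEWNET); anything else is a file-system path (gone after chroot()). */
static int notify_addr(const char *path, struct sockaddr_un *sa, socklen_t *len)
{
    size_t n = strlen(path);
    if (n == 0 || n >= sizeof(sa->sun_path)) { errno = EINVAL; return -1; }
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, n);
    /* file-system address length includes the terminating NUL; abstract does not */
    *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + (path[0] != '@'));
    if (path[0] == '@') sa->sun_path[0] = '\0';   /* abstract: NUL replaces '@' */
    return 0;
}

/* Manager-side stand-in: bind a datagram socket at 'path'; returns fd or -1. */
int notify_listen(const char *path)
{
    struct sockaddr_un sa; socklen_t len;
    if (notify_addr(path, &sa, &len) < 0) return -1;
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    if (path[0] != '@') unlink(path);           /* clear a stale socket file */
    if (bind(fd, (struct sockaddr *)&sa, len) < 0) { close(fd); return -1; }
    return fd;
}

/* Daemon side, a minimal sd_notify() work-alike: one datagram to $NOTIFY_SOCKET.
 * Returns 1 if sent, 0 if NOTIFY_SOCKET is unset, -1 on error with errno set. */
int notify_send(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (!path || !*path) return 0;
    struct sockaddr_un sa; socklen_t len;
    if (notify_addr(path, &sa, &len) < 0) return -1;
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    ssize_t r = sendto(fd, state, strlen(state), MSG_NOSIGNAL, (struct sockaddr *)&sa, len);
    int saved = errno; close(fd); errno = saved;
    return r < 0 ? -1 : 1;
}
```

Both sides go through the same notify_addr() on purpose: for an abstract-namespace name the address length passed to bind() and sendto() must match exactly, or the datagram goes to a different (nonexistent) name and sendto() fails with ECONNREFUSED.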