F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services

Reindl Harald h.reindl at thelounge.net
Wed Mar 26 17:59:51 UTC 2014



Am 26.03.2014 18:52, schrieb Stephen Gallagher:
> On 03/26/2014 11:30 AM, Reindl Harald wrote:
>> i just tried on F20 and "PrivateDevices" is not known sadly because
>> i have some services in mind where i would like that
> 
>> Mär 26 15:51:55 testserver.rhsoft.net systemd[1]:
>> [/usr/lib/systemd/system/httpd.service:15] Unknown lvalue 
>> 'PrivateDevices' in section 'Service'
> 
> PrivateNetwork seems to have been around since at least 2012. The
> commit providing PrivateDevices[1] went upstream on January 20th.

correct, and in use here for a longer time

> According to
> git describe 7f112f50fea585411ea2d493b3582bea77eb4d6e
> 
> we get v208-1612-g7f112f5 which means it went in 1,612 patches after
> v208 was released, so it's definitely not in F20 or RHEL 7 beta

which is just bad; after the announcement i planned to configure
postfix, dbmail, dovecot, httpd... on my local test machine using
PrivateDevices=yes, since /dev/urandom and friends are stated as
available, and to test whether it is doable in production

that said, the announcement, with words like "recent systemd", as
well as the documentation, is just poor because it nowhere
states the required systemd version, which reflects a "don't care
about downstream or users" attitude

maybe some people should look at postfix and its documentation
as a reference for what sane docs look like and how improvements
over the years are made without breaking backwards compatibility
________________________________________________

http://www.freedesktop.org/software/systemd/man/systemd.exec.html

PrivateDevices=
    Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and only adds API
pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no
physical devices such as /dev/sda. This is useful to securely turn off physical device access by the executed
process. Defaults to false. Enabling this option will also remove CAP_MKNOD from the capability bounding set for
the unit (see above), and set DevicePolicy=closed (see systemd.resource-control(5) for details). Note that using
this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite
direction continues to work). This means that this setting may not be used for services which shall be able to
install mount points in the main mount namespace.
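The thread's practical problem is that a unit file using PrivateDevices= fails to load on a systemd that predates the setting, and the documentation quoted above does not say which version is required. The script below is an added example, not part of the original mail or of systemd: it parses `systemctl --version` output, decides whether the host's systemd is new enough, and emits a drop-in (override) file rather than editing the vendor unit. The minimum version of 209 is an assumption stated in the script (the thread only shows that the commit landed 1,612 patches after v208); the unit name `httpd.service` and the drop-in file name `sandbox.conf` are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd).
# Assumption: PrivateDevices= first shipped in systemd v209; the thread only
# shows that commit 7f112f5 landed after v208, i.e. it is absent in v208.
PRIVATE_DEVICES_MIN_VERSION=209

# systemd_major VERSION_OUTPUT
#   Prints the integer major version from the first line of
#   `systemctl --version` output, e.g. "systemd 208" -> 208,
#   "systemd 252 (252.4-1)" -> 252. Prints nothing if the line is unexpected.
systemd_major() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# supports_private_devices VERSION_OUTPUT
#   Exit status 0 if this systemd knows the PrivateDevices= lvalue.
supports_private_devices() {
    major=$(systemd_major "$1")
    [ -n "$major" ] && [ "$major" -ge "$PRIVATE_DEVICES_MIN_VERSION" ]
}

# sandbox_dropin UNIT
#   Writes the drop-in text to stdout. A drop-in under
#   /etc/systemd/system/UNIT.d/ keeps the package's own unit file untouched,
#   so a package update does not silently undo the hardening.
sandbox_dropin() {
    cat <<EOF
# /etc/systemd/system/$1.d/sandbox.conf  (illustrative path)
[Service]
# Service sees only /dev/null, /dev/zero, /dev/random, ... and no /dev/sda;
# CAP_MKNOD is also dropped from the bounding set (see systemd.exec(5)).
PrivateDevices=yes
EOF
}

# Live check, only when run on a host that actually has systemctl.
if command -v systemctl >/dev/null 2>&1; then
    ver=$(systemctl --version 2>/dev/null)
    if supports_private_devices "$ver"; then
        echo "systemd $(systemd_major "$ver") understands PrivateDevices=; drop-in:"
        sandbox_dropin httpd.service
        # After installing the drop-in:
        #   systemctl daemon-reload && systemctl restart httpd.service
        #   systemctl show -p PrivateDevices httpd.service   # expect PrivateDevices=yes
    else
        echo "systemd too old for PrivateDevices= (need >= $PRIVATE_DEVICES_MIN_VERSION)" >&2
    fi
fi
```

Checking the version first is what turns the "Unknown lvalue 'PrivateDevices'" error shown earlier in the thread into a clear pre-deployment decision; on a host that passes the check, `systemctl show -p PrivateDevices` confirms the setting was applied after the restart.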
