Execute service in VRF #20451
Comments
|
It gets even worse when the service should run as non-root user. |
|
It makes sense to have a feature like that - please feel free to send a PR to implement it |
|
What would be preferable here – letting systemd delegate to I am not familiar with systemd internals as of yet (and neither with what For anyone else wondering, the relevant |
|
Implement the logic, we don't want to wrap the execution in an external binary. We already have all the logic required to create cgroup/namespaces, so it should be relatively simple to wire up. |
|
If someone decides to implement this, might also be worthwhile to add the possibility of running services inside network namespaces at the same time (or even inside a VRF inside a network namespace for that matter). This currently needs to be done in the exact same way, using an override file with |
|
One possible solution: https://jerryxiao.cc/archives/1004 |
|
@isjerryxiao a PR adding that would be more than lovely. |
|
The Would the sneaky |
Some services on my system have to run in a specific VRF to work properly.
For that, I would like to be able to set a variable
VRF=dc-servicesin my unit.Instead, I currently adjust
ExecStart, so for exampleExecStart=/usr/sbin/chronyd $DAEMON_OPTSbecomesExecStart=/usr/sbin/ip vrf exec dc-services /usr/sbin/chronyd $DAEMON_OPTS.This however has some drawbacks. For example, the unit shipped with chrony on Debian uses
ProtectControlGroups=yes. I have to unset that because otherwiseipis unable to set the VRF. I consider this suboptimal.I was unable to find such an option in systemd 247 on Debian 11.
The text was updated successfully, but these errors were encountered: