Execute service in VRF #20451
Comments
It gets even worse when the service should run as non-root user.
It makes sense to have a feature like that - please feel free to send a PR to implement it
What would be preferable here – letting systemd delegate to I am not familiar with systemd internals as of yet (and neither with what For anyone else wondering, the relevant
Implement the logic, we don't want to wrap the execution in an external binary. We already have all the logic required to create cgroup/namespaces, so it should be relatively simple to wire up.
If someone decides to implement this, might also be worthwhile to add the possibility of running services inside network namespaces at the same time (or even inside a VRF inside a network namespace for that matter). This currently needs to be done in the exact same way, using an override file with
One possible solution: https://jerryxiao.cc/archives/1004
@isjerryxiao a PR adding that would be more than lovely.
The Would the sneaky
Some services on my system have to run in a specific VRF to work properly.
For that, I would like to be able to set a variable `VRF=dc-services` in my unit.
Instead, I currently adjust `ExecStart`, so for example `ExecStart=/usr/sbin/chronyd $DAEMON_OPTS` becomes `ExecStart=/usr/sbin/ip vrf exec dc-services /usr/sbin/chronyd $DAEMON_OPTS`.
This however has some drawbacks. For example, the unit shipped with chrony on Debian uses `ProtectControlGroups=yes`. I have to unset that because otherwise `ip` is unable to set the VRF. I consider this suboptimal.
I was unable to find such an option in systemd 247 on Debian 11.