New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
execute: RuntimeDirectory= or friends always creates unnecessary mount namespace #7761
Comments
When logging in via SSH, the mount point is shown by
|
I wonder if this is related to 652bb26
|
/cc @yuwata |
… DynamicUser=no Only when DynamicUser=yes, RuntimeDirectory= or their friends imply BindPaths=. Fixes systemd#7761.
…namicUser=no The commit 6c47cd7 make RuntimeDirectory= or friends imply BindPaths=. But this is for the directories works well when DynamicUser= is set. So, it is not necessary to imply BindPaths= when DynamicUser= is not set. This removes the implication when DynamicUser=no. Fixes systemd#7761.
Hmm. I thought this is caused by that
I mount a USB memory on /mnt. However, the entry of /mnt in the output of
Also, the output of
@mbiebl Could you show the ssh.service file entirely? |
Ah, sorry, I misread this. To reproduce this, the device needs to be mounted from ssh session. |
I was thinking this might be a re-occurring problem with units, and there should be a NoNamespace=mount option (also NoNamespace=all or user or net,mount et cetera) that makes anything that depends on mount namespaces to fail. In the case of RuntimeDirectory= it might even use differn't code paths, "enumerate through /run whenever we assign a new dynamic UID to see if there's something owned by that UID, but that'd be kinda slow and ugly."-Lennart, the way that was described. |
@shawnl Indeed. |
@shawnl I will try to implement this. Does anyone already tackle this? |
RuntimeDirectory= or friend imply ReadWritePaths= or BindPaths=, and these create new mount namespace. When NoNewNamespace=yes or `mnt` is set, then RuntimeDirectory= without DynamicUser= does not imply ReadWritePaths=, then does not introduce new mount namespace. Fixes systemd#7761.
I've updated #7763, but this may be not right solution to fix this. Moreover, now I do not think this is a bug anymore. |
Hm, this worked with v235 though and we were promoting the usage of RuntimeDirectory over tmpfiles. What exactly changed in v236 that RuntimeDirectory now needs a new mount namespace? |
DynamicUser= needs it to be secure from uid re-use. This remains a bug in systemd and a regression. |
I think so as well, i.e that RuntimeDirectory= without DynamicUser= should continue to work as in v235. |
Ah, now I understand why 652bb26 causes this bug. OK. this is actually a bug, now I think. Sorry. I will try to fix it. |
…espace" This reverts commit 652bb26. Fixes systemd#7761.
I had same issue, took a while to understand why luksOpen and mount does not appear in transmission and samba. systemd-run mount -v /mnt/ |
…espace" This reverts commit 652bb26. Fixes systemd#7761. (cherry picked from commit 42b1d8e)
Submission type
systemd version the issue has been seen with
v236
Used distribution
Debian sid
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885325
In case of bug report: Expected behaviour you didn't see
A mount point that is mounted manually from a SSH session is visible to systemd service
In case of bug report: Unexpected behaviour you saw
login via SSH, mount a partition. That mount point is only visible withing the SSH session but not to systemd services.
In case of bug report: Steps to reproduce the problem
For testing purposes I created the following service:
Then I logged in locally on tty1, attached an USB disk, mounted it via
mount /dev/sdb1 /mnt/disk
, then ransystemctl start test.service
. Checking the journal, I get:Then I started a local SSH service, logged in as root via SSH (
ssh root@localhost
) , mounted the partition again, started the test service again. This time I get:As can be seen the /mnt/disk mount point is not visible to test.service
This appears to be a regression in v236 as reported by the downstream bug report.
The text was updated successfully, but these errors were encountered: