| author | Lennart Poettering <lennart@poettering.net> | 2019-03-07 21:20:36 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2019-03-07 21:27:02 +0100 |
| commit | 4107452e510d1a33ef4f3313c07912c098c7ae98 (patch) | |
| tree | defde6a67fc5e92bf34da7968d34ac4c60ae6dd2 | |
| parent | run: make sure NetworkNamespacePath= can be used on the systemd-run cmdline (diff) | |
| download | systemd-4107452e510d1a33ef4f3313c07912c098c7ae98.tar.xz systemd-4107452e510d1a33ef4f3313c07912c098c7ae98.zip | |
man: document NetworkNamespacePath=
| -rw-r--r-- | man/systemd.exec.xml | 24 |
|---|---|---|
| -rw-r--r-- | man/systemd.unit.xml | 27 |
2 files changed, 34 insertions, 17 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index b8843f1ea0..2ed8c38f37 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1100,7 +1100,29 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting> <para>Note that the implementation of this setting might be impossible (for example if network namespaces are not available), and the unit should be written in a way that does not solely rely on this setting for - security.</para></listitem> + security.</para> + + <para>When this option is used on a socket unit any sockets bound on behalf of this unit will be + bound within a private network namespace. This may be combined with + <varname>JoinsNamespaceOf=</varname> to listen on sockets inside of network namespaces of other + services.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>NetworkNamespacePath=</varname></term> + + <listitem><para>Takes an absolute file system path refererring to a Linux network namespace + pseudo-file (i.e. a file like <filename>/proc/$PID/ns/net</filename> or a bind mount or symlink to + one). When set the invoked processes are added to the network namespace referenced by that path. The + path has to point to a valid namespace file at the moment the processes are forked off. If this + option is used <varname>PrivateNetwork=</varname> has no effect. If this option is used together with + <varname>JoinsNamespaceOf=</varname> then it only has an effect if this unit is started before any of + the listed units that have <varname>PrivateNetwork=</varname> or + <varname>NetworkNamespacePath=</varname> configured, as otherwise the network namespace of those + units is reused.</para> + + <para>When this option is used on a socket unit any sockets bound on behalf of this unit will be + bound within the specified network namespace.</para></listitem> </varlistentry> <varlistentry> diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 82c63e1609..14418c359f 100644 --- a/man/systemd.unit.xml 
+++ b/man/systemd.unit.xml 
@@ -728,23 +728,18 @@ <varlistentry> <term><varname>JoinsNamespaceOf=</varname></term> - <listitem><para>For units that start processes (such as - service units), lists one or more other units whose network - and/or temporary file namespace to join. This only applies to - unit types which support the - <varname>PrivateNetwork=</varname> and + <listitem><para>For units that start processes (such as service units), lists one or more other units + whose network and/or temporary file namespace to join. This only applies to unit types which support + the <varname>PrivateNetwork=</varname>, <varname>NetworkNamespacePath=</varname> and <varname>PrivateTmp=</varname> directives (see - <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> - for details). If a unit that has this setting set is started, - its processes will see the same <filename>/tmp</filename>, - <filename>/var/tmp</filename> and network namespace as one - listed unit that is started. If multiple listed units are - already started, it is not defined which namespace is joined. - Note that this setting only has an effect if - <varname>PrivateNetwork=</varname> and/or - <varname>PrivateTmp=</varname> is enabled for both the unit - that joins the namespace and the unit whose namespace is - joined.</para></listitem> + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for + details). If a unit that has this setting set is started, its processes will see the same + <filename>/tmp</filename>, <filename>/var/tmp</filename> and network namespace as one listed unit + that is started. If multiple listed units are already started, it is not defined which namespace is + joined. 
Note that this setting only has an effect if + <varname>PrivateNetwork=</varname>/<varname>NetworkNamespacePath=</varname> and/or + <varname>PrivateTmp=</varname> is enabled for both the unit that joins the namespace and the unit + whose namespace is joined.</para></listitem> </varlistentry> <varlistentry> |
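Review bot: "refererring" in the first sentence of the new NetworkNamespacePath= description in the systemd.exec.xml hunk is a typo for "referring". The same paragraph states that the path "has to point to a valid namespace file at the moment the processes are forked off" but does not say what happens when it does not; stating the failure mode (does the unit fail to start, or do the processes run without the intended namespace?) matters here, since the preceding PrivateNetwork= text already warns that units should not rely solely on such a setting for security, and a reader will want the same clarity for NetworkNamespacePath=.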
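Review bot: the reworded JoinsNamespaceOf= paragraph in the systemd.unit.xml hunk now lists NetworkNamespacePath= among the supported directives but does not mention the start-order dependency documented in the systemd.exec.xml hunk (NetworkNamespacePath= only takes effect if the unit is started before the listed units that have PrivateNetwork= or NetworkNamespacePath= configured; otherwise their namespace is reused). A short cross-reference, e.g. "see NetworkNamespacePath= in systemd.exec(5) for how the two settings interact", would keep the two man pages consistent. Also, re-wrapping the whole paragraph together with the wording change hides the actual content change in the diff; doing the reflow in a separate commit would make review easier.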