From 923f9101157f63c99c08585f690c86a02aa4d626 Mon Sep 17 00:00:00 2001
From: Alan Jenkins
Date: Fri, 14 Sep 2018 11:57:57 +0100
Subject: man/systemd.exec: MountFlags=shared behaviour was changed (fixed?)

The behaviour described *was* observed on Fedora 28 (systemd-238-9.git0e0aa59),
with and without SELinux.

I don't actually know why though! It contradicts my understanding of the code,
including an explicit comment in the code.

Testing in a VM upgraded to v239-792-g1327f272d, this behaviour goes away.

Test case:

# /etc/systemd/system/mount-test.service
[Service]
MountFlags=shared
Type=oneshot
ExecStart=/usr/bin/ls -l /proc/1/ns/mnt /proc/self/ns/mnt
ExecStart=/usr/bin/grep ext4 /proc/self/mountinfo

Weird old behaviour: new mount namespace but / is fully shared.

lrwxrwxrwx. 1 root root 0 Sep 14 11:18 /proc/1/ns/mnt -> mnt:[4026531840]
lrwxrwxrwx. 1 root root 0 Sep 14 11:48 /proc/self/ns/mnt -> mnt:[4026532851]
968 967 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/alan_dell_2016...

Current behaviour: / is not fully shared

lrwxrwxrwx. 1 root root 0 Sep 14 11:39 /proc/1/ns/mnt -> mnt:[4026531840]
lrwxrwxrwx. 1 root root 0 Sep 14 11:41 /proc/self/ns/mnt -> mnt:[4026532329]
591 558 8:3 / / rw,relatime shared:313 master:1 - ext4 /dev/sda3 rw,secl...
---
 man/systemd.exec.xml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index bc1c36fdfb..d763cb9e82 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1350,10 +1350,7 @@ RestrictNamespaces=~cgroup net settings (see the discussion in PrivateMounts= above) will implicitly disable mount and unmount propagation from the unit's processes towards the host by changing the propagation setting of all mount points in the unit's file system namepace to first. Setting this option to - does not reestablish propagation in that case. Conversely, if this option is set, but - no other file system namespace setting is used, then new file system namespaces will be created for the unit's - processes and this propagation flag will be applied right away to all mounts within it, without the - intermediary application of . + does not reestablish propagation in that case. If not set – but file system namespaces are enabled through another file system namespace unit setting – mount propagation is used, but — as mentioned — as is applied -- cgit v1.2.3
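Review bot: the deleted "Conversely, if this option is set, but no other file system namespace setting is used ..." text was the only sentence in this paragraph that said what happens when MountFlags= is the sole namespace option, and the added line replaces it with nothing for that case: after this hunk the reader cannot tell whether a new mount namespace is created at all, nor whether the unit's root stays in the host's peer group. The commit message already has the data the paragraph should carry (old behaviour: unit root "shared:1", described as fully shared with the host, so the unit's mounts propagate back; current behaviour: "shared:313 master:1", a fresh peer group that only receives from the host), so please add one sentence stating the current outcome for the MountFlags=-only case rather than only deleting the stale claim, ideally citing the code comment the message says the old text contradicted, so that the documentation can be checked against the code. The added line also trails off: its last clause, "... mount propagation is used, but ... as ... is applied", has no completion within the hunk as shown, so please check that the sentence is actually finished on the following context line. Two style points on the same line: it mixes an en dash (around "but file system namespaces are enabled through another file system namespace unit setting") with an em dash (around "as mentioned"), pick one; and since the context line just above is part of this hunk, the pre-existing typo "file system namepace" could be corrected to "file system namespace" here as well.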
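The commit message settles the question by eyeballing the optional fields of one mountinfo line. The following is an added example, not code from systemd or from the commit author, that does the same check mechanically: it parses the optional-fields section of /proc/<pid>/mountinfo lines as documented in proc(5), names the propagation type of the namespace's root mount, and decides whether a mount made inside the unit's namespace would propagate back to the host. The sample lines are constructed, modelled on the two outputs quoted in the commit message; the host line assumes the host root is in shared peer group 1, which the commit message implies but does not show. Function and constant names are this example's own.

```python
"""Classify the propagation of a unit's root mount from /proc/<pid>/mountinfo.

Added example for this commit page, not code from systemd or the commit author.
Sample lines below are constructed, modelled on the commit message's output.
"""
import re
from dataclasses import dataclass
from typing import Optional

# mountinfo escapes space, tab, newline and backslash as \ooo (octal).
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(s: str) -> str:
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), s)


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    mount_point: str
    fs_type: str
    source: str
    shared_peer_group: Optional[int] = None   # "shared:N"
    master_peer_group: Optional[int] = None   # "master:N" (slave of group N)
    unbindable: bool = False                  # "unbindable"


def parse_mountinfo_line(line: str) -> MountEntry:
    """Parse: id parent maj:min root mnt opts [tag[:value]...] - fstype source sopts."""
    # Spaces inside fields are escaped, so " - " can only be the separator.
    head, sep, tail = line.strip().partition(" - ")
    if not sep:
        raise ValueError("no ' - ' separator in mountinfo line: %r" % line)
    fields, tail_fields = head.split(), tail.split()
    if len(fields) < 6 or len(tail_fields) < 2:
        raise ValueError("too few fields in mountinfo line: %r" % line)
    entry = MountEntry(int(fields[0]), int(fields[1]), _unescape(fields[4]),
                       tail_fields[0], _unescape(tail_fields[1]))
    # Optional fields; unknown tags are ignored so a newer kernel cannot break us.
    for tag in fields[6:]:
        name, _, value = tag.partition(":")
        if name == "shared":
            entry.shared_peer_group = int(value)
        elif name == "master":
            entry.master_peer_group = int(value)
        elif name == "unbindable":
            entry.unbindable = True
    return entry


def root_entry(mountinfo: str) -> MountEntry:
    """Return the entry for the namespace's root mount ("/") in a mountinfo dump."""
    for line in mountinfo.splitlines():
        if line.strip():
            entry = parse_mountinfo_line(line)
            if entry.mount_point == "/":
                return entry
    raise ValueError("no root mount in mountinfo dump")


def propagation_kind(entry: MountEntry) -> str:
    """Name the propagation type (cf. MS_SHARED / MS_SLAVE / MS_PRIVATE / MS_UNBINDABLE)."""
    if entry.unbindable:
        return "unbindable"
    if entry.shared_peer_group is not None and entry.master_peer_group is not None:
        return "shared-and-slave"
    if entry.shared_peer_group is not None:
        return "shared"
    if entry.master_peer_group is not None:
        return "slave"
    return "private"


def propagates_to_host(unit_root: MountEntry, host_root: MountEntry) -> bool:
    """True if a mount made under the unit's root would also appear under the host's.

    Mount events travel only within a shared peer group.  A unit root that is
    "shared:1" alongside the host root sends events both ways; one that is
    "shared:313 master:1" sends to group 313 only and merely receives from
    group 1, so nothing it mounts reaches the host.
    """
    return (unit_root.shared_peer_group is not None
            and unit_root.shared_peer_group == host_root.shared_peer_group)


# Constructed sample data (modelled on the commit message, not copied from a system).
HOST_MOUNTINFO = "22 1 8:3 / / rw,relatime shared:1 - ext4 /dev/sda3 rw,seclabel\n"
OLD_UNIT_MOUNTINFO = "968 967 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw,seclabel\n"
NEW_UNIT_MOUNTINFO = "591 558 8:3 / / rw,relatime shared:313 master:1 - ext4 /dev/sda3 rw,seclabel\n"


def check(unit_mountinfo: str, host_mountinfo: str = HOST_MOUNTINFO) -> dict:
    """Summarise a unit's root mount against the host's root mount."""
    unit_root, host_root = root_entry(unit_mountinfo), root_entry(host_mountinfo)
    return {"kind": propagation_kind(unit_root),
            "propagates_to_host": propagates_to_host(unit_root, host_root)}


if __name__ == "__main__":
    for label, data in (("old", OLD_UNIT_MOUNTINFO), ("new", NEW_UNIT_MOUNTINFO)):
        print(label, check(data))
```

Run against the two behaviours from the commit message, `check` reports the old one as `shared` with `propagates_to_host` true (the unit is in the host's peer group, so a mount it performs lands on the host) and the new one as `shared-and-slave` with `propagates_to_host` false. On a live system, feed it `/proc/1/mountinfo` as the host dump and the output of `cat /proc/self/mountinfo` from inside the unit.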