authorLennart Poettering <lennart@poettering.net>2013-11-27 20:23:18 +0100
committerLennart Poettering <lennart@poettering.net>2013-11-27 20:28:48 +0100
commit613b411c947635136637f8cdd66b94512f761eab (patch)
tree5e0713345af39de99409d2193be93ae9e760e1d2 /man
parentdf41776d66b5b7467a5cf9c719b97b66d6534c8c (diff)
service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces
Diffstat (limited to 'man')
-rw-r--r--man/systemd.exec.xml30
-rw-r--r--man/systemd.unit.xml31
2 files changed, 53 insertions, 8 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 8c44071d53..207592dda7 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -846,9 +846,9 @@
system namespace for the executed
processes and mounts private
<filename>/tmp</filename> and
- <filename>/var/tmp</filename> directories
- inside it, that are not shared by
- processes outside of the
+ <filename>/var/tmp</filename>
+ directories inside it, that are not
+ shared by processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
@@ -856,9 +856,17 @@
<filename>/tmp</filename> or
<filename>/var/tmp</filename>
impossible. All temporary data created
- by service will be removed after service
- is stopped. Defaults to
- false.</para></listitem>
+ by service will be removed after
+ service is stopped. Defaults to
+ false. Note that it is possible to run
+ two or more units within the same
+ private <filename>/tmp</filename> and
+ <filename>/var/tmp</filename>
+ namespace by using the
+ <varname>JoinsNamespaceOf=</varname>
+ directive, see
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for details.</para></listitem>
</varlistentry>
<varlistentry>
@@ -874,8 +882,14 @@
available to the executed process.
This is useful to securely turn off
network access by the executed
- process. Defaults to
- false.</para></listitem>
+ process. Defaults to false. Note that
+ it is possible to run two or more
+ units within the same private network
+ namespace by using the
+ <varname>JoinsNamespaceOf=</varname>
+ directive, see
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for details.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 2c8bfbef70..4dc427c305 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -657,6 +657,37 @@
</varlistentry>
<varlistentry>
+ <term><varname>JoinsNamespaceOf=</varname></term>
+
+ <listitem><para>For units that start
+ processes (such as service units),
+ lists one or more other units whose
+ network and/or temporary file
+ namespace to join. This only applies
+ to unit types which support the
+ <varname>PrivateNetwork=</varname> and
+ <varname>PrivateTmp=</varname>
+ directives (see
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for details). If a unit that has this
+ setting set is started its processes
+ will see the same
+ <filename>/tmp</filename>,
+ <filename>/tmp/var</filename> and
+ network namespace as one listed unit
+ that is started. If multiple listed
+ units are already started it is not
+ defined which namespace is
+ joined. Note that this setting only
+ has an effect if
+ <varname>PrivateNetwork=</varname>
+ and/or <varname>PrivateTmp=</varname>
+ is enabled for both the unit that
+ joins the namespace and the unit whose
+ namespace is joined.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>RequiresMountsFor=</varname></term>
<listitem><para>Takes a space-separated