-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | man/resolved.conf.xml | 2 | ||||
-rw-r--r-- | man/systemd.exec.xml | 2 | ||||
-rw-r--r-- | man/systemd.socket.xml | 2 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 14 |
5 files changed, 18 insertions, 4 deletions
@@ -99,7 +99,7 @@ CHANGES WITH 232 in spe support unicode keymaps. Font and keymap configuration will now be copied to all allocated virtual consoles. - * FreeBSD's bhyve virtiualization is now detected. + * FreeBSD's bhyve virtualization is now detected. * Information recored in the journal for core dumps now includes the contents of /proc/mountinfo and the command line of the process at diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 7556c6ff31..a7710dcb44 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -206,7 +206,7 @@ <term><varname>Cache=</varname></term> <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got queried earlier will return the previous result as long as it is still valid, and thus does not result in a new - network request. Be aware that that turning off caching comes at a performance penalty, which is particularly + network request. Be aware that turning off caching comes at a performance penalty, which is particularly high when DNSSEC is used.</para> <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f70e5c36d4..2054267b90 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -168,7 +168,7 @@ cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file system locations. In order to allow the service to write to certain directories, they have to be whitelisted - using <varname>ReadWritePaths=</varname>, but care must be taken so that that UID/GID recycling doesn't + using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't create security issues involving files created by the service. Use <varname>RuntimeDirectory=</varname> (see below) in order to assign a writable runtime directory to a service, owned by the dynamic user/group and removed automatically when the unit is terminated. Defaults to off.</para></listitem> diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 5b6045f69b..d759e17289 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -445,7 +445,7 @@ <varlistentry> <term><varname>MaxConnectionsPerSource=</varname></term> <listitem><para>The maximum number of connections for a service per source IP address. - This is is very similar to the <varname>MaxConnections=</varname> directive + This is very similar to the <varname>MaxConnections=</varname> directive above. Disabled by default.</para> </listitem> </varlistentry> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index c2733a19f8..a5d5180727 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -1755,6 +1755,11 @@ static int setup_propagate(const char *root) { if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) return log_error_errno(errno, "Failed to make propagation mount read-only"); + /* machined will MS_MOVE into that directory, and that's only + * supported for non-shared mounts. */ + if (mount(NULL, q, NULL, MS_SLAVE, NULL) < 0) + return log_error_errno(errno, "Failed to make propagation mount slave"); + return 0; } 
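Review bot: The new error return in the setup_propagate hunk drops the errno text that the other mount failures in this file report; `return log_error_errno(errno, "Failed to make propagation mount slave: %m");` would match the `: %m` form used by the outer_child messages. The added comment explains only that machined will MS_MOVE into the directory; it would help a later reader to also record why the mount is shared at this point at all — presumably because the container tree is marked MS_SHARED|MS_REC elsewhere in this same commit — so that the MS_SLAVE call is not removed as redundant once that dependency is forgotten; please confirm and state it. setup_propagate's body starts outside the hunk.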
@@ -2990,6 +2995,15 @@ static int outer_child(
 if (mount(directory, directory, NULL, MS_BIND|MS_REC, NULL) < 0)
 return log_error_errno(errno, "Failed to make bind mount: %m");
 
+ /* Mark everything as shared so our mounts get propagated down. This is
+ * required to make new bind mounts available in systemd services
+ * inside the containter that create a new mount namespace.
+ * See https://github.com/systemd/systemd/issues/3860
+ * Further submounts (such as /dev) done after this will inherit the
+ * shared propagation mode.*/
+ if (mount(NULL, directory, NULL, MS_SHARED|MS_REC, NULL) < 0)
+ return log_error_errno(errno, "MS_SHARED|MS_REC failed: %m");
+
 r = recursive_chown(directory, arg_uid_shift, arg_uid_range);
 if (r < 0)
 return r;
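Review bot: The added comment says why the tree is made MS_SHARED|MS_REC but not what keeps that propagation from reaching the host: a shared peer group propagates mount events in both directions between the container root and any mount namespace later forked from it, so the comment should name the earlier step that bounds this — presumably the namespace root is made a slave mount earlier in outer_child, outside the hunk, which is worth confirming and stating in the comment. The closing `*/` is glued to the text and `containter` is misspelled; the last comment line should read ` * shared propagation mode. */`. The message `"MS_SHARED|MS_REC failed: %m"` names the flags rather than the intent, unlike the adjacent `"Failed to make bind mount: %m"`; `return log_error_errno(errno, "Failed to mark container root as shared: %m");` keeps the file's message style. outer_child begins before the hunk.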