On Tue, 10.09.13 19:04, Pierre Schmitz (pie...@archlinux.de) wrote:

heya,

> when trying to disable network access to the PHP-FPM service I noticed
> that the service was no longer able to call back to systemd using
> Type=notify. Systemd then kills the service when reaching the timeout.
> It seems this could be a limitation by design in which case we might
> want to warn the user when attempting such setup.

Uh, ah. Interesting. So we could actually do something about this, but it would break things elsewhere...

So, the notification socket could either be an abstract namespace AF_UNIX socket, or an AF_UNIX socket in the file system. If it is in the file system, then it becomes unavailable as soon as the daemon chroot()s. If it is in the abstract namespace it becomes unavailable as soon as CLONE_NEWNET/PrivateNetworking=yes is used.

Due to the chroot() situation we changed a couple of times back and forth between fs/abstract in the past (most recently 29252e9e5bad3b0bcfc45d9bc761aee4b0ece1da). I am not sure what is the better choice here...

We could of course have two sockets, one in the fs and one in the abstract namespace, and then pass the right one to the process depending on the setting of PrivateNetworking=... But that would not work as soon as the daemon then also decides to chroot()/RootDirectory= is used...

Tricky problem... I am a bit out of ideas. Anyone?

> On a side note: The private network systemd sets up for such services
> enables IPv6 even if this is disabled on the host using
> net.ipv6.conf.all.disable_ipv6=1. I cannot think of a scenario where
> this leads to trouble though.

Oh, that's interesting. This sounds like a kernel bug, as net.ipv6.conf.all.disable_ipv6 doesn't really exist separately in the child namespace... And if it does then it should inherit the parent's default. Either way something to fix. Can you report to kernel bz, plz?

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
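The two failure modes Lennart describes can be reproduced without systemd. The script below is an added example (not systemd's code and not part of the thread): a "manager" binds a notification socket of either flavour, a forked "service" applies one isolation step and then sends the same `READY=1` datagram that sd_notify(3) would. It assumes Linux and Python 3, follows systemd's documented NOTIFY_SOCKET convention that a leading `@` denotes an abstract-namespace socket, and uses made-up socket names. `unshare(CLONE_NEWNET)` stands in for PrivateNetwork= (PrivateNetworking= in the mail) and `chroot()` into an empty directory stands in for RootDirectory=. Without CAP_SYS_ADMIN / CAP_SYS_CHROOT the isolation step itself is refused, which the probe reports as "unprivileged" rather than guessing.

```python
"""Toy sd_notify-style exchange showing why the two AF_UNIX socket flavours
fail under different isolation settings. Added example, not systemd code.
Assumes Linux and Python 3; the socket names used here are made up."""
import atexit
import ctypes
import itertools
import os
import shutil
import socket
import tempfile

CLONE_NEWNET = 0x40000000           # from <sched.h>; what PrivateNetwork= uses
_libc = ctypes.CDLL(None, use_errno=True)
_counter = itertools.count()
_WORKDIR = tempfile.mkdtemp(prefix="sd-notify-demo-")   # holds fs sockets, chroot dir
atexit.register(shutil.rmtree, _WORKDIR, ignore_errors=True)


def notify_socket_address(notify_socket):
    """Turn a NOTIFY_SOCKET value into an address usable with bind()/sendto().
    A leading '@' marks a Linux abstract-namespace socket, which on the wire is
    a NUL-prefixed name; anything else is a path in the filesystem."""
    if notify_socket.startswith("@"):
        return b"\0" + notify_socket[1:].encode()
    return notify_socket


def parse_notify_message(data):
    """Parse the KEY=VALUE lines of one notification datagram into a dict."""
    fields = {}
    for line in data.split(b"\n"):
        key, sep, value = line.partition(b"=")
        if sep:
            fields[key.decode()] = value.decode()
    return fields


def fresh_fs_socket():
    """Unique filesystem socket path (made-up name under a temp dir)."""
    return os.path.join(_WORKDIR, "notify-%d" % next(_counter))


def fresh_abstract_socket():
    """Unique abstract-namespace name for this process (made-up path)."""
    return "@/sd-notify-demo/%d/%d" % (os.getpid(), next(_counter))


def _cleanup(manager, addr):
    manager.close()
    if isinstance(addr, str) and os.path.exists(addr):
        os.unlink(addr)


def run_exchange(notify_socket):
    """Manager binds the notification socket; a service sends READY=1 to it the
    way sd_notify() does. Returns the parsed datagram the manager received."""
    addr = notify_socket_address(notify_socket)
    manager = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    manager.bind(addr)
    manager.settimeout(2.0)
    try:
        service = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            service.sendto(b"READY=1\nSTATUS=listening\n", addr)
        finally:
            service.close()
        data, _ = manager.recvfrom(4096)
        return parse_notify_message(data)
    finally:
        _cleanup(manager, addr)


def probe_reachability(notify_socket, isolation):
    """Bind the notification socket, fork a 'service' that first applies the
    isolation ('netns' = unshare(CLONE_NEWNET), like PrivateNetwork=yes;
    'chroot' = chroot() into an empty directory, like RootDirectory=) and then
    tries to send READY=1. Returns 'reachable', 'unreachable', or
    'unprivileged' when the kernel refuses the isolation step itself."""
    addr = notify_socket_address(notify_socket)
    manager = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    manager.bind(addr)
    empty_root = tempfile.mkdtemp(dir=_WORKDIR)
    pid = os.fork()
    if pid == 0:                                   # child: the isolated service
        try:
            if isolation == "netns":
                if _libc.unshare(CLONE_NEWNET) != 0:
                    os._exit(2)                    # EPERM: no CAP_SYS_ADMIN
            elif isolation == "chroot":
                os.chroot(empty_root)              # fs socket path vanishes here
                os.chdir("/")
            else:
                os._exit(3)
        except OSError:
            os._exit(2)
        try:
            socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM).sendto(b"READY=1\n", addr)
            os._exit(0)
        except OSError:                            # ECONNREFUSED (netns) / ENOENT (chroot)
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    _cleanup(manager, addr)
    os.rmdir(empty_root)
    return {0: "reachable", 1: "unreachable", 2: "unprivileged"}.get(os.WEXITSTATUS(status), "error")


if __name__ == "__main__":
    for name in (fresh_fs_socket(), fresh_abstract_socket()):
        print(name, run_exchange(name))
        for iso in ("netns", "chroot"):
            print("  %-6s -> %s" % (iso, probe_reachability(name, iso)))
```

Run as root (or with the relevant capabilities) the four probes come out exactly as the mail says: the filesystem socket survives the new network namespace but not the chroot, the abstract socket survives the chroot but not the new network namespace. Neither flavour survives both, which is why passing "the right one" based on PrivateNetwork= alone does not help once the daemon also chroot()s.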
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel