On Fri, Jun 7, 2024 at 12:43 PM Luca Boccassi <luca.bocca...@gmail.com> wrote:
> /run is expected though - if you want that, you need to bind mount it
> explicitly. You normally don't want all of it, and the default
> portable profile only picks the journal and dbus sockets and a couple
> of other things, which is better:
>
> BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
> BindReadOnlyPaths=/etc/machine-id
> BindReadOnlyPaths=-/etc/resolv.conf
> BindReadOnlyPaths=/run/dbus/system_bus_socket

Ok, but I still expect that, if sd_journal_print() works without
additional service file entries before soft-reboot, it continues to
work after soft-reboot, too.
But I'm fine with adding the additional BindPaths to my service file.

> > My demo: https://github.com/thkukuk/sec-counter
> > Remove the BindReadOnlyPaths entry from
> > portable-image/sec-counter.service and the service will stop writing
> > to journald with sd_journal_print().
>
> Note that you really don't want PrivateTmp=yes as that will bind it to
> the previous /tmp from the host, which is recreated on softreboot, so
> it will be leaked. You want TemporaryFileSystem=/tmp instead.

Thanks for the hint.

  Thorsten

-- 
Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany
Managing Director: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
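
The two unit-file points from this exchange, as an added example that is not part of the original message or of the sec-counter project: a small Python check that flags `PrivateTmp=yes` and reports which of the journal paths from the quoted portable profile are not bind mounted. The function names and the two sample units are constructed for illustration.

```python
# Added example (not from the thread): lint a unit file for the two points above.
JOURNAL_PATHS = ("/dev/log", "/run/systemd/journal/socket",
                 "/run/systemd/journal/stdout")

def parse_service(text):
    """Collect [Service] directives; keys may repeat, so keep a list per key."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value:
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = []  # an empty assignment resets the list
    return opts

def bound_paths(opts):
    """Destinations made visible by BindPaths=/BindReadOnlyPaths=."""
    found = set()
    for key in ("BindPaths", "BindReadOnlyPaths"):
        for value in opts.get(key, []):
            for item in value.split():
                parts = item.lstrip("-").split(":")  # [-]source[:destination[:options]]
                found.add(parts[1] if len(parts) > 1 else parts[0])
    return found

def audit(text):
    opts, findings = parse_service(text), []
    if (opts.get("PrivateTmp") or ["no"])[-1].lower() in ("yes", "true", "on", "1"):
        findings.append("PrivateTmp=yes: use TemporaryFileSystem=/tmp")
    bound = bound_paths(opts)
    for path in JOURNAL_PATHS:
        # A bind mount of a parent directory (e.g. /run) also covers the path.
        if not any(path == b or path.startswith(b.rstrip("/") + "/") for b in bound):
            findings.append(f"not bind mounted: {path}")
    return findings

# Constructed sample units (hypothetical, not the sec-counter service file).
WEAK = "[Service]\nExecStart=/usr/bin/demo\nPrivateTmp=yes\n"
FIXED = """[Service]
ExecStart=/usr/bin/demo
TemporaryFileSystem=/tmp
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
BindReadOnlyPaths=-/etc/resolv.conf
"""
if __name__ == "__main__":
    print(audit(WEAK), audit(FIXED))
```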