2014-01-23 18:54:05 UTC
As I mused on LWN recently, I was wondering whether it was possible
to have user units be able to hook into namespaces (namely the
PrivateNetwork= and PrivateTmp= from systemd.exec(5) and more if other
namespacing options are added in the future).
I'm assuming that it is not possible now to use JoinsNamespaceOf= (from
systemd.unit(5)) across such boundaries since I see no way to limit which
users may do so.
The specific use case I'm looking to fulfill is to be able to set up VPN
for use for only specific service files (particularly user unit files).
My idea for how to implement it is to use a vpn.target directory to
collect everything then the following unit files:
ExecStart=/usr/local/bin/setup-vpn-ns %i $NS_TO_SETUP
The setup-vpn-ns script would create new interfaces to bridge over the
%i interface and clone the routing tables into it. I don't know how I
would get the name of the namespace set up in vpn-namespace.service
though (maybe something which does:
systemctl set-environment VPN_NS=$( find-ns /proc/self/net )
in ExecStartPost= of vpn-namespace.service?).
It would be nice if, as a user, I could then start a service as a user
which JoinsNamespaceOf=system:vpn-namespace.service and
Wants=system:vpn.target (failing if it isn't already running) to create
user services which use the VPN rather than the default network setup
(my idea is to start a tmux server for this, but I guess something like
a custom Firefox profile instance could also be used).
What is needed (based on what I didn't see in the docs; probably not
- ability for a system service to expose what namespace it just
created (to avoid the set-environment hackery above);
- a directive to list users and groups allowed to enter into
namespaces created in a unit (something like
"ExposeNamespaceToUsers=group:vpn,wheel" maybe?); and
- a way for a systemd --user to get namespace file descriptors from
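One way to answer the "how do I get the name of the namespace" question above, as an added example that is not part of the original post: a small helper script that vpn-namespace.service could run from ExecStartPost=. The script name, the PROC_ROOT override and the sample PIDs and namespace names are assumptions; it identifies a namespace by the inode the kernel reports under /proc/PID/ns/net and can publish it under /run/netns the same way "ip netns" names namespaces.

```shell
#!/bin/sh
# Added example, not from the original post: helpers a vpn-namespace.service
# could call from ExecStartPost= to find and publish the network namespace its
# main process lives in, instead of the "systemctl set-environment" hack.
# PROC_ROOT is overridable only so the functions can be exercised against a
# constructed fake /proc tree; on a real system leave it as /proc.
set -eu
PROC_ROOT=${PROC_ROOT:-/proc}

# Print the netns identity of a PID as the kernel reports it, e.g. "net:[4026531992]".
# The inode number is the only built-in identity a PrivateNetwork= namespace has;
# two PIDs are in the same namespace exactly when these strings match.
netns_of_pid() {
    readlink "$PROC_ROOT/$1/ns/net"
}

# Exit 0 when both PIDs share one network namespace, 1 otherwise.
same_netns() {
    [ "$(netns_of_pid "$1")" = "$(netns_of_pid "$2")" ]
}

# Resolve a system unit's main PID via systemctl and print its netns identity.
netns_of_unit() {
    pid=$(systemctl show -p MainPID "$1" | cut -d= -f2)
    if [ "${pid:-0}" = 0 ]; then
        echo "unit $1 has no main process" >&2
        return 1
    fi
    netns_of_pid "$pid"
}

# Give the namespace a name: bind-mount the process's netns handle into
# /run/netns, the directory "ip netns" consults, so tooling (and, subject to
# the permissions on that file, other units) can reach it as /run/netns/NAME.
# Needs root, and must run in the host mount namespace (a unit with a private
# mount namespace would keep the bind mount to itself).
# Intended use: ExecStartPost=/usr/local/bin/this-script expose $MAINPID vpn
expose_netns() {
    pid=$1
    name=$2
    mkdir -p /run/netns
    touch "/run/netns/$name"
    mount --bind "$PROC_ROOT/$pid/ns/net" "/run/netns/$name"
}

# Minimal CLI so the script can be used directly from a unit file.
case "${1:-}" in
    expose) expose_netns "$2" "$3" ;;
    unit)   netns_of_unit "$2" ;;
    pid)    netns_of_pid "$2" ;;
esac
```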