Bug 52039

Summary: With PrivateTmp enabled, the service doesn't see any changes in mounts
Product: systemd
Reporter: Jedrzej Jajor <jedrzej>
Component: general
Assignee: systemd-bugs
Status: RESOLVED FIXED
QA Contact: systemd-bugs
Severity: major
Priority: medium
CC: jedrzej
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description Jedrzej Jajor 2012-07-13 07:32:47 UTC
When PrivateTmp is enabled (true) for a service, it can't see any changes in mounts (neither mounts of a new FS, nor umounts of an existing FS).

Furthermore, the service can read and write from/to files on a filesystem, which was unmounted after the service was started.

At the moment I have httpd.service with PrivateTmp=true and sshd.service without PrivateTmp.

# ps -ef | grep http
root       652     1  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
apache     654   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
apache     655   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
apache     656   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
apache     657   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
apache     658   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
apache     659   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
apache     660   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
apache     661   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start

# ps -ef | grep sshd
root       771     1  0 Jul11 ?        00:00:00 /usr/sbin/sshd -D

I have a filesystem mounted as follows:

# mount | grep image
/dev/mapper/vg_myhost-lv_image_secure on /var/www/image_secure type ext4 (rw,relatime,seclabel,data=ordered)

Now both services can see this FS:

# cat /proc/652/mountinfo  | grep image
207 205 253:6 / /var/www/image_secure rw,relatime - ext4 /dev/mapper/vg_myhost-lv_image_secure rw,seclabel,data=ordered


# cat /proc/771/mountinfo | grep image
48 42 253:6 / /var/www/image_secure rw,relatime - ext4 /dev/mapper/vg_myhost-lv_image_secure rw,seclabel,data=ordered


When I unmount /var/www/image_secure, the httpd service can't see the change, but sshd doesn't show this FS any more:

# umount /var/www/image_secure
# cat /proc/652/mountinfo | grep image
207 205 253:6 / /var/www/image_secure rw,relatime - ext4 /dev/mapper/vg_myhost-lv_image_secure rw,seclabel,data=ordered
# cat /proc/771/mountinfo | grep image
#

Now I can still create/read/write files on /var/www/image_secure, that is on vg_myhost-lv_image_secure from apache. These files are not visible under my shell (/var/www/image_secure was unmounted, and ls -la shows empty directory), but they will show up after mounting /var/www/image_secure again.

This is on:
# cat /etc/issue
Fedora release 17 (Beefy Miracle)

Linux myhost 3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5 20:20:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

systemd-44-17.fc17.x86_64
Comment 1 Lennart Poettering 2012-07-20 12:21:58 UTC
Hmm, your root directory must probably be remounted shared:

mount --make-shared /

Does that make things work?
Comment 2 Jedrzej Jajor 2012-07-24 14:16:17 UTC
Thank you for the suggestion. Indeed, marking / and /var did help, but only until next reboot. Additionally, "mount --make-shared" must be called after filesystems were mounted, but before httpd.service was started.

Is there any option to permanently mark a mountpoint as "shared"? I couldn't find any in fstab. Or is it possible only with another script/service which would start before httpd.service?

I also found an option to make "slave" mount (--make-slave). From the docs: "When a slave mount is created, any mount within the original mount point is reflected in it". Maybe systemd should mark the mounts for services with PrivateTmp=true as slaves, so that any subsequent mounts within original filesystems would be reflected for the services?
Comment 3 Lennart Poettering 2012-07-28 11:37:21 UTC
Ultimately the kernel should be fixed to allow the shared setting to be specified like any other mount option, and we can just list it in fstab.
Comment 4 Lennart Poettering 2012-09-13 17:56:07 UTC
systemd 189 will now make the entire hierarchy shared early at boot. That should fix the issue.
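The mountinfo lines pasted in the report carry no optional propagation field (no "shared:N" or "master:N" between the mount options and the "-" separator), which is how a private mount shows up in /proc/<pid>/mountinfo, and a private mount is exactly what keeps the umount from reaching the service's namespace. The POSIX shell script below is an added example, not code from the bug report or from systemd: it reads that field out of mountinfo text so that an operator can verify a service's root is shared (as the systemd 189 fix intends) and can list mounts that a PrivateTmp service still sees after the host has unmounted them. The sample mountinfo text is constructed, except for the /var/www/image_secure line copied from the report; the PID 652 and the paths are placeholders.

```shell
#!/bin/sh
# Report the propagation type of a mount point from mountinfo text.
# Usage: mount_propagation "<mountinfo text>" "<mount point>"
# Prints one of: shared | slave | shared-slave | unbindable | private | missing
# Optional fields sit between field 6 (mount options) and the "-" separator:
# "shared:N" marks a shared peer group, "master:N" a slave, "unbindable" an
# unbindable mount; a private mount has no optional field at all.
mount_propagation() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            shared = 0; slave = 0; unbind = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unbind = 1
            }
            if (shared && slave) print "shared-slave"
            else if (shared) print "shared"
            else if (slave) print "slave"
            else if (unbind) print "unbindable"
            else print "private"
            found = 1
            exit
        }
        END { if (!found) print "missing" }
    '
}

# Print mount points (field 5) present in the first mountinfo text but absent
# from the second, in the order they appear in the first.  Calling it with the
# service namespace first and the host namespace second lists stale mounts
# the service can still write to, which is the symptom described in the report.
mounts_only_in_first() {
    { printf '%s\n' "$1"; echo '=== SEP ==='; printf '%s\n' "$2"; } | awk '
        /^=== SEP ===$/ { second = 1; next }
        !second { order[n++] = $5; next }
        { seen[$5] = 1 }
        END { for (i = 0; i < n; i++) if (!seen[order[i]]) print order[i] }
    '
}

# Constructed host namespace: a shared root (the state systemd 189 sets up),
# one slave mount, and /var/www/image_secure already unmounted.
HOST_MOUNTINFO='36 35 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
48 36 0:40 / /mnt/slave rw,relatime master:1 - ext4 /dev/sdb1 rw'

# Constructed service namespace: a private root plus the unchanged
# /var/www/image_secure line copied from the bug report (PID 652 / httpd).
SERVICE_MOUNTINFO='205 204 8:1 / / rw,relatime - ext4 /dev/sda1 rw
207 205 253:6 / /var/www/image_secure rw,relatime - ext4 /dev/mapper/vg_myhost-lv_image_secure rw,seclabel,data=ordered'

# When run with a PID and a mount point, inspect a live process instead of the
# samples, e.g.:  ./mountcheck.sh 652 /var/www/image_secure
if [ "$#" -eq 2 ] && [ -r "/proc/$1/mountinfo" ]; then
    mount_propagation "$(cat "/proc/$1/mountinfo")" "$2"
fi
```

Run it as root against the host's `$$` and the service's main PID; a root reported as "private" in the service namespace, or a non-empty list from `mounts_only_in_first` with the service first, reproduces the condition in this report. A "slave" root would also receive the host's umounts, which matches the --make-slave behaviour quoted in Comment 2.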
