When PrivateTmp is enabled (true) for a service, it can't see any changes in mounts (neither mounts of new FS, nor umounts of existing FS). Furthermore, the service can read and write from/to files on a filesystem which was unmounted after the service was started.

At the moment I have httpd.service with PrivateTmp=true and sshd.service without PrivateTmp.

    # ps -ef | grep http
    root       652     1  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
    apache     654   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
    apache     655   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
    apache     656   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
    apache     657   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
    apache     658   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
    apache     659   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
    apache     660   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
    apache     661   652  0 09:10 ?        00:00:00 /usr/sbin/httpd -k start
    # ps -ef | grep sshd
    root       771     1  0 Jul11 ?        00:00:00 /usr/sbin/sshd -D

I have a filesystem mounted as follows:

    # mount | grep image
    /dev/mapper/vg_myhost-lv_image_secure on /var/www/image_secure type ext4 (rw,relatime,seclabel,data=ordered)

Now both services can see this FS:

    # cat /proc/652/mountinfo | grep image
    207 205 253:6 / /var/www/image_secure rw,relatime - ext4 /dev/mapper/vg_myhost-lv_image_secure rw,seclabel,data=ordered
    # cat /proc/771/mountinfo | grep image
    48 42 253:6 / /var/www/image_secure rw,relatime - ext4 /dev/mapper/vg_myhost-lv_image_secure rw,seclabel,data=ordered

When I unmount /var/www/image_secure, the httpd service can't see the change, but sshd doesn't show this FS any more:

    # umount /var/www/image_secure
    # cat /proc/652/mountinfo | grep image
    207 205 253:6 / /var/www/image_secure rw,relatime - ext4 /dev/mapper/vg_myhost-lv_image_secure rw,seclabel,data=ordered
    # cat /proc/771/mountinfo | grep image
    #

Now I can still create/read/write files on /var/www/image_secure, that is on vg_myhost-lv_image_secure, from apache. These files are not visible under my shell (/var/www/image_secure was unmounted, and ls -la shows an empty directory), but they will show up after mounting /var/www/image_secure again.

This is on:

    # cat /etc/issue
    Fedora release 17 (Beefy Miracle)
    Linux myhost 3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5 20:20:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
    systemd-44-17.fc17.x86_64
Hmm, your root directory must probably be remounted shared:

    mount --make-shared /

Does that make things work?
Thank you for the suggestion. Indeed, marking / and /var did help, but only until the next reboot. Additionally, "mount --make-shared" must be called after the filesystems were mounted, but before httpd.service was started. Is there any option to permanently mark a mountpoint as "shared"? I couldn't find any in fstab. Or is it possible only with another script/service which would start before httpd.service? I also found an option to make a "slave" mount (--make-slave). From the docs: "When a slave mount is created, any mount within the original mount point is reflected in it". Maybe systemd should mark the mounts for services with PrivateTmp=true as slaves, so that any subsequent mounts within the original filesystems would be reflected for the services?
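The two checks discussed in this thread, comparing a service's /proc/PID/mountinfo against the root namespace (as done by hand in the report above) and reading whether each mount is shared, slave or private (the distinction raised in the comment above), can be scripted. The following is an added example written for this page, not code from systemd or from anyone in the thread. It parses the mountinfo format described in proc(5), lists mounts the service still has after they were unmounted elsewhere, lists mounts it cannot see, and derives the propagation type from the optional fields. The sample lines ROOT_NS and HTTPD_NS are constructed for the example: mount IDs, the lv_root and image_new volumes and the systemd-private-EXAMPLE path are placeholders modelled on the report's output, where the lines carry no shared: or master: tag and are therefore private.

```python
#!/usr/bin/env python3
"""Compare a service's mount namespace with PID 1's and report mount
propagation, parsing /proc/<pid>/mountinfo (format documented in proc(5)).
Added example for this bug thread; sample data below is constructed."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    dev: str             # major:minor of the backing device
    root: str            # path inside the filesystem that is mounted here
    mount_point: str
    options: str
    optional: List[str]  # zero or more "tag[:value]" fields
    fstype: str
    source: str
    super_options: str

    @property
    def propagation(self) -> str:
        """'shared:N' means peer group N, 'master:N' means slave of peer
        group N; no tag at all means private (events neither sent nor
        received), which is the state seen in the report's mountinfo."""
        tags = {f.split(":", 1)[0] for f in self.optional}
        if "shared" in tags:
            return "shared"
        if "master" in tags:
            return "slave"
        if "unbindable" in tags:
            return "unbindable"
        return "private"


def _unescape(s: str) -> str:
    # mountinfo escapes space, tab, newline and backslash in paths as octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mountinfo(text: str) -> List[Mount]:
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The optional-field list is variable length and terminated by " - ",
        # so split on that separator instead of using fixed column indexes.
        head, sep, tail = line.partition(" - ")
        h, t = head.split(), tail.split(maxsplit=2)
        if not sep or len(h) < 6 or len(t) < 3:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        mounts.append(Mount(int(h[0]), int(h[1]), h[2], _unescape(h[3]),
                            _unescape(h[4]), h[5], h[6:], t[0],
                            _unescape(t[1]), t[2]))
    return mounts


def stale_mounts(reference: List[Mount], service: List[Mount]) -> List[str]:
    """Mount points the service still has but the reference namespace does
    not: filesystems unmounted after the service started."""
    ref = {m.mount_point for m in reference}
    return sorted(m.mount_point for m in service if m.mount_point not in ref)


def invisible_mounts(reference: List[Mount], service: List[Mount]) -> List[str]:
    """Mount points in the reference namespace the service cannot see:
    filesystems mounted after the service started."""
    svc = {m.mount_point for m in service}
    return sorted(m.mount_point for m in reference if m.mount_point not in svc)


def propagation_report(mounts: List[Mount]) -> Dict[str, str]:
    return {m.mount_point: m.propagation for m in mounts}


# Constructed sample: root namespace after "mount --make-shared /" and after
# image_secure was unmounted and a new image_new volume mounted.
ROOT_NS = """\
42 1 253:1 / / rw,relatime shared:1 - ext4 /dev/mapper/vg_myhost-lv_root rw,seclabel,data=ordered
45 42 0:15 / /tmp rw,nosuid,nodev shared:2 - tmpfs tmpfs rw,seclabel
46 42 253:7 / /var/www/image_new rw,relatime shared:3 - ext4 /dev/mapper/vg_myhost-lv_image_new rw,seclabel,data=ordered
"""
# Constructed sample: the httpd PrivateTmp namespace, all mounts private.
HTTPD_NS = """\
205 204 253:1 / / rw,relatime - ext4 /dev/mapper/vg_myhost-lv_root rw,seclabel,data=ordered
206 205 0:15 /systemd-private-EXAMPLE/tmp /tmp rw,nosuid,nodev - tmpfs tmpfs rw,seclabel
207 205 253:6 / /var/www/image_secure rw,relatime - ext4 /dev/mapper/vg_myhost-lv_image_secure rw,seclabel,data=ordered
"""


def main(argv: List[str]) -> None:
    if len(argv) == 2:
        # Live mode: compare the given service PID against PID 1 (needs
        # permission to read both mountinfo files).
        with open("/proc/1/mountinfo") as f:
            ref = parse_mountinfo(f.read())
        with open(f"/proc/{argv[1]}/mountinfo") as f:
            svc = parse_mountinfo(f.read())
    else:
        ref, svc = parse_mountinfo(ROOT_NS), parse_mountinfo(HTTPD_NS)
    print("stale in service    :", stale_mounts(ref, svc))
    print("invisible to service:", invisible_mounts(ref, svc))
    for mp, prop in propagation_report(svc).items():
        print(f"{mp:25} {prop}")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it uses the constructed samples; run as `script.py 652` it compares the live namespace of that PID with PID 1's. Note that /tmp is expected to differ under PrivateTmp (same tmpfs, different root path), so the comparison is by mount point rather than by device, and a /tmp with a different root is not flagged.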
Ultimately the kernel should be fixed to allow the shared setting to be specified like any other mount option, and we can just list it in fstab.
systemd 189 will now make the entire hierarchy shared early at boot. That should fix the issue.