[Pkg-systemd-maintainers] Bug#739593: Bug#739593: Bug#739593: closed by Michael Stapelberg <stapelberg at debian.org> (Re: Bug#739593: systemd makes / shared by default)

Lennart Poettering lennart at poettering.net
Fri Feb 28 13:13:25 GMT 2014


On Fri, 28.02.14 06:51, Martin Pitt (mpitt at debian.org) wrote:

> > We turned the default from PRIVATE to SHARED on request of the container
> > and security guys, since they want that if you mount something from the
> > host into a subdir of the container, it should just appear there,
> > because that's what most people would most likely expect.
> 
> Well, but conversely what scripts/people expected before that script
> was that something that you run under "unshare -m" really actually did
> what it says on the tin, namely that it really *does* have its private
> mount name space. Now it doesn't, and mounts done in that unshared
> process affect the system outside of it. I. e. all such programs now
> have to be changed to do that "mount --make-rprivate /" dance.

I have talked to Karel, he's thinking about adding
--propagation=slave|shared|private|none to unshare -m now, with a
default of "slave". Please ping him on IRC or so, so that he sees that
there is demand for that. With that change "unshare -m" should work for
everybody the same.

> > The kernel default for this is unlikely to change since they argue that
> > it breaks compatibility, which I kinda agree with. In systemd however, we
> > thought we'd better pick saner defaults.
> 
> That has the same net effect though, changing the global default?
> systemd and the kernel shouldn't have two different defaults,
> otherwise we'll eternally have scripts and programs with different
> expectations.

Well, we don't provide 100% compat anyway, just 99%. We are pretty sure
that the "shared" default makes a lot of sense though and that apps
that need their private setups need to be fixed anyway, so we took the
liberty to switch here, better earlier than later. Of course, that
worked for us quite well, since we already did this change 3y ago where
people probably didn't assume things about "unshare -m" so much yet...

Lennart

-- 
Lennart Poettering, Red Hat
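As an added example, not part of this thread or of systemd/util-linux: the exchange above is about the fact that on a system where / is a shared mount, `unshare -m` alone no longer isolates mounts, and a program that needs real isolation has to re-mark the tree private itself. The shell below (POSIX sh, assuming a Linux /proc and util-linux `mount`/`unshare`) reads the propagation flags of a mount from a `/proc/<pid>/mountinfo` line, so a script can check whether / is `shared:` before trusting `unshare -m`, and wraps the "mount --make-rprivate /" dance described in the mail. The mountinfo lines used as sample input are constructed for this example.

```shell
#!/bin/sh
# Mount propagation helpers (added example, assumes Linux + util-linux).

# mount_propagation LINE
# Given one line of /proc/<pid>/mountinfo, print its propagation type.
# The optional fields live between field 6 and the " - " separator and
# may contain "shared:N", "master:N" (slave) and "unbindable"; a mount with
# none of them is private. A mount carrying "shared:" propagates its
# sub-mounts to its peers, which is exactly the case where mounts made after
# a bare "unshare -m" leak back into the host namespace.
mount_propagation() {
    optional=$(printf '%s\n' "$1" |
        awk '{ for (i = 7; i <= NF && $i != "-"; i++) printf "%s ", $i }')
    case " $optional" in
        *" shared:"*)   echo shared ;;
        *" master:"*)   echo slave ;;
        *" unbindable"*) echo unbindable ;;
        *)              echo private ;;
    esac
}

# root_mountinfo_line: the mountinfo entry whose mount point (field 5) is /.
root_mountinfo_line() {
    awk '$5 == "/" { print; exit }' /proc/self/mountinfo 2>/dev/null
}

# root_is_shared: exit 0 if / is a shared mount in the caller's namespace.
root_is_shared() {
    [ "$(mount_propagation "$(root_mountinfo_line)")" = shared ]
}

# run_private_mounts CMD [ARGS...]
# Enter a new mount namespace and, before running CMD, mark the whole tree
# private so nothing CMD mounts propagates to the host. Needs CAP_SYS_ADMIN.
run_private_mounts() {
    unshare -m sh -c 'mount --make-rprivate / && exec "$@"' sh "$@"
}

# Stand-alone usage: report how / is set up on this machine (skipped where
# /proc/self/mountinfo is not readable, e.g. outside Linux).
if [ -r /proc/self/mountinfo ]; then
    echo "/ propagation: $(mount_propagation "$(root_mountinfo_line)")"
fi
```

On a systemd system `root_is_shared` typically succeeds, so a script that relies on `unshare -m` should either call `run_private_mounts` or test `root_is_shared` and bail out; newer util-linux releases also give unshare(1) a `--propagation` option for the same purpose.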