<para>The files listed with this
directive will be read shortly before
- the process is executed. Settings from
- these files override settings made
- with
+ the process is executed (more
+ specifically, this means after all
+ processes from a previous unit state
+ terminated. This means you can
+ generate these files in one unit
+ state, and read it with this option in
+ the next). Settings from these files
+ override settings made with
<varname>Environment=</varname>. If
the same variable is set twice from
these files, the files will be read in
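Review bot: The parenthetical added after "the process is executed" opens mid-sentence and runs across a full stop ("... terminated. This means you can ...") before it closes at "the next)", so the paragraph is hard to parse. It also mixes number: "generate these files ... and read it". Suggest ending the first sentence at "executed", then saying in a sentence of its own that the files are read after all processes from a previous unit state have terminated, so that files generated in one unit state can be read in the next.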
for details.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><varname>TCPWrapName=</varname></term>
- <listitem><para>If this is a
- socket-activated service, this sets the
- tcpwrap service name to check the
- permission for the current connection
- with. This is only useful in
- conjunction with socket-activated
- services, and stream sockets (TCP) in
- particular. It has no effect on other
- socket types (e.g. datagram/UDP) and
- on processes unrelated to socket-based
- activation. If the tcpwrap
- verification fails, daemon start-up
- will fail and the connection is
- terminated. See
- <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- for details. Note that this option may
- be used to do access control checks
- only. Shell commands and commands
- described in
- <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- are not supported.</para></listitem>
- </varlistentry>
-
<varlistentry>
<term><varname>CapabilityBoundingSet=</varname></term>
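Review bot: Dropping the whole TCPWrapName= entry removes the documentation of an access-control check without leaving any pointer for existing users; the removed text says a failed tcpwrap verification makes daemon start-up fail and terminates the connection. Nothing in these lines says whether a unit that still sets TCPWrapName= is now rejected or has the setting ignored. If the option itself is being removed, please add a short note on that behaviour and on where the check should move, so that a socket-activated service does not silently lose its connection filter.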
<option>shared</option>,
<option>slave</option> or
<option>private</option>, which
- control whether the file system
- namespace set up for this unit's
- processes will receive or propagate
- new mounts. See
+ control whether mounts in the file
+ system namespace set up for this
+ unit's processes will receive or
+ propagate mounts or unmounts. See
<citerefentry><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- for details. Default to
- <option>shared</option>.</para></listitem>
+ for details. Defaults to
+ <option>shared</option>. Use
+ <option>shared</option> to ensure that
+ mounts and unmounts are propagated
+ from the host to the container and
+ vice versa. Use <option>slave</option>
+ to run processes so that none of their
+ mounts and unmounts will propagate to
+ the host. Use <option>private</option>
+ to also ensure that no mounts and
+ unmounts from the host will propagate
+ into the unit processes'
+ namespace. Note that
+ <option>slave</option> means that file
+ systems mounted on the host might stay
+ mounted continously in the unit's
+ namespace, and thus keep the device
+ busy. Note that the file system
+ namespace related options
+ (<varname>PrivateTmp=</varname>,
+ <varname>PrivateDevices=</varname>,
+ <varname>ReadOnlyDirectories=</varname>,
+ <varname>InaccessibleDirectories=</varname>
+ and
+ <varname>ReadWriteDirectories=</varname>)
+ require that mount and unmount
+ propagation from the unit's file
+ system namespace is disabled, and
+ hence downgrade
+ <option>shared</option> to
+ <option>slave</option>.
+ </para></listitem>
</varlistentry>
<varlistentry>
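Review bot: "continously" in the added note on <option>slave</option> should be "continuously". The added description of <option>shared</option> also speaks of propagation "from the host to the container", while every other sentence in this entry refers to the unit's processes and the unit's namespace; use "unit" there as well. The rewritten opening, "control whether mounts in the file system namespace ... will receive or propagate mounts or unmounts", repeats "mounts" in two senses and could be tightened. Because the last added sentence says PrivateTmp= and the related options downgrade <option>shared</option> to <option>slave</option>, it would also help to state next to "Defaults to shared" that the effective setting differs when any of those options is used.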