| field | value |
|---|---|
| author | Yu Watanabe <watanabe.yu+github@gmail.com>, 2018-02-21 09:10:27 +0900 |
| committer | Yu Watanabe <watanabe.yu+github@gmail.com>, 2018-02-21 09:18:11 +0900 |
| commit | c10b460b5a29ceb1073079a18a92c939c9855c67 |
| tree | bfd8c1afab80a46fface73a880d8714d8174a09c /man/systemd.exec.xml |
| parent | core: add new setting TemporaryFileSystem= |
man: add documents for TemporaryFileSystem=
Diffstat (limited to 'man/systemd.exec.xml')

| file | mode | lines |
|---|---|---|
| man/systemd.exec.xml | -rw-r--r-- | 23 |

1 file changed, 23 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 730a7d0d0..169a44963 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -933,6 +933,29 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> </varlistentry> <varlistentry> + <term><varname>TemporaryFileSystem=</varname></term> + + <listitem><para>Takes a space-separated list of mount points for temporary file systems (tmpfs). If set, a new file + system namespace is set up for executed processes, and a temporary file system is mounted on each mount point. + This option may be specified more than once, in which case temporary file systems are mounted on all listed mount + points. If the empty string is assigned to this option, the list is reset, and all prior assignments have no effect. + Each mount point may optionally be suffixed with a colon (<literal>:</literal>) and mount options such as + <literal>size=10%</literal> or <literal>ro</literal>. By default, each temporary file system is mounted + with <literal>nodev,strictatime,mode=0755</literal>. These can be disabled by explicitly specifying the corresponding + mount options, e.g., <literal>dev</literal> or <literal>nostrictatime</literal>.</para> + + <para>This is useful to hide files or directories not relevant to the processes invoked by the unit, while necessary + files or directories can be still accessed by combining with <varname>BindPaths=</varname> or + <varname>BindReadOnlyPaths=</varname>. See the example below.</para> + + <para>Example: if a unit has the following, + <programlisting>TemporaryFileSystem=/var:ro +BindReadOnlyPaths=/var/lib/systemd</programlisting> + then the invoked processes by the unit cannot see any files or directories under <filename>/var</filename> except for + <filename>/var/lib/systemd</filename> or its contents.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>PrivateTmp=</varname></term> <listitem><para>Takes a boolean argument. If true, sets up a new file system namespace for the executed |
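Review bot: the mount-option paragraph of the new TemporaryFileSystem= entry gives only single-option examples (`size=10%`, `ro`) and never says how more than one option is passed after the colon (comma-separated as in fstab, or otherwise), nor that the stated defaults `nodev,strictatime,mode=0755` leave the tmpfs executable and suid-capable unless `noexec`/`nosuid` are added explicitly; a sentence such as "Several mount options may be given separated by commas, e.g. `/var/tmp:ro,nosuid,noexec`" (adjusted to whatever the parser actually accepts) would close both gaps, and a reader hardening a unit needs the second point in particular. Two wording fixes in the same hunk: the closing sentence of the example should read "then the processes invoked by the unit cannot see any files or directories under /var except for /var/lib/systemd and its contents", and "while necessary files or directories can be still accessed" should be "can still be accessed".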