1 file changed +12 -0 lines changed
9494 socket passing (i.e. sockets passed in via standard input and
9595 output, using <varname >StandardInput=socket</varname > in the
9696 service file).</para >
97+
98+ <para >All network sockets allocated through <filename >.socket</filename > units are allocated in the host's network
99+ namespace (see <citerefentry
100+ project =' man-pages' ><refentrytitle >network_namespaces</refentrytitle ><manvolnum >7</manvolnum ></citerefentry >). This
101+ does not mean however that the service activated by a configured socket unit has to be part of the host's network
102+ namespace as well. It is supported and even good practice to run services in their own network namespace (for
103+ example through <varname >PrivateNetwork=</varname >, see
104+ <citerefentry ><refentrytitle >systemd.exec</refentrytitle ><manvolnum >5</manvolnum ></citerefentry >), receiving only
105+ the sockets configured through socket-activation from the host's namespace. In such a set-up communication within
106+ the host's network namespace is only permitted through the activation sockets passed in while all sockets allocated
107+ from the service code itself will be associated with the service's own namespace, and thus possibly subject to a a
108+ much more restrictive configuration.</para >
97109 </refsect1 >
98110
99111 <refsect1 >
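Review bot: there is a duplicated article at the wrap between new lines 107 and 108 ("subject to a a much more restrictive configuration"); drop one "a". On new lines 100-101, "This does not mean however that" reads better with the adverb set off by commas ("This does not mean, however, that"). The last sentence (new lines 105-108) carries the security-relevant point of the paragraph, that only the passed-in activation sockets reach the host's network namespace while sockets the service creates itself live in its own namespace, and it would be easier to follow if split in two at "while", or at least given a comma before "while".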