PrivateMounts setting
The property PrivateMounts is a systemd unit setting used for sandboxing. It is available since systemd 239.
Purpose: provides a separate mount namespace to the service
Why and when to use PrivateMounts
Systemd has the unit setting PrivateMounts to provide the service with a private mount namespace. Only the service will see this view of the mount points, and it will not be propagated to the other services on the same host. Mount points visible on the host will still be propagated to the service, though.
Generic advice
This option can be useful, but it is typically not needed if one or more of the following settings is already configured.
- BindPaths
- BindReadOnlyPaths
- InaccessiblePaths
- PrivateDevices
- PrivateTmp
- ProtectHome
- ProtectSystem
- ReadOnlyPaths
- ReadWritePaths
Values
The systemd unit setting PrivateMounts expects a boolean (yes/no or true/false).
Value | Intended action | Available since systemd version
---|---|---
no | normal access to mount points (default) | 239
yes | provides a mount namespace to the service that is not propagated back to the host | 239
Example to show the current value of PrivateMounts for the ssh service:
systemctl show --property=PrivateMounts ssh.service
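The check above reports only the PrivateMounts value itself, while the "Generic advice" list names settings that make it redundant. The script below is an added example (not from the original page, nor part of systemd) that reads `systemctl show` style `Key=Value` lines on stdin and reports whether a unit has a private mount namespace explicitly, implicitly via one of the listed settings, or not at all; the sample outputs inside it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original page or from systemd itself.
# Classifies a unit's mount-namespace isolation from `systemctl show` output
# (Key=Value lines on stdin). The setting names are the ones the page lists;
# the sample outputs below are constructed, not captured from a real host.

# mount_ns_status prints one word:
#   explicit - PrivateMounts=yes is set
#   implied  - PrivateMounts=no, but a setting from the page's list that
#              gives the service its own mount namespace is in effect
#   none     - no private mount namespace requested
mount_ns_status() {
  private_mounts=no
  implied=no
  while IFS='=' read -r key value; do
    case "$key" in
      PrivateMounts)
        private_mounts=$value ;;
      PrivateDevices|PrivateTmp)
        if [ "$value" = yes ]; then implied=yes; fi ;;
      ProtectHome|ProtectSystem)
        # these take yes/no plus modes such as read-only, full or strict
        if [ -n "$value" ] && [ "$value" != no ]; then implied=yes; fi ;;
      BindPaths|BindReadOnlyPaths|InaccessiblePaths|ReadOnlyPaths|ReadWritePaths)
        # path lists: systemctl show prints an empty value when unset
        if [ -n "$value" ]; then implied=yes; fi ;;
    esac
  done
  if [ "$private_mounts" = yes ]; then
    echo explicit
  elif [ "$implied" = yes ]; then
    echo implied
  else
    echo none
  fi
}

# Constructed samples in the shape of
#   systemctl show --property=PrivateMounts,ProtectSystem,ReadWritePaths <unit>
SAMPLE_EXPLICIT='PrivateMounts=yes
ProtectSystem=no'
SAMPLE_IMPLIED='PrivateMounts=no
ProtectSystem=strict
ReadWritePaths=/var/lib/example'
SAMPLE_NONE='PrivateMounts=no
ProtectSystem=no
ReadWritePaths='

printf '%s\n' "$SAMPLE_EXPLICIT" | mount_ns_status   # explicit
printf '%s\n' "$SAMPLE_IMPLIED"  | mount_ns_status   # implied
printf '%s\n' "$SAMPLE_NONE"     | mount_ns_status   # none
```

On a real host, pipe `systemctl show --property=PrivateMounts,PrivateTmp,PrivateDevices,ProtectHome,ProtectSystem,BindPaths,BindReadOnlyPaths,InaccessiblePaths,ReadOnlyPaths,ReadWritePaths <unit>` into `mount_ns_status` instead of the samples.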