PrivateNetwork setting
The property PrivateNetwork is a systemd unit setting used for sandboxing.
Purpose: Defines whether the service can access the network interfaces of the host
Why and when to use PrivateNetwork
With the systemd unit setting PrivateNetwork, a new network namespace can be created for the service. If enabled, all network interfaces of the host become invisible to the service. Only a local loopback interface 'lo' is available, preventing any network communication with the host.
Generic advice
For most services PrivateNetwork=yes is not an option, as they require network communication. This option may however be useful for scripts and helper services that do not need any network access.
Caveats
Setting PrivateNetwork to yes will also set PrivateMounts to yes, unless PrivateMounts=no is specified. Before turning this on, investigate the impact of PrivateMounts.
If two services still need to communicate with each other, this is possible using the JoinsNamespaceOf setting.
Testing
To see if a program works with this property, consider using the systemd-run command.
With the default boolean value of 'no', all links will be visible.
# systemd-run --pty --property=PrivateNetwork=no ip link
Running as unit: run-p3085-i3385.service
Press ^] three times within 1s to disconnect TTY.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:52:52:bd:bd:bd brd ff:ff:ff:ff:ff:ff
    altname enx525252bdbdbd
When set to boolean value 'yes', only the local interface will show up.
# systemd-run --pty --property=PrivateNetwork=yes ip link
Running as unit: run-p3079-i3379.service; invocation ID: fec3a19e27ba4226aeaba5a50a869b1e
Press ^] three times within 1s to disconnect TTY.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Trying to ping a local device on the network will fail.
# systemd-run --pty --property=PrivateNetwork=yes ping -c 1 192.168.1.1
Running as unit: run-p3106-i3406.service
Press ^] three times within 1s to disconnect TTY.
/usr/bin/ping: connect: Network is unreachable
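The manual check above can be turned into a repeatable test. The script below is an added example and is not part of the original page: it extracts the interface names from `ip link` output and verifies that a run under PrivateNetwork=yes exposes nothing but 'lo'. The sample output embedded in it is constructed to mirror the runs shown above; the live check (the `--live` flag, an assumption of this script) uses systemd-run with `--wait --pipe` instead of `--pty` so that the output can be parsed, and must be run as root on a systemd host.

```shell
# Added example (not from the original page): check that a command run
# under PrivateNetwork=yes sees only the loopback interface.

# Extract interface names from `ip link` output. Interface lines look like
# "2: enp1s0: <BROADCAST,...>" (or "eth0.100@eth0" for stacked links);
# the indented link/ and altname lines are skipped.
iface_names() {
    sed -n 's/^[0-9][0-9]*: \([^:@]*\).*$/\1/p'
}

# Succeed (exit 0) only when the interface list on stdin is exactly "lo".
only_loopback() {
    names=$(iface_names | tr '\n' ' ' | sed 's/ $//')
    [ "$names" = "lo" ]
}

# Run `ip link` in a transient unit with the given PrivateNetwork value.
# --wait/--pipe return the command's output on stdout instead of attaching
# a pty; --quiet drops the "Running as unit" banner. Needs root + systemd.
sandboxed_ip_link() {
    systemd-run --quiet --wait --pipe --property=PrivateNetwork="$1" ip link
}

# Constructed sample output, shaped like the PrivateNetwork=yes run.
SAMPLE_PRIVATE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00'

# Constructed sample output, shaped like the PrivateNetwork=no run.
SAMPLE_HOST="$SAMPLE_PRIVATE
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:52:52:bd:bd:bd brd ff:ff:ff:ff:ff:ff
    altname enx525252bdbdbd"

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_HOST" | only_loopback || echo "host view: more than lo visible (expected)"
printf '%s\n' "$SAMPLE_PRIVATE" | only_loopback && echo "sandbox view: only lo visible (expected)"

# Live check (assumed flag): ./check-private-network.sh --live
if [ "${1:-}" = "--live" ]; then
    if sandboxed_ip_link yes | only_loopback; then
        echo "PrivateNetwork=yes: only lo visible (OK)"
    else
        echo "PrivateNetwork=yes: host interfaces leaked into the sandbox" >&2
        exit 1
    fi
fi
```

A failing live check usually means the namespace could not be set up (for example under a container runtime that forbids creating network namespaces), which is exactly the situation where the service would otherwise run with more network access than the unit file suggests.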
Values
The systemd unit setting PrivateNetwork expects a boolean (yes/no or true/false).

| Value | Intended action | Available since systemd version |
|---|---|---|
| no | normal access to network interfaces - default | 33 |
| yes | create new network namespace, service will have no access to network interfaces of the host system | 33 |
Example to show the current value of PrivateNetwork for the ssh service:
systemctl show --property=PrivateNetwork ssh.service
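Because PrivateNetwork=yes silently pulls in PrivateMounts=yes (see Caveats), the value a unit file spells out is not always the value that applies. The script below is an added example, not part of the original page or of systemd: it reads both settings from unit file text, normalises the boolean spellings systemd accepts (yes/no, true/false, plus 1/0 and on/off), and reports the effective pair. The three sample units are constructed; on a real host the same function can be fed `systemctl cat <unit>`, which prints the unit file together with its drop-ins.

```shell
# Added example (not from the original page): report the effective
# PrivateNetwork/PrivateMounts values of a unit, applying the rule that
# PrivateNetwork=yes implies PrivateMounts=yes unless PrivateMounts=no is set.

# Normalise a systemd boolean to "yes"/"no"; "" means the key was absent.
norm_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|yes|y|true|t|on)  echo yes ;;
        0|no|n|false|f|off) echo no ;;
        '')                 echo unset ;;
        *)                  echo invalid ;;
    esac
}

# Value of key $1 in the unit text on stdin; the last assignment wins,
# as it does in systemd, and a bare "Key=" resets to empty.
unit_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print "PrivateNetwork=<v> PrivateMounts=<v>" for the unit text on stdin.
effective_sandbox() {
    unit=$(cat)
    pn=$(norm_bool "$(printf '%s\n' "$unit" | unit_value PrivateNetwork)")
    pm=$(norm_bool "$(printf '%s\n' "$unit" | unit_value PrivateMounts)")
    if [ "$pn" = unset ]; then pn=no; fi          # default is no
    if [ "$pm" = unset ]; then                    # implied by PrivateNetwork=yes
        if [ "$pn" = yes ]; then pm=yes; else pm=no; fi
    fi
    echo "PrivateNetwork=$pn PrivateMounts=$pm"
}

# Constructed sample units (hypothetical services, not from the page).
UNIT_ROTATE='[Service]
ExecStart=/usr/local/bin/rotate-logs
PrivateNetwork=yes'

UNIT_ROTATE_KEEP_MOUNTS='[Service]
ExecStart=/usr/local/bin/rotate-logs
PrivateNetwork=true
PrivateMounts=no'

UNIT_WEB='[Service]
ExecStart=/usr/sbin/httpd'

for u in "$UNIT_ROTATE" "$UNIT_ROTATE_KEEP_MOUNTS" "$UNIT_WEB"; do
    printf '%s\n' "$u" | effective_sandbox
done
# Live use on a systemd host (not run here):
#   systemctl cat ssh.service | effective_sandbox
```

The first sample reports PrivateMounts=yes although the unit never mentions it; that is the impact the Caveats section asks you to investigate before enabling PrivateNetwork on a service that relies on mounts made after it starts.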