Systemd has a nice feature that is the private temporary directory (/tmp). But it is not clear from the dense manual what the correct ways to use it are, and what the implementation gotchas are (I get the feeling the manual is more a spec for devs and contributors).
Enabling this setting has the side effect of adding Requires= and After= dependencies on all mount units necessary to access /tmp and /var/tmp.
from https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
This is a little cryptic for non-systemd-insiders. I am assuming my filesystem, which for simplicity's sake let's say is only /, will receive a Requires=; I guess it is left as an exercise to figure out what it will require... maybe I should put the homework tag here? :)
Starting on https://www.freedesktop.org/software/systemd/man/systemd.mount.html#x-systemd.requires=
But that doesn't sound right. It says that Requires= on mount units are only for hierarchy. I guess.
Let's move on to https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requires=
But this also does not explain anything. It only says that one unit may require another. I guess.
I'm (wildly) guessing it uses https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=. So in my example the systemd mount unit for / will have a Requires=[BindPaths=[/tmp/systemd-noise,/tmp]], or however one writes that in systemd-speak?
Let's ask systemd:

    # systemctl show httpd
    ...
    Requires=system.slice sysinit.target -.mount tmp.mount
    ...
    RequiresMountsFor=/tmp /var/tmp
Not very helpful either.
I'm trying to wrap my head mostly around:
1) how exactly systemd denies access to the actual /tmp on the filesystem, and
2) how the process (let's say a CGI running from a systemd-started Apache) can figure out where the /tmp it has access to is?
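An added illustration, not part of the question above: PrivateTmp= does not change permissions on the host's /tmp at all; systemd runs the service in its own mount namespace in which /tmp is a bind mount of a per-service directory (/tmp/systemd-private-BOOTID-UNIT-RANDOM/tmp) created on the host filesystem, so the process simply uses /tmp and the "root" field of its /proc/PID/mountinfo entry shows where that really lives. The script below parses mountinfo files in the proc(5) format to show that; the service name, PID and sample lines are constructed for the example.

```shell
#!/bin/sh
# Show where a process's /tmp really lives by reading /proc/<pid>/mountinfo.
# Field layout per proc(5):
#   id parent maj:min root mountpoint opts [optional...] - fstype source superopts
# With PrivateTmp=yes the service's namespace carries a bind mount on /tmp whose
# "root" (4th field) is the per-service directory systemd created on the host.

# mount_root_of FILE MOUNTPOINT
#   prints "<root> on <source> (<fstype>)" for the topmost mount of MOUNTPOINT
#   listed in FILE, or an "inherited" note when nothing is mounted there.
mount_root_of() {
  awk -v mp="$2" '
    $5 == mp {
      for (i = 7; i <= NF; i++)
        if ($i == "-") { hit = $4 " on " $(i+2) " (" $(i+1) ")"; break }
    }
    END {
      if (hit != "") print hit
      else print "inherited (no separate mount on " mp ")"
    }' "$1"
}

# private_tmp_differs HOST_MOUNTINFO SVC_MOUNTINFO
#   succeeds when the two namespaces have different things mounted on /tmp
private_tmp_differs() {
  [ "$(mount_root_of "$1" /tmp)" != "$(mount_root_of "$2" /tmp)" ]
}

# Live use (hypothetical unit name): compare PID 1 with the service's main PID, e.g.
#   ./privtmp.sh "$(systemctl show -p MainPID --value httpd.service)"
if [ $# -ge 1 ]; then
  echo "pid 1  /tmp: $(mount_root_of /proc/1/mountinfo /tmp)"
  echo "pid $1 /tmp: $(mount_root_of "/proc/$1/mountinfo" /tmp)"
  if private_tmp_differs /proc/1/mountinfo "/proc/$1/mountinfo"; then
    echo "-> PID $1 has a private /tmp"
  else
    echo "-> PID $1 shares the host /tmp"
  fi
fi
```

Run it as root against a service's MainPID: the "root" printed for the service's /tmp is the directory under the host's /tmp that the unit is actually writing into.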