cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
left4me/deploy/files/usr/local/lib/systemd/system/left4me-web.service
mwiegand 1968684c03
fix(deploy): MountFlags=shared on web service for fuse mount propagation 
ProtectSystem=full + ReadWritePaths implicitly give the unit a private
mount namespace (systemd needs to remount /usr read-only). The default
namespace propagation is slave, so mounts the worker creates inside
never reach the host. The gameserver units (started via systemctl,
each with their own namespace) then inherit a host that lacks the
overlay, and their CHDIR into /var/lib/left4me/runtime/<name>/merged
fails.

Set MountFlags=shared so mount events propagate from the worker's
namespace back to the host, then onward to gameserver units at their
unshare time.

Verified on test box: nsenter -t <gunicorn-pid> -m mount showed the
fuse-overlayfs mount inside the worker but plain mount on the host
did not, while web unit had ProtectSystem=full + ReadWritePaths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 02:01:24 +02:00

31 lines
1.2 KiB
Desktop File
Raw Blame History

[Unit]
Description=left4me web application
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=left4me
Group=left4me
WorkingDirectory=/opt/left4me
Environment=HOME=/var/lib/left4me
Environment=PATH=/opt/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
EnvironmentFile=/etc/left4me/host.env
EnvironmentFile=/etc/left4me/web.env
ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 8 --bind 0.0.0.0:8000 'l4d2web.app:create_app()'
Restart=on-failure
RestartSec=3
# NoNewPrivileges intentionally not set: the worker invokes fusermount3
# (setuid-root) and sudo to run the systemctl wrapper.
# ProtectSystem=full + ReadWritePaths implicitly give this unit a
# private mount namespace. MountFlags=shared makes its mount events
# propagate back to the host so per-instance fuse-overlayfs mounts are
# visible to the gameserver units (which inherit host mounts at their
# own unshare time). Without it, the per-instance mount only exists
# inside the worker's namespace and the gameserver units fail CHDIR.
ProtectSystem=full
ReadWritePaths=/var/lib/left4me
MountFlags=shared
[Install]
WantedBy=multi-user.target
Reference in a new issue View git blame Copy permalink