It's been ten years since I configured mount on demand backups to reduce the risk of my backups being zapped by mistake. Way back then I wanted to go one step further and use dedicated mount namespaces for backup jobs, but systemd didn't provide the necessary support (and still doesn't, despite the promisingly-named JoinsNamespaceOf= configuration option). I recently updated my setup to achieve this by hand.

All backup jobs now have an extra pre-start instruction ExecStartPre=mkbackupns which runs a shell script to either set up a persistent mount namespace, or exit quietly if it already exists.

    #!/bin/bash
    set -euo pipefail

    nsdir=/var/namespaces
    nsfile=$nsdir/backup
    # Escape the slashes so the path can be used inside an awk /regex/.
    nsfilex="$(echo "$nsfile" | sed 's#/#\\/#g')"

    # True if the mount holding the namespace files has private propagation.
    private_propagation() {
        findmnt -o+PROPAGATION "$nsdir" | grep -q private
    }

    # True if the namespace file is already pinned by an nsfs mount.
    nsfs_is_mounted() {
        test "nsfs" = "$(awk "/$nsfilex/ { print \$3 }" /proc/mounts)"
    }

    if ! nsfs_is_mounted; then
        if ! private_propagation; then
            mkdir -p "$nsdir"
            mount --bind --make-private "$nsdir"…
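The two checks above can also be made against `/proc/self/mountinfo`, comparing the mount point field exactly so that a path which merely shares the `/var/namespaces/backup` prefix is not mistaken for the namespace pin. This is an added example, not the author's script; the function names are hypothetical and the sample mount table is constructed.

```shell
#!/bin/bash
# Added example: exact-match mount checks on mountinfo-format text from stdin.
set -euo pipefail

# Print "FSTYPE [OPTIONAL_FIELDS]" for the last mount whose mount point is
# exactly $1. Field 5 is the mount point, optional fields (shared:N, master:N)
# run from field 7 up to the "-" separator, and the fstype follows it.
mount_entry() {
    awk -v target="$1" '
        $5 == target {
            opt = ""
            for (i = 7; i <= NF && $i != "-"; i++) opt = opt " " $i
            entry = $(i + 1) opt
        }
        END { if (entry == "") exit 1; print entry }'
}

# True if $1 is a mount point of type nsfs, i.e. a pinned namespace file.
is_nsfs_pin() {
    local entry
    entry=$(mount_entry "$1") || return 1
    [ "${entry%% *}" = nsfs ]
}

# True if the mount at $1 carries no shared:/master: peer-group tag.
is_private_mount() {
    local entry
    entry=$(mount_entry "$1") || return 1
    case "$entry" in
        *" shared:"*|*" master:"*) return 1 ;;
    esac
}

# Constructed sample (not captured from a real host). The last line shares
# the namespace file's path prefix but is an ordinary ext4 bind mount.
sample_mountinfo() {
    cat <<'EOF'
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
90 25 8:1 /var/namespaces /var/namespaces rw,relatime - ext4 /dev/sda1 rw
91 90 0:4 mnt:[4026532588] /var/namespaces/backup rw - nsfs nsfs rw
92 90 8:1 /srv/old /var/namespaces/backup-old rw shared:1 - ext4 /dev/sda1 rw
EOF
}

for t in / /var/namespaces /var/namespaces/backup /var/namespaces/backup-old; do
    pin=no; priv=no
    if sample_mountinfo | is_nsfs_pin "$t"; then pin=yes; fi
    if sample_mountinfo | is_private_mount "$t"; then priv=yes; fi
    echo "$t nsfs_pin=$pin private=$priv"
done
```

On a live system the same functions read the real table, for example `is_nsfs_pin /var/namespaces/backup < /proc/self/mountinfo`; mount points containing spaces appear octal-escaped there and are not handled by this sketch.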