Hi!
On the bug tracker guideline page it said that the systemd-devel list is also meant for support, so I hope it's okay to ask this beginner's question here:

== Environment:
- systemd-232 (systemd-232-22_amd64)
- Debian Stretch (minbase + systemd + systemd-container + ...)

== Goal:
- Run each nspawn container with a dedicated user id.

== Unexpected behaviour:
Setting up and running nspawn-based containers without any PrivateUsers setting works. The containers run using a random user id. (Here I seem to misunderstand the manual, as it says "false" is the default setting and therefore no mapping at all should happen.)
But as soon as I add a PrivateUsers=true or PrivateUsers=ID setting to the corresponding .nspawn file, systemd fails while mounting devpts in the container.

Since I like the idea of having a dedicated user for each container (and therefore seeing its uid in ps & co on the host), I did the following:

== On the host:
$ groupadd -g3777036288 MY_GROUP
$ echo MY_GROUP:3777036288:65536 >> /etc/subgid
$ useradd -d/var/lib/machines/MY_CONTAINER -M -g3777036288 -u3777036288 MY_USER
$ echo MY_USER:3777036288:65536 >> /etc/subuid
$ chown MY_USER:MY_GROUP /var/lib/machines/MY_CONTAINER
$ echo -e "[Exec]\nPrivateUsers=true\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
-OR-
$ echo -e "[Exec]\nPrivateUsers=3777036288\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
$ machinectl start MY_CONTAINER

(The strange-looking ID represents the container in the upper 16 bits so that nspawn can use the lower 16 bits for the local uids. And not putting anything in /etc/sub?id doesn't change anything. But putting the IDs there is the correct way, right?)

journalctl shows the following:

== On the host:
systemd[1]: Starting Container MY_CONTAINER...
systemd-nspawn[6345]: Selected user namespace base 3777036288 and range 65536.
systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_BIND ""): No such file or directory
systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""): Invalid argument

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
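Added example (not part of the post above, nor systemd's own tooling): a small POSIX sh helper for the uid layout the poster describes (container index in the upper 16 bits, 65536 local uids below it), plus a check that reports files in a container tree owned outside the mapped range. It assumes nspawn requires the base to be a multiple of 65536 with the whole range fitting below 2^32, and that GNU find is available.

```shell
#!/bin/sh
# Helper for the "container index in the upper 16 bits" uid scheme.
# Assumptions (not taken from the post): PrivateUsers=BASE needs BASE to be
# 65536-aligned and BASE+65536 must not exceed the 32-bit uid space;
# owners_outside_range relies on GNU find's -printf.

RANGE=65536

# uid base for a container index: index << 16 (index lands in the upper 16 bits).
uid_base_for_index() {
    echo $(( $1 << 16 ))
}

# Container index encoded in a base (inverse of uid_base_for_index).
index_for_uid_base() {
    echo $(( $1 >> 16 ))
}

# Returns 0 if BASE is usable as PrivateUsers=BASE, 1 otherwise.
validate_uid_base() {
    base=$1
    [ "$base" -ge 0 ] || return 1
    [ $(( base % RANGE )) -eq 0 ] || return 1            # must be 65536-aligned
    [ $(( base + RANGE )) -le 4294967295 ] || return 1   # full range must fit in 32 bits
    return 0
}

# /etc/subuid or /etc/subgid line handing the 65536-wide range to a user/group.
subid_line() {
    echo "$1:$2:$RANGE"
}

# .nspawn fragment pinning the container to a fixed base.
nspawn_fragment() {
    printf '[Exec]\nPrivateUsers=%s\n' "$1"
}

# Print every owner uid found under $1 that lies outside [base, base+RANGE).
# Files owned outside the mapped range keep a host-side owner the container
# cannot map; a non-empty result means the tree was not shifted for that base.
owners_outside_range() {
    dir=$1 base=$2
    find "$dir" -printf '%U\n' | sort -un | while read -r uid; do
        if [ "$uid" -lt "$base" ] || [ "$uid" -ge $(( base + RANGE )) ]; then
            echo "$uid"
        fi
    done
}
```

Example: `validate_uid_base 3777036288 && owners_outside_range /var/lib/machines/MY_CONTAINER 3777036288` should print nothing once the tree has been chowned into the range.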