| author | Lennart Poettering <lennart@poettering.net> | 2017-11-16 18:05:42 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2017-11-17 11:12:33 +0100 |
| commit | 994a6364d2dfcf5fa11ec26e81752fbe842428aa | |
| tree | 424d6fc595bb8a1df7051af2c8f6d7d5d7e5f3e3 /man/systemd-nspawn.xml | |
| parent | test-cgroup-util: skip cg hierarchy tests when necessary (#7371) | |
| download | systemd-994a6364d2dfcf5fa11ec26e81752fbe842428aa.tar.xz, systemd-994a6364d2dfcf5fa11ec26e81752fbe842428aa.zip | |
man: document how nspawn's --bind= and --private-users interact
Fixes: #5900
Diffstat

| -rw-r--r-- | man/systemd-nspawn.xml | 8 |
|---|---|---|

1 files changed, 7 insertions, 1 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 98ce1529de..1ef6567e48 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -806,7 +806,13 @@ <option>norbind</option> are allowed, controlling whether to create a recursive or a regular bind mount. Defaults to "rbind". Backslash escapes are interpreted, so <literal>\:</literal> may be used to embed colons in either path. This option may be specified multiple times for creating multiple independent bind - mount points. The <option>--bind-ro=</option> option creates read-only bind mounts.</para></listitem> + mount points. The <option>--bind-ro=</option> option creates read-only bind mounts.</para> + + <para>Note that when this option is used in combination with <option>--private-users</option>, the resulting + mount points will be owned by the <constant>nobody</constant> user. That's because the mount and its files and + directories continue to be owned by the relevant host users and groups, which do not exist in the container, + and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to + make them read-only, using <option>--bind-ro=</option>.</para></listitem> </varlistentry> <varlistentry> |
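Review bot: the new paragraph recommends making such bind mounts read-only ("If such bind mounts are created, it is recommended to make them read-only, using <option>--bind-ro=</option>") but never says what goes wrong when they are writable, so a reader who only sees files owned by nobody cannot judge whether the advice applies to them; add one sentence giving the consequence before the recommendation. Two smaller points in the same paragraph: "wildcard UID 65534" is not a term users will find elsewhere (the kernel calls the UID it substitutes for unmapped IDs in a user namespace the overflow UID), so consider "overflow UID 65534 (usually shown as nobody)", which also avoids implying that the name nobody is guaranteed to resolve to 65534 inside every container; and "That's because" is conversational for a man page, where "This is because" matches the surrounding text.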