path: root/src/nspawn/nspawn-gperf.gperf
author: Lennart Poettering <lennart@poettering.net> 2021-05-05 12:45:22 +0200
committer: Lennart Poettering <lennart@poettering.net> 2021-05-19 17:46:59 +0200
commit: 2f8930449079403b26c9164b8eeac78d5af2c8df (patch)
tree: 12494df27c9d5042be9f9f3ba4d4d9e36bab5515 /src/nspawn/nspawn-gperf.gperf
parent: nspawn: export userns_mkdir() + userns_lchown() so that it can be used elsewh... (diff)
nspawn: add new --bind-user= option for binding a host user into the container
This new option does three things for a host user specified via --bind-user=:

1. Bind mount the home directory from the host directory into /run/host/home/<username>
2. Install an additional user namespace UID/GID mapping mapping the host UID/GID of the host user to an unused one from the container in the range 60514…60577.
3. Synthesize a user/group record for the user/group under the same name as on the host, with minimized information, and the UID/GID set to the mapped UID/GID. This data is written to /run/host/userdb/ where nss-systemd will pick it up.

This should make sharing users and home directories from host into the container pretty seamless, under some conditions:

1. User namespacing must be used.
2. The host UID/GID of the user/group cannot be in the range assigned to the container (kernel already refuses this, as this would mean two host UIDs/GIDs might end up being mapped to the same container UID/GID).
3. There's a free UID/GID in the aforementioned range in the container, and the name of the user/group is not used in the container.
4. Container payload is new enough to include an nss-systemd version that picks up records from /run/host/userdb/
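The three steps and four preconditions above, as an added dry-run planner that is not part of systemd or of this commit. It applies the rules exactly as the commit message states them (host ID outside the container's range, a free number in 60514…60577, an unused name) and shows what the extra uid_map/gid_map lines, the bind mount and the minimized records would look like. The record field names follow the systemd JSON User Record format (userName, uid, gid, homeDirectory, groupName); the file names under /run/host/userdb/, the choice of one number for both UID and GID, and the sample container accounts are assumptions of this example.

```python
"""Dry-run planner for what --bind-user= has to set up for one host user.

Added illustration, not code from systemd/nspawn. It mirrors the rules the
commit message states: the host UID/GID must not lie in the range assigned to
the container, the mapped UID/GID comes from 60514..60577 and must be unused
in the container, and the user/group name must be free there. Field names
follow the JSON User Record format; file names and layout are assumptions.
"""
import json
import os

BIND_USER_RANGE = range(60514, 60578)          # 60514..60577 inclusive
HOST_HOME_ROOT = "/run/host/home"               # where the home dir is bind mounted
HOST_USERDB_DIR = "/run/host/userdb"            # where nss-systemd picks records up


class BindUserError(ValueError):
    """Raised when one of the preconditions for --bind-user= is not met."""


def in_container_range(host_id: int, base: int, count: int) -> bool:
    """True if a host UID/GID already falls inside the container's own range.

    The kernel refuses such a mapping anyway (two host IDs would map to the same
    container ID); rejecting it early just gives a clearer error.
    """
    return base <= host_id < base + count


def pick_mapped_id(used_uids: set, used_gids: set) -> int:
    """Lowest number in 60514..60577 that is free as both a UID and a GID.

    Using one number for both is a simplification of this example (it gives the
    bound user a conventional user-private group); nspawn may choose differently.
    """
    for candidate in BIND_USER_RANGE:
        if candidate not in used_uids and candidate not in used_gids:
            return candidate
    raise BindUserError("no free UID/GID left in 60514..60577")


def plan_bind_user(name, host_uid, host_gid, host_home,
                   container_uid_base, container_uid_count,
                   container_users, container_groups):
    """Return the mapping, mount and records that binding `name` would need.

    container_users / container_groups: name -> id as seen inside the container
    (what the image's passwd/group plus any existing userdb records provide).
    """
    if name in container_users or name in container_groups:
        raise BindUserError(f"user/group name {name!r} already used in the container")
    if in_container_range(host_uid, container_uid_base, container_uid_count):
        raise BindUserError(f"host UID {host_uid} lies inside the container's UID range")
    if in_container_range(host_gid, container_uid_base, container_uid_count):
        raise BindUserError(f"host GID {host_gid} lies inside the container's GID range")

    mapped = pick_mapped_id(set(container_users.values()), set(container_groups.values()))
    home_in_container = f"{HOST_HOME_ROOT}/{name}"

    # Minimized records: same name as on the host, UID/GID replaced by the
    # mapped number, home pointing at the bind mount inside the container.
    user_record = {"userName": name, "uid": mapped, "gid": mapped,
                   "homeDirectory": home_in_container}
    group_record = {"groupName": name, "gid": mapped}

    return {
        "mapped_id": mapped,
        # Extra uid_map / gid_map lines: "<id in container> <id on host> <count>".
        "uid_map_line": f"{mapped} {host_uid} 1",
        "gid_map_line": f"{mapped} {host_gid} 1",
        "bind_mount": (host_home, home_in_container),
        # The <name>.user / <name>.group file names are an assumption here.
        "userdb_files": {
            os.path.join(HOST_USERDB_DIR, f"{name}.user"): json.dumps(user_record),
            os.path.join(HOST_USERDB_DIR, f"{name}.group"): json.dumps(group_record),
        },
    }


# Constructed sample data: a container whose private user range starts at
# 0x1C0000 and spans 65536 IDs, with one account already sitting at 60514.
CONTAINER_USERS = {"root": 0, "svc": 60514, "nobody": 65534}
CONTAINER_GROUPS = {"root": 0, "svc": 60514, "nogroup": 65534}

if __name__ == "__main__":
    plan = plan_bind_user("lennart", 1000, 1000, "/home/lennart",
                          0x1C0000, 0x10000, CONTAINER_USERS, CONTAINER_GROUPS)
    print(json.dumps(plan, indent=2))
```

Run it as is to see the mapping for a host user 1000; change the host UID to one inside 0x1C0000…0x1CFFFF, reuse the name "svc", or fill all 64 numbers in the range to see each precondition from the message fail with its own error.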
Diffstat (limited to 'src/nspawn/nspawn-gperf.gperf')
-rw-r--r-- src/nspawn/nspawn-gperf.gperf | 1 +
1 file changed, 1 insertion, 0 deletions
diff --git a/src/nspawn/nspawn-gperf.gperf b/src/nspawn/nspawn-gperf.gperf
index 67a3682689..ea15e27148 100644
--- a/src/nspawn/nspawn-gperf.gperf
+++ b/src/nspawn/nspawn-gperf.gperf
@@ -69,6 +69,7 @@ Files.Overlay, config_parse_overlay, 0, 0
Files.OverlayReadOnly, config_parse_overlay, 1, 0
Files.PrivateUsersChown, config_parse_userns_chown, 0, offsetof(Settings, userns_ownership)
Files.PrivateUsersOwnership, config_parse_userns_ownership, 0, offsetof(Settings, userns_ownership)
+Files.BindUser, config_parse_bind_user, 0, offsetof(Settings, bind_user)
Network.Private, config_parse_tristate, 0, offsetof(Settings, private_network)
Network.Interface, config_parse_strv, 0, offsetof(Settings, network_interfaces)
Network.MACVLAN, config_parse_strv, 0, offsetof(Settings, network_macvlan)
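Review bot: the new Files.BindUser entry needs the same trust gating as the other Files.* keys that expose host data, and this hunk alone does not show it. The commit message says the option bind mounts a host home directory into the container and installs an extra UID/GID mapping, so confirm on the nspawn.c side that BindUser= is honoured only from trusted settings (the /etc/systemd/nspawn/ directory or --settings=trusted) and is ignored from the .nspawn file shipped next to an image, as Files.Bind is; otherwise an untrusted image could request a host user's home to be mapped in. Two smaller points: config_parse_bind_user and the Settings.bind_user member referenced in `+Files.BindUser, config_parse_bind_user, 0, offsetof(Settings, bind_user)` are not in this file, so they must be declared in nspawn-settings.h/.c in the same commit for the generated table to compile, and the new [Files] key should be documented in systemd.nspawn(5) alongside the --bind-user= command line option.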