nspawn: mount custom paths before writing to /etc

Consider such configuration: $ systemd-nspawn --read-only --timezone=copy --resolv-conf=copy-host \ --overlay="+/etc::/etc" <...> Assuming one wants `/` to be read-only, DNS and `/etc/localtime` to work. One way to do it is to create an overlay filesystem in `/etc/`. However, systemd-nspawn tries to create `/etc/resolv.conf` and `/etc/localtime` before mounting the custom paths, while `/` (and, by extension, `/etc`) is read-only. Thus it fails to create those files. Mounting custom paths before modifying anything in `/etc/` makes this possible. Full example: ``` $ debootstrap buster /var/lib/machines/t1 http://deb.debian.org/debian $ systemd-nspawn --private-users=false --timezone=copy --resolv-conf=copy-host --read-only --tmpfs=/var --tmpfs=/run --overlay="+/etc::/etc" -D /var/lib/machines/t1 ping -c 1 example.com Spawning container t1 on /var/lib/machines/t1. Press ^] three times within 1s to kill container. ping: example.com: Temporary failure in name resolution Container t1 failed with error code 130. ``` With the patch: ``` $ sudo ./build/systemd-nspawn --private-users=false --timezone=copy --resolv-conf=copy-host --read-only --tmpfs=/var --tmpfs=/run --overlay="+/etc::/etc" -D /var/lib/machines/t1 ping -qc 1 example.com Spawning container t1 on /var/lib/machines/t1. Press ^] three times within 1s to kill container. PING example.com (93.184.216.34) 56(84) bytes of data. --- example.org ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 110.912/110.912/110.912/0.000 ms Container t1 exited successfully. ```
author: Motiejus Jakštys <desired.mta@gmail.com> 2020-05-04 19:57:40 +0300
committer: Lennart Poettering <lennart@poettering.net> 2020-05-05 09:02:57 +0200
commit: 5c4deb9a5c29cf7b4f53009a1fb439b816cb3a34 (patch)
tree: 9671c44001ed9def493d2fc104f6668149ef02ef
parent: 848cfa74d275180c1c74213c4abc2ba04170e053 (diff)
download: systemd-5c4deb9a5c29cf7b4f53009a1fb439b816cb3a34.tar.gz
1 files changed, 10 insertions, 10 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c2148596b7..43c6b6845e 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3486,6 +3486,16 @@ static int outer_child(
         if (r < 0)
                 return r;
 
+        r = mount_custom(
+                        directory,
+                        arg_custom_mounts,
+                        arg_n_custom_mounts,
+                        arg_uid_shift,
+                        arg_selinux_apifs_context,
+                        MOUNT_NON_ROOT_ONLY);
+        if (r < 0)
+                return r;
+
         r = setup_timezone(directory);
         if (r < 0)
                 return r;
@@ -3502,16 +3512,6 @@ static int outer_child(
         if (r < 0)
                 return r;
 
-        r = mount_custom(
-                        directory,
-                        arg_custom_mounts,
-                        arg_n_custom_mounts,
-                        arg_uid_shift,
-                        arg_selinux_apifs_context,
-                        MOUNT_NON_ROOT_ONLY);
-        if (r < 0)
-                return r;
-
         if (!arg_use_cgns) {
                 r = mount_cgroups(
                                 directory,
author	Motiejus Jakštys <desired.mta@gmail.com>	2020-05-04 19:57:40 +0300
committer	Lennart Poettering <lennart@poettering.net>	2020-05-05 09:02:57 +0200
commit	5c4deb9a5c29cf7b4f53009a1fb439b816cb3a34 (patch)
tree	9671c44001ed9def493d2fc104f6668149ef02ef
parent	848cfa74d275180c1c74213c4abc2ba04170e053 (diff)
download	systemd-5c4deb9a5c29cf7b4f53009a1fb439b816cb3a34.tar.gz