author | Motiejus Jakštys <desired.mta@gmail.com> | 2020-05-04 19:57:40 +0300 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2020-05-05 09:02:57 +0200 |
commit | 5c4deb9a5c29cf7b4f53009a1fb439b816cb3a34 (patch) | |
tree | 9671c44001ed9def493d2fc104f6668149ef02ef | |
parent | 848cfa74d275180c1c74213c4abc2ba04170e053 (diff) | |
download | systemd-5c4deb9a5c29cf7b4f53009a1fb439b816cb3a34.tar.gz |
nspawn: mount custom paths before writing to /etc
Consider such a configuration:
```
$ systemd-nspawn --read-only --timezone=copy --resolv-conf=copy-host \
    --overlay="+/etc::/etc" <...>
```
Assume one wants `/` to be read-only, and DNS and `/etc/localtime` to
work. One way to do it is to create an overlay filesystem in `/etc/`.
However, systemd-nspawn tries to create `/etc/resolv.conf` and
`/etc/localtime` before mounting the custom paths, while `/` (and, by
extension, `/etc`) is read-only. Thus it fails to create those files.
Mounting custom paths before modifying anything in `/etc/` makes this
possible.
Full example:
```
$ debootstrap buster /var/lib/machines/t1 http://deb.debian.org/debian
$ systemd-nspawn --private-users=false --timezone=copy --resolv-conf=copy-host --read-only --tmpfs=/var --tmpfs=/run --overlay="+/etc::/etc" -D /var/lib/machines/t1 ping -c 1 example.com
Spawning container t1 on /var/lib/machines/t1.
Press ^] three times within 1s to kill container.
ping: example.com: Temporary failure in name resolution
Container t1 failed with error code 130.
```
With the patch:
```
$ sudo ./build/systemd-nspawn --private-users=false --timezone=copy --resolv-conf=copy-host --read-only --tmpfs=/var --tmpfs=/run --overlay="+/etc::/etc" -D /var/lib/machines/t1 ping -qc 1 example.com
Spawning container t1 on /var/lib/machines/t1.
Press ^] three times within 1s to kill container.
PING example.com (93.184.216.34) 56(84) bytes of data.
--- example.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 110.912/110.912/110.912/0.000 ms
Container t1 exited successfully.
```
-rw-r--r-- | src/nspawn/nspawn.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index c2148596b7..43c6b6845e 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -3486,6 +3486,16 @@ static int outer_child( if (r < 0) return r; + r = mount_custom( + directory, + arg_custom_mounts, + arg_n_custom_mounts, + arg_uid_shift, + arg_selinux_apifs_context, + MOUNT_NON_ROOT_ONLY); + if (r < 0) + return r; + r = setup_timezone(directory); if (r < 0) return r; @@ -3502,16 +3512,6 @@ static int outer_child( if (r < 0) return r; - r = mount_custom( - directory, - arg_custom_mounts, - arg_n_custom_mounts, - arg_uid_shift, - arg_selinux_apifs_context, - MOUNT_NON_ROOT_ONLY); - if (r < 0) - return r; - if (!arg_use_cgns) { r = mount_cgroups( directory, |
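Review bot: with mount_custom() moved ahead of setup_timezone() in the first hunk, a user-supplied mount that covers /etc now receives nspawn's writes (/etc/localtime here, and per the commit message /etc/resolv.conf) instead of the image under `directory`. That is the intent for the read-only overlay case, but for a plain --bind of a host directory onto /etc it means nspawn now modifies the host directory, so please state that behaviour change in the commit message and in the --bind/--overlay documentation. The same reordering means every step between the new call site and the removed one (from setup_timezone() down to the old mount_custom() position) now runs with custom mounts already in place; please confirm none of them relied on the mounts being absent, and add a test that runs --read-only together with --overlay on /etc so the ordering cannot regress silently.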