author | Lennart Poettering <lennart@poettering.net> | 2021-05-05 12:45:22 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-05-19 17:46:59 +0200 |
commit | 2f8930449079403b26c9164b8eeac78d5af2c8df (patch) | |
tree | 12494df27c9d5042be9f9f3ba4d4d9e36bab5515 /src/nspawn/nspawn-bind-user.h | |
parent | 91181e075be46e9c919315f2e8f903a963754cb2 (diff) | |
download | systemd-2f8930449079403b26c9164b8eeac78d5af2c8df.tar.gz |
nspawn: add new --bind-user= option for binding a host user into the container
This new option does three things for a host user specified via
--bind-user=:
1. Bind mount the home directory from the host directory into
/run/host/home/<username>
2. Install an additional user namespace UID/GID mapping mapping the host
UID/GID of the host user to an unused one from the container in the range
60514…60577.
3. Synthesize a user/group record for the user/group under the same name
as on the host, with minimized information, and the UID/GID set to
the mapped UID/GID. This data is written to /run/host/userdb/ where
nss-systemd will pick it up.
This should make sharing users and home directories from host into the
container pretty seamless, under some conditions:
1. User namespacing must be used.
2. The host UID/GID of the user/group cannot be in the range assigned to
the container (kernel already refuses this, as this would mean two
host UIDs/GIDs might end up being mapped to the same container
UID/GID).
3. There's a free UID/GID in the aforementioned range in the container,
and the name of the user/group is not used in the container.
4. Container payload is new enough to include an nss-systemd version
that picks up records from /run/host/userdb/
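The three steps and the four conditions above are easier to reason about with the bookkeeping written out. The following is an added example, not systemd's code: it models, per host user, the slot allocation in the 60514…60577 range, the rejection of a host UID that already falls inside the container's own range (condition 2), the extra uid_map line (step 2) and a minimal JSON user record for /run/host/userdb/ (step 3). The range and the /run/host/home/<user> path are taken from the commit message; the function names, the bitmap standing in for "is this UID still free in the container", and the choice of the same number for uid and gid are assumptions made for this illustration.

```c
/* Added example (not systemd code): a model of what --bind-user= has to
 * track per host user, following the commit message. The function names,
 * the bitmap and the record layout are assumptions of this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAPPED_ID_MIN 60514U
#define MAPPED_ID_MAX 60577U   /* 64 slots, so a uint64_t bitmap is enough */

typedef struct BindUserPlan {
        const char *name;
        uid_t host_uid;
        uid_t container_uid;   /* UID the host user gets inside the container */
        char home[128];        /* where the host home directory is bind-mounted */
} BindUserPlan;

/* Condition 2: a host UID that already lies in the container's own range
 * [uid_shift, uid_shift + uid_range) cannot be mapped a second time, since
 * two host UIDs would then alias one container UID. */
static bool host_uid_in_container_range(uid_t host_uid, uid_t uid_shift, uid_t uid_range) {
        return host_uid >= uid_shift && host_uid - uid_shift < uid_range;
}

/* Picks the first free slot in 60514…60577 and fills in the plan.
 * `used` is a bitmap of slots already handed out (assumption: it stands in
 * for "is this UID still free in the container", condition 3).
 * Returns 0 on success, -1 if a condition is not met. */
int bind_user_plan(const char *name, uid_t host_uid, uid_t uid_shift, uid_t uid_range,
                   uint64_t *used, BindUserPlan *ret) {
        if (!name || !used || !ret)
                return -1;
        if (host_uid_in_container_range(host_uid, uid_shift, uid_range))
                return -1;

        for (unsigned i = 0; i <= MAPPED_ID_MAX - MAPPED_ID_MIN; i++) {
                uint64_t bit = UINT64_C(1) << i;
                if (*used & bit)
                        continue;
                *used |= bit;
                ret->name = name;
                ret->host_uid = host_uid;
                ret->container_uid = MAPPED_ID_MIN + i;
                snprintf(ret->home, sizeof ret->home, "/run/host/home/%s", name);
                return 0;
        }
        return -1; /* range exhausted, condition 3 fails */
}

/* The additional user namespace mapping (step 2) in /proc/<pid>/uid_map
 * syntax: "<container id> <host id> <count>". Returns bytes written,
 * or -1 if the line did not fit. */
int uid_map_line(const BindUserPlan *p, char *buf, size_t n) {
        int r = snprintf(buf, n, "%u %u 1\n", (unsigned) p->container_uid, (unsigned) p->host_uid);
        return (r < 0 || (size_t) r >= n) ? -1 : r;
}

/* A minimal JSON user record for /run/host/userdb/ (step 3). Field names
 * follow systemd's JSON user record format; reusing the UID number as GID
 * is an assumption of this example. */
int synth_user_record(const BindUserPlan *p, char *buf, size_t n) {
        int r = snprintf(buf, n,
                         "{\"userName\":\"%s\",\"uid\":%u,\"gid\":%u,\"homeDirectory\":\"%s\"}",
                         p->name, (unsigned) p->container_uid, (unsigned) p->container_uid, p->home);
        return (r < 0 || (size_t) r >= n) ? -1 : r;
}

int main(void) {
        uint64_t used = 0;
        BindUserPlan p;
        char line[64], rec[256];

        /* constructed input: host user "alice" with UID 1000, container
         * assigned the host range 524288…589823 */
        if (bind_user_plan("alice", 1000, 524288, 65536, &used, &p) < 0)
                return 1;
        uid_map_line(&p, line, sizeof line);
        synth_user_record(&p, rec, sizeof rec);
        fputs(line, stdout);
        puts(rec);
        return 0;
}
```

Run it and the uid_map line reads `60514 1000 1`, i.e. container UID 60514 is backed by host UID 1000 only; a second user gets 60515, and a host UID inside the container's own range is refused before any slot is consumed.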
Diffstat (limited to 'src/nspawn/nspawn-bind-user.h')
-rw-r--r-- | src/nspawn/nspawn-bind-user.h | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/nspawn/nspawn-bind-user.h b/src/nspawn/nspawn-bind-user.h new file mode 100644 index 0000000000..4352ce0ab2 --- /dev/null +++ b/src/nspawn/nspawn-bind-user.h @@ -0,0 +1,29 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +#include "user-record.h" +#include "group-record.h" +#include "nspawn-mount.h" + +typedef struct BindUserData { + /* The host's user/group records */ + UserRecord *host_user; + GroupRecord *host_group; + + /* The mapped records to place into the container */ + UserRecord *payload_user; + GroupRecord *payload_group; +} BindUserData; + +typedef struct BindUserContext { + BindUserData *data; + size_t n_data; +} BindUserContext; + +BindUserContext* bind_user_context_free(BindUserContext *c); + +DEFINE_TRIVIAL_CLEANUP_FUNC(BindUserContext*, bind_user_context_free); + +int bind_user_prepare(const char *directory, char **bind_user, uid_t uid_shift, uid_t uid_range, CustomMount **custom_mounts, size_t *n_custom_mounts, BindUserContext **ret); + +int bind_user_setup(const BindUserContext *c, const char *root); |
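Review bot: the two public prototypes at the end of the header are undocumented. `bind_user_prepare()` takes seven parameters (`directory`, `bind_user`, `uid_shift`, `uid_range`, `custom_mounts`, `n_custom_mounts`, `ret`) and nothing here says whether `directory` is the container root or a host path, that `*custom_mounts` and `*n_custom_mounts` are grown in place, or whether `*ret` may come back NULL when `bind_user` is empty; likewise `bind_user_setup()` gives no hint what `root` is relative to. A short comment above each prototype stating the contract, including that preparation fails when the host UID/GID falls inside [uid_shift, uid_shift + uid_range), when no slot in 60514…60577 is free, or when the name is already taken in the container (the conditions from the commit message), would spare callers a trip into the .c file. Separately, `DEFINE_TRIVIAL_CLEANUP_FUNC` is used but the only includes are user-record.h, group-record.h and nspawn-mount.h, so the header compiles only through a transitive include; include the header that defines the macro directly (presumably macro.h in this tree) so the file stays self-contained.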