Environment:
- Debian Stretch (minbase + systemd + systemd-container + ...)
- systemd-232 (systemd-232-22_amd64)
My goal: Run each nspawn container with a dedicated user id.
Unexpected behaviour
Setting up and running nspawn-based containers without any PrivateUsers setting works. The containers run using a random user id. (Here I seem to misunderstand the manual, as it says "false" is the default setting and therefore no mapping at all should happen?)
But as soon as I add a PrivateUsers=true or PrivateUsers=ID setting to the corresponding .nspawn file, systemd fails while mounting devpts in the container.
Since I like the idea of having a dedicated user for each container (and therefore seeing its uid in ps & co on the host), I did the following:
Code:
# On the host:
$ groupadd -g3777036288 MY_GROUP
$ echo MY_GROUP:3777036288:65536 >> /etc/subgid
$ useradd -d/var/lib/machines/MY_CONTAINER -M -g3777036288 -u3777036288 MY_USER
$ echo MY_USER:3777036288:65536 >> /etc/subuid
$ chown MY_USER:MY_GROUP /var/lib/machines/MY_CONTAINER
$ echo -e "[Exec]\nPrivateUsers=true\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
-OR-
$ echo -e "[Exec]\nPrivateUsers=3777036288\n" > /etc/systemd/nspawn/MY_CONTAINER.nspawn
$ machinectl start MY_CONTAINER
Journalctl shows the following:
Code:
# On the host:
systemd[1]: Starting Container MY_CONTAINER...
systemd-nspawn[6345]: Selected user namespace base 3777036288 and range 65536.
systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_BIND ""): No such file or directory
systemd-nspawn[6345]: Failed to mount n/a on /var/lib/machines/MY_CONTAINER/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""): Invalid argument
systemd-nspawn[6345]: Failed to mount devpts on /var/lib/machines/MY_CONTAINER/dev/pts (MS_NOSUID|MS_NOEXEC "newinstance,ptmxmode=0666,mode=620,gid=3777036293"): Invalid argument
systemd[1]: systemd-nspawn@MY_CONTAINER.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: Failed to start Container MY_CONTAINER.
systemd[1]: systemd-nspawn@MY_CONTAINER.service: Unit entered failed state.
systemd[1]: systemd-nspawn@MY_CONTAINER.service: Failed with result 'exit-code'.
Code:
# On the host:
$ grep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
Code:
# On a successfully started container (no PrivateUsers setting, random uid):
$ grep pts /proc/mounts
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=32702469,mode=620,ptmxmode=666 0 0
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
Thanks
PS: I wonder if this could be connected to https://github.com/systemd/systemd/issues/337?
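An added pre-flight check (example code, not part of the post or of systemd) for the procedure above: it parses /etc/subuid and /etc/subgid entries in the name:start:count format the post writes, verifies that the PrivateUsers base and range are covered for the container's user and group, and flags a base whose ids exceed 2^31-1, since the devpts gid in the failing mount (3777036293, i.e. base 3777036288 + 5) is above the range a signed 32-bit int can hold. The file contents and names below are constructed sample input, not read from a live host.

```python
# Added example: sanity-check a PrivateUsers= base/range against the
# /etc/subuid and /etc/subgid entries before starting an nspawn container.
from typing import Dict, List, Tuple

ID_MAX = 2 ** 32 - 1    # uid_t/gid_t are unsigned 32-bit
INT_MAX = 2 ** 31 - 1   # kernel mount-option parsers using match_int() reject ids above this

# Constructed sample files (same values as the post, not copied from a real host)
SAMPLE_SUBUID = "# name:start:count\nMY_USER:3777036288:65536\n"
SAMPLE_SUBGID = "MY_GROUP:3777036288:65536\n"


def parse_sub_id_file(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse 'name:start:count' lines; blank lines and '#' comments are skipped."""
    ranges: Dict[str, List[Tuple[int, int]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if count <= 0:
            raise ValueError(f"line {lineno}: count must be positive")
        ranges.setdefault(name, []).append((start, count))
    return ranges


def covers(ranges: Dict[str, List[Tuple[int, int]]], name: str, base: int, count: int) -> bool:
    """True if one of name's ranges contains the whole interval [base, base+count)."""
    return any(s <= base and base + count <= s + c for s, c in ranges.get(name, []))


def check_private_users(base: int, count: int, user: str, group: str,
                        subuid_text: str, subgid_text: str) -> List[str]:
    """Return the problems found; an empty list means the mapping looks consistent."""
    problems: List[str] = []
    last = base + count - 1
    if base < 0 or last > ID_MAX:
        problems.append(f"ids {base}..{last} leave the 32-bit id space")
    elif last > INT_MAX:
        problems.append(f"ids {base}..{last} exceed 2^31-1; int-based option parsers reject them")
    if not covers(parse_sub_id_file(subuid_text), user, base, count):
        problems.append(f"/etc/subuid: no range for {user} covering {base}..{last}")
    if not covers(parse_sub_id_file(subgid_text), group, base, count):
        problems.append(f"/etc/subgid: no range for {group} covering {base}..{last}")
    return problems


if __name__ == "__main__":
    for p in check_private_users(3777036288, 65536, "MY_USER", "MY_GROUP", SAMPLE_SUBUID, SAMPLE_SUBGID):
        print("WARNING:", p)
```

Run against the post's values it reports only the 2^31-1 warning; a base such as 100000 with matching subuid/subgid entries passes cleanly.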