[systemd-devel] Enter in systemd-nspawn as specific user

Lennart Poettering lennart at poettering.net
Thu Oct 2 02:49:36 PDT 2014


On Thu, 02.10.14 11:09, Miroslav Suchy (msuchy at redhat.com) wrote:

> Hi,
> when I run systemd-nspawn, I become root user inside of that container.
> If I want to become specific user inside of that container, I have to do
> something like:
> 
> /usr/bin/systemd-nspawn -D foo /bin/su -l mockbuild -c 'rpmbuild -root
> \'/build\' ...'
> 
> which quickly goes into escape-hell.
> 
> Is there some better way to become a specific user in a container? Is it
> worth filing an RFE? Because I'm afraid that becoming a specific user depends
> on the content of the container and systemd-nspawn itself can not do much here.
> Correct?

There's nspawn's --user= switch which relies on glibc's "getent"
binary to be available in the container, which it will use to resolve
the username in the container's context and then change to it.

The getent binary has been part of glibc for a long time, but note
that we make use of "getent initgroups", which is a more recent
addition, to properly initialize the auxiliary group list. This does
not work on older glibcs, hence --user= currently doesn't work with
older distros in the container.

I'd be willing to merge a patch that downgrades the "getent
initgroups" error to a warning, and proceeds with execution, so that
on old userspaces --user= works at least as far as setresuid(), even
though the auxiliary group list might not be fully initialized when
old userspaces are booted. Given that properly initializing the
auxiliary group list is really just the correctness cherry on top, and
not that essential, that should be OK behaviour (though that
behaviour should properly be documented in the man page).

Lennart

-- 
Lennart Poettering, Red Hat
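The lookup sequence Lennart describes (resolve the name with the container's own "getent passwd", then fill the auxiliary group list with "getent initgroups", and keep going with just uid/gid when the latter is missing on an old glibc) as an added shell example. This is not systemd's code and not part of the thread; the function names, the constructed sample getent output and the warning text are assumptions made here so that it runs without a container or root privileges.

```shell
#!/bin/sh
# Added example, not systemd-nspawn's implementation: emulate the user
# resolution described in the mail. Sample getent output below is constructed.

# Parse one "getent passwd" line ("name:x:uid:gid:gecos:home:shell") into
# "uid gid home shell". Fails (exit 1) when the line is not a passwd entry.
parse_passwd_line() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 7 { print $3, $4, $6, $7; ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Parse "getent initgroups" output ("name gid gid ...") into the
# space-separated list of auxiliary gids. Fails (exit 1) when glibc
# reports the database as unknown, which is what an old glibc prints.
parse_initgroups_line() {
    printf '%s\n' "$1" | awk '
        /^Unknown database/ { exit 1 }
        NF >= 1 {
            for (i = 2; i <= NF; i++) printf "%s%s", (i > 2 ? " " : ""), $i
            print ""
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Combine both lookups as the mail proposes: a missing initgroups database is
# only a warning. uid/gid remain usable for setresuid()/setresgid(); the
# auxiliary group list simply stays empty.
resolve_user() {
    passwd_out=$1
    initgroups_out=$2
    ids=$(parse_passwd_line "$passwd_out") || { echo "user not found" >&2; return 1; }
    set -- $ids
    uid=$1
    gid=$2
    if aux_groups=$(parse_initgroups_line "$initgroups_out"); then
        :
    else
        echo "warning: getent initgroups unsupported, auxiliary groups not initialized" >&2
        aux_groups=""
    fi
    printf 'uid=%s gid=%s groups=[%s]\n' "$uid" "$gid" "$aux_groups"
}

# The real lookups against a container directory tree: both getent calls run
# in the container's context, so the container image, not the host, decides
# what the name resolves to. Needs root and a container root, so it is only
# defined here, not called.
container_lookup() {
    root=$1
    user=$2
    resolve_user "$(chroot "$root" getent passwd "$user")" \
                 "$(chroot "$root" getent initgroups "$user" 2>&1)"
}

# Constructed sample output, in the formats glibc's getent prints.
SAMPLE_PASSWD='mockbuild:x:1000:1000::/home/mockbuild:/bin/bash'
SAMPLE_INITGROUPS='mockbuild             1000 135'
SAMPLE_OLD_GLIBC='Unknown database: initgroups'

resolve_user "$SAMPLE_PASSWD" "$SAMPLE_INITGROUPS"   # new glibc: full group list
resolve_user "$SAMPLE_PASSWD" "$SAMPLE_OLD_GLIBC"    # old glibc: warning, empty list
```

Because the getent binary executed is the container's own, the answer (uid, gid and group list) is entirely under the control of whoever built the image; that is inherent in the design the mail describes, not something the fallback changes.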

