[systemd-devel] [PATCH] nspawn: spawn shell under specified --user

Lennart Poettering lennart at poettering.net
Mon Jun 27 05:58:29 PDT 2011


On Mon, 27.06.11 14:50, Michal Vyskocil (mvyskocil at suse.cz) wrote:

> On Mon, Jun 27, 2011 at 02:01:27PM +0200, Lennart Poettering wrote:
> > On Fri, 24.06.11 14:39, Michal Vyskocil (mvyskocil at suse.cz) wrote:
> > 
> > > Add -u/--user option, which changes the effective and real user and
> > > group id to the new value. The user must exist in the chroot, otherwise
> > > it will fail. Both username and user id are accepted.
> > 
> > Sounds sensible, though I do wonder about the ultimate usefulness of
> > this given that this requires user settings configured on the host
> > systems in a way that makes sense in the container too. (i.e. the $HOME
> > and UID/GID of the user must be in sync in host and in container). Or am
> > I missing something?
> 
> Yes, that's the requirement - the user must exist in the chroot. But I don't
> see any need why the uid/gid must be the same. All things are done after
> chroot("."), so in the context of the container.

Hmm, I wonder if this might turn out to be a problem, since the NSS
modules from the container might not be compatible with the host glibc
which we are using.

Hmm, given the rigorous compat logic glibc includes this might be safe,
so let's merge it. If it breaks, then we can still revisit the issue.

> > Please work the other way here. Use "safe_atou()" first on the
> > username, and if that works it's a numeric uid. If it doesn't try
> > getpwnam(). Code that already does this you find in get_user_creds() in
> > execute.c.
> 
> Reading your code, get_user_creds seems to be perfect for the user-switching in
> nspawn as well. What about moving it to another location like src/util.c
> and using it from both execute.c and nspawn.c?

Yupp, go ahead!

Thanks,

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
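The resolution order Lennart asks for (numeric uid via a safe_atou()-style parse first, getpwnam() second) together with the real/effective id switch the patch adds, as an added C example; this is not the patch or systemd's own get_user_creds(), the names parse_uid(), resolve_user_creds() and drop_to_user() are hypothetical, and it assumes a glibc system for setresuid()/setresgid().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Strict unsigned decimal parser standing in for systemd's safe_atou(): rejects
 * empty input, signs, whitespace, trailing garbage and out-of-range values. */
static int parse_uid(const char *s, uid_t *ret) {
        char *end;
        unsigned long long v;
        if (!s || *s < '0' || *s > '9')
                return -EINVAL;
        errno = 0;
        v = strtoull(s, &end, 10);
        if (errno != 0 || *end != '\0' || v >= (unsigned long long) (uid_t) -1)
                return -ERANGE;
        *ret = (uid_t) v;
        return 0;
}

/* Resolve a -u/--user argument in the order the thread asks for: a numeric uid
 * first, otherwise a username via getpwnam(). Either way the account must exist
 * in the passwd database visible after chroot(); NULL (errno ESRCH) if it doesn't. */
struct passwd *resolve_user_creds(const char *user) {
        struct passwd *pw;
        uid_t u;
        pw = parse_uid(user, &u) >= 0 ? getpwuid(u) : getpwnam(user);
        if (!pw)
                errno = ESRCH;
        return pw;
}

/* Switch real, effective and saved ids to the resolved account. Supplementary
 * groups first, then gid, then uid: once the uid is dropped the process cannot
 * fix its groups any more, so any failure must abort before setresuid(). */
int drop_to_user(const struct passwd *pw) {
        if (initgroups(pw->pw_name, pw->pw_gid) < 0 ||
            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0 ||
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
                return -errno;
        /* A non-root target must not be able to climb back to uid 0. */
        if (pw->pw_uid != 0 && setuid(0) == 0)
                return -EPERM;
        return 0;
}
```

Because the lookup runs after chroot("."), the passwd entry comes from the container's files, which is the sync requirement discussed above.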

