[systemd-devel] [PATCH 1/2] Add detect_userns to detect uid/gid shifts

Tom Gundersen teg at jklm.no
Thu Jan 8 16:16:15 PST 2015


On Fri, Jan 9, 2015 at 12:55 AM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> I expect we'll run into some more problems when dealing with units that
> start with their own view of /dev since mknod in a userns isn't allowed
> but I haven't run into one of those yet so it's not very high on my list.
>
> Once that happens, I expect we can solve it either by again just
> ignoring the failure or by catching the failure and falling back to
> doing a bind-mount of the device in question from the parent /dev (which
> works fine in a userns and is what we do today for nested containers
> with LXC).

Ignoring the failure as in starting services with an empty /dev sounds
like it won't work. Also, just using the parent dev despite explicitly
being asked not to sounds dangerous (most of the time there won't be
much interesting stuff in /dev in a container, but that is not
guaranteed).

Bindmounting should obviously work, but might it not make even more
sense to fix mknod in the kernel (as there are likely to be more
places than just systemd that need fixing for this)? Even if it is
just a minimal fix along the lines of "allow mknod whenever mount
--bind would do the trick"? Based on the commit message here it sounds
like people would not be opposed to the idea:
<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=975d6b3932d43b87a48d2107264ed0c9a7541d8d>.

Cheers,

Tom
