[systemd-devel] nspawn '-U' overridden by setting PrivateUsersChown

Kevin P. Fleming kevin at km6g.us
Tue Jul 5 22:16:44 UTC 2022


After using nspawn for a couple of years I finally realized that I
wasn't getting the PrivateUsersChown behavior that I expected, and
looked into it.

I'm using systemd 247 on Debian, which has the standard nspawn
template service unit file which includes '-U' (and
'--settings=override'). According to the manpage, this means that if
user namespacing is supported by the kernel (which it is in the
Bullseye 5.10 kernel), this is equivalent to specifying
'--private-users=pick --private-users-chown'. This was the behavior I
wanted, but it wasn't happening: all of the container filesystems had
UID/GIDs that matched the host ranges.

I do not remember why, but I was creating nspawn settings files (in
/etc/systemd/nspawn) for each container which included (among other
things) 'PrivateUsersChown=yes' in their 'Files' section. I assumed
this would not matter, since that setting was included in the '-U'
command-line argument for nspawn... but I was wrong.

It seems that including this causes nspawn to ignore the '-U'
command-line argument completely. Removing it, or adding
'PrivateUsers=pick' to the 'Exec' section of the settings file,
produces the desired result, so I've removed it.

I suspect this is just a matter of documentation, to let the user know
that if they specify any PrivateUsers-related options in the settings
file then '-U' will be ignored, even if the settings they specify are
the same ones that '-U' does.

Just for completeness, I tested this on Debian Bookworm as well, which
has systemd 251.7, and the behavior is unchanged.
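As an added example (not from Kevin's post and not systemd's own code), a small POSIX shell audit of the situation described above: it parses an .nspawn settings file and flags a `PrivateUsersChown=` entry in the `[Files]` section that is not accompanied by a `PrivateUsers=` entry in the `[Exec]` section, the combination that made nspawn disregard the template unit's `-U`. The function name `check_nspawn_settings` and the two sample settings files are constructed for this example.

```shell
#!/bin/sh
# Audit an nspawn settings file for the interaction described in the post:
# PrivateUsersChown=yes in [Files] with no PrivateUsers= in [Exec] makes
# nspawn ignore the -U from the template unit, so the container runs
# without user namespacing and its tree keeps host-range UIDs/GIDs.

# check_nspawn_settings FILE
#   prints one verdict line; returns 0 when the file is consistent,
#   1 when the PrivateUsersChown/PrivateUsers mismatch is present.
check_nspawn_settings() {
    awk '
    # section header such as [Exec] or [Files]
    /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
    # skip comments and blank lines
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (section == "Files" && key == "PrivateUsersChown") chown = val
        if (section == "Exec"  && key == "PrivateUsers")      pu = val
    }
    END {
        if (chown != "" && pu == "") {
            print "MISMATCH: PrivateUsersChown=" chown " in [Files] but no PrivateUsers= in [Exec]; -U will be ignored"
            exit 1
        }
        print "OK: PrivateUsers=" (pu == "" ? "<unset>" : pu) ", PrivateUsersChown=" (chown == "" ? "<unset>" : chown)
        exit 0
    }' "$1"
}

# Constructed sample settings files (hypothetical container "demo"):
# bad.nspawn reproduces the post's original configuration,
# good.nspawn adds the PrivateUsers=pick line that fixed it.
demo_dir=$(mktemp -d)
printf '[Exec]\nBoot=yes\n\n[Files]\nPrivateUsersChown=yes\n' > "$demo_dir/bad.nspawn"
printf '[Exec]\nBoot=yes\nPrivateUsers=pick\n\n[Files]\nPrivateUsersChown=yes\n' > "$demo_dir/good.nspawn"

for f in "$demo_dir"/*.nspawn; do
    printf '%s: ' "$(basename "$f")"
    check_nspawn_settings "$f" || true
done
rm -rf "$demo_dir"
```

Run it against /etc/systemd/nspawn/*.nspawn to find containers that still carry the mismatch; a non-zero return from the function is the signal to either drop the `PrivateUsersChown=` line or add `PrivateUsers=pick` under `[Exec]`, as the post describes.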