diff options
author | Lennart Poettering <lennart@poettering.net> | 2017-02-16 13:59:13 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2017-02-17 10:22:28 +0100 |
commit | 7f43928ba6258c66296614dd46ff7600e0e47b5f (patch) | |
tree | 43390bfd9bfbe26059f252789950a8456615d67b /man | |
parent | 3aca8326bda2c6e8d8ddd99ef5cab63cc7a9af1c (diff) |
machined: refuse bind mounts on containers that have user namespaces applied
As the kernel won't map the UIDs this is simply not safe, and hence we
should generate a clean error and refuse it.
We can restore this feature later should a "shiftfs" become available in
the kernel.
Diffstat (limited to 'man')
-rw-r--r-- | man/machinectl.xml | 21 |
1 files changed, 8 insertions, 13 deletions
diff --git a/man/machinectl.xml b/man/machinectl.xml index b96aea1a48..7a159aecdc 100644 --- a/man/machinectl.xml +++ b/man/machinectl.xml @@ -518,19 +518,14 @@ <varlistentry> <term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term> - <listitem><para>Bind mounts a directory from the host into the - specified container. The first directory argument is the - source directory on the host, the second directory argument - is the destination directory in the container. When the - latter is omitted, the destination path in the container is - the same as the source path on the host. When combined with - the <option>--read-only</option> switch, a ready-only bind - mount is created. When combined with the - <option>--mkdir</option> switch, the destination path is first - created before the mount is applied. Note that this option is - currently only supported for - <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> - containers.</para></listitem> + <listitem><para>Bind mounts a directory from the host into the specified container. The first directory + argument is the source directory on the host, the second directory argument is the destination directory in the + container. When the latter is omitted, the destination path in the container is the same as the source path on + the host. When combined with the <option>--read-only</option> switch, a ready-only bind mount is created. When + combined with the <option>--mkdir</option> switch, the destination path is first created before the mount is + applied. Note that this option is currently only supported for + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers, + and only if user namespacing (<option>--private-users</option>) is not used.</para></listitem> </varlistentry> <varlistentry> |