nspawn: add ability to run nspawn without container locks applied

This adds a new undocumented env var $SYSTEMD_NSPAWN_LOCK. When set to "0",
nspawn will not attempt to lock the image.

Fixes: #4037

1 files changed, 14 insertions, 3 deletions

diff --git a/src/shared/machine-image.c b/src/shared/machine-image.c
index af102e3096..baf8713242 100644
--- a/src/shared/machine-image.c
+++ b/src/shared/machine-image.c
@@ -33,6 +33,7 @@
 #include "chattr-util.h"
 #include "copy.h"
 #include "dirent-util.h"
+#include "env-util.h"
 #include "fd-util.h"
 #include "fs-util.h"
 #include "hashmap.h"
@@ -724,12 +725,17 @@ int image_path_lock(const char *path, int operation, LockFile *global, LockFile
          * uses the device/inode number. This has the benefit that we
          * can even lock a tree that is a mount point, correctly. */
 
-        if (path_equal(path, "/"))
-                return -EBUSY;
-
         if (!path_is_absolute(path))
                 return -EINVAL;
 
+        if (getenv_bool("SYSTEMD_NSPAWN_LOCK") == 0) {
+                *local = *global = (LockFile) LOCK_FILE_INIT;
+                return 0;
+        }
+
+        if (path_equal(path, "/"))
+                return -EBUSY;
+
         if (stat(path, &st) >= 0) {
                 if (asprintf(&p, "/run/systemd/nspawn/locks/inode-%lu:%lu", (unsigned long) st.st_dev, (unsigned long) st.st_ino) < 0)
                         return -ENOMEM;
@@ -784,6 +790,11 @@ int image_name_lock(const char *name, int operation, LockFile *ret) {
         if (!image_name_is_valid(name))
                 return -EINVAL;
 
+        if (getenv_bool("SYSTEMD_NSPAWN_LOCK") == 0) {
+                *ret = (LockFile) LOCK_FILE_INIT;
+                return 0;
+        }
+
         if (streq(name, ".host"))
                 return -EBUSY;