@ -73,7 +73,7 @@ bind_opts=""
user_on_host=$run_as
if [ "$CONTAINER_USE_USERNS" = true ]; then
private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
bind_opts="idmap"
user_on_host=$((private_users + run_as))
fi
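Review bot: The UID base drawn at `private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1)` is never checked against identities already present on the host, so a container whose 65536-wide range overlaps an existing user, a subuid allocation or another running container would share file ownership with it, and the later `setfacl -m u:$user_on_host:rw-` grant would then also apply to that host identity. A cheap partial guard is to redraw while `getent passwd "$private_users" >/dev/null || getent passwd "$((private_users + 65535))" >/dev/null`, and the assumption is worth recording either way, e.g. `# Assumes no host UIDs fall in [private_users, private_users+65535]; an overlap would share ownership with that host identity`. Whether the installed systemd-nspawn additionally requires this base to be 65536-aligned is not visible here and should be confirmed. The `if` block is fully inside the hunk.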
@ -90,6 +90,12 @@ for input in $(find /dev/input -type c); do
sudo -A setfacl -m u:$user_on_host:rw- $input
done
# Bind-mounts defined by the user (possibly in the container-specific config file)
# Format should be "src:target". target cannot be omitted
for mount in ${CONTAINER_BIND_MOUNTS[@]}; do
SYSTEMD_NSPAWN_EXTRA_ARGS+=" --bind=$mount:$bind_opts"
done
sudo -A systemd-nspawn -M $CONTAINER_NAME \
--private-users=$private_users --private-users-ownership=map \
`# DNS (when containers do not have their own netns)` \