From edcfaef386495f1b9c62e8cce78478fd00ed9ce7 Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sat, 31 Dec 2022 15:26:51 -0500
Subject: [PATCH] app_containers: Move to using CONTAINER_BIND_MOUNTS for extra binds

...instead of the overly generic SYSTEMD_NSPAWN_EXTRA_ARGS variable.
---
 app_containers/.local/bin/run_app_container | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container
index 5aabae3..0d08a15 100755
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@@ -73,7 +73,7 @@ bind_opts=""
 user_on_host=$run_as
 if [ "$CONTAINER_USE_USERNS" = true ]; then
 private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
- bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
+ bind_opts="idmap"
 user_on_host=$((private_users + run_as))
 fi
 
@@ -90,6 +90,12 @@ for input in $(find /dev/input -type c); do
 sudo -A setfacl -m u:$user_on_host:rw- $input
 done
 
+# Bind-mounts defined by the user (possibly in the container-specific config file)
+# Format should be "src:target". target cannot be omitted
+for mount in ${CONTAINER_BIND_MOUNTS[@]}; do
+ SYSTEMD_NSPAWN_EXTRA_ARGS+=" --bind=$mount:$bind_opts"
+done
+
 sudo -A systemd-nspawn -M $CONTAINER_NAME \
 --private-users=$private_users --private-users-ownership=map \
 `# DNS (when containers do not have their own netns)` \
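Review bot: The new loop in the second hunk documents that each CONTAINER_BIND_MOUNTS entry must be "src:target" but never enforces it, so an entry without a target is passed straight through as `--bind=src:idmap` (userns case) or `--bind=src:` (non-userns case), silently changing the mount destination instead of failing; the loop should reject entries without a colon before building the argument. Two further problems on the same lines: `${CONTAINER_BIND_MOUNTS[@]}` is unquoted, so an entry containing spaces or glob characters is split or expanded before it ever reaches nspawn, and `--bind=$mount:$bind_opts` always appends the colon even when `bind_opts` is empty, producing a trailing-colon argument whose acceptance by systemd-nspawn I would not rely on. The string concatenation into SYSTEMD_NSPAWN_EXTRA_ARGS is pre-existing and out of scope here, but it has the same whitespace problem when the variable is later expanded. The `sudo -A systemd-nspawn` invocation that consumes these arguments continues past the end of the hunk.
```shell
# Bind-mounts defined by the user (possibly in the container-specific config file)
# Format should be "src:target". target cannot be omitted
for mount in "${CONTAINER_BIND_MOUNTS[@]}"; do
    case "$mount" in
        *:*) ;;
        *) echo "CONTAINER_BIND_MOUNTS entry '$mount' has no target (expected src:target)" >&2; exit 1 ;;
    esac
    # Only add the option field when there is one, so the non-userns case
    # does not produce a trailing ':'
    SYSTEMD_NSPAWN_EXTRA_ARGS+=" --bind=$mount${bind_opts:+:$bind_opts}"
done
```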