shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-24 14:50:17 +03:00
Code

docs: clarify userns mapping when /proc/sys is rw

Browse Source
This commit is contained in:
Ivan Kruglov 2025-02-19 03:14:20 -08:00 committed by Daan De Meyer
parent a9178dbdd9
commit cd20d48c69
1 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
docs/CONTAINER_INTERFACE.md
View File

@ -24,16 +24,19 @@ manager, please consider supporting the following interfaces.
invoking systemd, and mount `/sys/`, `/sys/fs/selinux/` and `/proc/sys/`
read-only (the latter via e.g. a read-only bind mount on itself) in order
to prevent the container from altering the host kernel's configuration
settings. (As a special exception, if your container has network namespaces
settings. As a special exception, if your container has network namespaces
enabled, feel free to make `/proc/sys/net/` writable. If it also has user, ipc,
uts and pid namespaces enabled, the entire `/proc/sys` can be left writable).
systemd and various other subsystems (such as the SELinux userspace) have
been modified to behave accordingly when these file systems are read-only.
(It's OK to mount `/sys/` as `tmpfs` btw, and only mount a subset of its
sub-trees from the real `sysfs` to hide `/sys/firmware/`, `/sys/kernel/` and
so on. If you do that, make sure to mark `/sys/` read-only, as that
condition is what systemd looks for, and is what is considered to be the API
in this context.)
uts and pid namespaces enabled, the entire `/proc/sys` can be left writable.
However, in the latter case, an appropriate userns mapping should exist to
map the root user inside the container to an unprivileged user on the
host. Otherwise, the root user inside the container could modify the host's
kernel settings. systemd and various other subsystems (such as the SELinux
userspace) have been modified to behave accordingly when these file systems
are read-only. (It's OK to mount `/sys/` as `tmpfs` btw, and only mount a
subset of its sub-trees from the real `sysfs` to hide `/sys/firmware/`,
`/sys/kernel/` and so on. If you do that, make sure to mark `/sys/`
read-only, as that condition is what systemd looks for, and is what is
considered to be the API in this context.)
3. Pre-mount `/dev/` as (container private) `tmpfs` for the container and bind
mount some suitable TTY to `/dev/console`. If this is a pty, make sure to