nspawn: document and test nested nspawn

Running systemd-nspawn within systemd-nspawn is currently possible. Let's make sure we don't regress.
2025-01-04 09:18:12 +03:00 · 2024-10-18 13:00:02 +01:00 · 2024-10-18 13:00:02 +01:00 · f53dcbf562
commit f53dcbf562
parent 562f7bde88
6 changed files with 77 additions and 5 deletions
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@ -1917,6 +1917,22 @@ After=sys-subsystem-net-devices-ens1.device</programlisting>
      --pivot-root=/ostree/deploy/$OS/deploy/$CHECKSUM:/sysroot \
      --bind=+/sysroot/ostree/deploy/$OS/var:/var</programlisting>
    </example>
+
+    <example>
+      <title>Run a container within a container</title>
+
+      <para>We're assuming that the outer container is in <filename index="false">./outer</filename> and
+      the inner container in <filename index="false">./outer/inner</filename>. The inner
+      <command>systemd-nspawn</command> will not be able to reach D-Bus, so we are passing flags to disable
+      some of its functionality.</para>
+
+      <programlisting># systemd-nspawn \
+      --directory outer --ephemeral --console interactive -- \
+      systemd-nspawn \
+      --directory inner --ephemeral --console interactive \
+      --register false --keep-unit --link-journal no -- \
+      echo OK</programlisting>
+    </example>
  </refsect1>

  <refsect1>
--- a/mkosi.conf
+++ b/mkosi.conf
@ -6,6 +6,7 @@ Dependencies=
        exitrd
        initrd
        minimal-base
+        minimal-systemd
        minimal-0
        minimal-1

@ -49,6 +50,7 @@ ExtraTrees=
        %O/minimal-1.root-%a-verity.raw:/usr/share/minimal_1.verity
        %O/minimal-1.root-%a-verity-sig.raw:/usr/share/minimal_1.verity.sig
        %O/minimal-base:/usr/share/TEST-13-NSPAWN-container-template
+        %O/minimal-systemd:/usr/share/TEST-13-NSPAWN-container-systemd-template
        %O/exitrd:/exitrd

 Initrds=%O/initrd
--- a/mkosi.images/minimal-systemd/mkosi.conf
+++ b/mkosi.images/minimal-systemd/mkosi.conf
@ -0,0 +1,27 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Config]
+Dependencies=minimal-base
+
+[Output]
+Format=directory
+
+[Content]
+BaseTrees=%O/minimal-base
+Bootable=no
+
+VolatilePackages=
+        systemd
+        systemd-boot
+        systemd-container
+        systemd-devel
+        systemd-journal-remote
+        systemd-libs
+        systemd-networkd
+        systemd-networkd-defaults
+        systemd-oomd-defaults
+        systemd-pam
+        systemd-resolved
+        systemd-tests
+        systemd-udev
+        systemd-ukify
--- a/test/TEST-13-NSPAWN/test.sh
+++ b/test/TEST-13-NSPAWN/test.sh
@ -11,9 +11,8 @@ TEST_FORCE_NEWIMAGE=1
 # shellcheck source=test/test-functions
 . "${TEST_BASE_DIR:?}/test-functions"

-test_append_files() {
-    local workspace="${1:?}"
-    local container="$workspace/usr/share/TEST-13-NSPAWN-container-template"
+_install_base_container() {
+    local container="${1:?}"

    # For virtual wlan interface.
    instmods mac80211_hwsim
@ -55,4 +54,14 @@ EOF
    chmod +x "$container/sbin/init"
 }

+test_append_files() {
+    local workspace="${1:?}"
+    local container="$workspace/usr/share/TEST-13-NSPAWN-container-template"
+    local container_systemd="$workspace/usr/share/TEST-13-NSPAWN-container-systemd-template"
+
+    _install_base_container "$container"
+    _install_base_container "$container_systemd"
+    initdir="$container_systemd" install_systemd
+}
+
 do_test "$@"
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@ -1214,4 +1214,21 @@ testcase_unpriv_fuse() {
                  bash -c 'cat <>/dev/fuse' 2>&1)" == *'cat: -: Operation not permitted' ]]
 }

+testcase_nested_nspawn() {
+    local root
+    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.nested_nspawn.XXX)"
+    create_dummy_container "$root" /usr/share/TEST-13-NSPAWN-container-systemd-template
+    mkdir "$root/inner"
+    create_dummy_container "$root/inner"
+
+    systemd-nspawn \
+        --directory="$root" --ephemeral --pipe -- \
+        systemd-nspawn \
+        --directory=/inner --ephemeral --pipe \
+        --register=false --keep-unit --link-journal=no -- \
+        echo OK
+
+    rm -fr "$root"
+}
+
 run_testcases
--- a/test/units/util.sh
+++ b/test/units/util.sh
@ -155,14 +155,15 @@ coverage_create_nspawn_dropin() {

 create_dummy_container() {
    local root="${1:?}"
+    local source="${2:-/usr/share/TEST-13-NSPAWN-container-template}"

-    if [[ ! -d /usr/share/TEST-13-NSPAWN-container-template ]]; then
+    if [[ ! -d "$source" ]]; then
        echo >&2 "Missing container template, probably not running in TEST-13-NSPAWN?"
        exit 1
    fi

    mkdir -p "$root"
-    cp -a /usr/share/TEST-13-NSPAWN-container-template/* "$root"
+    cp -a "$source"/* "$root"
    coverage_create_nspawn_dropin "$root"
 }