"read_only and user_namespacing may not be combined" - is that really true?

[xkxx]

Hello there,

Thanks for creating this nspawn driver for nomad! I've been playing around with it this weekend :)

I tried to enable read_only / volatile in a container and it refused to start, due to this validation rule:

nomad-driver-nspawn/nspawn/nspawn.go

Line 224 in 0217d36

return fmt.Errorf("volatile and user_namespacing may not be combined")

I've looked online and couldn't find any info about this, so I'm curious about your experience with these flags interacting with -U. I've not tried volatile because of a lack of suitable containers, but running systemd-nspawn directly with -U --read-only seems to work fine. Has there been a recently change in systemd that made this combination work?

Thanks,

xkxx

[JanMa]

Hey,

thanks for trying out my task driver :-) I ported the validation rules directly from the systemd-nspawn command.
You can see the relevant part here:

https://github.com/systemd/systemd/blob/bf47f71c1cd36c2b0eb5aeac4d8bdf58c67f2b33/src/nspawn/nspawn.c#L1803-L1811

It could be that on your machine using the -U flag does not use --private-users-ownership=chown but --private-users-ownership=map and that's why it works when you invoke systemd-nspawn directly. 🤔 I am not sure if there is a way to check which mode is available on a host first.

I guess you could also set user_namespacing to false in your Nomad config and then it should work.

Jan

[xkxx]

I did some more exploration and I think you are right.

With --read-only and --private-users-ownership=chown, systemd-nspawn fails with the error message you spoke of.
With -read-only and --private-users-ownership=map, systemd-nspawn doesn't complain.
With --read-ony and --private-users-ownership=auto, the result is like above.

So I can conclude that --readonly and --volatile are only a problem if --private-users-ownership=chown.

In the interest of allowing more powerful setups, I would advocate for allowing this :) These options are also a bit superfluous since most users would want user namespacing.

But I can also see the perspective of allowing the maximum compatibility of devices. If that's what you are going for, could we also expose a flag for --private-users=pick --private-users-ownership=auto that doesn't conflict with --readonly?

[JanMa]

I think the most convenient way for most users would be if the driver could check at runtime which ownership mode is chosen by systemd-nspawn and only throw the validation error if it's set to chown. But I also agree with you that exposing the raw private-users and private-users-ownership mode for more advanced use-cases might make sense. 👍

[JanMa]

I just committed 77ed615 to devel which gives you some more fine-grained control about how user namespacing is enabled in a container. I will make a new release in the next days which will include this commit. The automated checking of which ownership mode is chosen by systemd-nspawn turned out to be way to complicated 😁