| 1 |
On Tue, Feb 18, 2020 at 1:22 PM Rich Freeman <rich0@g.o> wrote: |
| 2 |
|
| 3 |
> On Tue, Feb 18, 2020 at 2:06 PM Nikos Chantziaras <realnc@×××××.com> |
| 4 |
> wrote: |
| 5 |
> > |
| 6 |
> > It gets worse. The container reconfigured the keyboard shortcuts on the |
| 7 |
> > host! After booting a container, alt+Fn or alt+left/right on the host |
| 8 |
> > started switching to the linux text-mode console. I pressed alt+f2 to |
| 9 |
> > bring up the plasma search, I ended up on TTY2... ha ha. |
| 10 |
> > |
| 11 |
> > Remember how I said I'll use nspawn from now on? I take that back. Let's |
| 12 |
> > just say this thing is not even remotely production ready. |
| 13 |
> |
| 14 |
> Never had any issues with it, but I've never tried to use my host root |
| 15 |
> as the input filesystem. I suspect the issue is that this is giving |
| 16 |
> the container access to the host /dev, /sys and so on, and thus the |
| 17 |
> container isn't ending up being contained. Normally you don't go |
| 18 |
> mounting a host /dev inside a container image before launching it... |
| 19 |
> |
| 20 |
> -- |
| 21 |
> Rich |
| 22 |
> |
| 23 |
> |
| 24 |
|
| 25 |
@Nikos Chantziaras |
| 26 |
|
| 27 |
In case it helps you at all, here's an example nspawn configuration file |
| 28 |
that I've been using for quite a while. |
| 29 |
|
| 30 |
I have a skeleton filesystem tree in /var/lib/machines/multimedia-state |
| 31 |
that bind-mount read-writable stuff. |
| 32 |
Everything else is read-only bind-mounted from my root FS. I store things |
| 33 |
like samba configuration, and local state, there. For example, the |
| 34 |
container is a member of my samba4 domain controller. |
| 35 |
|
| 36 |
I use systemd-machined to launch this container at boot. |
| 37 |
|
| 38 |
mimir /etc/systemd/nspawn # cat multimedia.nspawn |
| 39 |
[Exec] |
| 40 |
PrivateUsers=false |
| 41 |
MachineID=131472ae68624b99b5ce0bf18194cda1 |
| 42 |
|
| 43 |
[Files] |
| 44 |
BindReadOnly=/bin/ |
| 45 |
BindReadOnly=/usr/ |
| 46 |
BindReadOnly=/var/ |
| 47 |
BindReadOnly=/lib/ |
| 48 |
BindReadOnly=/etc/ |
| 49 |
BindReadOnly=/sbin/ |
| 50 |
BindReadOnly=/lib64/ |
| 51 |
|
| 52 |
BindReadOnly=/var/lib/machines/multimedia-state/etc/fstab:/etc/fstab |
| 53 |
BindReadOnly=/var/lib/machines/multimedia-state/etc/hostname:/etc/hostname |
| 54 |
|
| 55 |
Bind=/var/lib/machines/multimedia-state/var/log/:/var/log/ |
| 56 |
Bind=/var/lib/machines/multimedia-state/var/lib/samba/:/var/lib/samba/ |
| 57 |
Bind=/var/lib/machines/multimedia-state/var/cache/samba/:/var/cache/samba/ |
| 58 |
Bind=/var/lib/machines/multimedia-state/etc/systemd/system/:/etc/systemd/system/ |
| 59 |
|
| 60 |
TemporaryFileSystem=/home/ |
| 61 |
TemporaryFileSystem=/var/tmp/ |
| 62 |
TemporaryFileSystem=/var/lib/machines/ |
| 63 |
|
| 64 |
Bind=/media/raid/multimedia/ |
| 65 |
|
| 66 |
[Network] |
| 67 |
MACVLAN=general |
Archives