fixup! python: Add script to work with systemd-nspawn

Signed-off-by: Nathan Chancellor <nathan@kernel.org>
nathanchance · Dec 26, 2024 · 50b3782 · 50b3782
1 parent 281f663
commit 50b3782
Showing 1 changed file with 17 additions and 12 deletions.
diff --git a/python/scripts/sd_nspawn.py b/python/scripts/sd_nspawn.py
@@ -83,21 +83,26 @@ def _add_dynamic_mounts(self, name):
             rw_mounts.add('/var/cache/pacman/pkg')
 
         for mount in rw_mounts:
-            # We need idmapping otherwise to ensure our user in the container
-            # is treated as the user on the host.
-            # While idmapping /dev mounts should be possible after
-            # https://git.kernel.org/linus/7a80e5b8c6fa7d0ae6624bd6aedc4a6a1cfc62fa,
-            # systemd-nspawn does not appear to support it and it should not be
-            # necessary due to our kvm.conf.
-            # idmapping virtiofs is not necessary either, although I am
-            # genuinely unsure as to why.
-            item = mount if mount.startswith(
-                ('/dev', os.environ['HOST_FOLDER'])) else f"{mount}:{mount}:idmap"
-
             # If it is a temporary directory that does not exist already, just
-            # created it so that the next check passes.
+            # created it so that the next checks passes.
             if mount.startswith('/var/tmp'):
                 Path(mount).mkdir(exist_ok=True)
+
+            # '--bind-user' creates a specific uid_map entry for the host user
+            # to the container user, so idmapping is only necessary when a
+            # mount that is expected to be written to is not readable and
+            # writeable by the current user, such as '/var/cache/pacman/pkg',
+            # which needs to be written to as the host root user by the
+            # container root user. For mounts where the current user can read
+            # and write to, the mapping mentioned earlier makes everything work
+            # as expeced without 'idmap'. We special case HOST_FOLDER because
+            # the os.access check may not pass if the folder has not been
+            # automounted yet.
+            if mount == os.environ['HOST_FOLDER'] or os.access(mount, os.R_OK | os.W_OK):
+                item = mount
+            else:
+                item = f"{mount}:{mount}:idmap"
+
             # The mount must exist on the host otherwise the container will not
             # start
             if Path(mount).exists():