diff --git a/python/scripts/sd_nspawn.py b/python/scripts/sd_nspawn.py
index f80bcdc9..cb624d7d 100755
--- a/python/scripts/sd_nspawn.py
+++ b/python/scripts/sd_nspawn.py
@@ -83,21 +83,26 @@ def _add_dynamic_mounts(self, name):
 rw_mounts.add('/var/cache/pacman/pkg')
 for mount in rw_mounts:
- # We need idmapping otherwise to ensure our user in the container
- # is treated as the user on the host.
- # While idmapping /dev mounts should be possible after
- # https://git.kernel.org/linus/7a80e5b8c6fa7d0ae6624bd6aedc4a6a1cfc62fa,
- # systemd-nspawn does not appear to support it and it should not be
- # necessary due to our kvm.conf.
- # idmapping virtiofs is not necessary either, although I am
- # genuinely unsure as to why.
- item = mount if mount.startswith(
- ('/dev', os.environ['HOST_FOLDER'])) else f"{mount}:{mount}:idmap"
-
 # If it is a temporary directory that does not exist already, just
- # created it so that the next check passes.
+ # created it so that the next checks passes.
 if mount.startswith('/var/tmp'):
 Path(mount).mkdir(exist_ok=True)
+
+ # '--bind-user' creates a specific uid_map entry for the host user
+ # to the container user, so idmapping is only necessary when a
+ # mount that is expected to be written to is not readable and
+ # writeable by the current user, such as '/var/cache/pacman/pkg',
+ # which needs to be written to as the host root user by the
+ # container root user. For mounts where the current user can read
+ # and write to, the mapping mentioned earlier makes everything work
+ # as expeced without 'idmap'. We special case HOST_FOLDER because
+ # the os.access check may not pass if the folder has not been
+ # automounted yet.
+ if mount == os.environ['HOST_FOLDER'] or os.access(mount, os.R_OK | os.W_OK):
+ item = mount
+ else:
+ item = f"{mount}:{mount}:idmap"
+
 # The mount must exist on the host otherwise the container will not
 # start
 if Path(mount).exists():
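Review bot: The new `if mount == os.environ['HOST_FOLDER'] or os.access(...)` branch drops the `/dev` exemption the removed code had, so any `/dev` entry in `rw_mounts` that the current user cannot read and write (a group-restricted device node, for instance) now becomes `f"{mount}:{mount}:idmap"`, which the removed comment states systemd-nspawn does not support; the old code anticipated such entries, though whether `rw_mounts` still contains them is built before this hunk and not visible here. Keeping the exemption is a one-line change: `if mount.startswith('/dev') or mount == os.environ['HOST_FOLDER'] or os.access(mount, os.R_OK | os.W_OK):`. Separately, `os.access` answers for the real uid of the running process, so if this script is ever invoked as root the check passes for every path, including `/var/cache/pacman/pkg`, and the idmap the new comment describes is never applied; if root invocation is possible that deserves an explicit note or a uid check next to the call. The new comment text should read `expected` rather than `expeced` and `next checks pass` rather than `next checks passes`. `_add_dynamic_mounts` begins before this hunk and continues after it.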