Skip to content

Gracefully handle ForeignUIDRange on systemd < 259 #4214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
gourryinverse wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Gracefully handle ForeignUIDRange on systemd < 259 #4214

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 14 additions & 4 deletions mkosi/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4128,7 +4128,15 @@ def build_image(context: Context) -> None:
elif context.config.output_format == OutputFormat.directory:
context.root.rename(context.staging / context.config.output_with_format)

if context.config.foreign_uid_range:
if (
context.config.foreign_uid_range
and systemd_tool_version("systemctl", sandbox=context.sandbox) < "259"
):
logging.warning(
"ForeignUIDRange=yes is set but systemd < 259 does not support foreign UID range mapping. "
"Skipping UID shift — virtiofsd will expose files as root-owned via --become-root."
)
elif context.config.foreign_uid_range:
with complete_step("Changing ownership to the foreign UID range"):
run(
[
Expand Down Expand Up @@ -5261,9 +5269,11 @@ def run_verb(args: Args, tools: Optional[Config], images: Sequence[Config], *, r
return

if (output := last.output_dir_or_cwd() / last.output).is_dir() and not is_foreign_uid_tree(output):
die(
"Can only operate on foreign UID range owned directory images",
hint="Add ForeignUIDRange=yes to [Build] and rebuild the image to use the foreign UID range",
logging.warning(
"Directory image is not foreign UID range owned. "
"virtiofsd will expose files as root-owned via --become-root. "
"For proper UID isolation, add ForeignUIDRange=yes to [Build] "
"and use systemd >= 259 for foreign UID range support."
)

run_vm = {
Expand Down
6 changes: 4 additions & 2 deletions mkosi/qemu.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@
from mkosi.log import ARG_DEBUG, die
from mkosi.partition import finalize_root, find_partitions
from mkosi.run import AsyncioThread, find_binary, run, spawn, workdir
from mkosi.tree import copy_tree, maybe_make_nocow, rmtree
from mkosi.tree import copy_tree, is_foreign_uid_tree, maybe_make_nocow, rmtree
from mkosi.user import INVOKING_USER
from mkosi.util import (
PathString,
Expand Down Expand Up @@ -395,7 +395,9 @@ def start_virtiofsd(
group=st.st_gid if st else None,
sandbox=config.sandbox(
options=[
"--bind" if uidmap else "--bind-foreign", directory, workdir(directory),
"--bind" if uidmap or not is_foreign_uid_tree(directory) else "--bind-foreign",
directory,
workdir(directory),
"--become-root",
],
),
Expand Down