AFAIK, -U is basically incompatible with a read-write --bind. From the docs:

Note that when this option is used in combination with --private-users, the resulting mount points will be owned by the nobody user. That's because the mount and its files and directories continue to be owned by the relevant host users and groups, which do not exist in the container, and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to make them read-only, using --bind-ro=.

I used nspawn to create Ubuntu-based containers for building Yocto on my Arch Linux host. When the Arch kernel enabled CONFIG_USER_NS=y, I had to set PrivateUsers=off in my /etc/systemd/nspawn/foo.nspawn files. (In addition, I add a user with the same UID on the host and in the container, so I can Bind= it and access it the same way inside the container and on the host.)
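The setup the answer describes, written out as a .nspawn unit so the two settings can be seen side by side. This is an added example, not the answerer's own file: the container name foo, the directory /home/builder/yocto and the UID 1001 are assumptions; PrivateUsers= lives in the [Exec] section and Bind=/BindReadOnly= in the [Files] section of systemd.nspawn(5).

```ini
# /etc/systemd/nspawn/foo.nspawn  (example; names, paths and UID are assumed)

[Exec]
# Disable user-namespace UID shifting so container UIDs map 1:1 to host UIDs.
# Without this, a read-write Bind= of a host directory shows up as owned by
# nobody (UID 65534) inside the container, because the host owner has no
# counterpart in the container's UID range.
PrivateUsers=off

[Files]
# Read-write bind of the build tree. This only works as expected because
# PrivateUsers=off and a user with the same UID (here 1001, "builder")
# exists both on the host and in the container.
Bind=/home/builder/yocto

# Alternative if you want to keep PrivateUsers= enabled: expose the tree
# read-only, which is what the documentation recommends for that case.
# BindReadOnly=/home/builder/yocto
```

Creating the matching account on both sides (useradd -u 1001 builder on the host and again inside the container) is what makes the files appear under the same owner in both places. Keep in mind that PrivateUsers=off means the container's UID 0 is the host's UID 0 as well; the user-namespace isolation that -U provides is given up in exchange for the shared ownership, so the read-only BindReadOnly= variant is the safer choice whenever the container does not actually need to write to the host directory.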