Hi all,

I’ve been working recently on some changes to systemd-nspawn to get OSTree disk images running as containers. This hasn’t previously worked with images which use the recommended dracut integration (ostree-prepare-root and sysroot.mount) as systemd-nspawn doesn’t pivot the user’s chosen OSTree deployment to / in the container’s file system namespace.

https://github.com/systemd/systemd/pull/5258

I’ve added a --pivot-sysroot option to systemd-nspawn which does the pivot root operation from ostree-prepare-root, so that systemd-nspawn effectively acts as the initramfs for such a disk image. What do people think?

The alternative was to modify ostree-prepare-root so it could be used as PID 1 in the container, do the pivot, then chain through to /sbin/init. However, that means it’s going to trample all over the /dev, /proc and /var/run/journal mounts which systemd-nspawn has set up in the container; and it means that the container would not be able to run unprivileged, since ostree-prepare-root needs to be able to make changes to its mounts. It also means ostree-prepare-root needs to be statically linked (including against libc), since /lib doesn’t exist at that point in the container’s startup.

With the above PR, you can run an OSTree image in a container with:

    sudo systemd-nspawn -i ~/image.raw \
        --bind +/sysroot/ostree/deploy/$os/var:/var \
        --pivot-sysroot /ostree/deploy/$os/deploy/$checksum.0

This could potentially be made simpler with a wrapper script in ostree.git, since the --bind option for /var is always going to be the same.

Note that the ‘+’ syntax for --bind comes from systemd master: https://github.com/systemd/systemd/commit/86c0dd4a

Philip
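The wrapper script the post suggests, as an added example that is not part of the message, the PR or ostree.git: it discovers the deployment checksum under a mounted sysroot and prints the two nspawn arguments from the command line above, refusing to guess when zero or several deployments carry the requested serial. It assumes the image's root partition is already mounted at the directory passed as the first argument, that deployments live under ostree/deploy/$os/deploy/<checksum>.<serial>, and that the --pivot-sysroot option proposed in the PR is available in the systemd-nspawn being used; the function name ostree_nspawn_args is hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR or ostree.git): build the --bind and
# --pivot-sysroot arguments for systemd-nspawn from a mounted OSTree sysroot.
# Assumptions: $1 is the mount point of the image's root partition, $2 is the
# OS name used in ostree/deploy/$os, and the deployment directory is named
# <checksum>.<serial> as OSTree does. The '+' prefix on the --bind source means
# "relative to the container root", as the post notes (systemd master syntax).
set -eu

# Usage: ostree_nspawn_args SYSROOT OSNAME [DEPLOY_SERIAL]
# Prints one argument per line; returns 1 when the deployment is ambiguous or missing.
ostree_nspawn_args() {
    sysroot=$1
    os=$2
    serial=${3:-0}
    deploydir="$sysroot/ostree/deploy/$os/deploy"
    if [ ! -d "$deploydir" ]; then
        echo "no deployments for '$os' under $sysroot" >&2
        return 1
    fi

    # Count deployments ending in ".$serial"; exactly one must match so that
    # the wrapper never silently pivots into the wrong tree.
    count=0
    chosen=""
    for d in "$deploydir"/*."$serial"; do
        [ -d "$d" ] || continue
        count=$((count + 1))
        chosen=$(basename "$d")
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one deployment with serial $serial, found $count" >&2
        return 1
    fi

    # Paths are relative to the container's root, matching the post's command line.
    printf '%s\n' "--bind=+/sysroot/ostree/deploy/$os/var:/var"
    printf '%s\n' "--pivot-sysroot=/ostree/deploy/$os/deploy/$chosen"
}

# Example invocation (requires a mounted image and root, so not run here):
#   sudo systemd-nspawn -i ~/image.raw $(ostree_nspawn_args /mnt/image-root fedora)
```

Word-splitting the function's output in the usage line is safe only because OSTree deployment names contain no whitespace; the `=` form of the options is used so each argument stays a single word.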