From 2ce9555dc586559232c676d16a4226dcb0d786e0 Mon Sep 17 00:00:00 2001 From: Johannes 'josch' Schauer Date: Sun, 12 Apr 2020 09:10:30 +0200 Subject: [PATCH] expand docs for unshare mode --- mmdebstrap | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/mmdebstrap b/mmdebstrap index fe31c17..364484b 100755 --- a/mmdebstrap +++ b/mmdebstrap @@ -5139,12 +5139,29 @@ by the _apt user, then apt sandboxing will be automatically disabled. This mode uses Linux user namespaces to allow unprivileged use of chroot and creation of files that appear to be owned by the superuser inside the unshared -namespace. A directory chroot created with this mode will end up with wrong -ownership information. Choose to create a tarball instead. This mode requires -the sysctl C being set to C<1>. B. Refer to +namespace. A tarball created in this mode should be bit-by-bit identical to a +tarball created with the B mode. This mode requires the sysctl +C being set to C<1>. B. Refer to L +A directory chroot created with this mode will end up with wrong ownership +information. For correct ownership information, the directory must be accessed +from a user namespace with the right subuid/subgid offset, like so: + + $ lxc-usernsexec -- lxc-unshare -s 'MOUNT|PID|UTSNAME|IPC' -- \ + > /usr/sbin/chroot ./debian-rootfs /bin/bash + +Or without LXC: + + $ mmdebstrap --unshare-helper /usr/sbin/chroot ./debian-rootfs /bin/bash + +Or, if you don't mind using superuser privileges and have systemd-nspawn +available and you know your subuid/subgid offset (100000 in this example): + + $ sudo systemd-nspawn --private-users=100000 \ + > --directory=./debian-rootfs /bin/bash + =item B, B This mode will exec B again under C. A
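Review bot: the third example in the new paragraph hardcodes `--private-users=100000` and only says the reader should "know your subuid/subgid offset"; since a wrong offset silently produces the very wrong-ownership result the paragraph is warning about, suggest saying where the offset comes from (the invoking user's range in `/etc/subuid` and `/etc/subgid`) and that it must be the same range mmdebstrap used when the directory was created, for example "100000 in this example; use the first value of your entry in /etc/subuid". Also, the second example relies on `mmdebstrap --unshare-helper`, which appears nowhere else in this hunk; if that option is not already described in the options section, add an entry or a cross-reference there so the example is not the only place it is mentioned. Minor: the first sentence of the paragraph now duplicates the wording removed from the previous paragraph ("will end up with wrong ownership information"), which is fine, but the old advice "Choose to create a tarball instead" was dropped; consider keeping it as the simplest alternative before the three namespace-based workarounds.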