start: documented idmapped mounts
authorChristian Brauner <christian.brauner@ubuntu.com>
Wed, 17 Mar 2021 15:22:46 +0000 (16:22 +0100)
committerChristian Brauner <christian.brauner@ubuntu.com>
Wed, 21 Apr 2021 08:05:59 +0000 (10:05 +0200)
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/start.c

index e4e7e365a769e8b4bd9b8889e052f64b7a834d8b..c83c0f72e0acc2198c875794662f8acf0491f7a2 100644 (file)
@@ -2042,7 +2042,21 @@ int __lxc_start(struct lxc_handler *handler, struct lxc_operations *ops,
        }
 
        if (geteuid() == 0 && !lxc_list_empty(&conf->id_map)) {
-               /* If the backing store is a device, mount it here and now. */
+               /*
+                * This handles two cases: mounting real block devices and
+                * creating idmapped mounts. The block device case should be
+                * obivous, i.e. no real filesystem can currently be mounted
+                * from inside a user namespace.
+                *
+                * Idmapped mounts can currently only be created if the caller
+                * is privileged wrt to the user namespace in which the
+                * underlying block device has been mounted in. This basically
+                * (with few exceptions) means we need to be CAP_SYS_ADMIN in
+                * the initial user namespace since almost no interesting
+                * filesystems can be mounted inside of user namespaces. This
+                * is way we need to do the rootfs setup here. In the future
+                * this may change.
+                */
                if (idmapped_rootfs_mnt(&conf->rootfs) || rootfs_is_blockdev(conf)) {
                        ret = unshare(CLONE_NEWNS);
                        if (ret < 0) {
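Review bot: The added comment carries two typos and an awkward phrase that should be fixed before it lands: `obivous` should be `obvious`, `This is way we need to do the rootfs setup here` should be `This is why we need to do the rootfs setup here`, and `privileged wrt to the user namespace in which the underlying block device has been mounted in` reads better as `privileged with respect to the user namespace in which the underlying block device has been mounted`. The comment also states that the caller effectively needs CAP_SYS_ADMIN in the initial user namespace, while the guard directly above it only tests `geteuid() == 0`, which presumably also holds for root inside a user namespace; if that looser check is intentional, a clause such as `the euid check above is only a coarse approximation of that requirement` would keep the comment consistent with the code. The enclosing __lxc_start body continues outside the hunk.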