nspawn: become a new root early
authorEvgeny Vereshchagin <evvers@ya.ru>
Thu, 20 Oct 2016 09:05:46 +0000 (09:05 +0000)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Mon, 24 Oct 2016 03:23:42 +0000 (23:23 -0400)
https://github.com/torvalds/linux/commit/036d523641c66bef713042894a17f4335f199e49

> vfs: Don't create inodes with a uid or gid unknown to the vfs
  It is expected that filesystems can not represent uids and gids from
  outside of their user namespace.  Keep things simple by not even
  trying to create filesystem nodes with non-sense uids and gids.

So we should actually call `reset_uid_gid()` early, to prevent the failure described in https://github.com/systemd/systemd/pull/4223#issuecomment-252522955

$ sudo UNIFIED_CGROUP_HIERARCHY=no LD_LIBRARY_PATH=.libs .libs/systemd-nspawn -D /var/lib/machines/fedora-rawhide -U -b systemd.unit=multi-user.target

Spawning container fedora-rawhide on /var/lib/machines/fedora-rawhide.
Press ^] three times within 1s to kill container.
Child died too early.
Selected user namespace base 1073283072 and range 65536.
Failed to mount to /sys/fs/cgroup/systemd: No such file or directory

Details: https://github.com/systemd/systemd/pull/4223#issuecomment-253046519
Fixes: #4352
src/nspawn/nspawn.c

index 2cbe56395322e1d5d9ecf1f858ea912b2dd07119..295293858e7ea1146d0036d99fec51a5c72aa18f 100644 (file)
@@ -2684,6 +2684,10 @@ static int inner_child(
                 }
         }
 
+        r = reset_uid_gid();
+        if (r < 0)
+                return log_error_errno(r, "Couldn't become new root: %m");
+
         r = mount_all(NULL,
                       arg_userns_mode != USER_NAMESPACE_NO,
                       true,
@@ -2726,10 +2730,6 @@ static int inner_child(
                         return r;
         }
 
-        r = reset_uid_gid();
-        if (r < 0)
-                return log_error_errno(r, "Couldn't become new root: %m");
-
         r = setup_boot_id(NULL);
         if (r < 0)
                 return r;