From: Lennart Poettering Date: Thu, 16 Nov 2017 17:05:42 +0000 (+0100) Subject: man: document how nspawn's --bind= and --private-users interact X-Git-Tag: v236~186^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=994a6364d2dfcf5fa11ec26e81752fbe842428aa;p=thirdparty%2Fsystemd.git man: document how nspawn's --bind= and --private-users interact Fixes: #5900 --- diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 98ce1529de0..1ef6567e48d 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -806,7 +806,13 @@ are allowed, controlling whether to create a recursive or a regular bind mount. Defaults to "rbind". Backslash escapes are interpreted, so \: may be used to embed colons in either path. This option may be specified multiple times for creating multiple independent bind - mount points. The option creates read-only bind mounts. + mount points. The option creates read-only bind mounts. + + Note that when this option is used in combination with , the resulting + mount points will be owned by the nobody user. That's because the mount and its files and + directories continue to be owned by the relevant host users and groups, which do not exist in the container, + and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to + make them read-only, using .
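Review bot: the option references this new paragraph depends on are missing in this rendering ("in combination with ," and "make them read-only, using ."), so as shown the note is incomplete; confirm that the `<option>` elements naming the user-namespacing option and the read-only bind variant survive in the final XML, otherwise the reader cannot tell which two switches interact. Also, "wildcard UID 65534 (nobody)" would be more accurate as the kernel's overflow UID/GID: host owners that have no mapping in the container's user namespace are reported as the overflow ID, which is 65534 by default but is set by /proc/sys/kernel/overflowuid and /proc/sys/kernel/overflowgid, and whether that ID is displayed as "nobody" depends on the container's own user database. It would help to state the practical consequence that motivates the recommendation: because those files belong to unmapped IDs, access from inside the container is checked against the "other" permission bits, so the container can neither chown them nor write to them unless they are world-writable, which is why a read-only bind is the safer default.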