From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 24 Jul 2019 15:32:09 +0000 (+0200)
Subject: nspawn: allow --volatile=yes instances of -D /
X-Git-Tag: v243-rc1~19^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b35ca61ae27172a453faf6541d2d327bf8b0629a;p=thirdparty%2Fsystemd.git

nspawn: allow --volatile=yes instances of -D /
---

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index fed5c651ced..2542888c1e0 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4740,8 +4740,12 @@ static int run(int argc, char *argv[]) {
         if (arg_directory) {
                 assert(!arg_image);
 
-                if (path_equal(arg_directory, "/") && !arg_ephemeral) {
-                        log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
+                /* Safety precaution: let's not allow running images from the live host OS image, as long as
+                 * /var from the host will propagate into container dynamically (because bad things happen if
+                 * two systems write to the same /var). Let's allow it for the special cases where /var is
+                 * either copied (i.e. --ephemeral) or replaced (i.e. --volatile=yes|state). */
+                if (path_equal(arg_directory, "/") && !(arg_ephemeral || IN_SET(arg_volatile_mode, VOLATILE_YES, VOLATILE_STATE))) {
+                        log_error("Spawning container on root directory is not supported. Consider using --ephemeral, --volatile=yes or --volatile=state.");
                         r = -EINVAL;
                         goto finish;
                 }