GitHub-Mirror/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2025-10-06 00:13:24 +02:00
Code Issues Releases Wiki Activity

doc: document /run/host/root/ as an optional bind mount for the host fs

Browse Source 
Container managers may want to bind mount the root filesystem
somewhere within the container. Security-wise, this is very much not
recommended, but it may be something application containers may want
to do nonetheless.

Ref: https://github.com/flatpak/flatpak/pull/6125#issuecomment-2759378603
This commit is contained in:
Ryan Brue
2025-07-28 11:46:22 -05:00
committed by Luca Boccassi
parent 72bf86663c
commit d7c7af28fb
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/CONTAINER_INTERFACE.md
View File

@@ -301,6 +301,12 @@ care should be taken to avoid naming conflicts. `systemd` (and in particular
may be used in combination with `/run/host/userdb/` above: one defines the may be used in combination with `/run/host/userdb/` above: one defines the
user record, the other contains the user's home directory. user record, the other contains the user's home directory.
12. The `/run/host/root/` directory may be used to bind mount the host root
filesystem. Binding the host's root filesystem into the container is a
major security hole: any container manager that maintains a security
boundary should not use this; however, if having the root filesystem in
the container is desired, this is a good place to mount it to.
## What You Shouldn't Do ## What You Shouldn't Do
1. Do not drop `CAP_MKNOD` from the container. `PrivateDevices=` is a commonly 1. Do not drop `CAP_MKNOD` from the container. `PrivateDevices=` is a commonly