munix: allow specifying any user ID / do not use host /etc/passwd, fixes #2
This commit is contained in:
Val Packett
parent
7c3c52df7e
commit
9256257abe
3 changed files with 22 additions and 8 deletions
24
munix
24
munix
|
|
@ -5,6 +5,8 @@ PASST_PATH=$(dirname $(which passt))
|
|||
HOST_OPENGL_DRIVER=/run/opengl-driver
|
||||
MICROVM_CLOSURE=
|
||||
MICROVM_COMMAND=()
|
||||
MICROVM_UID=1337
|
||||
MICROVM_GID=1337
|
||||
BWRAP_ARGS=()
|
||||
MUVM_ARGS=()
|
||||
GPU=1
|
||||
|
|
@ -15,6 +17,8 @@ export TMP=/tmp TMPDIR=/tmp TEMP=/tmp TEMPDIR=/tmp LC_ALL=C
|
|||
|
||||
while [ "$#" -gt 0 ]; do
|
||||
case "$1" in
|
||||
-u|--uid) MICROVM_UID="$2"; shift 2;;
|
||||
-g|--gid) MICROVM_GID="$2"; shift 2;;
|
||||
--no-gpu) GPU=0; shift 1;;
|
||||
--no-wayland) WAYLAND=0; shift 1;;
|
||||
--no-pipewire) PIPEWIRE=0; shift 1;;
|
||||
|
|
@ -95,7 +99,7 @@ else
|
|||
fi
|
||||
|
||||
exec bwrap --unshare-all --share-net \
|
||||
--uid 1001 --gid 1001 \
|
||||
--uid $MICROVM_UID --gid $MICROVM_GID \
|
||||
--tmpfs / \
|
||||
--dir /run --dir /var --symlink /run /var/run --dir /tmp \
|
||||
--proc /proc --ro-bind /sys /sys \
|
||||
|
|
@ -108,13 +112,23 @@ exec bwrap --unshare-all --share-net \
|
|||
--ro-bind /nix/store /nix/store \
|
||||
--ro-bind /run/systemd/resolve /run/systemd/resolve \
|
||||
--ro-bind /etc/resolv.conf /etc/resolv.conf \
|
||||
--ro-bind /etc/group /etc/group \
|
||||
--ro-bind /etc/passwd /etc/passwd \
|
||||
--file 11 /etc/passwd \
|
||||
--file 12 /etc/group \
|
||||
--dir "$XDG_RUNTIME_DIR" \
|
||||
--setenv PATH "/run/munix/muvm:/run/munix/passt:$MICROVM_CLOSURE/sw/bin" \
|
||||
"${BWRAP_ARGS[@]}" \
|
||||
muvm \
|
||||
-x /usr/bin/munix-init-root -X /usr/bin/munix-init-user --udevd-path="$MICROVM_CLOSURE/sw/bin/true" \
|
||||
"${MUVM_ARGS[@]}" \
|
||||
-e MICROVM_CLOSURE="$MICROVM_CLOSURE" \
|
||||
-i -t "${MICROVM_COMMAND[@]}"
|
||||
-e MICROVM_CLOSURE="$MICROVM_CLOSURE" -e MICROVM_UID="$MICROVM_UID" -e MICROVM_GID="$MICROVM_GID" \
|
||||
-i -t "${MICROVM_COMMAND[@]}" \
|
||||
11< <(cat <<EOF
|
||||
munix:x:$MICROVM_UID:$MICROVM_GID:Hypervisor:/:/run/current-system/sw/bin/nologin
|
||||
nobody:x:65534:65534:Unprivileged account:/var/empty:/run/current-system/sw/bin/nologin
|
||||
EOF
|
||||
) \
|
||||
12< <(cat <<EOF
|
||||
munix:x:$MICROVM_GID:
|
||||
nogroup:x:65534:
|
||||
EOF
|
||||
)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue