@@ -42,6 +42,10 @@ do this in 4 different ways:
4242 unprivileged user namespaces enabled,
4343 this can also be used with unprivileged singularity or apptainer.
4444
45+ In addition, this package contains a related tool called
46+ [ bindexec] ( #bindexec ) which starts a new user namespace with given
47+ bind mounts added.
48+
4549# Supported operating systems
4650
4751Operating systems currently supported by this package are Red Hat
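Review bot: the summary at lines 45-47 understates what `bindexec` does and should match the new section it links to: that section says the tool also runs the command in a new process (pid) namespace on top of a fuse-overlayfs mount, which changes observable behaviour (pids restart at 1, nothing outside the namespace is visible), so a reader skimming the intro would not expect that from "starts a new user namespace with given bind mounts added". Suggest something like "starts a new unprivileged user, mount and pid namespace with the given bind mounts added".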
@@ -370,3 +374,40 @@ $ mkfs.ext3 -F -O ^has_journal -d tmp scratch.img
370374By default the cvmfs logs are written to a top-level ` log ` directory, alongside
371375the top-level ` dist ` directory. The variable ` SINGCVMFS_LOGDIR ` can be used to
372376write them to a different directory, which will be created if it doesn't exist.
377+
378+ # bindexec
379+
380+ As a bonus, this package also includes a separate tool called ` bindexec `
381+ that accepts any set of bind mounts to add into a new unprivileged user
382+ mount namespace. The usage is much like ` cvmfsexec ` except that instead
383+ of cvmfs repository names you give it ` src:dest ` pairs where ` src ` is a
384+ source directory or file and ` dest ` is a destination path. For example:
385+
386+ ```
387+ $ bindexec /etc/motd:/var/lib/mydir/motd -- ls /var/lib/mydir
388+ motd
389+ ```
390+
391+ Like ` cvmfsexec ` , if no command is supplied after ` -- ` it runs an
392+ interactive shell.
393+
394+ Bind mounts require target destinations to exist, but if they are
395+ missing ` bindexec ` will automatically create them. This requires the
396+ fuse-overlayfs command to be in the PATH, although if there is demand
397+ for it a script for making that easily distributable as well will be
398+ supplied (probably through a ` makedist ` option).
399+
400+ Some system directories (` /proc ` , ` /sys ` , ` /dev ` , and ` /run ` ) are
401+ included as-is on top of the overlay so anything bound into those
402+ directories will not appear. In addition, any ` nfs ` filesystem types
403+ are automatically added on top of the overlay because they don't work
404+ properly through overlay, so no bind mounts will appear in those paths
405+ either.
406+
407+ ` bindexec ` always creates a new process namespace because that's the
408+ easiest way to make sure that the fuse-overlayfs process will exit when
409+ the command exits. This means that processes start over at pid 1 and no
410+ process can be seen outside of the namespace. Also because it is using
411+ an unprivileged user namespace, any files owned by anyone other than the
412+ current user will show up as being owned by ` nobody ` (just as it does in
413+ ` cvmfsexec ` ).
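Review bot: the paragraph at lines 394-398 leaves it ambiguous whether fuse-overlayfs is needed only when a destination path is missing or on every invocation, and the paragraph at lines 407-409 ("make sure that the fuse-overlayfs process will exit") reads as if it is always started; state which it is, and document what `bindexec` does when `fuse-overlayfs` is not in the PATH (fails with an error, or falls back to plain bind mounts that then require pre-existing targets). It would also help to say whether `dest` must be an absolute path and whether a `src` that is a file (as in the `/etc/motd` example) is handled differently from a directory.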