man/systemd-nspawn.xml

@@ -624,10 +624,11 @@
         provides protection against accidental destructive operations only.</para>
 
         <para>Note that if credentials are used in combination with a non-root <option>--user=</option>
-        (e.g.: <option>--set-credential=</option> or <option>--load-credential=</option>), then
+        (e.g.: <option>--set-credential=</option>, <option>--load-credential=</option> or
-        <option>--no-new-privileges=yes</option> must be used, and <option>--boot</option> or
+        <option>--import-credential=</option>), then <option>--no-new-privileges=yes</option> must be used, and
-        <option>--as-pid2</option> must not be used, as the credentials would otherwise be unreadable
+        <option>--boot</option> or <option>--as-pid2</option> must not be used, as the credentials would
-        by the container due to missing privileges after switching to the specified user.</para></listitem>
+        otherwise be unreadable by the container due to missing privileges after switching to the specified
+        user.</para></listitem>
       </varlistentry>
 
       <varlistentry>

src/dissect/dissect.c

@@ -2178,6 +2178,9 @@ static int run(int argc, char *argv[]) {
                         if (arg_loop_ref || arg_loop_ref_auto) /* yes, the 2nd check is strictly speaking redundant, given the normalization we did above, but let's be explicit here */
                                 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "--loop-ref=/--loop-ref-auto not supported when operating via systemd-mountfsd.");
 
+                        if (verity_settings_set(&arg_verity_settings))
+                                return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Externally configured verity settings not supported when operating via systemd-mountfsd.");
+
                         /* Don't run things in private userns, if the mount shall be attached to the host */
                         if (!IN_SET(arg_action, ACTION_MOUNT, ACTION_WITH)) {
                                 userns_fd = nsresource_allocate_userns(/* name= */ NULL, NSRESOURCE_UIDS_64K); /* allocate 64K users by default */

src/include/override/sys/mount.h

@@ -36,7 +36,8 @@ extern int umount(const char *__special_file);
 /* Unmount a filesystem.  Force unmounting if FLAGS is set to MNT_FORCE.  */
 extern int umount2(const char *__special_file, int __flags);
 
-/* Open the filesystem referenced by FS_NAME so it can be configured for mounting. */
+/* Open the filesystem referenced by FS_NAME so it can be configured for
+   mouting.  */
 /* Defined since glibc-2.36.
  * Supported since kernel v5.2 (24dcb3d90a1f67fe08c68a004af37df059d74005). */
 #if HAVE_FSOPEN

src/run-generator/run-generator.c

@@ -6,6 +6,7 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "generator.h"
+#include "glyph-util.h"
 #include "log.h"
 #include "proc-cmdline.h"
 #include "special.h"
@@ -114,11 +115,12 @@ static int generate(void) {
                 return log_error_errno(r, "Failed to create unit file %s: %m", p);
 
         /* And now redirect default.target to our new target */
-        return generator_add_symlink(
+        p = strjoina(arg_dest, "/" SPECIAL_DEFAULT_TARGET);
-                        arg_dest,
+        if (symlink("kernel-command-line.target", p) < 0)
-                        SPECIAL_DEFAULT_TARGET,
+                return log_error_errno(errno, "Failed to link unit file kernel-command-line.target %s %s: %m",
-                        /* dep_type= */ NULL,
+                                       glyph(GLYPH_ARROW_RIGHT), p);
-                        "kernel-command-line.target");
+
+        return 0;
 }
 
 static int run(const char *dest, const char *dest_early, const char *dest_late) {