
machine: introduce io.systemd.Machine.BindMount method (#35066)

This PR introduces the io.systemd.Machine.BindMount method, which is an
alternative to the D-Bus BindMountMachine method.
This commit is contained in:
Daan De Meyer 2025-01-03 13:19:48 +01:00 committed by GitHub
commit b0e9ac018d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 118 additions and 1 deletions


@ -12,6 +12,7 @@
#include "json-util.h"
#include "machine-varlink.h"
#include "machine.h"
#include "mount-util.h"
#include "path-util.h"
#include "pidref.h"
#include "process-util.h"
@ -728,3 +729,99 @@ int vl_method_map_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_m
return sd_varlink_reply(link, v);
}
typedef struct MachineMountParameters {
const char *name;
PidRef pidref;
char *src;
char *dest;
bool read_only;
bool mkdir;
} MachineMountParameters;
static void machine_mount_paramaters_done(MachineMountParameters *p) {
assert(p);
pidref_done(&p->pidref);
free(p->src);
free(p->dest);
}
int vl_method_bind_mount(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
static const sd_json_dispatch_field dispatch_table[] = {
VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineOpenParameters),
{ "source", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineMountParameters, src), SD_JSON_MANDATORY },
{ "destination", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineMountParameters, dest), 0 },
{ "readOnly", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineMountParameters, read_only), 0 },
{ "mkdir", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineMountParameters, mkdir), 0 },
VARLINK_DISPATCH_POLKIT_FIELD,
{}
};
Manager *manager = ASSERT_PTR(userdata);
_cleanup_(machine_mount_paramaters_done) MachineMountParameters p = {
.pidref = PIDREF_NULL
};
MountInNamespaceFlags mount_flags = 0;
uid_t uid_shift;
int r;
assert(link);
assert(parameters);
r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
if (r != 0)
return r;
/* There is no need for extra validation since json_dispatch_path() does path_is_valid() and path_is_absolute().*/
const char *dest = p.dest ?: p.src;
Machine *machine;
r = lookup_machine_by_name_or_pidref(link, manager, p.name, &p.pidref, &machine);
if (r == -ESRCH)
return sd_varlink_error(link, "io.systemd.Machine.NoSuchMachine", NULL);
if (r != 0)
return r;
if (machine->class != MACHINE_CONTAINER)
return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
r = varlink_verify_polkit_async(
link,
manager->bus,
"org.freedesktop.machine1.manage-machines",
(const char**) STRV_MAKE("name", machine->name,
"verb", "bind",
"src", p.src,
"dest", dest),
&manager->polkit_registry);
if (r <= 0)
return r;
r = machine_get_uid_shift(machine, &uid_shift);
if (r < 0)
return log_debug_errno(r, "Failed to get machine UID shift: %m");
if (uid_shift != 0) {
log_debug("Can't bind mount on container '%s' with user namespacing applied", machine->name);
return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
}
if (p.read_only)
mount_flags |= MOUNT_IN_NAMESPACE_READ_ONLY;
if (p.mkdir)
mount_flags |= MOUNT_IN_NAMESPACE_MAKE_FILE_OR_DIRECTORY;
const char *propagate_directory = strjoina("/run/systemd/nspawn/propagate/", machine->name);
r = bind_mount_in_namespace(
&machine->leader,
propagate_directory,
"/run/host/incoming/",
p.src,
dest,
mount_flags);
if (r < 0)
return log_debug_errno(r, "Failed to mount %s on %s in the namespace of machine '%s': %m", p.src, dest, machine->name);
return sd_varlink_reply(link, NULL);
}
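Review bot: The dispatch table at the top of vl_method_bind_mount takes its name/pidref offsets from `MachineOpenParameters` (`VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineOpenParameters)`) while the table is applied to a `MachineMountParameters` in `sd_varlink_dispatch(link, parameters, dispatch_table, &p)`; this only works if both structs happen to start with the same `name`/`pidref` layout, which is not visible here and would break silently if either struct is reordered, so it should read `VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineMountParameters),`. The comment above `const char *dest = p.dest ?: p.src;` states that json_dispatch_path() checks validity and absoluteness; whether it also rejects `.`/`..` components is not visible in this hunk, and since both paths are caller-supplied and flow into bind_mount_in_namespace after the polkit check, it is worth confirming and recording in that comment. Separately, `machine_mount_paramaters_done` is misspelled (`parameters`) both in its definition and in the `_cleanup_` attribute on `p`.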


@ -27,3 +27,4 @@ int vl_method_kill(sd_varlink *link, sd_json_variant *parameters, sd_varlink_met
int vl_method_open(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
int vl_method_map_from(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
int vl_method_map_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
int vl_method_bind_mount(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);


@ -774,6 +774,7 @@ static int manager_varlink_init_machine(Manager *m) {
"io.systemd.Machine.Open", vl_method_open,
"io.systemd.Machine.MapFrom", vl_method_map_from,
"io.systemd.Machine.MapTo", vl_method_map_to,
"io.systemd.Machine.BindMount", vl_method_bind_mount,
"io.systemd.MachineImage.List", vl_method_list_images,
"io.systemd.MachineImage.Update", vl_method_update_image,
"io.systemd.MachineImage.Clone", vl_method_clone_image,


@ -147,6 +147,18 @@ static SD_VARLINK_DEFINE_METHOD(
SD_VARLINK_FIELD_COMMENT("Machine's name which owns mapped UID/GID"),
SD_VARLINK_DEFINE_OUTPUT(machineName, SD_VARLINK_STRING, SD_VARLINK_NULLABLE));
static SD_VARLINK_DEFINE_METHOD(
BindMount,
VARLINK_DEFINE_MACHINE_LOOKUP_AND_POLKIT_INPUT_FIELDS,
SD_VARLINK_FIELD_COMMENT("The source directory/file on the host"),
SD_VARLINK_DEFINE_INPUT(source, SD_VARLINK_STRING, 0),
SD_VARLINK_FIELD_COMMENT("The destination directory/file in the container. If null, it's equal to 'source'"),
SD_VARLINK_DEFINE_INPUT(destination, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
SD_VARLINK_FIELD_COMMENT("If true, the bind mount shall be read-only"),
SD_VARLINK_DEFINE_INPUT(readOnly, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
SD_VARLINK_FIELD_COMMENT("The destination mount point shall be created first, if it is missing"),
SD_VARLINK_DEFINE_INPUT(mkdir, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
static SD_VARLINK_DEFINE_ERROR(NoSuchMachine);
static SD_VARLINK_DEFINE_ERROR(MachineExists);
static SD_VARLINK_DEFINE_ERROR(NoPrivateNetworking);
@ -187,6 +199,8 @@ SD_VARLINK_DEFINE_INTERFACE(
&vl_method_MapFrom,
SD_VARLINK_SYMBOL_COMMENT("Maps given host's UID/GID to a machine and corresponding UID/GID"),
&vl_method_MapTo,
SD_VARLINK_SYMBOL_COMMENT("Bind mounts a file or directory from the host into the container"),
&vl_method_BindMount,
SD_VARLINK_SYMBOL_COMMENT("No matching machine currently running"),
&vl_error_NoSuchMachine,
&vl_error_MachineExists,
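Review bot: The field comments for the nullable `readOnly` and `mkdir` inputs in the BindMount method definition do not say what happens when a client omits them; the handler zero-initializes its parameter struct, so both default to false, and the interface text should say so since this is the contract clients read. Suggested wording: `SD_VARLINK_FIELD_COMMENT("If true, the bind mount shall be read-only. Defaults to false if omitted")` and `SD_VARLINK_FIELD_COMMENT("If true, the destination mount point shall be created first if it is missing. Defaults to false if omitted")`. The `destination` comment already documents its null case, so this keeps the three optional fields consistent.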


@ -401,6 +401,8 @@ varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open
timeout 30 bash -c "until test -e /tmp/none-existent-file; do sleep .5; done"
grep -q "BAR" /tmp/none-existent-file
# io.systemd.Machine.BindMount is covered by testcase_check_machinectl_bind() in nspawn tests
# terminate machines
machinectl terminate long-running
# wait for the container being stopped, otherwise acquiring image metadata by io.systemd.MachineImage.List may fail in the below.


@ -796,7 +796,7 @@ EOF
testcase_machinectl_bind() {
local service_path service_name root container_name ec
local cmd='for i in $(seq 1 20); do if test -f /tmp/marker; then exit 0; fi; sleep .5; done; exit 1;'
local cmd='for i in $(seq 1 20); do if test -f /tmp/marker && test -f /tmp/marker-varlink; then exit 0; fi; sleep .5; done; exit 1;'
root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.machinectl-bind.XXX)"
create_dummy_container "$root"
@ -814,6 +814,8 @@ EOF
systemctl start "$service_name"
touch /tmp/marker
machinectl bind --mkdir "$container_name" /tmp/marker
touch /tmp/marker-varlink
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.BindMount "{\"name\": \"$container_name\", \"source\": \"/tmp/marker-varlink\", \"mkdir\": true}"
timeout 10 bash -c "while [[ '\$(systemctl show -P SubState $service_name)' == running ]]; do sleep .2; done"
ec="$(systemctl show -P ExecMainStatus "$service_name")"