From: Ivan Kruglov
Date: Wed, 18 Dec 2024 18:06:36 +0000 (+0100)
Subject: machine: introduce io.systemd.Machine.BindMount method
X-Git-Tag: v258-rc1~1737^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d12b63f168a256c4bbed3bba71b21209ebc3c69a;p=thirdparty%2Fsystemd.git
machine: introduce io.systemd.Machine.BindMount method
---
diff --git a/src/machine/machine-varlink.c b/src/machine/machine-varlink.c
index 1d2814b26a3..a88c2930cf2 100644
--- a/src/machine/machine-varlink.c
+++ b/src/machine/machine-varlink.c
@@ -12,6 +12,7 @@
 #include "json-util.h"
 #include "machine-varlink.h"
 #include "machine.h"
+#include "mount-util.h"
 #include "path-util.h"
 #include "pidref.h"
 #include "process-util.h"
@@ -728,3 +729,99 @@ int vl_method_map_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_m
 return sd_varlink_reply(link, v);
 }
+
+typedef struct MachineMountParameters {
+ const char *name;
+ PidRef pidref;
+ char *src;
+ char *dest;
+ bool read_only;
+ bool mkdir;
+} MachineMountParameters;
+
+static void machine_mount_paramaters_done(MachineMountParameters *p) {
+ assert(p);
+
+ pidref_done(&p->pidref);
+ free(p->src);
+ free(p->dest);
+}
+
+int vl_method_bind_mount(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
+ static const sd_json_dispatch_field dispatch_table[] = {
+ VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineOpenParameters),
+ { "source", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineMountParameters, src), SD_JSON_MANDATORY },
+ { "destination", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineMountParameters, dest), 0 },
+ { "readOnly", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineMountParameters, read_only), 0 },
+ { "mkdir", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineMountParameters, mkdir), 0 },
+ VARLINK_DISPATCH_POLKIT_FIELD,
+ {}
+ };
+
+ Manager *manager = ASSERT_PTR(userdata);
+ _cleanup_(machine_mount_paramaters_done) MachineMountParameters p = {
+ .pidref = PIDREF_NULL
+ };
+ MountInNamespaceFlags mount_flags = 0;
+ uid_t uid_shift;
+ int r;
+
+ assert(link);
+ assert(parameters);
+
+ r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
+ if (r != 0)
+ return r;
+
+ /* There is no need for extra validation since json_dispatch_path() does path_is_valid() and path_is_absolute().*/
+ const char *dest = p.dest ?: p.src;
+
+ Machine *machine;
+ r = lookup_machine_by_name_or_pidref(link, manager, p.name, &p.pidref, &machine);
+ if (r == -ESRCH)
+ return sd_varlink_error(link, "io.systemd.Machine.NoSuchMachine", NULL);
+ if (r != 0)
+ return r;
+
+ if (machine->class != MACHINE_CONTAINER)
+ return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
+
+ r = varlink_verify_polkit_async(
+ link,
+ manager->bus,
+ "org.freedesktop.machine1.manage-machines",
+ (const char**) STRV_MAKE("name", machine->name,
+ "verb", "bind",
+ "src", p.src,
+ "dest", dest),
+ &manager->polkit_registry);
+ if (r <= 0)
+ return r;
+
+ r = machine_get_uid_shift(machine, &uid_shift);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to get machine UID shift: %m");
+ if (uid_shift != 0) {
+ log_debug("Can't bind mount on container '%s' with user namespacing applied", machine->name);
+ return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
+ }
+
+ if (p.read_only)
+ mount_flags |= MOUNT_IN_NAMESPACE_READ_ONLY;
+ if (p.mkdir)
+ mount_flags |= MOUNT_IN_NAMESPACE_MAKE_FILE_OR_DIRECTORY;
+
+ const char *propagate_directory = strjoina("/run/systemd/nspawn/propagate/", machine->name);
+
+ r = bind_mount_in_namespace(
+ &machine->leader,
+ propagate_directory,
+ "/run/host/incoming/",
+ p.src,
+ dest,
+ mount_flags);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to mount %s on %s in the namespace of machine '%s': %m", p.src, dest, machine->name);
+
+ return sd_varlink_reply(link, NULL);
+}
diff --git a/src/machine/machine-varlink.h b/src/machine/machine-varlink.h
index 984a8d8f3ed..401d8f5c682 100644
--- a/src/machine/machine-varlink.h
+++ b/src/machine/machine-varlink.h
@@ -27,3 +27,4 @@ int vl_method_kill(sd_varlink *link, sd_json_variant *parameters, sd_varlink_met
 int vl_method_open(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
 int vl_method_map_from(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
 int vl_method_map_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
+int vl_method_bind_mount(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
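Review bot: The dispatch table in `vl_method_bind_mount` expands `VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineOpenParameters)` while every other entry, and the struct handed to `sd_varlink_dispatch()`, is `MachineMountParameters`; if that macro computes `offsetof()` against the type it is given (as the sibling entries do), `name` and `pidref` are only stored correctly because both structs happen to start with the same two members, and any later reordering of either struct would silently corrupt the machine lookup that gates the polkit check and the mount. Change the line to `VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineMountParameters),`. As a matter of style, the cleanup helper is misspelled as `machine_mount_paramaters_done` in both its definition and its `_cleanup_` use and should read `machine_mount_parameters_done`, and the comment ending `path_is_absolute().*/` is missing a space before `*/`.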
diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
index 104b841dd5e..68b31cf262d 100644
--- a/src/machine/machined-varlink.c
+++ b/src/machine/machined-varlink.c
@@ -774,6 +774,7 @@ static int manager_varlink_init_machine(Manager *m) {
 "io.systemd.Machine.Open", vl_method_open,
 "io.systemd.Machine.MapFrom", vl_method_map_from,
 "io.systemd.Machine.MapTo", vl_method_map_to,
+ "io.systemd.Machine.BindMount", vl_method_bind_mount,
 "io.systemd.MachineImage.List", vl_method_list_images,
 "io.systemd.MachineImage.Update", vl_method_update_image,
 "io.systemd.MachineImage.Clone", vl_method_clone_image,
diff --git a/src/shared/varlink-io.systemd.Machine.c b/src/shared/varlink-io.systemd.Machine.c
index 696d4020022..e66c0e74235 100644
--- a/src/shared/varlink-io.systemd.Machine.c
+++ b/src/shared/varlink-io.systemd.Machine.c
@@ -147,6 +147,18 @@ static SD_VARLINK_DEFINE_METHOD(
 SD_VARLINK_FIELD_COMMENT("Machine's name which owns mapped UID/GID"),
 SD_VARLINK_DEFINE_OUTPUT(machineName, SD_VARLINK_STRING, SD_VARLINK_NULLABLE));
+static SD_VARLINK_DEFINE_METHOD(
+ BindMount,
+ VARLINK_DEFINE_MACHINE_LOOKUP_AND_POLKIT_INPUT_FIELDS,
+ SD_VARLINK_FIELD_COMMENT("The source directory/file on the host"),
+ SD_VARLINK_DEFINE_INPUT(source, SD_VARLINK_STRING, 0),
+ SD_VARLINK_FIELD_COMMENT("The destination directory/file in the container. If null, it's equal to 'source'"),
+ SD_VARLINK_DEFINE_INPUT(destination, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
+ SD_VARLINK_FIELD_COMMENT("If true, the bind mount shall be read-only"),
+ SD_VARLINK_DEFINE_INPUT(readOnly, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
+ SD_VARLINK_FIELD_COMMENT("The destination mount point shall be created first, if it is missing"),
+ SD_VARLINK_DEFINE_INPUT(mkdir, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
+
 static SD_VARLINK_DEFINE_ERROR(NoSuchMachine);
 static SD_VARLINK_DEFINE_ERROR(MachineExists);
 static SD_VARLINK_DEFINE_ERROR(NoPrivateNetworking);
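Review bot: The `BindMount` IDL does not tell clients that `source` and `destination` must be absolute paths, although the handler in `vl_method_bind_mount` relies on `json_dispatch_path()` rejecting anything else (per the comment there), nor that the call is refused with `io.systemd.Machine.NotSupported` for non-container machines and for containers running with a UID shift, so both constraints are only discoverable by trial. The field comments should state the path requirement, e.g. `SD_VARLINK_FIELD_COMMENT("The source directory/file on the host (absolute path)")` and `SD_VARLINK_FIELD_COMMENT("The destination directory/file in the container (absolute path). If null, it's equal to 'source'")`, and a sentence on the container-only restriction belongs in the method's `SD_VARLINK_SYMBOL_COMMENT` in the interface listing. Whether `NotSupported` is already declared as an error in this file is not visible in the hunk; if it is not, it should be added next to `NoSuchMachine`.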
@@ -187,6 +199,8 @@ SD_VARLINK_DEFINE_INTERFACE(
 &vl_method_MapFrom,
 SD_VARLINK_SYMBOL_COMMENT("Maps given host's UID/GID to a machine and corresponding UID/GID"),
 &vl_method_MapTo,
+ SD_VARLINK_SYMBOL_COMMENT("Bind mounts a file or directory from the host into the container"),
+ &vl_method_BindMount,
 SD_VARLINK_SYMBOL_COMMENT("No matching machine currently running"),
 &vl_error_NoSuchMachine,
 &vl_error_MachineExists,