machine: introduce io.systemd.Machine.BindMount method
authorIvan Kruglov <mail@ikruglov.com>
Wed, 18 Dec 2024 18:06:36 +0000 (19:06 +0100)
committerIvan Kruglov <mail@ikruglov.com>
Thu, 2 Jan 2025 15:58:16 +0000 (16:58 +0100)
src/machine/machine-varlink.c
src/machine/machine-varlink.h
src/machine/machined-varlink.c
src/shared/varlink-io.systemd.Machine.c

index 1d2814b26a3cdffef73cdb72b4163435bf2b7c0c..a88c2930cf28d0d311317a35a067dbfb21a1909e 100644 (file)
@@ -12,6 +12,7 @@
 #include "json-util.h"
 #include "machine-varlink.h"
 #include "machine.h"
+#include "mount-util.h"
 #include "path-util.h"
 #include "pidref.h"
 #include "process-util.h"
@@ -728,3 +729,99 @@ int vl_method_map_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_m
 
         return sd_varlink_reply(link, v);
 }
+
+typedef struct MachineMountParameters {
+        const char *name;
+        PidRef pidref;
+        char *src;
+        char *dest;
+        bool read_only;
+        bool mkdir;
+} MachineMountParameters;
+
+static void machine_mount_paramaters_done(MachineMountParameters *p) {
+        assert(p);
+
+        pidref_done(&p->pidref);
+        free(p->src);
+        free(p->dest);
+}
+
+int vl_method_bind_mount(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
+        static const sd_json_dispatch_field dispatch_table[] = {
+                VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineOpenParameters),
+                { "source",      SD_JSON_VARIANT_STRING,  json_dispatch_path,       offsetof(MachineMountParameters, src),       SD_JSON_MANDATORY },
+                { "destination", SD_JSON_VARIANT_STRING,  json_dispatch_path,       offsetof(MachineMountParameters, dest),      0                 },
+                { "readOnly",    SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineMountParameters, read_only), 0                 },
+                { "mkdir",       SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineMountParameters, mkdir),     0                 },
+                VARLINK_DISPATCH_POLKIT_FIELD,
+                {}
+        };
+
+        Manager *manager = ASSERT_PTR(userdata);
+        _cleanup_(machine_mount_paramaters_done) MachineMountParameters p = {
+                .pidref = PIDREF_NULL
+        };
+        MountInNamespaceFlags mount_flags = 0;
+        uid_t uid_shift;
+        int r;
+
+        assert(link);
+        assert(parameters);
+
+        r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
+        if (r != 0)
+                return r;
+
+        /* There is no need for extra validation since json_dispatch_path() does path_is_valid() and path_is_absolute().*/
+        const char *dest = p.dest ?: p.src;
+
+        Machine *machine;
+        r = lookup_machine_by_name_or_pidref(link, manager, p.name, &p.pidref, &machine);
+        if (r == -ESRCH)
+                return sd_varlink_error(link, "io.systemd.Machine.NoSuchMachine", NULL);
+        if (r != 0)
+                return r;
+
+        if (machine->class != MACHINE_CONTAINER)
+                return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
+
+        r = varlink_verify_polkit_async(
+                        link,
+                        manager->bus,
+                        "org.freedesktop.machine1.manage-machines",
+                        (const char**) STRV_MAKE("name", machine->name,
+                                                 "verb", "bind",
+                                                 "src", p.src,
+                                                 "dest", dest),
+                        &manager->polkit_registry);
+        if (r <= 0)
+                return r;
+
+        r = machine_get_uid_shift(machine, &uid_shift);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to get machine UID shift: %m");
+        if (uid_shift != 0) {
+                log_debug("Can't bind mount on container '%s' with user namespacing applied", machine->name);
+                return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
+        }
+
+        if (p.read_only)
+                mount_flags |= MOUNT_IN_NAMESPACE_READ_ONLY;
+        if (p.mkdir)
+                mount_flags |= MOUNT_IN_NAMESPACE_MAKE_FILE_OR_DIRECTORY;
+
+        const char *propagate_directory = strjoina("/run/systemd/nspawn/propagate/", machine->name);
+
+        r = bind_mount_in_namespace(
+                        &machine->leader,
+                        propagate_directory,
+                        "/run/host/incoming/",
+                        p.src,
+                        dest,
+                        mount_flags);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to mount %s on %s in the namespace of machine '%s': %m", p.src, dest, machine->name);
+
+        return sd_varlink_reply(link, NULL);
+}
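Review bot: The dispatch table's lookup row `VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineOpenParameters)` computes the `name` and `pidref` offsets against MachineOpenParameters, yet sd_varlink_dispatch() is handed `&p`, a MachineMountParameters; this only works as long as both structs happen to begin with the same two members, and would silently write through wrong offsets if either is ever reordered. It should read `VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineMountParameters),` so the table names the struct it actually fills. A smaller point of style: the cleanup helper `machine_mount_paramaters_done` misspells "parameters", which makes it hard to find next to the other `*_parameters_done` helpers; `machine_mount_parameters_done` in both the definition and the `_cleanup_` attribute fixes that. The `uid_shift != 0` refusal deserves a one-line comment explaining the intent rather than only a debug log, e.g. `/* Refuse to propagate host paths into user-namespaced containers; see the D-Bus implementation for the rationale. */` — the underlying reason is not stated anywhere in this hunk, so the comment should point at wherever it is documented rather than guess.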
index 984a8d8f3ed78fb259ea379ec991b1c8fbb185c4..401d8f5c6829178e0c1c5a5066be0c9dd7ec182c 100644 (file)
@@ -27,3 +27,4 @@ int vl_method_kill(sd_varlink *link, sd_json_variant *parameters, sd_varlink_met
 int vl_method_open(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
 int vl_method_map_from(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
 int vl_method_map_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
+int vl_method_bind_mount(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
index 104b841dd5e1b2821b48425486f40a000f6a0d49..68b31cf262d626b7e7803c76ce39c3ee2f36a2a8 100644 (file)
@@ -774,6 +774,7 @@ static int manager_varlink_init_machine(Manager *m) {
                         "io.systemd.Machine.Open",        vl_method_open,
                         "io.systemd.Machine.MapFrom",     vl_method_map_from,
                         "io.systemd.Machine.MapTo",       vl_method_map_to,
+                        "io.systemd.Machine.BindMount",   vl_method_bind_mount,
                         "io.systemd.MachineImage.List",   vl_method_list_images,
                         "io.systemd.MachineImage.Update", vl_method_update_image,
                         "io.systemd.MachineImage.Clone",  vl_method_clone_image,
index 696d4020022572ca6e5b7e41399c0807b20e739c..e66c0e7423519d7ff9cb25d93bb6d56246a10c45 100644 (file)
@@ -147,6 +147,18 @@ static SD_VARLINK_DEFINE_METHOD(
                 SD_VARLINK_FIELD_COMMENT("Machine's name which owns mapped UID/GID"),
                 SD_VARLINK_DEFINE_OUTPUT(machineName, SD_VARLINK_STRING, SD_VARLINK_NULLABLE));
 
+static SD_VARLINK_DEFINE_METHOD(
+                BindMount,
+                VARLINK_DEFINE_MACHINE_LOOKUP_AND_POLKIT_INPUT_FIELDS,
+                SD_VARLINK_FIELD_COMMENT("The source directory/file on the host"),
+                SD_VARLINK_DEFINE_INPUT(source, SD_VARLINK_STRING, 0),
+                SD_VARLINK_FIELD_COMMENT("The destination directory/file in the container. If null, it's equal to 'source'"),
+                SD_VARLINK_DEFINE_INPUT(destination, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
+                SD_VARLINK_FIELD_COMMENT("If true, the bind mount shall be read-only"),
+                SD_VARLINK_DEFINE_INPUT(readOnly, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
+                SD_VARLINK_FIELD_COMMENT("The destination mount point shall be created first, if it is missing"),
+                SD_VARLINK_DEFINE_INPUT(mkdir, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
+
 static SD_VARLINK_DEFINE_ERROR(NoSuchMachine);
 static SD_VARLINK_DEFINE_ERROR(MachineExists);
 static SD_VARLINK_DEFINE_ERROR(NoPrivateNetworking);
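Review bot: `destination`, `readOnly` and `mkdir` are declared `SD_VARLINK_NULLABLE` in this method definition, but the corresponding dispatch rows in vl_method_bind_mount are typed `SD_JSON_VARIANT_STRING`/`SD_JSON_VARIANT_BOOLEAN` with flags `0` rather than `SD_JSON_NULLABLE`, so a client that sends an explicit JSON `null` as the schema permits is presumably rejected as an invalid parameter, while omitting the field is accepted. Either add `SD_JSON_NULLABLE` to those three dispatch entries or drop the nullable marker here so the published interface matches what the server accepts. The field comment for `destination` could also be tightened to `The destination path inside the container; if omitted, the same path as 'source' is used`, which describes the behavior the handler implements (`p.dest ?: p.src`) without the ambiguous "equal to".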
@@ -187,6 +199,8 @@ SD_VARLINK_DEFINE_INTERFACE(
                 &vl_method_MapFrom,
                 SD_VARLINK_SYMBOL_COMMENT("Maps given host's UID/GID to a machine and corresponding UID/GID"),
                 &vl_method_MapTo,
+                SD_VARLINK_SYMBOL_COMMENT("Bind mounts a file or directory from the host into the container"),
+                &vl_method_BindMount,
                 SD_VARLINK_SYMBOL_COMMENT("No matching machine currently running"),
                 &vl_error_NoSuchMachine,
                 &vl_error_MachineExists,
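Review bot: The symbol comment `Bind mounts a file or directory from the host into the container` leaves out two conditions that vl_method_bind_mount enforces and that a client needs to know: the call is refused with `io.systemd.Machine.NotSupported` for any machine that is not a container, and also for containers whose UID shift is non-zero (user namespacing applied), and it is gated on polkit authorization for `org.freedesktop.machine1.manage-machines`. Suggest extending the comment to `Bind mounts a file or directory from the host into the container. Only supported for container machines without user namespacing; fails with NotSupported otherwise.` so the constraints are discoverable from the interface description alone.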