From: Lennart Poettering Date: Tue, 14 Jan 2025 15:51:27 +0000 (+0100) Subject: nspawn: enable usrquota support on /tmp/ and /dev/shm/ X-Git-Tag: v258-rc1~1560^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F36036%2Fhead;p=thirdparty%2Fsystemd.git nspawn: enable usrquota support on /tmp/ and /dev/shm/ --- diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index f64d6b48a62..b666a3585dd 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -588,7 +588,7 @@ int mount_all(const char *dest, /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing when we are privileged) */ { "tmpfs", "/tmp", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME, - MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR }, + MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR|MOUNT_USRQUOTA_GRACEFUL }, { "tmpfs", "/sys", "tmpfs", "mode=0555" TMPFS_LIMITS_SYS, MS_NOSUID|MS_NOEXEC|MS_NODEV, MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS|MOUNT_MKDIR|MOUNT_PRIVILEGED }, { "sysfs", "/sys", "sysfs", NULL, SYS_DEFAULT_MOUNT_FLAGS, @@ -598,7 +598,7 @@ int mount_all(const char *dest, { "tmpfs", "/dev", "tmpfs", "mode=0755" TMPFS_LIMITS_PRIVATE_DEV, MS_NOSUID|MS_STRICTATIME, MOUNT_FATAL|MOUNT_MKDIR }, { "tmpfs", "/dev/shm", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME, - MOUNT_FATAL|MOUNT_MKDIR }, + MOUNT_FATAL|MOUNT_MKDIR|MOUNT_USRQUOTA_GRACEFUL }, { "tmpfs", "/run", "tmpfs", "mode=0755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME, MOUNT_FATAL|MOUNT_MKDIR }, { "/run/host", "/run/host", NULL, NULL, MS_BIND, @@ -706,6 +706,23 @@ int mount_all(const char *dest, o = options; } + if (FLAGS_SET(m->mount_settings, MOUNT_USRQUOTA_GRACEFUL)) { + r = mount_option_supported(m->type, /* key= */ "usrquota", /* value= */ NULL); + if (r < 0) + log_warning_errno(r, "Failed to determine if '%s' supports 'usrquota', assuming it doesn't: %m", m->type); + else if (r == 0) + log_info("Kernel doesn't support 'usrquota' on '%s', not including in mount options for '%s'.", m->type, m->where); + else { + _cleanup_free_ char *joined = NULL; + + if (!strextend_with_separator(&joined, ",", o ?: POINTER_MAX, "usrquota")) + return log_oom(); + + free_and_replace(options, joined); + o = options; + } + } + if (FLAGS_SET(m->mount_settings, MOUNT_PREFIX_ROOT)) { /* Optionally prefix the mount source with the root dir. This is useful in bind * mounts to be created within the container image before we transition into it. Note diff --git a/src/nspawn/nspawn-mount.h b/src/nspawn/nspawn-mount.h index 53aa993d6a2..1f54b516252 100644 --- a/src/nspawn/nspawn-mount.h +++ b/src/nspawn/nspawn-mount.h @@ -21,6 +21,7 @@ typedef enum MountSettingsMask { MOUNT_PREFIX_ROOT = 1 << 10,/* if set, prefix the source path with the container's root directory */ MOUNT_FOLLOW_SYMLINKS = 1 << 11,/* if set, we'll follow symlinks for the mount target */ MOUNT_PRIVILEGED = 1 << 12,/* if set, we'll only mount this in the outer child if we are running in privileged mode */ + MOUNT_USRQUOTA_GRACEFUL = 1 << 13,/* if set, append "usrquota" to mount options if kernel tmpfs supports that */ } MountSettingsMask; typedef enum CustomMountType {