authorIvan Kruglov <mail@ikruglov.com>2024-12-18 19:06:36 +0100
committerIvan Kruglov <mail@ikruglov.com>2025-01-02 16:58:16 +0100
commitd12b63f168a256c4bbed3bba71b21209ebc3c69a (patch)
tree8a0fc76082c552bffb56f4206ccb965b97c0f205 /src/machine
parentsystemctl: certainly ignore ENOENT in checking inhibitors (diff)
machine: introduce io.systemd.Machine.BindMount method
Diffstat (limited to 'src/machine')
-rw-r--r--src/machine/machine-varlink.c97
-rw-r--r--src/machine/machine-varlink.h1
-rw-r--r--src/machine/machined-varlink.c1
3 files changed, 99 insertions, 0 deletions
diff --git a/src/machine/machine-varlink.c b/src/machine/machine-varlink.c
index 1d2814b26a..a88c2930cf 100644
--- a/src/machine/machine-varlink.c
+++ b/src/machine/machine-varlink.c
@@ -12,6 +12,7 @@
#include "json-util.h"
#include "machine-varlink.h"
#include "machine.h"
+#include "mount-util.h"
#include "path-util.h"
#include "pidref.h"
#include "process-util.h"
@@ -728,3 +729,99 @@ int vl_method_map_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_m
return sd_varlink_reply(link, v);
}
+
+typedef struct MachineMountParameters {
+ const char *name;
+ PidRef pidref;
+ char *src;
+ char *dest;
+ bool read_only;
+ bool mkdir;
+} MachineMountParameters;
+
+static void machine_mount_paramaters_done(MachineMountParameters *p) {
+ assert(p);
+
+ pidref_done(&p->pidref);
+ free(p->src);
+ free(p->dest);
+}
+
+int vl_method_bind_mount(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
+ static const sd_json_dispatch_field dispatch_table[] = {
+ VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineOpenParameters),
+ { "source", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineMountParameters, src), SD_JSON_MANDATORY },
+ { "destination", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineMountParameters, dest), 0 },
+ { "readOnly", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineMountParameters, read_only), 0 },
+ { "mkdir", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineMountParameters, mkdir), 0 },
+ VARLINK_DISPATCH_POLKIT_FIELD,
+ {}
+ };
+
+ Manager *manager = ASSERT_PTR(userdata);
+ _cleanup_(machine_mount_paramaters_done) MachineMountParameters p = {
+ .pidref = PIDREF_NULL
+ };
+ MountInNamespaceFlags mount_flags = 0;
+ uid_t uid_shift;
+ int r;
+
+ assert(link);
+ assert(parameters);
+
+ r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
+ if (r != 0)
+ return r;
+
+ /* There is no need for extra validation since json_dispatch_path() does path_is_valid() and path_is_absolute().*/
+ const char *dest = p.dest ?: p.src;
+
+ Machine *machine;
+ r = lookup_machine_by_name_or_pidref(link, manager, p.name, &p.pidref, &machine);
+ if (r == -ESRCH)
+ return sd_varlink_error(link, "io.systemd.Machine.NoSuchMachine", NULL);
+ if (r != 0)
+ return r;
+
+ if (machine->class != MACHINE_CONTAINER)
+ return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
+
+ r = varlink_verify_polkit_async(
+ link,
+ manager->bus,
+ "org.freedesktop.machine1.manage-machines",
+ (const char**) STRV_MAKE("name", machine->name,
+ "verb", "bind",
+ "src", p.src,
+ "dest", dest),
+ &manager->polkit_registry);
+ if (r <= 0)
+ return r;
+
+ r = machine_get_uid_shift(machine, &uid_shift);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to get machine UID shift: %m");
+ if (uid_shift != 0) {
+ log_debug("Can't bind mount on container '%s' with user namespacing applied", machine->name);
+ return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
+ }
+
+ if (p.read_only)
+ mount_flags |= MOUNT_IN_NAMESPACE_READ_ONLY;
+ if (p.mkdir)
+ mount_flags |= MOUNT_IN_NAMESPACE_MAKE_FILE_OR_DIRECTORY;
+
+ const char *propagate_directory = strjoina("/run/systemd/nspawn/propagate/", machine->name);
+
+ r = bind_mount_in_namespace(
+ &machine->leader,
+ propagate_directory,
+ "/run/host/incoming/",
+ p.src,
+ dest,
+ mount_flags);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to mount %s on %s in the namespace of machine '%s': %m", p.src, dest, machine->name);
+
+ return sd_varlink_reply(link, NULL);
+}
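Review bot: The dispatch-table line `VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineOpenParameters)` is instantiated with a different struct type than the table actually dispatches into (`MachineMountParameters`, as every other entry and the `&p` passed to sd_varlink_dispatch() show). If, as the surrounding `offsetof()` entries suggest, the macro computes member offsets for `name` and `pidref` against the type it is given, the lookup only works because both structs happen to begin with those two fields in the same order, and a later reordering of either struct would silently write into the wrong members of `p`. The line should read `VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineMountParameters),`. As a smaller point of style, the cleanup helper is misspelled in both its definition and its `_cleanup_()` use (`machine_mount_paramaters_done`), and the method has no header comment; a short one such as `/* Bind-mounts a host path into a container's mount namespace after a polkit check; refused for non-container machines and for containers with a non-zero UID shift. */` would state the contract the code enforces.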
diff --git a/src/machine/machine-varlink.h b/src/machine/machine-varlink.h
index 984a8d8f3e..401d8f5c68 100644
--- a/src/machine/machine-varlink.h
+++ b/src/machine/machine-varlink.h
@@ -27,3 +27,4 @@ int vl_method_kill(sd_varlink *link, sd_json_variant *parameters, sd_varlink_met
int vl_method_open(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
int vl_method_map_from(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
int vl_method_map_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
+int vl_method_bind_mount(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
index 104b841dd5..68b31cf262 100644
--- a/src/machine/machined-varlink.c
+++ b/src/machine/machined-varlink.c
@@ -774,6 +774,7 @@ static int manager_varlink_init_machine(Manager *m) {
"io.systemd.Machine.Open", vl_method_open,
"io.systemd.Machine.MapFrom", vl_method_map_from,
"io.systemd.Machine.MapTo", vl_method_map_to,
+ "io.systemd.Machine.BindMount", vl_method_bind_mount,
"io.systemd.MachineImage.List", vl_method_list_images,
"io.systemd.MachineImage.Update", vl_method_update_image,
"io.systemd.MachineImage.Clone", vl_method_clone_image,