opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-23 02:18:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

applehv: allow virtiofs to mount to /

Browse Source 
FCOS has a security limitation where new directories cannot be added to the root / directory of its filesystem.  This PR uses the work-around discussed in https://github.com/coreos/rpm-ostree/issues/337#issuecomment-1000923022 to temporarily disable the limitation, perform the mkdir, and then re-enable the limitation.

This PR allows mounts on the applehv to actually work.

[NO NEW TESTS NEEDED]

Signed-off-by: Brent Baude <bbaude@redhat.com>
This commit is contained in:
Brent Baude
2023-11-06 14:05:23 -06:00
parent 0cd20090b2
commit d44f71c13d
1 changed files with 43 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
pkg/machine/applehv/machine.go
View File

@ -1084,13 +1084,20 @@ func (m *MacMachine) isIncompatible() bool {
} }
func generateSystemDFilesForVirtiofsMounts(mounts []machine.VirtIoFs) []machine.Unit { func generateSystemDFilesForVirtiofsMounts(mounts []machine.VirtIoFs) []machine.Unit {
var unitFiles []machine.Unit // mounting in fcos with virtiofs is a bit of a dance. we need a unit file for the mount, a unit file
// for automatic mounting on boot, and a "preparatory" service file that disables FCOS security, performs
// the mkdir of the mount point, and then re-enables security. This must be done for each mount.
var unitFiles []machine.Unit
for _, mnt := range mounts { for _, mnt := range mounts {
// Here we are looping the mounts and for each mount, we are adding two unit files
// for virtiofs. One unit file is the mount itself and the second is to automount it
// on boot.
autoMountUnit := `[Automount] autoMountUnit := `[Automount]
Where=%s Where=%s
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
[Unit] [Unit]
Description=Mount virtiofs volume %s Description=Mount virtiofs volume %s
` `
@ -1098,9 +1105,10 @@ Description=Mount virtiofs volume %s
What=%s What=%s
Where=%s Where=%s
Type=virtiofs Type=virtiofs
[Install]
WantedBy=multi-user.target`
[Install]
WantedBy=multi-user.target
`
virtiofsAutomount := machine.Unit{ virtiofsAutomount := machine.Unit{
Enabled: machine.BoolToPtr(true), Enabled: machine.BoolToPtr(true),
Name: fmt.Sprintf("%s.automount", mnt.Tag), Name: fmt.Sprintf("%s.automount", mnt.Tag),
@ -1111,7 +1119,38 @@ WantedBy=multi-user.target`
Name: fmt.Sprintf("%s.mount", mnt.Tag), Name: fmt.Sprintf("%s.mount", mnt.Tag),
Contents: machine.StrToPtr(fmt.Sprintf(mountUnit, mnt.Tag, mnt.Target)), Contents: machine.StrToPtr(fmt.Sprintf(mountUnit, mnt.Tag, mnt.Target)),
} }
unitFiles = append(unitFiles, virtiofsAutomount, virtiofsMount)
// This "unit" simulates something like systemctl enable virtiofs-mount-prepare@
enablePrep := machine.Unit{
Enabled: machine.BoolToPtr(true),
Name: fmt.Sprintf("virtiofs-mount-prepare@%s.service", mnt.Tag),
}
unitFiles = append(unitFiles, virtiofsAutomount, virtiofsMount, enablePrep)
} }
// mount prep is a way to workaround the FCOS limitation of creating directories
// at the rootfs / and then mounting to them.
mountPrep := `
[Unit]
Description=Allow virtios to mount to /
DefaultDependencies=no
ConditionPathExists=!%f
[Service]
Type=oneshot
ExecStartPre=chattr -i /
ExecStart=mkdir -p '%f'
ExecStopPost=chattr +i /
[Install]
WantedBy=remote-fs.target
`
virtioFSChattr := machine.Unit{
Contents: machine.StrToPtr(mountPrep),
Name: "virtiofs-mount-prepare@.service",
}
unitFiles = append(unitFiles, virtioFSChattr)
return unitFiles return unitFiles
} }