[lxc-devel] [lxd/master] Mount options for disk device mounts #6225
splett2 on Github
lxc-bot at linuxcontainers.org
Sat Nov 9 22:15:25 UTC 2019
From 138f0a05c87e1fa85acd3eb3b01af0c79471dd29 Mon Sep 17 00:00:00 2001
From: Lily <lily at wireless-10-147-28-83.public.utexas.edu>
Date: Sat, 9 Nov 2019 15:17:40 -0600
Subject: [PATCH 1/4] api: Add extension for passing in raw mount options
Signed-off-by: Lillian J. Johnson lillianjanjohnson at gmail.com
---
doc/api-extensions.md | 3 +++
shared/version/api.go | 1 +
2 files changed, 4 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 1ffb73084e..ca09e50e41 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -869,3 +869,6 @@ elevated permissions.
## compression_squashfs
Adds support for importing/exporting of images/backups using SquashFS file system format.
+
+## container\_raw\_mount
+This adds support for passing in raw mount options for disk devices.
\ No newline at end of file
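Review bot: The extension description does not name the configuration key it introduces, and the extension name (`container_raw_mount`) does not match that key (`raw.mount.options`, per the containers.md hunk), so a client checking for the extension has no way to find the key from this text. Suggest "Adds the `raw.mount.options` disk device property, passed verbatim as the data argument of mount(2) for block-device sources." Also, the hunk drops the trailing newline of doc/api-extensions.md (`\ No newline at end of file`); every other section in that file ends with one, so the next extension added will produce a noisy diff.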
diff --git a/shared/version/api.go b/shared/version/api.go
index 6498b1d156..f6b0e345a1 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -174,6 +174,7 @@ var APIExtensions = []string{
"ceph_data_pool_name",
"container_syscall_intercept_mount",
"compression_squashfs",
+ "container_raw_mount",
}
// APIExtensionsCount returns the number of available API extensions.
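Review bot: Style point: the extension is named `container_raw_mount` but the feature is a disk device property, not a container-level `raw.*` key like `raw.lxc` or `raw.apparmor`. A name that matches the key, such as `disk_raw_mount_options`, would keep the list greppable. Whatever the name, it must be identical to the heading in doc/api-extensions.md, since that is the string clients test for.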
From 37cc012696d7763222f422c619fdc91d7b6fef96 Mon Sep 17 00:00:00 2001
From: Lily <lily at wireless-10-147-28-83.public.utexas.edu>
Date: Sat, 9 Nov 2019 15:20:15 -0600
Subject: [PATCH 2/4] doc/container: added raw_mount_options to disk options
Signed-off-by: Lillian J. Johnson lillianjanjohnson at gmail.com
---
doc/containers.md | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/doc/containers.md b/doc/containers.md
index 88a095a67e..38543c0c31 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -481,20 +481,21 @@ if the source is a block device, a regular mount.
The following properties exist:
-Key | Type | Default | Required | Description
-:-- | :-- | :-- | :-- | :--
-limits.read | string | - | no | I/O limit in byte/s (various suffixes supported, see below) or in iops (must be suffixed with "iops")
-limits.write | string | - | no | I/O limit in byte/s (various suffixes supported, see below) or in iops (must be suffixed with "iops")
-limits.max | string | - | no | Same as modifying both limits.read and limits.write
-path | string | - | yes | Path inside the container where the disk will be mounted
-source | string | - | yes | Path on the host, either to a file/directory or to a block device
-required | boolean | true | no | Controls whether to fail if the source doesn't exist
-readonly | boolean | false | no | Controls whether to make the mount read-only
-size | string | - | no | Disk size in bytes (various suffixes supported, see below). This is only supported for the rootfs (/).
-recursive | boolean | false | no | Whether or not to recursively mount the source path
-pool | string | - | no | The storage pool the disk device belongs to. This is only applicable for storage volumes managed by LXD.
-propagation | string | - | no | Controls how a bind-mount is shared between the container and the host. (Can be one of `private`, the default, or `shared`, `slave`, `unbindable`, `rshared`, `rslave`, `runbindable`, `rprivate`. Please see the Linux Kernel [shared subtree](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) documentation for a full explanation)
-shift | boolean | false | no | Setup a shifting overlay to translate the source uid/gid to match the container
+Key | Type | Default | Required | Description
+:-- | :-- | :-- | :-- | :--
+limits.read | string | - | no | I/O limit in byte/s (various suffixes supported, see below) or in iops (must be suffixed with "iops")
+limits.write | string | - | no | I/O limit in byte/s (various suffixes supported, see below) or in iops (must be suffixed with "iops")
+limits.max | string | - | no | Same as modifying both limits.read and limits.write
+path | string | - | yes | Path inside the container where the disk will be mounted
+source | string | - | yes | Path on the host, either to a file/directory or to a block device
+required | boolean | true | no | Controls whether to fail if the source doesn't exist
+readonly | boolean | false | no | Controls whether to make the mount read-only
+size | string | - | no | Disk size in bytes (various suffixes supported, see below). This is only supported for the rootfs (/).
+recursive | boolean | false | no | Whether or not to recursively mount the source path
+pool | string | - | no | The storage pool the disk device belongs to. This is only applicable for storage volumes managed by LXD.
+propagation | string | - | no | Controls how a bind-mount is shared between the container and the host. (Can be one of `private`, the default, or `shared`, `slave`, `unbindable`, `rshared`, `rslave`, `runbindable`, `rprivate`. Please see the Linux Kernel [shared subtree](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) documentation for a full explanation)
+shift | boolean | false | no | Setup a shifting overlay to translate the source uid/gid to match the container
+raw.mount.options| string | - | no | Filesystem specific mount options
If multiple disks, backed by the same block device, have I/O limits set,
the average of the limits will be used.
From ac4c6350a646aa213e1f74bbd8fb3e3ac20b2f89 Mon Sep 17 00:00:00 2001
From: Lily <lily at wireless-10-147-28-83.public.utexas.edu>
Date: Sat, 9 Nov 2019 15:25:33 -0600
Subject: [PATCH 3/4] lxd/device add support for raw_mount_options for disk
device mounts
Signed-off-by: Lillian J. Johnson lillianjanjohnson at gmail.com
---
lxd/device/device_utils_disk.go | 8 ++++----
lxd/device/device_utils_unix.go | 2 +-
lxd/device/disk.go | 3 ++-
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/lxd/device/device_utils_disk.go b/lxd/device/device_utils_disk.go
index 469f32ad54..7d84d3b0cb 100644
--- a/lxd/device/device_utils_disk.go
+++ b/lxd/device/device_utils_disk.go
@@ -48,7 +48,7 @@ func IsBlockdev(path string) bool {
}
// DiskMount mounts a disk device.
-func DiskMount(srcPath string, dstPath string, readonly bool, recursive bool, propagation string) error {
+func DiskMount(srcPath string, dstPath string, readonly bool, recursive bool, propagation string, rawMountOptions string) error {
var err error
// Prepare the mount flags
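Review bot: `DiskMount` now takes six positional parameters, two of them adjacent strings with no type distinction, so call sites read as `DiskMount(srcPath, devPath, false, false, "", "")` (see the device_utils_unix.go hunk) and a swapped `propagation`/`rawMountOptions` argument would compile silently. At minimum the doc comment on the exported function should say that `rawMountOptions` is handed to mount(2) unmodified as its data argument and is only meaningful for block-device sources; an options struct would be the cleaner fix.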
@@ -95,7 +95,7 @@ func DiskMount(srcPath string, dstPath string, readonly bool, recursive bool, pr
}
// Mount the filesystem
- err = unix.Mount(srcPath, dstPath, fstype, uintptr(flags), "")
+ err = unix.Mount(srcPath, dstPath, fstype, uintptr(flags), rawMountOptions)
if err != nil {
return fmt.Errorf("Unable to mount %s at %s: %s", srcPath, dstPath, err)
}
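Review bot: Passing `rawMountOptions` here only has an effect when `flags` does not contain `MS_BIND`: for bind mounts the kernel ignores both `fstype` and the data argument, so a user who sets `raw.mount.options` on a directory source gets no error and no effect. For block-device sources the string reaches the host filesystem driver unmodified; the error path already includes the kernel's `err`, which is the only diagnostic a caller will get for a malformed option string, so consider appending the option string to the `Unable to mount` message to make that failure debuggable.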
@@ -103,14 +103,14 @@ func DiskMount(srcPath string, dstPath string, readonly bool, recursive bool, pr
// Remount bind mounts in readonly mode if requested
if readonly == true && flags&unix.MS_BIND == unix.MS_BIND {
flags = unix.MS_RDONLY | unix.MS_BIND | unix.MS_REMOUNT
- err = unix.Mount("", dstPath, fstype, uintptr(flags), "")
+ err = unix.Mount("", dstPath, fstype, uintptr(flags), rawMountOptions)
if err != nil {
return fmt.Errorf("Unable to mount %s in readonly mode: %s", dstPath, err)
}
}
flags = unix.MS_REC | unix.MS_SLAVE
- err = unix.Mount("", dstPath, "", uintptr(flags), "")
+ err = unix.Mount("", dstPath, "", uintptr(flags), rawMountOptions)
if err != nil {
return fmt.Errorf("unable to make mount %s private: %s", dstPath, err)
}
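Review bot: The two new `rawMountOptions` arguments in this hunk should be reverted to `""`. The read-only remount uses `MS_RDONLY | MS_BIND | MS_REMOUNT`, and for a bind remount the kernel only updates per-mountpoint flags and ignores the data argument; the propagation call uses `MS_REC | MS_SLAVE`, for which the kernel ignores source, fstype and data entirely. Passing the options there is dead input today and would silently change meaning if `MS_BIND` were ever dropped from the remount flags, at which point a plain `MS_REMOUNT` would re-feed the string to the filesystem. Minor, since the line is being touched anyway: the error message says "make mount %s private" while the flag applied is `MS_SLAVE`.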
diff --git a/lxd/device/device_utils_unix.go b/lxd/device/device_utils_unix.go
index 632cbff564..53cb50bb07 100644
--- a/lxd/device/device_utils_unix.go
+++ b/lxd/device/device_utils_unix.go
@@ -273,7 +273,7 @@ func UnixDeviceCreate(s *state.State, idmapSet *idmap.IdmapSet, devicesPath stri
}
f.Close()
- err = DiskMount(srcPath, devPath, false, false, "")
+ err = DiskMount(srcPath, devPath, false, false, "", "")
if err != nil {
return nil, err
}
diff --git a/lxd/device/disk.go b/lxd/device/disk.go
index 954dd56849..d708d00461 100644
--- a/lxd/device/disk.go
+++ b/lxd/device/disk.go
@@ -75,6 +75,7 @@ func (d *disk) validateConfig() error {
"size": shared.IsAny,
"pool": shared.IsAny,
"propagation": validatePropagation,
+ "raw.mount.options": shared.IsAny,
}
err := d.config.Validate(rules)
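Review bot: `shared.IsAny` is too permissive for a value that is passed verbatim to mount(2) on the host with LXD's privileges. The string is interpreted by the host kernel's filesystem driver, not by the container, so options such as ext4's `errors=panic` affect the host, and options like `ro`, `bind` or `remount` duplicate or conflict with what `readonly` and `propagation` already control. Suggest a `validateRawMountOptions` rule that splits on commas, rejects empty entries and entries containing whitespace, and rejects the generic flag names handled elsewhere in this device, so that the only strings reaching the kernel are filesystem-specific key=value pairs.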
@@ -606,7 +607,7 @@ func (d *disk) createDevice() (string, error) {
}
// Mount the fs.
- err := DiskMount(srcPath, devPath, isReadOnly, isRecursive, d.config["propagation"])
+ err := DiskMount(srcPath, devPath, isReadOnly, isRecursive, d.config["propagation"], d.config["raw.mount.options"])
if err != nil {
return "", err
}
From 39a409083bc9fdd5fce25114baf60b6bd3c544f0 Mon Sep 17 00:00:00 2001
From: Lily <lily at wireless-10-147-28-83.public.utexas.edu>
Date: Sat, 9 Nov 2019 15:39:45 -0600
Subject: [PATCH 4/4] tests: Add test for raw.mount.options for disk device
mounts
Signed-off-by: Lillian J. Johnson lillianjanjohnson at gmail.com
---
doc/containers.md | 2 +-
test/suites/container_devices_disk.sh | 26 ++++++++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/doc/containers.md b/doc/containers.md
index 38543c0c31..5441367e3b 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -495,7 +495,7 @@ recursive | boolean | false | no | Whether or not to
pool | string | - | no | The storage pool the disk device belongs to. This is only applicable for storage volumes managed by LXD.
propagation | string | - | no | Controls how a bind-mount is shared between the container and the host. (Can be one of `private`, the default, or `shared`, `slave`, `unbindable`, `rshared`, `rslave`, `runbindable`, `rprivate`. Please see the Linux Kernel [shared subtree](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) documentation for a full explanation)
shift | boolean | false | no | Setup a shifting overlay to translate the source uid/gid to match the container
-raw.mount.options| string | - | no | Filesystem specific mount options
+raw.mount.options| string | - | no | Filesystem specific mount options
If multiple disks, backed by the same block device, have I/O limits set,
the average of the limits will be used.
diff --git a/test/suites/container_devices_disk.sh b/test/suites/container_devices_disk.sh
index 91ef518b0f..b79738cfdf 100644
--- a/test/suites/container_devices_disk.sh
+++ b/test/suites/container_devices_disk.sh
@@ -5,6 +5,7 @@ test_container_devices_disk() {
lxc launch testimage foo
test_container_devices_disk_shift
+ test_container_devices_raw_mount_options
lxc delete -f foo
}
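Review bot: The new test needs `mkfs.vfat` (dosfstools) on the host; the outer function should check `command -v mkfs.vfat` and skip the subtest with a message when it is absent, as the rest of this suite does for optional tooling, otherwise the whole `container_devices_disk` suite fails on a host without it.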
@@ -59,3 +60,28 @@ test_container_devices_disk_shift() {
lxc storage volume delete "${POOL}" foo-shift
lxc stop foo -f
}
+
+test_container_devices_raw_mount_options() {
+ configure_loop_device loop_file_1 loop_device_1
+ mkfs.vfat "${loop_device_1}"
+
+ lxc launch testimage foo-priv -c security.privileged=true
+
+ lxc config device add foo-priv loop_raw_mount_options disk source="${loop_device_1}" path=/mnt
+ [ "$(lxc exec foo -- stat /mnt -c '%u:%g')" = "0:0" ] || false
+ lxc config device remove foo-priv loop_raw_mount_options
+
+ lxc config device add foo-priv loop_raw_mount_options disk source="${loop_device_1}" path=/mnt raw.mount.options=uid=123,gid=456
+ [ "$(lxc exec foo -- stat /mnt -c '%u:%g')" = "123:456" ] || false
+ lxc config device remove foo-priv loop_raw_mount_options
+
+ lxc stop foo-priv -f
+ lxc config device add foo-priv loop_raw_mount_options disk source="${loop_device_1}" path=/mnt raw.mount.options=uid=123,gid=456
+ lxc start foo-priv
+
+ [ "$(lxc exec foo -- stat /mnt -c '%u:%g')" = "123:456" ] || false
+ lxc config device remove foo-priv loop_raw_mount_options
+
+ lxc delete -f foo-priv
+ deconfigure_loop_device "${loop_file_1}" "${loop_device_1}"
+}
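Review bot: All three assertions run `lxc exec foo -- stat /mnt`, but the disk device is attached to `foo-priv`, so they inspect the wrong container: the first check passes trivially because `/mnt` in `foo` is root-owned, and the `123:456` checks cannot succeed. Change them to `lxc exec foo-priv -- stat /mnt -c '%u:%g'`. Two further gaps: the test never exercises the failure path (a malformed option string, e.g. `raw.mount.options=bogus=1`, should make `lxc config device add` fail rather than leave a half-configured device), and it never checks what happens when `raw.mount.options` is set on a directory source, which the implementation currently accepts and ignores. Finally, `lxc delete -f foo-priv` is not reached if an earlier assertion fails, so the loop device leaks; consider registering cleanup the way `test_container_devices_disk_shift` handles its volume.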