From 622fe63eb37f957ee5c29684e24f1d2d636fd086 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 3 Apr 2017 11:57:55 +0200 Subject: Adding support for bind-ro nspawn option for read-only bind mounts. Signed-off-by: Daniel Baumann --- lib/container/create | 24 +++++++++++++++++++++--- lib/container/move | 29 ++++++++++++++++++++++++++++- lib/container/remove | 17 ++++++++++++++++- lib/container/start | 23 ++++++++++++++++++++++- lib/container/stop | 17 ++++++++++++++++- 5 files changed, 103 insertions(+), 7 deletions(-) (limited to 'lib') diff --git a/lib/container/create b/lib/container/create index 54cbb1d..b4fc5e9 100755 --- a/lib/container/create +++ b/lib/container/create @@ -27,7 +27,7 @@ SCRIPTS="/usr/share/container-tools/scripts" Parameters () { - GETOPT_LONGOPTIONS="name:,cnt.auto:,cnt.overlay:,bind:,capability:,drop-capability:script:," + GETOPT_LONGOPTIONS="name:,cnt.auto:,cnt.overlay:,bind:,bind-ro:,capability:,drop-capability:script:," GETOPT_OPTIONS="n:,b:,c:,d:,s:," PARAMETERS="$(getopt --longoptions ${GETOPT_LONGOPTIONS} --name=${COMMAND} --options ${GETOPT_OPTIONS} --shell sh -- ${@})" @@ -63,6 +63,11 @@ Parameters () shift 2 ;; + --bind-ro) + BIND_RO="${2}" + shift 2 + ;; + -c|--capability) CAPABILITY="${2}" shift 2 
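Review bot: The edited GETOPT_LONGOPTIONS line still carries `drop-capability:script:,` with no comma between the two names, so getopt most likely registers a single long option `drop-capability:script` rather than `drop-capability` and `script`. Since this commit already touches that line, the tail should read `capability:,drop-capability:,script:,`. The added `bind-ro:` entry itself is correct; unlike the other options it has no short flag, which is presumably deliberate because `-b` is taken, and a brief comment saying so would stop someone adding one later. The rest of Parameters() is outside the hunk.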
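Review bot: Nothing in this diff persists the value the new `--bind-ro)` arm stores in `BIND_RO`: no hunk in lib/container/create writes a `bind-ro=` line to `${CONFIG}/${NAME}.conf`, yet that key is exactly what move, remove, start and stop read back. Unless the config file is generated elsewhere from the environment (not visible here), the option is accepted and then silently dropped. The config-writing part of create and the rest of Parameters() lie outside the hunk, so please confirm where `bind-ro=${BIND_RO}` is emitted, or add it next to the existing `bind=` line.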
@@ -93,7 +98,7 @@ Parameters () Usage () { - echo "Usage: container ${COMMAND} -n|--name NAME [--cnt.auto=true|false|FQDN] [--cnt.overlay=DIRECTORY_LOWER:DIRECTORY_UPPER:DIRECTORY_WORK:DIRECTORY_MERGED] [-b|--bind DIRECTORY:DIRECTORY[:OPTIONS]] [-c|--capability CAPABILITY[,CAPABILITY]] [-d|--drop-capability DROP_CAPABILITY[,DROP_CAPABILITY]] [-s|--script SCRIPT] [-- SCRIPT_OPTIONS]" >&2 + echo "Usage: container ${COMMAND} -n|--name NAME [--cnt.auto=true|false|FQDN] [--cnt.overlay=DIRECTORY_LOWER:DIRECTORY_UPPER:DIRECTORY_WORK:DIRECTORY_MERGED] [-b|--bind DIRECTORY:DIRECTORY[:OPTIONS]] [--bind-ro DIRECTORY:DIRECTORY[:OPTIONS]] [-c|--capability CAPABILITY[,CAPABILITY]] [-d|--drop-capability DROP_CAPABILITY[,DROP_CAPABILITY]] [-s|--script SCRIPT] [-- SCRIPT_OPTIONS]" >&2 exit 1 } @@ -151,7 +156,7 @@ do fi done -# Creating bind mounts +# Creating rw bind mounts if [ -n "${BIND}" ] then BINDS="$(echo ${BIND} | sed -e 's|;| |g')" @@ -164,6 +169,19 @@ then done fi +# Creating ro bind mounts +if [ -n "${BIND_RO}" ] +then + BINDS="$(echo ${BIND_RO} | sed -e 's|;| |g')" + + for BIND_RO in ${BINDS_RO} + do + DIRECTORY="$(echo ${BIND_RO} | awk -F: '{ print $1 }')" + + mkdir -p "${DIRECTORY}" + done +fi + # Creating overlay mounts if [ -n "${CNT_OVERLAY}" ] then diff --git a/lib/container/move b/lib/container/move index 78b0c7f..4d64c8a 100755 --- a/lib/container/move +++ b/lib/container/move @@ -141,7 +141,7 @@ done mv "${CONFIG}/${OLD}.conf" "${CONFIG}/${NEW}.conf" mv "${MACHINES}/${OLD}" "${MACHINES}/${NEW}" -# bind mounts +# rw bind mounts BIND="$(awk -F= '/^bind=/ { print $2 }' ${CONFIG}/${NAME}.conf)" if [ -n "${BIND}" ] 
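Review bot: The new read-only block assigns the split list to `BINDS` but loops over `${BINDS_RO}`, which is never set, so the loop body never runs and no source directory is created; the assignment should be `BINDS_RO="$(echo ${BIND_RO} | sed -e 's|;| |g')"`. The mistyped assignment also overwrites the rw list `BINDS` from the block above, and using `BIND_RO` as the loop variable clobbers the option value, so any later code that writes `BIND_RO` into the config would see only the final entry — a distinct name such as `for ENTRY in ${BINDS_RO}` avoids that. The rw block is cut off at the top of the hunk, so I cannot tell whether it has the same loop-variable issue.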
@@ -168,6 +168,33 @@ then done fi +# ro bind mounts +BIND_RO="$(awk -F= '/^bind-ro=/ { print $2 }' ${CONFIG}/${NAME}.conf)" + +if [ -n "${BIND_RO}" ] +then + BINDS_RO="$(echo ${BIND_RO} | sed -e 's|;| |g')" + + for BIND_RO in ${BINDS_RO} + do + SOURCE_OLD="$(echo ${BIND_RO} | awk -F: '{ print $1 }')" + SOURCE_NEW="$(echo ${SOURCE_OLD} | sed -e "s|${OLD}|${NEW}|g")" + + if [ "${SOURCE_OLD}" != "${SOURCE_NEW}" ] + then + mv "${SOURCE_OLD}" "${SOURCE_NEW}" + fi + + TARGET_OLD="$(echo ${BIND_RO} | awk -F: '{ print $2 }')" + TARGET_NEW="$(echo ${TARGET_OLD} | sed -e "s|${OLD}|${NEW}|g")" + + if [ "${TARGET_OLD}" != "${TARGET_NEW}" ] + then + mv "${MACHINES}/${NEW}/${TARGET_OLD}" "${MACHINES}/${NEW}/${TARGET_NEW}" + fi + done +fi + # config sed -i -e "s|${OLD}|${NEW}|g" "${CONFIG}/${NEW}.conf" diff --git a/lib/container/remove b/lib/container/remove index 03549a4..1b1ba7d 100755 --- a/lib/container/remove +++ b/lib/container/remove @@ -141,7 +141,7 @@ done # data if [ -e "${CONFIG}/${NAME}.conf" ] then - # Removing bind mounts + # Removing rw bind mounts BIND="$(awk -F= '/^bind=/ { print $2 }' ${CONFIG}/${NAME}.conf)" if [ -n "${BIND}" ] @@ -155,6 +155,21 @@ then rmdir --ignore-fail-on-non-empty --parents ${DIRECTORY} > /dev/null 2>&1 || true done fi + + # Removing ro bind mounts + BIND_RO="$(awk -F= '/^bind-ro=/ { print $2 }' ${CONFIG}/${NAME}.conf)" + + if [ -n "${BIND_RO}" ] + then + BINDS_RO="$(echo ${BIND_RO} | sed -e 's|;| |g')" + + for BIND_RO in ${BINDS_RO} + do + DIRECTORY="$(echo ${BIND_RO} | awk -F: '{ print $1 }')" + + rmdir --ignore-fail-on-non-empty --parents ${DIRECTORY} > /dev/null 2>&1 || true + done + fi fi # Run diff --git a/lib/container/start b/lib/container/start index 0009fd0..014e859 100755 --- a/lib/container/start +++ b/lib/container/start 
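Review bot: The path rewrite in the new ro block is unanchored: `sed -e "s|${OLD}|${NEW}|g"` replaces every occurrence of the old name anywhere in the path, so with OLD=`db` a source like `/srv/dbdata/db` becomes `/srv/NEWdata/NEW` and `mv "${SOURCE_OLD}" "${SOURCE_NEW}"` then relocates that host directory. OLD and NEW are also interpolated unescaped into the sed expression, so a name containing `|`, `&` or `\` changes the meaning of the substitution. Both issues are inherited from the rw block above, but new code could at least restrict the match to a whole path component, e.g. `sed -e "s|/${OLD}$|/${NEW}|" -e "s|/${OLD}/|/${NEW}/|g"`, and reject names outside `[A-Za-z0-9._-]` before this point. An `[ -e "${SOURCE_OLD}" ]` guard in front of each `mv` would also avoid an error when a directory does not exist yet.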
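Review bot: `rmdir --parents` in the new ro block does not stop at the bind source: after removing an empty `${DIRECTORY}` it continues with each empty ancestor (for `/srv/shared/foo` that is `/srv/shared` and then `/srv`), and `${DIRECTORY}` is unquoted, so a path with whitespace is split into several arguments. For a read-only bind the source is usually host data the container only views, so deleting it and its parents when the container is removed is surprising, and `> /dev/null 2>&1 || true` hides any sign of it. Consider `rmdir --ignore-fail-on-non-empty "${DIRECTORY}" > /dev/null 2>&1 || true` without `--parents`, or leaving ro sources alone entirely; the rw block above, which this copies, has the same behaviour.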
@@ -221,6 +221,27 @@ then done fi + BIND_RO="$(awk -F= '/^bind-ro=/ { print $2 }' ${CONFIG}/${NAME}.conf)" + + if [ -n "${BIND_RO}" ] + then + BINDS_RO="$(echo ${BIND_RO} | sed -e 's|;| |g')" + + for BIND_RO in ${BINDS_RO} + do + DIRECTORY="$(echo ${BIND_RO} | awk -F: '{ print $1 }')" + + mkdir -p "${DIRECTORY}" + done + + BIND_RO="" + + for DIRECTORIES in ${BINDS_RO} + do + BIND_RO="${BIND_RO} --bind ${DIRECTORIES}" + done + fi + BOOT="$(awk -F= '/^boot=/ { print $2 }' ${CONFIG}/${NAME}.conf || echo yes)" case "${BOOT}" in @@ -437,7 +458,7 @@ case "${START}" in *) # Run - ${SETARCH} systemd-nspawn --keep-unit ${BIND} ${BOOT} ${CAPABILITY} ${DIRECTORY} ${DROP_CAPABILITY} ${MACHINE} ${NETWORK_VETH_EXTRA} ${LINK_JOURNAL} ${REGISTER} + ${SETARCH} systemd-nspawn --keep-unit ${BIND} ${BIND_RO} ${BOOT} ${CAPABILITY} ${DIRECTORY} ${DROP_CAPABILITY} ${MACHINE} ${NETWORK_VETH_EXTRA} ${LINK_JOURNAL} ${REGISTER} # Post hooks for FILE in "${HOOKS}/post-${COMMAND}".* "${HOOKS}/${NAME}.post-${COMMAND}" diff --git a/lib/container/stop b/lib/container/stop index b8793ac..359a136 100755 --- a/lib/container/stop +++ b/lib/container/stop @@ -127,7 +127,7 @@ case "${CLEAN}" in done fi - # Removing bind mounts + # Removing rw bind mounts BIND="$(awk -F= '/^bind=/ { print $2 }' ${CONFIG}/${NAME}.conf)" if [ -n "${BIND}" ] @@ -142,6 +142,21 @@ case "${CLEAN}" in done fi + # Removing ro bind mounts + BIND_RO="$(awk -F= '/^bind-ro=/ { print $2 }' ${CONFIG}/${NAME}.conf)" + + if [ -n "${BIND_RO}" ] + then + BINDS_RO="$(echo ${BIND_RO} | sed -e 's|;| |g')" + + for BIND_RO in ${BINDS_RO} + do + DIRECTORY="$(echo ${BIND_RO} | awk -F: '{ print $1 }')" + + rmdir --ignore-fail-on-non-empty --parents ${DIRECTORY} > /dev/null 2>&1 || true + done + fi + # Removing network configuration NETWORK_VETH_EXTRA_CONF="$(awk -F= '/^network-veth-extra=/ { print $2 }' ${CONFIG}/${NAME}.conf)" -- cgit v1.2.3
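Review bot: The option string built in the new block passes `--bind`, not `--bind-ro`, so every entry configured as read-only is mounted read-write inside the container — the property the commit sets out to add is not delivered, and the container can modify host directories the administrator intended to expose read-only. The fix is the one line `BIND_RO="${BIND_RO} --bind-ro ${DIRECTORIES}"`; systemd-nspawn's `--bind-ro=` accepts the same `SRC[:DST[:OPTS]]` form as `--bind=`. Reusing `BIND_RO` first as the loop variable and then as the accumulated option string works only because the original value is not needed afterwards; a separate name such as `BIND_RO_OPTS` would make that clearer. As with the rw block, the resulting string is word-split on the nspawn command line, so paths containing whitespace cannot be expressed.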
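Review bot: On a clean stop the new ro block removes the bind source with `rmdir --parents`, which after an empty `${DIRECTORY}` keeps deleting each empty ancestor directory on the host, and the unquoted `${DIRECTORY}` breaks on paths containing whitespace. This is meant to undo the `mkdir -p` that start performs, but `mkdir -p` only creates parents that were missing whereas `rmdir --parents` removes any empty ancestor, including ones that existed before, and the redirect plus `|| true` masks it. Dropping `--parents` and quoting the path, `rmdir --ignore-fail-on-non-empty "${DIRECTORY}" > /dev/null 2>&1 || true`, keeps the cleanup to the directory this tool created. The enclosing `case "${CLEAN}" in` begins before the hunk.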