From: Oguz Bektas <o.bektas@proxmox.com>
To: pve-devel@pve.proxmox.com
Subject: [pve-devel] [RFC container] fix #2762: add recursive bindmount option
Date: Thu, 9 Jul 2020 14:44:34 +0200 [thread overview]
Message-ID: <20200709124434.709889-1-o.bektas@proxmox.com> (raw)
Allows bind mounts to be mounted recursively. Useful for mounting ZFS datasets
in containers.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
@wobu is unsure about the security implications of this (bindmount +
symlink + recursion), so i'm sending this first version as RFC to get
reviewed.
src/PVE/LXC.pm | 14 ++++++++------
src/PVE/LXC/Config.pm | 5 +++++
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index f3aca7a..aaf9594 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1452,10 +1452,11 @@ sub __bindmount_verify {
# Perform the actual bind mounting:
sub __bindmount_do {
- my ($dir, $dest, $ro, @extra_opts) = @_;
- PVE::Tools::run_command(['mount', '-o', 'bind', @extra_opts, $dir, $dest]);
+ my ($dir, $dest, $ro, $recursive_bind, @extra_opts) = @_;
+ my $bind_method = $recursive_bind ? 'rbind' : 'bind';
+ PVE::Tools::run_command(['mount', '-o', $bind_method, @extra_opts, $dir, $dest]);
if ($ro) {
- eval { PVE::Tools::run_command(['mount', '-o', 'bind,remount,ro', $dest]); };
+ eval { PVE::Tools::run_command(['mount', '-o', "$bind_method,remount,ro", $dest]); };
if (my $err = $@) {
warn "bindmount error\n";
# don't leave writable bind-mounts behind...
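Review bot: The read-only remount on the changed `"$bind_method,remount,ro"` line does not reach the mounts rbind pulls in below `$dir`: a bind remount changes the flags of that one mount only (as far as I know MS_REMOUNT is never recursive on the kernels this targets), so with both `recursive` and `ro` set the top level is read-only while every nested dataset stays writable inside the container, which is exactly the outcome the "don't leave writable bind-mounts behind" cleanup tries to prevent. Until the nested mounts are remounted individually, the combination should be refused up front rather than silently half-applied, e.g. `die "read-only recursive bind mounts are not supported\n" if $ro && $recursive_bind;` before the first mount call. The same flag is threaded through `bindmount` in the next hunk, so the check belongs here where both values are known. The body of __bindmount_do continues outside the hunk.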
@@ -1466,11 +1467,11 @@ sub __bindmount_do {
}
sub bindmount {
- my ($dir, $parentfd, $last_dir, $dest, $ro, @extra_opts) = @_;
+ my ($dir, $parentfd, $last_dir, $dest, $ro, $recursive_bind, @extra_opts) = @_;
my $srcdh = __bindmount_prepare('/', $dir);
- __bindmount_do($dir, $dest, $ro, @extra_opts);
+ __bindmount_do($dir, $dest, $ro, $recursive_bind, @extra_opts);
if (!__bindmount_verify($srcdh, $parentfd, $last_dir, $ro)) {
PVE::Tools::run_command(['umount', $dest]);
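Review bot: The cleanup `umount $dest` at the end of the hunk is unlikely to work once `$recursive_bind` is set: when child mounts sit below `$dest`, a plain umount of the parent is expected to fail with EBUSY, and the whole tree stays mounted after a failed verification. It should become `PVE::Tools::run_command(['umount', '-R', $dest]);`, and presumably the error path inside `__bindmount_do` needs the same treatment if it unmounts `$dest`. Note also that `__bindmount_verify` is handed only the top-level mount (`$srcdh`, `$parentfd`, `$last_dir`), so the nested mounts brought in by rbind are not subjected to the symlink/parent checks the verifier applies to the source path; this looks like the concern raised in the cover letter and deserves an explicit comment or check here. The rest of bindmount continues outside the hunk.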
@@ -1591,6 +1592,7 @@ sub __mountpoint_mount {
my $optstring = join(',', @$optlist);
my $readonly = $mountpoint->{ro};
+ my $recursive_bind = $mountpoint->{recursive};
my @extra_opts;
@extra_opts = ('-o', $optstring) if $optstring;
@@ -1676,7 +1678,7 @@ sub __mountpoint_mount {
return wantarray ? ($volid, 0, $devpath) : $volid;
} elsif ($type eq 'bind') {
die "directory '$volid' does not exist\n" if ! -d $volid;
- bindmount($volid, $parentfd, $last_dir//$rootdir, $mount_path, $readonly, @extra_opts) if $mount_path;
+ bindmount($volid, $parentfd, $last_dir//$rootdir, $mount_path, $readonly, $recursive_bind, @extra_opts) if $mount_path;
warn "cannot enable quota control for bind mounts\n" if $quota;
return wantarray ? ($volid, 0, undef) : $volid;
}
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index edd587b..0b8c35d 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -766,6 +766,11 @@ my $mp_desc = {
verbose_description => "Path to the mount point as seen from inside the container.\n\n".
"NOTE: Must not contain any symlinks for security reasons."
},
+ recursive => {
+ type => 'boolean',
+ description => 'Mount recursively. Useful for mounting ZFS dataset trees.',
+ optional => 1
+ }
};
PVE::JSONSchema::register_format('pve-ct-mountpoint', $mp_desc);
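Review bot: The new `recursive` description does not say what the flag exposes or where it applies: with rbind every mount nested below the source directory on the host becomes part of the container's view, which is a security-relevant property in the same sense as the "Must not contain any symlinks" note on `mp` above, and from the LXC.pm hunks the flag appears to be consulted only in the bind branch of `__mountpoint_mount`, so it is silently ignored for other mount point types. Suggest `description => 'Mount bind mounts recursively, i.e. also expose every mount nested below the source directory on the host. Only applies to bind mounts. Useful for mounting ZFS dataset trees.',` and adding `default => 0,` so the opt-in nature is visible in the schema.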
--
2.20.1