From: Oguz Bektas
To: pve-devel@pve.proxmox.com
Date: Thu, 9 Jul 2020 14:44:34 +0200
Message-Id: <20200709124434.709889-1-o.bektas@proxmox.com>
Subject: [pve-devel] [RFC container] fix #2762: add recursive bindmount option

Allows mounting bindmounts recursively. Useful for mounting ZFS datasets in containers.

Signed-off-by: Oguz Bektas
---
@wobu is unsure about the security implications of this (bindmount + symlink + recursion), so I'm sending this first version as RFC to get reviewed.

 src/PVE/LXC.pm | 14 ++++++++------
 src/PVE/LXC/Config.pm | 5 +++++
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index f3aca7a..aaf9594 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm @@ -1452,10 +1452,11 @@ sub __bindmount_verify { # Perform the actual bind mounting: sub __bindmount_do { - my ($dir, $dest, $ro, @extra_opts) = @_; - PVE::Tools::run_command(['mount', '-o', 'bind', @extra_opts, $dir, $dest]); + my ($dir, $dest, $ro, $recursive_bind, @extra_opts) = @_; + my $bind_method = $recursive_bind ? 'rbind' : 'bind'; + PVE::Tools::run_command(['mount', '-o', $bind_method, @extra_opts, $dir, $dest]); if ($ro) { - eval { PVE::Tools::run_command(['mount', '-o', 'bind,remount,ro', $dest]); }; + eval { PVE::Tools::run_command(['mount', '-o', "$bind_method,remount,ro", $dest]); }; if (my $err = $@) { warn "bindmount error\n"; # don't leave writable bind-mounts behind... 
@@ -1466,11 +1467,11 @@ sub __bindmount_do { } sub bindmount { - my ($dir, $parentfd, $last_dir, $dest, $ro, @extra_opts) = @_; + my ($dir, $parentfd, $last_dir, $dest, $ro, $recursive_bind, @extra_opts) = @_; my $srcdh = __bindmount_prepare('/', $dir); - __bindmount_do($dir, $dest, $ro, @extra_opts); + __bindmount_do($dir, $dest, $ro, $recursive_bind, @extra_opts); if (!__bindmount_verify($srcdh, $parentfd, $last_dir, $ro)) { PVE::Tools::run_command(['umount', $dest]); @@ -1591,6 +1592,7 @@ sub __mountpoint_mount { my $optstring = join(',', @$optlist); my $readonly = $mountpoint->{ro}; + my $recursive_bind = $mountpoint->{recursive}; my @extra_opts; @extra_opts = ('-o', $optstring) if $optstring; @@ -1676,7 +1678,7 @@ sub __mountpoint_mount { return wantarray ? ($volid, 0, $devpath) : $volid; } elsif ($type eq 'bind') { die "directory '$volid' does not exist\n" if ! -d $volid; - bindmount($volid, $parentfd, $last_dir//$rootdir, $mount_path, $readonly, @extra_opts) if $mount_path; + bindmount($volid, $parentfd, $last_dir//$rootdir, $mount_path, $readonly, $recursive_bind, @extra_opts) if $mount_path; warn "cannot enable quota control for bind mounts\n" if $quota; return wantarray ? ($volid, 0, undef) : $volid; } diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm index edd587b..0b8c35d 100644 --- a/src/PVE/LXC/Config.pm +++ b/src/PVE/LXC/Config.pm @@ -766,6 +766,11 @@ my $mp_desc = { verbose_description => "Path to the mount point as seen from inside the container.\n\n". "NOTE: Must not contain any symlinks for security reasons." }, + recursive => { + type => 'boolean', + description => 'Mount recursively. Useful for mounting ZFS dataset trees.', + optional => 1 + } }; PVE::JSONSchema::register_format('pve-ct-mountpoint', $mp_desc); -- 2.20.1
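Review bot: in the first hunk of src/PVE/LXC.pm (@@ -1452, `__bindmount_do`), the read-only step does not cover the recursively bound submounts: `mount -o "rbind,remount,ro" $dest` still only changes the flags of the single mount at `$dest`, because the kernel ignores the recursive flag on a remount (and kernels before 5.12 have no recursive read-only bind at all). With `ro` and `recursive` both set, every child dataset mounted below `$dir` therefore ends up writable inside the container while the config says read-only. Suggest either walking the mount tree under `$dest` and remounting each submount `ro` (unmounting the whole tree if any step fails), or rejecting the `ro` + `recursive` combination in the schema until recursive read-only is available.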
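Review bot: in the second hunk of src/PVE/LXC.pm (@@ -1466, `bindmount`), the cleanup `PVE::Tools::run_command(['umount', $dest])` after a failed `__bindmount_verify` is no longer sufficient once `$recursive_bind` is set: a plain `umount` of a mount point that still has child mounts beneath it fails with EBUSY, so a rejected recursive bind leaves the whole subtree mounted under `$dest`. Suggest `umount -R $dest` (util-linux recursive unmount) here and in the `bindmount error` cleanup of `__bindmount_do`. Note also that `__bindmount_prepare('/', $dir)` and `__bindmount_verify($srcdh, $parentfd, $last_dir, $ro)` only validate `$dir` itself; with `rbind`, whatever is mounted below `$dir` on the host at that moment is propagated into the container without the symlink and path checks that protect the top-level directory, which is the concern the cover note raises and should at least be documented in the commit message before this leaves RFC.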
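Review bot: in the fourth hunk of src/PVE/LXC.pm (@@ -1676, `__mountpoint_mount`), `$recursive_bind` is only passed along in the `elsif ($type eq 'bind')` branch, but nothing rejects `recursive=1` on a storage-backed or device mount point, so the option is silently ignored there. Suggest a `die "recursive mount is only supported for bind mounts\n"` (or at least a warning, as is already done for `$quota`) in the other branches, or equivalent validation when the config is parsed.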
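Review bot: in the src/PVE/LXC/Config.pm hunk (@@ -766, `$mp_desc`), the `recursive` description should say that the option only applies to bind mount points (the LXC.pm change honours it only in the `bind` branch) and that, as implemented, `ro` does not propagate to the submounts, otherwise users will combine `ro` and `recursive` expecting a read-only tree. Minor style point: `optional => 1` and the closing `}` of the new entry lack the trailing commas used by the surrounding entries.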