commit 4c9226192babf26db21e27914a3bfcb98cc70a80
parent ef91716f38708ce25a3e35498a68767f6fd103ff
Author: ccx <ccx@te2000.cz>
Date: Fri, 19 Apr 2024 19:03:54 +0000
Generate execline script to mount container data instead of fstab
Diffstat:
3 files changed, 105 insertions(+), 28 deletions(-)
diff --git a/service_scripts/generic/run b/service_scripts/generic/run
@@ -45,7 +45,7 @@ s6-envuidgid ${CONTAINER_USER}
unshare -m -u -i # new mount, UTS and IPC namespaces
-if { mount -a -T data/fstab }
+$PID1_EXEC
# Run user's setup script (optional)
if {
@@ -56,7 +56,6 @@ if {
}
}
-$PID1_EXEC
emptyenv -c
ns_run_unshared data/root {
# pre pivot-root commands
diff --git a/zsh-functions/confz_containers_init b/zsh-functions/confz_containers_init
@@ -382,15 +382,45 @@ confz_container_service_ephemeral_check() {
mnt_dirs=( ns $=vars[mnt_dirs_extra] )
- fstab=(
- $vars[containers_dir]/systems/$vars[image_name]$'\t'$container_user_dir/root$'\tnone\tbind,ro,nosuid,nodev\t0 0'
- /run/containers/$container.$vars[user]/home$'\t'$container_user_dir/root/home$'\tnone\tbind,nosuid,nodev\t0 0'
- /run/containers/$container.$vars[user]/run$'\t'$container_user_dir/root/run$'\tnone\tbind,nosuid,nodev\t0 0'
- /run/containers/$container.$vars[user]/tmp$'\t'$container_user_dir/root/tmp$'\tnone\tbind,nosuid,nodev\t0 0'
- /run/containers/$container.$vars[user]/mnt$'\t'$container_user_dir/root/mnt$'\tnone\tbind,ro,nosuid,nodev\t0 0'
- "${(f@)vars[fstab_extra]}"
+ local src dst rw
+ local -a bind_mounts pid1_el_lines
+ bind_mounts=(
+ $vars[containers_dir]/systems/$vars[image_name]
+ $container_user_dir/root
+ ro
+
+ /run/containers/$container.$vars[user]/home
+ $container_user_dir/root/home
+ rw
+
+ /run/containers/$container.$vars[user]/run
+ $container_user_dir/root/run
+ rw
+
+ /run/containers/$container.$vars[user]/tmp
+ $container_user_dir/root/tmp
+ rw
+
+ /run/containers/$container.$vars[user]/mnt
+ $container_user_dir/root/mnt
+ ro
)
+ pid1_el_lines=( "#!$(which execlineb) -S0" )
+ for src dst rw in "$bind_mounts[@]"; do
+ fstab+=( $src$'\t'$dst$'\tnone\tbind,'$rw$',nosuid,nodev\t0 0' )
+ src_el=\"${${src//\\/\\\\}//\"/\\\"}\"
+ dst_el=\"${${dst//\\/\\\\}//\"/\\\"}\"
+ pid1_el_lines+=(
+ "if { s6-mount -o bind,$rw,nodev,nosuid $src_el $dst_el )"
+ "if { s6-mount -o remount,$rw,nodev,nosuid $dst_el )"
+ )
+ done
+
+ fstab+=( "${(f@)vars[fstab_extra]}" )
+ (($+vars[pid1_el])) && pid1_el_lines+=( $vars[pid1_el] )
+ pid1_el_lines+=( '$@' )
+
svc_dir=$vars[svscan_dir]/container.$container.$vars[user]
require container_service_preset preset=generic \
svc_dir=$svc_dir control_user=$uid control_group=$gid \
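Review bot: The two `s6-mount` lines appended inside the `for src dst rw in "$bind_mounts[@]"` loop close their execline `if {` block with `)` instead of `}`, so the generated pid1 script is malformed; the same typo recurs in the corresponding loop of confz_container_service_generic_check and in both `s6-mount` pairs of confz_site_containers_usersvc_simple_check, while the `mkdir -p … }` lines there show the intended form. The remount step should also carry `bind`: if s6-mount maps `remount` straight onto MS_REMOUNT without MS_BIND, the kernel reconfigures the source filesystem's superblock (turning the whole image or tmpfs read-only, or failing with EBUSY) rather than the bind mount's own flags, which is why mount(8) documents `remount,bind,ro` for read-only bind mounts — so the line should read `"if { s6-mount -o remount,bind,$rw,nodev,nosuid $dst_el }"`. `src_el` and `dst_el` are assigned in the loop but are missing from the `local src dst rw` declaration, unlike the `local … src_el dst_el` line in confz_site_containers_usersvc_simple_check, so they leak into the caller's scope. `fstab` is now only appended to and its previous `fstab=( … )` initialisation is gone; if it is not declared `local -a fstab` above this hunk, entries from an earlier invocation would carry over. confz_container_service_ephemeral_check starts and ends outside the hunk.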
@@ -398,7 +428,7 @@ confz_container_service_ephemeral_check() {
log_uid=0 log_gid=$gid \
root_link=$container_user_dir/root \
fstab=${(F)fstab} \?down \?fstab_post \
- \?prepare_chroot \?pid1_exec
+ \?prepare_chroot pid1_exec=${(F)pid1_el_lines}
require fs_d filename=$svc_dir/env
require fs_contentnl filename=$svc_dir/env/CONTAINER_USER \
content=$vars[user]
@@ -447,15 +477,45 @@ confz_container_service_generic_check() {
mnt_dirs=( ns $=vars[mnt_dirs_extra] )
- fstab=(
- $vars[containers_dir]/systems/$vars[image_name]$'\t'$container_user_dir/root$'\tnone\tbind,ro,nosuid,nodev\t0 0'
- $container_user_dir/home$'\t'$container_user_dir/root/home$'\tnone\tbind,nosuid,nodev\t0 0'
- /run/containers/$container.$vars[user]/run$'\t'$container_user_dir/root/run$'\tnone\tbind,nosuid,nodev\t0 0'
- /run/containers/$container.$vars[user]/tmp$'\t'$container_user_dir/root/tmp$'\tnone\tbind,nosuid,nodev\t0 0'
- /run/containers/$container.$vars[user]/mnt$'\t'$container_user_dir/root/mnt$'\tnone\tbind,ro,nosuid,nodev\t0 0'
- "${(f@)vars[fstab_extra]}"
+ local src dst rw
+ local -a bind_mounts pid1_el_lines
+ bind_mounts=(
+ $vars[containers_dir]/systems/$vars[image_name]
+ $container_user_dir/root
+ ro
+
+ $container_user_dir/home
+ $container_user_dir/root/home
+ rw
+
+ /run/containers/$container.$vars[user]/run
+ $container_user_dir/root/run
+ rw
+
+ /run/containers/$container.$vars[user]/tmp
+ $container_user_dir/root/tmp
+ rw
+
+ /run/containers/$container.$vars[user]/mnt
+ $container_user_dir/root/mnt
+ ro
)
+ pid1_el_lines=( "#!$(which execlineb) -S0" )
+ for src dst rw in "$bind_mounts[@]"; do
+ fstab+=( $src$'\t'$dst$'\tnone\tbind,'$rw$',nosuid,nodev\t0 0' )
+ src_el=\"${${src//\\/\\\\}//\"/\\\"}\"
+ dst_el=\"${${dst//\\/\\\\}//\"/\\\"}\"
+ pid1_el_lines+=(
+ "if { s6-mount -o bind,$rw,nodev,nosuid $src_el $dst_el )"
+ "if { s6-mount -o remount,$rw,nodev,nosuid $dst_el )"
+ )
+ done
+
+ fstab+=( "${(f@)vars[fstab_extra]}" )
+ (($+vars[pid1_el])) && pid1_el_lines+=( $vars[pid1_el] )
+ pid1_el_lines+=( '$@' )
+
svc_dir=$vars[svscan_dir]/container.$container.$vars[user]
require container_service_preset preset=generic \
svc_dir=$svc_dir control_user=$uid control_group=$gid \
@@ -463,7 +523,7 @@ confz_container_service_generic_check() {
log_uid=0 log_gid=$gid \
root_link=$container_user_dir/root \
fstab=${(F)fstab} \?down \?fstab_post \
- \?prepare_chroot \?pid1_exec
+ \?prepare_chroot pid1_exec=${(F)pid1_el_lines}
require fs_d filename=$svc_dir/env
require fs_contentnl filename=$svc_dir/env/CONTAINER_USER \
content=$vars[user]
diff --git a/zsh-functions/confz_site_containers_init b/zsh-functions/confz_site_containers_init
@@ -18,26 +18,46 @@ confz_site_containers_usersvc_simple_check() {
defvar mount_ro init
defvar container_type generic
- local userdir bindroot flags mtp
- local -a fstab mnt_dirs_extra
+ local userdir bindroot flags mtp src dst src_el dst_el
+ local -a fstab mnt_dirs_extra pid1_el_lines
userdir=$vars[containers_dir]/user/$vars[user]
bindroot=$userdir/$vars[container_name]/root
if (($+vars[mount_ro])); then
flags=$'\tnone\tbind,ro,nosuid,nodev\t0 0'
for mtp in ${=vars[mount_ro]}; do
+ src=$site_containers_mountpoints[$mtp]
+ dst=$bindroot/mnt/$mtp
mnt_dirs_extra+=( $mtp )
- fstab+=( $site_containers_mountpoints[$mtp]$'\t'$bindroot/mnt/$mtp$flags )
+ fstab+=( $src$'\t'$dst$flags )
+ src_el=\"${${src//\\/\\\\}//\"/\\\"}\"
+ dst_el=\"${${dst//\\/\\\\}//\"/\\\"}\"
+ pid1_el_lines+=(
+ "if { mkdir -p $dst_el }"
+ "if { s6-mount -r -o bind,nodev,nosuid $src_el $dst_el )"
+ "if { s6-mount -o remount,ro,nodev,nosuid $dst_el )"
+ )
done
fi
if (($+vars[mount_rw])); then
flags=$'\tnone\tbind,rw,nosuid,nodev\t0 0'
for mtp in ${=vars[mount_rw]}; do
+ src=$site_containers_mountpoints[$mtp]
+ dst=$bindroot/mnt/$mtp
mnt_dirs_extra+=( $mtp )
- fstab+=( $site_containers_mountpoints[$mtp]$'\t'$bindroot/mnt/$mtp$flags )
+ fstab+=( $src$'\t'$dst$flags )
+ src_el=\"${${src//\\/\\\\}//\"/\\\"}\"
+ dst_el=\"${${dst//\\/\\\\}//\"/\\\"}\"
+ pid1_el_lines+=(
+ "if { mkdir -p $dst_el }"
+ "if { s6-mount -r -o bind,nodev,nosuid $src_el $dst_el )"
+ "if { s6-mount -o remount,rw,nodev,nosuid $dst_el )"
+ )
done
fi
+ (($+vars[pid1_el])) && pid1_el_lines+=( $vars[pid1_el] )
+
if (($#mnt_dirs_extra)); then
unify mnt_dirs_extra "$mnt_dirs_extra"
unify fstab_extra ${(F)fstab}
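Review bot: Neither loop checks that `$mtp` is a key of `site_containers_mountpoints`; for an unknown name `src` is empty and the generated line becomes `s6-mount … "" "<dst>"`, which only fails at container start, so the lookup should fail early here (in whatever error path this framework uses) with `(($+site_containers_mountpoints[$mtp])) || …`. The rw branch's bind line `s6-mount -r -o bind,nodev,nosuid` passes `-r` and then relies on `remount,rw` to undo it, while the ro branch is the one that needs read-only; dropping `-r` from the rw branch, `"if { s6-mount -o bind,nodev,nosuid $src_el $dst_el }"`, makes the intent readable. `mkdir -p $dst_el` runs as root inside the container's root tree, so the generated script depends on `$bindroot/mnt` already being a controlled directory; a comment stating that assumption would help. confz_site_containers_usersvc_simple_check continues outside the hunk.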
@@ -45,7 +65,8 @@ confz_site_containers_usersvc_simple_check() {
require container_service_$vars[container_type] \
:image_name :container_name :containers_dir :svscan_dir :user \
- \?mnt_dirs_extra \?fstab_extra \?prepare_chroot \?pid1_exec
+ \?mnt_dirs_extra \?fstab_extra \?prepare_chroot \
+ pid1_el=${(F)pid1_el_lines}
#local chome=$userdir/$vars[container_name]/home/$vars[user]
#if ! [[ -d $chome/run ]]; then
@@ -112,21 +133,18 @@ confz_site_containers_user_check() {
done
local -a el_netns=(
- "#!$(which execlineb) -S0"
'unshare -n # make new network namespace'
'if { ip addr add 127.0.0.1/8 dev lo }'
'if { ip addr add ::1/128 dev lo }'
'if { ip link set lo up }'
- '$@'
)
- local in_netns=pid1_exec=${(F)el_netns}
+ local in_netns=pid1_el=${(F)el_netns}
local -a exec_softlimit_fd=(
"#!$(which zsh)"
'ulimit -H -n unlimited'
'exec "$@"'
)
- local more_fds=pid1_exec=${(F)exec_softlimit_fd}
local -a el_mount_usb_devices=(
"#!$(which execlineb) -P"
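Review bot: `exec_softlimit_fd` looks dead after this change: the `more_fds=pid1_exec=…` line that consumed it is removed, nothing else in the hunk references it, and the `UC rcm-ssh alpine-ssh` line in the next hunk drops `$more_fds` without a replacement, so the `ulimit -H -n unlimited` raise for that container is silently lost (unless the array is used below the hunk). Either delete the `exec_softlimit_fd` array or state in the commit message that the fd-limit bump is intentionally dropped; if it is still wanted it needs an execline-compatible form now that `pid1_el` is spliced into the execline script rather than run as a separate zsh wrapper. confz_site_containers_user_check continues outside the hunk.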
@@ -153,7 +171,7 @@ confz_site_containers_user_check() {
UCa tor
UCa ssh
UCa pass mount_rw="ccx-password-store"
- UC rcm-ssh alpine-ssh $more_fds
+ UC rcm-ssh alpine-ssh
UCa socials
UCa gpg $with_usb $in_netns
UCv signal