From 816ef2b7508f98ae9215615de4d08f2ce4bf0d45 Mon Sep 17 00:00:00 2001 From: Michael McCracken Date: Thu, 31 Oct 2024 17:14:36 -0700 Subject: [PATCH] add metadir flag to substitute for /run/atomfs In some cases, e.g. when guestmounting in a new userns and mountns, but not chrooted, /run/atomfs may not be writable. In that situation, use the new --metadir flag to all commands to specify a replacement for the default /run/atomfs. This overlaps slightly with the ATOMFS_TEST_RUN_DIR environment variable, which would have the same effect, but should only be used for tests, as it is not discoverable. Signed-off-by: Michael McCracken --- cmd/atomfs/mount.go | 5 +++++ cmd/atomfs/umount.go | 8 +++++++- cmd/atomfs/verify.go | 8 +++++++- molecule.go | 2 +- oci.go | 1 + test/unpriv-guestmount.bats | 28 ++++++++++++++++++++++++++++ utils.go | 8 ++++++-- 7 files changed, 55 insertions(+), 5 deletions(-) diff --git a/cmd/atomfs/mount.go b/cmd/atomfs/mount.go index 5b272c3..4eec79d 100644 --- a/cmd/atomfs/mount.go +++ b/cmd/atomfs/mount.go @@ -32,6 +32,10 @@ var mountCmd = cli.Command{ Name: "allow-missing-verity", Usage: "Mount even if the image has no verity data", }, + cli.StringFlag{ + Name: "metadir", + Usage: "Directory to use for metadata. Use this if /run/atomfs is not writable for some reason.", + }, }, } @@ -97,6 +101,7 @@ func doMount(ctx *cli.Context) error { AddWriteableOverlay: ctx.Bool("writeable") || ctx.IsSet("persist"), WriteableOverlayPath: persistPath, AllowMissingVerityData: ctx.Bool("allow-missing-verity"), + MetadataDir: ctx.String("metadir"), // nil here means /run/atomfs } mol, err := atomfs.BuildMoleculeFromOCI(opts) diff --git a/cmd/atomfs/umount.go b/cmd/atomfs/umount.go index 215d993..fde7340 100644 --- a/cmd/atomfs/umount.go +++ b/cmd/atomfs/umount.go @@ -16,6 +16,12 @@ var umountCmd = cli.Command{ Usage: "unmount atomfs image", ArgsUsage: "mountpoint", Action: doUmount, + Flags: []cli.Flag{ + cli.StringFlag{ + Name: "metadir", + Usage: "Directory to use for metadata. Use this if /run/atomfs is not writable for some reason.", + }, + }, } func umountUsage(me string) error { @@ -60,7 +66,7 @@ func doUmount(ctx *cli.Context) error { if err != nil { errs = append(errs, fmt.Errorf("Failed to get mount namespace name")) } - metadir := filepath.Join(atomfs.RuntimeDir(), "meta", mountNSName, atomfs.ReplacePathSeparators(mountpoint)) + metadir := filepath.Join(atomfs.RuntimeDir(ctx.String("metadir")), "meta", mountNSName, atomfs.ReplacePathSeparators(mountpoint)) mountsdir := filepath.Join(metadir, "mounts") mounts, err := os.ReadDir(mountsdir) diff --git a/cmd/atomfs/verify.go b/cmd/atomfs/verify.go index 957d2df..c587405 100644 --- a/cmd/atomfs/verify.go +++ b/cmd/atomfs/verify.go @@ -17,6 +17,12 @@ var verifyCmd = cli.Command{ Usage: "check atomfs image for dm-verity errors", ArgsUsage: "atomfs mountpoint", Action: doVerify, + Flags: []cli.Flag{ + cli.StringFlag{ + Name: "metadir", + Usage: "Directory to use for metadata. Use this if /run/atomfs is not writable for some reason.", + }, + }, } func verifyUsage(me string) error { @@ -48,7 +54,7 @@ func doVerify(ctx *cli.Context) error { return err } - metadir := filepath.Join(atomfs.RuntimeDir(), "meta", mountNSName, atomfs.ReplacePathSeparators(mountpoint)) + metadir := filepath.Join(atomfs.RuntimeDir(ctx.String("metadir")), "meta", mountNSName, atomfs.ReplacePathSeparators(mountpoint)) mountsdir := filepath.Join(metadir, "mounts") mounts, err := mount.ParseMounts("/proc/self/mountinfo") diff --git a/molecule.go b/molecule.go index 267309b..f22e0c9 100644 --- a/molecule.go +++ b/molecule.go @@ -33,7 +33,7 @@ func (m Molecule) MetadataPath() (string, error) { if err != nil { return "", err } - metadir := filepath.Join(RuntimeDir(), "meta", mountNSName, ReplacePathSeparators(absTarget)) + metadir := filepath.Join(RuntimeDir(m.config.MetadataDir), "meta", mountNSName, ReplacePathSeparators(absTarget)) return metadir, nil } diff --git a/oci.go b/oci.go index 22550d8..500247e 100644 --- a/oci.go +++ b/oci.go @@ -17,6 +17,7 @@ type MountOCIOpts struct { AddWriteableOverlay bool WriteableOverlayPath string AllowMissingVerityData bool + MetadataDir string } func (c MountOCIOpts) AtomsPath(parts ...string) string { diff --git a/test/unpriv-guestmount.bats b/test/unpriv-guestmount.bats index 3000819..a2db887 100644 --- a/test/unpriv-guestmount.bats +++ b/test/unpriv-guestmount.bats @@ -100,3 +100,31 @@ EOF rm -rf $ATOMFS_TEST_RUN_DIR/meta EOF } + +@test "mount with custom metadir and no ATOMFS_TEST_RUN_DIR env var works as guest" { + unset ATOMFS_TEST_RUN_DIR + export -n ATOMFS_TEST_RUN_DIR + + lxc-usernsexec -s <