From: Alyssa Ross <hi@alyssa.is>
To: devel@spectrum-os.org
Subject: [PATCH] host/rootfs: add mount-userdata command
Date: Fri, 12 Dec 2025 22:48:59 +0100 [thread overview]
Message-ID: <20251212214859.389183-1-hi@alyssa.is> (raw)
We shouldn't leave it to the user to manually mount user data
partitions. We want to ensure restrictive mount flags are set, and be
able to do other operations around the mounting. It's also nice to
have a single place where all user data partitions can be mounted.
I've taken inspiration from the FHS in using /media for this.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
.../development/persistent-storage.adoc | 19 ++++++++++-----
.../using-spectrum/creating-custom-vms.adoc | 5 ++--
.../using-spectrum/vm-file-access.adoc | 4 ++--
host/rootfs/Makefile | 2 +-
host/rootfs/file-list.mk | 1 +
host/rootfs/image/etc/fstab | 11 +++++----
host/rootfs/image/usr/bin/mount-userdata | 24 +++++++++++++++++++
7 files changed, 50 insertions(+), 16 deletions(-)
create mode 100755 host/rootfs/image/usr/bin/mount-userdata
diff --git a/Documentation/development/persistent-storage.adoc b/Documentation/development/persistent-storage.adoc
index 12426b46..c4bcc163 100644
--- a/Documentation/development/persistent-storage.adoc
+++ b/Documentation/development/persistent-storage.adoc
@@ -2,7 +2,7 @@
:page-parent: Development
:page-nav_order: 2
-// SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is>
+// SPDX-FileCopyrightText: 2024-2025 Alyssa Ross <hi@alyssa.is>
// SPDX-License-Identifier: GFDL-1.3-no-invariants-or-later OR CC-BY-SA-4.0
Spectrum's root filesystem is immutable, so if you want to be able to
@@ -10,8 +10,15 @@ persist data between sessions, you'll need to create a persistent
storage partition. Spectrum comes with `cryptsetup`, and in future is
likely to assume that btrfs-specific features are available.
-Conventionally, the persistent storage partition is mounted on /ext
-after booting. It's not mounted automatically, because generally the
-partition should be encrypted, meaning a key has to be supplied to
-mount it anyway, and because there might be multiple persistent data
-partitions to choose from.
+Persistent storage can be mounted as follows:
+
+[source,shell]
+----
+cryptsetup open /dev/sda1 userdata
+mount-userdata /dev/mapper/userdata
+----
+
+It's not mounted automatically, because generally the partition should
+be encrypted, meaning a key has to be supplied to mount it anyway, and
+because there might be multiple persistent data partitions to choose
+from.
diff --git a/Documentation/using-spectrum/creating-custom-vms.adoc b/Documentation/using-spectrum/creating-custom-vms.adoc
index a397ac50..1eca7f36 100644
--- a/Documentation/using-spectrum/creating-custom-vms.adoc
+++ b/Documentation/using-spectrum/creating-custom-vms.adoc
@@ -13,8 +13,9 @@ configurations are directories under a dedicated parent directory, and
the name of each configuration directory determines the name of
the VM. After mounting the persistent storage partition, the
configured VMs can be made available by running `vm-import user
-/ext/vms`, replacing /ext/vms with the directory containing the VM
-definitions.
+/media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/vms`, replacing
+/media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/vms with the directory
+containing the VM definitions.
The directory can contain the following files:
diff --git a/Documentation/using-spectrum/vm-file-access.adoc b/Documentation/using-spectrum/vm-file-access.adoc
index 1b4fe9a5..a079cfe8 100644
--- a/Documentation/using-spectrum/vm-file-access.adoc
+++ b/Documentation/using-spectrum/vm-file-access.adoc
@@ -48,7 +48,7 @@ can be bind-mounted into it:
+
[listing]
[source,shell]
-echo "Hello, world!" > /ext/example.txt
+echo "Hello, world!" > /media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/example.txt
2. Create an empty file to bind mount over:
+
@@ -60,5 +60,5 @@ touch /run/vm/by-name/user.appvm-example/fs/example.txt
+
[listing]
[source,shell]
-mount --rbind /ext/example.txt /run/vm/by-name/user.appvm-example/fs/example.txt
+mount --rbind /media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/example.txt /run/vm/by-name/user.appvm-example/fs/example.txt
====
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 7bec1259..211fb5dd 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -33,8 +33,8 @@ DIRS = \
etc/s6-linux-init/run-image/user \
etc/s6-linux-init/run-image/vm/by-id \
etc/s6-linux-init/run-image/vm/by-name \
- ext \
home \
+ media \
proc \
run \
sys \
diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk
index f69775d2..6bf40ff8 100644
--- a/host/rootfs/file-list.mk
+++ b/host/rootfs/file-list.mk
@@ -56,6 +56,7 @@ FILES = \
image/etc/xdg/weston/weston.ini \
image/usr/bin/assign-devices \
image/usr/bin/create-vm-dependencies \
+ image/usr/bin/mount-userdata \
image/usr/bin/root-terminal \
image/usr/bin/run-appimage \
image/usr/bin/run-flatpak \
diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
index 5c23a374..18bb5e45 100644
--- a/host/rootfs/image/etc/fstab
+++ b/host/rootfs/image/etc/fstab
@@ -1,7 +1,8 @@
# SPDX-License-Identifier: CC0-1.0
# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
-proc /proc proc nosuid,nodev,noexec 0 0
-devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs nosuid,nodev 0 0
-sysfs /sys sysfs nosuid,nodev,noexec 0 0
-tmpfs /tmp tmpfs nosuid,nodev 0 0
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+tmpfs /media tmpfs nosuid,nodev,noexec,nosymfollow,mode=755 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+tmpfs /tmp tmpfs nosuid,nodev 0 0
diff --git a/host/rootfs/image/usr/bin/mount-userdata b/host/rootfs/image/usr/bin/mount-userdata
new file mode 100755
index 00000000..e4a873c0
--- /dev/null
+++ b/host/rootfs/image/usr/bin/mount-userdata
@@ -0,0 +1,24 @@
+#!/bin/execlineb -W
+# SPDX-License-Identifier: EUPL-1.2+
+# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
+
+backtick -D "" uuid {
+ importas -Siu 1
+ blkid -o value -s UUID $1
+}
+
+multisubstitute {
+ importas -Siu 0
+ importas -Siu 1
+ importas -Siu uuid
+}
+
+case $uuid {
+ "" {
+ fdmove -c 1 2
+ printf "%s: '%s' does not have a UUID\n" $0 $1
+ }
+}
+
+if { mount -m -o nosuid,nodev,noexec,nosymfollow -- $1 /media/${uuid} }
+printf "%s\n" /media/${uuid}
base-commit: 1afc3a7042ee1c40b6d2e564219be31ea8f1017f
--
2.51.0
next reply other threads:[~2025-12-12 21:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-12 21:48 Alyssa Ross [this message]
2025-12-12 23:02 ` [PATCH] host/rootfs: add mount-userdata command Demi Marie Obenour
2025-12-13 10:59 ` Alyssa Ross
2025-12-14 1:35 ` Demi Marie Obenour
2025-12-13 12:31 ` Alyssa Ross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251212214859.389183-1-hi@alyssa.is \
--to=hi@alyssa.is \
--cc=devel@spectrum-os.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://spectrum-os.org/git/crosvm
https://spectrum-os.org/git/doc
https://spectrum-os.org/git/mktuntap
https://spectrum-os.org/git/nixpkgs
https://spectrum-os.org/git/spectrum
https://spectrum-os.org/git/ucspi-vsock
https://spectrum-os.org/git/www
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).