From: Alyssa Ross
To: Demi Marie Obenour
Subject: Re: [PATCH 2/5] host/rootfs: create a per-VM mount namespace
In-Reply-To: <594830b6-d3a3-42da-84a8-190e08a353e8@gmail.com>
References: <20251201044534.977524-1-hi@alyssa.is> <20251201044534.977524-3-hi@alyssa.is> <594830b6-d3a3-42da-84a8-190e08a353e8@gmail.com>
Date: Mon, 01 Dec 2025 15:33:50 +0100
Message-ID: <87v7iquv8x.fsf@alyssa.is>
CC: devel@spectrum-os.org

Demi Marie Obenour writes:

> On 11/30/25 23:45, Alyssa Ross wrote:
>> This will solve the problem of mounts for VMs being very annoying to
>> clean up, as evidenced in run-appimage. It was looking to be even
>> worse for Flatpak.
>
> Does the updater also need to be adjusted?

It does, thanks for pointing that out. We really need a test for it!

>> Signed-off-by: Alyssa Ross >> --- >> .../template/data/service/dbus/run | 2 ++ >> .../template/data/service/vhost-user-fs/run | 4 +-- >> .../image/usr/bin/create-vm-dependencies | 23 ++++++++++++++--- >> host/rootfs/image/usr/bin/run-appimage | 25 +++++++++---------- >> 4 files changed, 34 insertions(+), 20 deletions(-) >>=20 >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-se= rvices/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init= /run-image/service/vm-services/template/data/service/dbus/run >> index 351fc68..9b23192 100755 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/dbus/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/dbus/run >> @@ -4,6 +4,8 @@ >>=20=20 >> importas -i VM VM >>=20=20 >> +nsenter --mount=3D${VM}/mount >> + >> dbus-daemon >> --config-file /usr/share/dbus-1/session.conf >> --print-address 3 >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-se= rvices/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-l= inux-init/run-image/service/vm-services/template/data/service/vhost-user-fs= /run >> index 5d5ad7d..3848b0c 100755 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/vhost-user-fs/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/vhost-user-fs/run 
>> @@ -12,8 +12,6 @@ export TMPDIR /run >>=20=20 >> # The VM should not be able to write directly into a tmpfs, but there >> # can be writable block-based bind mounted subdirectories. > > Comment should be moved to the code that does the bind mount. Also, > this comment is somewhat stale: the main reason to prevent writing > into the toplevel fs/ folder is that host tools (like the updater) > assume symlinks can't be created in it. Good idea. >> -unshare -m --propagation slave >> importas -i VM VM >> -if { mount --rbind -o ro ${VM}/fs ${VM}/fs } >> - >> +nsenter --mount=3D${VM}/mount >> virtiofsd --fd 3 --shared-dir ${VM}/fs >> diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/roo= tfs/image/usr/bin/create-vm-dependencies >> index f3a1b69..21681cd 100755 >> --- a/host/rootfs/image/usr/bin/create-vm-dependencies >> +++ b/host/rootfs/image/usr/bin/create-vm-dependencies 
>> @@ -1,11 +1,26 @@ >> #!/bin/execlineb -S1 >> # SPDX-License-Identifier: EUPL-1.2+ >> -# SPDX-FileCopyrightText: 2024 Alyssa Ross >> +# SPDX-FileCopyrightText: 2024-2025 Alyssa Ross >>=20=20 >> -if { mount -m --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/vm/by= -id/${1}/fs/config } >> +if { touch /run/vm/by-id/${1}/mount } >> +if { mount --make-private --bind /run/vm/by-id/${1}/mount /run/vm/by-id= /${1}/mount } >>=20=20 >> -if { mkdir -p /run/vm/by-id/${1}/doc-run/doc /run/vm/by-id/${1}/fs/doc } >> -if { mount --rbind /run/vm/by-id/${1}/doc-run/doc /run/vm/by-id/${1}/fs= /doc } >> +if { >> + unshare --mount=3D/run/vm/by-id/${1}/mount >> + >> + if { >> + mkdir -p >> + /run/vm/by-id/${1}/doc-run/doc >> + /run/vm/by-id/${1}/fs/config >> + /run/vm/by-id/${1}/fs/doc > I would also create /run/vm/by-id/${1}/config/fs... > >> + } >> + >> + if { mount --make-shared --rbind /run/vm/by-id/${1} /run/vm/by-id/${1= } } >> + >> + if { mount --rbind -o ro /run/vm/by-id/${1}/fs /run/vm/by-id/${1}/fs } > > VMs should not be able to write to their own config, so this and the > next line should be swapped. Makes sense. >> + if { mount --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/vm/by-= id/${1}/fs/config } > > ...and remove this `-o nofail`. Not sure about that, since config is likely to be on a different filesystem we may not even be able to write to. Either way, it's out of scope here, because it already works this way before this change.
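
Review bot: the `nsenter --mount=${VM}/mount` line added to service/dbus/run depends on an undocumented prerequisite: `${VM}/mount` must already hold the namespace that create-vm-dependencies binds there with `unshare --mount=`. Before that script has run, the path either does not exist or is the empty file left by `touch`, which nsenter cannot enter. A one-line comment naming create-vm-dependencies as the prerequisite would help whoever next debugs a failing service start.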
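
Review bot: the propagation change in service/vhost-user-fs/run is not explained: the removed `unshare -m --propagation slave` is replaced by `nsenter --mount=${VM}/mount`, and the namespace entered is one that create-vm-dependencies sets up with `mount --make-shared --rbind`. The commit message only talks about cleanup, so it should say whether mounts made on the host after the namespace is created are still expected to become visible to virtiofsd, or whether losing that is intended.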
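
Review bot: the `touch` and `mount --make-private --bind` pair at the top of create-vm-dependencies needs a comment and has no guard against a second run. unshare(1) requires the file given to `--mount=` to sit on a mount whose propagation is not shared, which is presumably why the file is bind-mounted onto itself as private; a comment should say so. Running the script again for the same VM id would stack another bind mount on the path and create a second namespace, so either check for an existing mount first or document that the script runs once per VM.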