On 12/12/25 16:48, Alyssa Ross wrote: > We shouldn't leave it to the user to manually mount user data > partitions. We want to ensure restrictive mount flags are set, and be > able to do other operations around the mounting. It's also nice to > have a single place where all user data partitions can be mounted. > I've taken inspiration from the FHS in using /media for this. Yay! I kept doing this manually and it was annoying. > Signed-off-by: Alyssa Ross > --- > .../development/persistent-storage.adoc | 19 ++++++++++----- > .../using-spectrum/creating-custom-vms.adoc | 5 ++-- > .../using-spectrum/vm-file-access.adoc | 4 ++-- > host/rootfs/Makefile | 2 +- > host/rootfs/file-list.mk | 1 + > host/rootfs/image/etc/fstab | 11 +++++---- > host/rootfs/image/usr/bin/mount-userdata | 24 +++++++++++++++++++ > 7 files changed, 50 insertions(+), 16 deletions(-) > create mode 100755 host/rootfs/image/usr/bin/mount-userdata > > diff --git a/Documentation/development/persistent-storage.adoc b/Documentation/development/persistent-storage.adoc > index 12426b46..c4bcc163 100644 > --- a/Documentation/development/persistent-storage.adoc > +++ b/Documentation/development/persistent-storage.adoc > @@ -2,7 +2,7 @@ > :page-parent: Development > :page-nav_order: 2 > > -// SPDX-FileCopyrightText: 2024 Alyssa Ross > +// SPDX-FileCopyrightText: 2024-2025 Alyssa Ross > // SPDX-License-Identifier: GFDL-1.3-no-invariants-or-later OR CC-BY-SA-4.0 > > Spectrum's root filesystem is immutable, so if you want to be able to > @@ -10,8 +10,15 @@ persist data between sessions, you'll need to create a persistent > storage partition. Spectrum comes with `cryptsetup`, and in future is > likely to assume that btrfs-specific features are available. > > -Conventionally, the persistent storage partition is mounted on /ext > -after booting. It's not mounted automatically, because generally the > -partition should be encrypted, meaning a key has to be supplied to > -mount it anyway, and because there might be multiple persistent data > -partitions to choose from. > +Persistent storage can be mounted as follows: > + > +[source,shell] > +---- > +cryptsetup open /dev/sda1 userdata > +mount-userdata /dev/mapper/userdata > +---- > + > +It's not mounted automatically, because generally the partition should > +be encrypted, meaning a key has to be supplied to mount it anyway, and > +because there might be multiple persistent data partitions to choose > +from. > diff --git a/Documentation/using-spectrum/creating-custom-vms.adoc b/Documentation/using-spectrum/creating-custom-vms.adoc > index a397ac50..1eca7f36 100644 > --- a/Documentation/using-spectrum/creating-custom-vms.adoc > +++ b/Documentation/using-spectrum/creating-custom-vms.adoc > @@ -13,8 +13,9 @@ configurations are directories under a dedicated parent directory, and > the name of each configuration directory determines the name of > the VM. After mounting the persistent storage partition, the > configured VMs can be made available by running `vm-import user > -/ext/vms`, replacing /ext/vms with the directory containing the VM > -definitions. > +/media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/vms`, replacing > +/media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/vms with the directory > +containing the VM definitions. > > The directory can contain the following files: > > diff --git a/Documentation/using-spectrum/vm-file-access.adoc b/Documentation/using-spectrum/vm-file-access.adoc > index 1b4fe9a5..a079cfe8 100644 > --- a/Documentation/using-spectrum/vm-file-access.adoc > +++ b/Documentation/using-spectrum/vm-file-access.adoc > @@ -48,7 +48,7 @@ can be bind-mounted into it: > + > [listing] > [source,shell] > -echo "Hello, world!" > /ext/example.txt > +echo "Hello, world!" > /media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/example.txt > > 2. Create an empty file to bind mount over: > + > @@ -60,5 +60,5 @@ touch /run/vm/by-name/user.appvm-example/fs/example.txt > + > [listing] > [source,shell] > -mount --rbind /ext/example.txt /run/vm/by-name/user.appvm-example/fs/example.txt > +mount --rbind /media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/example.txt /run/vm/by-name/user.appvm-example/fs/example.txt > ==== > diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile > index 7bec1259..211fb5dd 100644 > --- a/host/rootfs/Makefile > +++ b/host/rootfs/Makefile > @@ -33,8 +33,8 @@ DIRS = \ > etc/s6-linux-init/run-image/user \ > etc/s6-linux-init/run-image/vm/by-id \ > etc/s6-linux-init/run-image/vm/by-name \ > - ext \ > home \ > + media \ > proc \ > run \ > sys \ > diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk > index f69775d2..6bf40ff8 100644 > --- a/host/rootfs/file-list.mk > +++ b/host/rootfs/file-list.mk > @@ -56,6 +56,7 @@ FILES = \ > image/etc/xdg/weston/weston.ini \ > image/usr/bin/assign-devices \ > image/usr/bin/create-vm-dependencies \ > + image/usr/bin/mount-userdata \ > image/usr/bin/root-terminal \ > image/usr/bin/run-appimage \ > image/usr/bin/run-flatpak \ > diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab > index 5c23a374..18bb5e45 100644 > --- a/host/rootfs/image/etc/fstab > +++ b/host/rootfs/image/etc/fstab > @@ -1,7 +1,8 @@ > # SPDX-License-Identifier: CC0-1.0 > # SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross > -proc /proc proc nosuid,nodev,noexec 0 0 > -devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0 > -tmpfs /dev/shm tmpfs nosuid,nodev 0 0 > -sysfs /sys sysfs nosuid,nodev,noexec 0 0 > -tmpfs /tmp tmpfs nosuid,nodev 0 0 > +proc /proc proc nosuid,nodev,noexec 0 0 > +devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0 > +tmpfs /dev/shm tmpfs nosuid,nodev 0 0 > +tmpfs /media tmpfs nosuid,nodev,noexec,nosymfollow,mode=755 0 0 > +sysfs /sys sysfs nosuid,nodev,noexec 0 0 > +tmpfs /tmp tmpfs nosuid,nodev 0 0 > diff --git a/host/rootfs/image/usr/bin/mount-userdata b/host/rootfs/image/usr/bin/mount-userdata > new file mode 100755 > index 00000000..e4a873c0 > --- /dev/null > +++ b/host/rootfs/image/usr/bin/mount-userdata > @@ -0,0 +1,24 @@ > +#!/bin/execlineb -W > +# SPDX-License-Identifier: EUPL-1.2+ > +# SPDX-FileCopyrightText: 2025 Alyssa Ross > + > +backtick -D "" uuid { > + importas -Siu 1 > + blkid -o value -s UUID $1 Missing "--"? > +} > + > +multisubstitute { > + importas -Siu 0 > + importas -Siu 1 > + importas -Siu uuid > +} > + > +case $uuid { > + "" { > + fdmove -c 1 2 > + printf "%s: '%s' does not have a UUID\n" $0 $1 > + } > +} > + > +if { mount -m -o nosuid,nodev,noexec,nosymfollow -- $1 /media/${uuid} } > +printf "%s\n" /media/${uuid} Do we really want a mode of 0755? Also, I believe Spectrum should use noatime. This avoids a burst of unsharing of snapshots due to atime updates. Should this use ‘-t btrfs’? I thought Spectrum assumed this. > base-commit: 1afc3a7042ee1c40b6d2e564219be31ea8f1017f -- Sincerely, Demi Marie Obenour (she/her/hers)