hst/config: remove container etc field

This no longer needs special treatment since it can be specified as a generic filesystem entry. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-25 19:13:31 +09:00 · 2025-08-25 19:13:31 +09:00 · 0dcac55a0c
commit 0dcac55a0c
parent 6d202d73b4
13 changed files with 60 additions and 59 deletions
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@ -12,7 +12,6 @@ import (
 	"text/tabwriter"
 	"time"

-	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal/app/state"
 	"hakurei.app/internal/hlog"
@ -104,18 +103,11 @@ func printShowInstance(
 		writeFlag("tty", params.Tty)
 		writeFlag("mapuid", params.MapRealUID)
 		writeFlag("directwl", config.DirectWayland)
-		writeFlag("autoetc", params.AutoEtc)
 		if len(flags) == 0 {
 			flags = append(flags, "none")
 		}
 		t.Printf(" Flags:\t%s\n", strings.Join(flags, " "))

-		etc := params.Etc
-		if etc == nil {
-			etc = container.AbsFHSEtc
-		}
-		t.Printf(" Etc:\t%s\n", etc)
-
 		if config.Path != nil {
 			t.Printf(" Path:\t%s\n", config.Path)
 		}
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@ -41,13 +41,13 @@ func Test_printShowInstance(t *testing.T) {
 Groups:         video, dialout, plugdev
 Data:           /var/lib/hakurei/u0/org.chromium.Chromium
 Hostname:       localhost
- Flags:          userns devel net abstract device tty mapuid autoetc
- Etc:            /etc/
+ Flags:          userns devel net abstract device tty mapuid
 Path:           /run/current-system/sw/bin/chromium
 Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland

 Filesystem
 autoroot:w:/var/lib/hakurei/base/org.debian
+ autoetc:/etc/
 w+ephemeral(-rwxr-xr-x):/tmp/
 w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
 */nix/store
@ -83,14 +83,12 @@ App
 Identity:       0
 Enablements:    (no enablements)
 Flags:          none
- Etc:            /etc/

 `},
 		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App
 Identity:       0
 Enablements:    (no enablements)
 Flags:          none
- Etc:            /etc/

 Filesystem
 <invalid>
@ -120,13 +118,13 @@ App
 Groups:         video, dialout, plugdev
 Data:           /var/lib/hakurei/u0/org.chromium.Chromium
 Hostname:       localhost
- Flags:          userns devel net abstract device tty mapuid autoetc
- Etc:            /etc/
+ Flags:          userns devel net abstract device tty mapuid
 Path:           /run/current-system/sw/bin/chromium
 Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland

 Filesystem
 autoroot:w:/var/lib/hakurei/base/org.debian
+ autoetc:/etc/
 w+ephemeral(-rwxr-xr-x):/tmp/
 w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
 */nix/store
@ -286,6 +284,12 @@ App
          "write": true,
          "special": true
        },
+        {
+          "type": "bind",
+          "dst": "/etc/",
+          "src": "/etc/",
+          "special": true
+        },
        {
          "type": "ephemeral",
          "dst": "/tmp/",
@ -331,9 +335,7 @@ App
          "target": "/run/user/65534",
          "linkname": "/run/user/150"
        }
-      ],
-      "etc": "/etc/",
-      "auto_etc": true
+      ]
    }
  },
  "time": "1970-01-01T00:00:00.000000009Z"
@ -440,6 +442,12 @@ App
        "write": true,
        "special": true
      },
+      {
+        "type": "bind",
+        "dst": "/etc/",
+        "src": "/etc/",
+        "special": true
+      },
      {
        "type": "ephemeral",
        "dst": "/tmp/",
@ -485,9 +493,7 @@ App
        "target": "/run/user/65534",
        "linkname": "/run/user/150"
      }
-    ],
-    "etc": "/etc/",
-    "auto_etc": true
+    ]
  }
 }
 `},
@ -648,6 +654,12 @@ func Test_printPs(t *testing.T) {
            "write": true,
            "special": true
          },
+          {
+            "type": "bind",
+            "dst": "/etc/",
+            "src": "/etc/",
+            "special": true
+          },
          {
            "type": "ephemeral",
            "dst": "/tmp/",
@ -693,9 +705,7 @@ func Test_printPs(t *testing.T) {
            "target": "/run/user/65534",
            "linkname": "/run/user/150"
          }
-        ],
-        "etc": "/etc/",
-        "auto_etc": true
+        ]
      }
    },
    "time": "1970-01-01T00:00:00.000000009Z"
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@ -94,6 +94,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
 			Tty:          app.Tty || flagDropShell,
 			MapRealUID:   app.MapRealUID,
 			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}},
 				{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
@ -108,8 +109,6 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
 				{pathBin, pathSwBin.String()},
 				{container.AbsFHSUsrBin, pathSwBin.String()},
 			},
-			Etc:     pathSet.cacheDir.Append("etc"),
-			AutoEtc: true,
 		},
 		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
--- a/cmd/hpkg/with.go
+++ b/cmd/hpkg/with.go
@ -49,6 +49,7 @@ func withNixDaemon(
 			SeccompFlags: seccomp.AllowMultiarch,
 			Tty:          dropShell,
 			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
 			},
 			Link: []hst.LinkConfig{
@ -56,8 +57,6 @@ func withNixDaemon(
 				{pathBin, pathSwBin.String()},
 				{container.AbsFHSUsrBin, pathSwBin.String()},
 			},
-			Etc:     pathSet.cacheDir.Append("etc"),
-			AutoEtc: true,
 		},
 	}), dropShell, beforeFail)
 }
@ -89,6 +88,7 @@ func withCacheDir(
 			SeccompFlags: seccomp.AllowMultiarch,
 			Tty:          dropShell,
 			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: workDir.Append(container.FHSEtc), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
 				{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}},
 			},
@ -97,8 +97,6 @@ func withCacheDir(
 				{pathBin, pathSwBin.String()},
 				{container.AbsFHSUsrBin, pathSwBin.String()},
 			},
-			Etc:     workDir.Append(container.FHSEtc),
-			AutoEtc: true,
 		},
 	}, dropShell, beforeFail)
 }
--- a/hst/config.go
+++ b/hst/config.go
@ -98,11 +98,6 @@ type (
 		Filesystem []FilesystemConfigJSON `json:"filesystem"`
 		// create symlinks inside container filesystem
 		Link []LinkConfig `json:"symlink"`
-
-		// read-only /etc directory
-		Etc *container.Absolute `json:"etc,omitempty"`
-		// automatically set up /etc symlinks
-		AutoEtc bool `json:"auto_etc"`
 	}

 	LinkConfig struct {
--- a/hst/hst.go
+++ b/hst/hst.go
@ -98,6 +98,7 @@ func Template() *Config {
 			},
 			Filesystem: []FilesystemConfigJSON{
 				{&FSBind{container.AbsFHSRoot, container.AbsFHSVarLib.Append("hakurei/base/org.debian"), true, false, false, true}},
+				{&FSBind{container.AbsFHSEtc, container.AbsFHSEtc, false, false, false, true}},
 				{&FSEphemeral{Target: container.AbsFHSTmp, Write: true, Perm: 0755}},
 				{&FSOverlay{
 					Target: container.MustAbs("/nix/store"),
@ -112,9 +113,7 @@ func Template() *Config {
 					Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
 				{&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
 			},
-			Link:    []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
-			Etc:     container.AbsFHSEtc,
-			AutoEtc: true,
+			Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
 		},
 	}
 }
--- a/hst/hst_test.go
+++ b/hst/hst_test.go
@ -109,6 +109,12 @@ func TestTemplate(t *testing.T) {
 				"write": true,
 				"special": true
 			},
+			{
+				"type": "bind",
+				"dst": "/etc/",
+				"src": "/etc/",
+				"special": true
+			},
 			{
 				"type": "ephemeral",
 				"dst": "/tmp/",
@ -154,9 +160,7 @@ func TestTemplate(t *testing.T) {
 				"target": "/run/user/65534",
 				"linkname": "/run/user/150"
 			}
-		],
-		"etc": "/etc/",
-		"auto_etc": true
+		]
 	}
 }`

--- a/internal/app/app_nixos_linux_test.go
+++ b/internal/app/app_nixos_linux_test.go
@ -27,7 +27,7 @@ var testCasesNixos = []sealTestCase{
 			Shell:       m("/run/current-system/sw/bin/zsh"),

 			Container: &hst.ContainerConfig{
-				Userns: true, HostNet: true, MapRealUID: true, Env: nil, AutoEtc: true,
+				Userns: true, HostNet: true, MapRealUID: true, Env: nil,
 				Filesystem: []hst.FilesystemConfigJSON{
 					f(&hst.FSBind{Source: m("/bin")}),
 					f(&hst.FSBind{Source: m("/usr/bin/")}),
@ -40,6 +40,7 @@ var testCasesNixos = []sealTestCase{
 					f(&hst.FSBind{Source: m("/sys/devices"), Optional: true}),
 					f(&hst.FSBind{Source: m("/run/opengl-driver")}),
 					f(&hst.FSBind{Source: m("/dev/dri"), Device: true, Optional: true}),
+					f(&hst.FSBind{Source: m("/etc/"), Target: m("/etc/"), Special: true}),
 				},
 			},
 			SystemBus: &dbus.Config{
--- a/internal/app/app_pd_linux_test.go
+++ b/internal/app/app_pd_linux_test.go
@ -49,9 +49,9 @@ var testCasesPd = []sealTestCase{
 				DevWritable(m("/dev/"), true).
 				Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
 				Readonly(m("/var/run/nscd"), 0755).
+				Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
 				Tmpfs(m("/run/user/1971"), 8192, 0755).
 				Tmpfs(m("/run/dbus"), 8192, 0755).
-				Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
 				Remount(m("/dev/"), syscall.MS_RDONLY).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable).
@ -186,9 +186,9 @@ var testCasesPd = []sealTestCase{
 				Bind(m("/dev/dri"), m("/dev/dri"), container.BindWritable|container.BindDevice|container.BindOptional).
 				Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
 				Readonly(m("/var/run/nscd"), 0755).
+				Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
 				Tmpfs(m("/run/user/1971"), 8192, 0755).
 				Tmpfs(m("/run/dbus"), 8192, 0755).
-				Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
 				Remount(m("/dev/"), syscall.MS_RDONLY).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable).
--- a/internal/app/container_linux.go
+++ b/internal/app/container_linux.go
@ -244,18 +244,6 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 		params.Link(l.Target, linkname, dereference)
 	}

-	if !s.AutoEtc {
-		if s.Etc != nil {
-			params.Bind(s.Etc, container.AbsFHSEtc, 0)
-		}
-	} else {
-		if s.Etc == nil {
-			params.Etc(container.AbsFHSEtc, prefix)
-		} else {
-			params.Etc(s.Etc, prefix)
-		}
-	}
-
 	// no more ContainerConfig paths beyond this point
 	if !s.Device {
 		params.Remount(container.AbsFHSDev, syscall.MS_RDONLY)
--- a/internal/app/seal_linux.go
+++ b/internal/app/seal_linux.go
@ -242,7 +242,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 			HostNet:      true,
 			HostAbstract: true,
 			Tty:          true,
-			AutoEtc:      true,

 			Filesystem: []hst.FilesystemConfigJSON{
 				{&hst.FSBind{
@ -267,6 +266,15 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 			conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Target: nscd}})
 		}

+		// do autoetc last
+		conf.Filesystem = append(conf.Filesystem,
+			hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
+				Target:  container.AbsFHSEtc,
+				Source:  container.AbsFHSEtc,
+				Special: true,
+			}},
+		)
+
 		config.Container = conf
 	}

--- a/nixos.nix
+++ b/nixos.nix
@ -180,8 +180,15 @@ in
                          (optDevBind "/dev/nvidia0")
                        ]
                        ++ optionals app.useCommonPaths cfg.commonPaths
-                        ++ app.extraPaths;
-                      auto_etc = true;
+                        ++ app.extraPaths
+                        ++ [
+                          {
+                            type = "bind";
+                            dst = "/etc/";
+                            src = "/etc/";
+                            special = true;
+                          }
+                        ];

                      symlink = [
                        {
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@ -182,9 +182,9 @@
      (ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw")
      (ent "/kvm" "/dev/kvm" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/" "/run/nscd" "ro,nosuid,nodev,relatime" "tmpfs" "readonly" "ro,mode=755,uid=1000000,gid=1000000")
+      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
      (ent "/" "/run/dbus" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
-      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
      (ent "/tmp/hakurei.1000/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/hakurei.1000/tmpdir/0" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")