From 0dcac55a0c3fcbb2d48028a4474ccecb37bb22fc Mon Sep 17 00:00:00 2001 From: Ophestra Date: Mon, 25 Aug 2025 19:13:31 +0900 Subject: [PATCH] hst/config: remove container etc field This no longer needs special treatment since it can be specified as a generic filesystem entry. Signed-off-by: Ophestra --- cmd/hakurei/print.go | 8 ------ cmd/hakurei/print_test.go | 40 +++++++++++++++++----------- cmd/hpkg/app.go | 3 +-- cmd/hpkg/with.go | 6 ++--- hst/config.go | 5 ---- hst/hst.go | 5 ++-- hst/hst_test.go | 10 ++++--- internal/app/app_nixos_linux_test.go | 3 ++- internal/app/app_pd_linux_test.go | 4 +-- internal/app/container_linux.go | 12 --------- internal/app/seal_linux.go | 10 ++++++- nixos.nix | 11 ++++++-- test/sandbox/case/pd.nix | 2 +- 13 files changed, 60 insertions(+), 59 deletions(-) diff --git a/cmd/hakurei/print.go b/cmd/hakurei/print.go index 3e238d6..20bfdde 100644 --- a/cmd/hakurei/print.go +++ b/cmd/hakurei/print.go @@ -12,7 +12,6 @@ import ( "text/tabwriter" "time" - "hakurei.app/container" "hakurei.app/hst" "hakurei.app/internal/app/state" "hakurei.app/internal/hlog" @@ -104,18 +103,11 @@ func printShowInstance( writeFlag("tty", params.Tty) writeFlag("mapuid", params.MapRealUID) writeFlag("directwl", config.DirectWayland) - writeFlag("autoetc", params.AutoEtc) if len(flags) == 0 { flags = append(flags, "none") } t.Printf(" Flags:\t%s\n", strings.Join(flags, " ")) - etc := params.Etc - if etc == nil { - etc = container.AbsFHSEtc - } - t.Printf(" Etc:\t%s\n", etc) - if config.Path != nil { t.Printf(" Path:\t%s\n", config.Path) } diff --git a/cmd/hakurei/print_test.go b/cmd/hakurei/print_test.go index 471cb35..d6c60ec 100644 --- a/cmd/hakurei/print_test.go +++ b/cmd/hakurei/print_test.go 
@@ -41,13 +41,13 @@ func Test_printShowInstance(t *testing.T) { Groups: video, dialout, plugdev Data: /var/lib/hakurei/u0/org.chromium.Chromium Hostname: localhost - Flags: userns devel net abstract device tty mapuid autoetc - Etc: /etc/ + Flags: userns devel net abstract device tty mapuid Path: /run/current-system/sw/bin/chromium Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Filesystem autoroot:w:/var/lib/hakurei/base/org.debian + autoetc:/etc/ w+ephemeral(-rwxr-xr-x):/tmp/ w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store */nix/store @@ -83,14 +83,12 @@ App Identity: 0 Enablements: (no enablements) Flags: none - Etc: /etc/ `}, {"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App Identity: 0 Enablements: (no enablements) Flags: none - Etc: /etc/ Filesystem @@ -120,13 +118,13 @@ App Groups: video, dialout, plugdev Data: /var/lib/hakurei/u0/org.chromium.Chromium Hostname: localhost - Flags: userns devel net abstract device tty mapuid autoetc - Etc: /etc/ + Flags: userns devel net abstract device tty mapuid Path: /run/current-system/sw/bin/chromium Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Filesystem autoroot:w:/var/lib/hakurei/base/org.debian + autoetc:/etc/ w+ephemeral(-rwxr-xr-x):/tmp/ w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store */nix/store @@ -286,6 +284,12 @@ App "write": true, "special": true }, + { + "type": "bind", + "dst": "/etc/", + "src": "/etc/", + "special": true + }, { "type": "ephemeral", "dst": "/tmp/", 
@@ -331,9 +335,7 @@ App "target": "/run/user/65534", "linkname": "/run/user/150" } - ], - "etc": "/etc/", - "auto_etc": true + ] } }, "time": "1970-01-01T00:00:00.000000009Z" @@ -440,6 +442,12 @@ App "write": true, "special": true }, + { + "type": "bind", + "dst": "/etc/", + "src": "/etc/", + "special": true + }, { "type": "ephemeral", "dst": "/tmp/", @@ -485,9 +493,7 @@ App "target": "/run/user/65534", "linkname": "/run/user/150" } - ], - "etc": "/etc/", - "auto_etc": true + ] } } `}, @@ -648,6 +654,12 @@ func Test_printPs(t *testing.T) { "write": true, "special": true }, + { + "type": "bind", + "dst": "/etc/", + "src": "/etc/", + "special": true + }, { "type": "ephemeral", "dst": "/tmp/", @@ -693,9 +705,7 @@ func Test_printPs(t *testing.T) { "target": "/run/user/65534", "linkname": "/run/user/150" } - ], - "etc": "/etc/", - "auto_etc": true + ] } }, "time": "1970-01-01T00:00:00.000000009Z" diff --git a/cmd/hpkg/app.go b/cmd/hpkg/app.go index e35dbf9..cd548dc 100644 --- a/cmd/hpkg/app.go +++ b/cmd/hpkg/app.go @@ -94,6 +94,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg Tty: app.Tty || flagDropShell, MapRealUID: app.MapRealUID, Filesystem: []hst.FilesystemConfigJSON{ + {FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}}, @@ -108,8 +109,6 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg {pathBin, pathSwBin.String()}, {container.AbsFHSUsrBin, pathSwBin.String()}, }, - Etc: pathSet.cacheDir.Append("etc"), - AutoEtc: true, }, ExtraPerms: []*hst.ExtraPermConfig{ {Path: dataHome, Execute: true}, 
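Review bot: The new /etc entry is placed first in toHst's Filesystem slice, whereas seal_linux.go appends the equivalent entry last (commented "do autoetc last") and nixos.nix puts it after extraPaths; the two with.go hunks (withNixDaemon, withCacheDir) also put it first. If the position of the special /etc bind relative to the other entries matters, as that comment suggests, hpkg should use the same placement, i.e. move the line to the end of the slice after the `resolv.conf` bind. Before this commit the Etc step ran after every Filesystem entry, so the optional bind of `container.AbsFHSEtc.Append("resolv.conf")` preceded /etc setup and now follows it; whether the result is unchanged depends on what a Special bind does to the /etc mount point, which this diff does not show, so a test pinning the hpkg ordering would settle it. Minor: withCacheDir spells the source as `workDir.Append(container.FHSEtc)` while toHst and withNixDaemon use the literal `"etc"`; pick one. toHst begins and ends outside the hunk.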
diff --git a/cmd/hpkg/with.go b/cmd/hpkg/with.go index acb503d..21adeec 100644 --- a/cmd/hpkg/with.go +++ b/cmd/hpkg/with.go @@ -49,6 +49,7 @@ func withNixDaemon( SeccompFlags: seccomp.AllowMultiarch, Tty: dropShell, Filesystem: []hst.FilesystemConfigJSON{ + {FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}}, }, Link: []hst.LinkConfig{ @@ -56,8 +57,6 @@ func withNixDaemon( {pathBin, pathSwBin.String()}, {container.AbsFHSUsrBin, pathSwBin.String()}, }, - Etc: pathSet.cacheDir.Append("etc"), - AutoEtc: true, }, }), dropShell, beforeFail) } @@ -89,6 +88,7 @@ func withCacheDir( SeccompFlags: seccomp.AllowMultiarch, Tty: dropShell, Filesystem: []hst.FilesystemConfigJSON{ + {FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: workDir.Append(container.FHSEtc), Special: true}}, {FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}}, {FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}}, }, @@ -97,8 +97,6 @@ func withCacheDir( {pathBin, pathSwBin.String()}, {container.AbsFHSUsrBin, pathSwBin.String()}, }, - Etc: workDir.Append(container.FHSEtc), - AutoEtc: true, }, }, dropShell, beforeFail) } diff --git a/hst/config.go b/hst/config.go index e2f95d1..8f17de9 100644 --- a/hst/config.go +++ b/hst/config.go @@ -98,11 +98,6 @@ type ( Filesystem []FilesystemConfigJSON `json:"filesystem"` // create symlinks inside container filesystem Link []LinkConfig `json:"symlink"` - - // read-only /etc directory - Etc *container.Absolute `json:"etc,omitempty"` - // automatically set up /etc symlinks - AutoEtc bool `json:"auto_etc"` } LinkConfig struct { diff --git a/hst/hst.go b/hst/hst.go index 6654a4b..6d0f9a2 100644 --- a/hst/hst.go +++ b/hst/hst.go 
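Review bot: Removing the `etc` and `auto_etc` JSON fields from ContainerConfig means a config written for the previous schema still decodes, but those keys are silently dropped — encoding/json ignores unknown keys unless the decoder calls DisallowUnknownFields, and nothing in this diff shows that — so an app that relied on `auto_etc: true` would now start with no /etc set up and no diagnostic. Either keep a deprecation path for the old keys or at least document the replacement on the field that now carries it, e.g. `// container filesystem entries; the former etc/auto_etc fields are now expressed as an FSBind to /etc with Special set`. The ContainerConfig declaration continues outside the hunk.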
@@ -98,6 +98,7 @@ func Template() *Config { }, Filesystem: []FilesystemConfigJSON{ {&FSBind{container.AbsFHSRoot, container.AbsFHSVarLib.Append("hakurei/base/org.debian"), true, false, false, true}}, + {&FSBind{container.AbsFHSEtc, container.AbsFHSEtc, false, false, false, true}}, {&FSEphemeral{Target: container.AbsFHSTmp, Write: true, Perm: 0755}}, {&FSOverlay{ Target: container.MustAbs("/nix/store"), @@ -112,9 +113,7 @@ func Template() *Config { Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}}, {&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}}, }, - Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}}, - Etc: container.AbsFHSEtc, - AutoEtc: true, + Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}}, }, } } diff --git a/hst/hst_test.go b/hst/hst_test.go index 897bf93..553533b 100644 --- a/hst/hst_test.go +++ b/hst/hst_test.go @@ -109,6 +109,12 @@ func TestTemplate(t *testing.T) { "write": true, "special": true }, + { + "type": "bind", + "dst": "/etc/", + "src": "/etc/", + "special": true + }, { "type": "ephemeral", "dst": "/tmp/", @@ -154,9 +160,7 @@ func TestTemplate(t *testing.T) { "target": "/run/user/65534", "linkname": "/run/user/150" } - ], - "etc": "/etc/", - "auto_etc": true + ] } }` diff --git a/internal/app/app_nixos_linux_test.go b/internal/app/app_nixos_linux_test.go index 2bf8f67..4200aaa 100644 --- a/internal/app/app_nixos_linux_test.go +++ b/internal/app/app_nixos_linux_test.go @@ -27,7 +27,7 @@ var testCasesNixos = []sealTestCase{ Shell: m("/run/current-system/sw/bin/zsh"), Container: &hst.ContainerConfig{ - Userns: true, HostNet: true, MapRealUID: true, Env: nil, AutoEtc: true, + Userns: true, HostNet: true, MapRealUID: true, Env: nil, Filesystem: []hst.FilesystemConfigJSON{ f(&hst.FSBind{Source: m("/bin")}), f(&hst.FSBind{Source: m("/usr/bin/")}), 
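Review bot: The added Template entry `{&FSBind{container.AbsFHSEtc, container.AbsFHSEtc, false, false, false, true}}` is a positional literal, so its meaning depends on remembering the field order, and a reordering of the three bool fields would change behaviour without a compile error; every other hunk in this commit writes the same entry with keyed fields. Prefer `{&FSBind{Target: container.AbsFHSEtc, Source: container.AbsFHSEtc, Special: true}}`, which also makes it visible which flags are left false (from the keyed forms elsewhere in the diff these appear to be Write, Device and Optional). Template begins and ends outside the hunk.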
@@ -40,6 +40,7 @@ var testCasesNixos = []sealTestCase{ f(&hst.FSBind{Source: m("/sys/devices"), Optional: true}), f(&hst.FSBind{Source: m("/run/opengl-driver")}), f(&hst.FSBind{Source: m("/dev/dri"), Device: true, Optional: true}), + f(&hst.FSBind{Source: m("/etc/"), Target: m("/etc/"), Special: true}), }, }, SystemBus: &dbus.Config{ diff --git a/internal/app/app_pd_linux_test.go b/internal/app/app_pd_linux_test.go index f3ce4cd..8afedf1 100644 --- a/internal/app/app_pd_linux_test.go +++ b/internal/app/app_pd_linux_test.go @@ -49,9 +49,9 @@ var testCasesPd = []sealTestCase{ DevWritable(m("/dev/"), true). Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional). Readonly(m("/var/run/nscd"), 0755). + Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac"). Tmpfs(m("/run/user/1971"), 8192, 0755). Tmpfs(m("/run/dbus"), 8192, 0755). - Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac"). Remount(m("/dev/"), syscall.MS_RDONLY). Tmpfs(m("/run/user/"), 4096, 0755). Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable). @@ -186,9 +186,9 @@ var testCasesPd = []sealTestCase{ Bind(m("/dev/dri"), m("/dev/dri"), container.BindWritable|container.BindDevice|container.BindOptional). Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional). Readonly(m("/var/run/nscd"), 0755). + Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c"). Tmpfs(m("/run/user/1971"), 8192, 0755). Tmpfs(m("/run/dbus"), 8192, 0755). - Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c"). Remount(m("/dev/"), syscall.MS_RDONLY). Tmpfs(m("/run/user/"), 4096, 0755). Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable). diff --git a/internal/app/container_linux.go b/internal/app/container_linux.go index 30477fe..d604012 100644 --- a/internal/app/container_linux.go +++ b/internal/app/container_linux.go 
@@ -244,18 +244,6 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid params.Link(l.Target, linkname, dereference) } - if !s.AutoEtc { - if s.Etc != nil { - params.Bind(s.Etc, container.AbsFHSEtc, 0) - } - } else { - if s.Etc == nil { - params.Etc(container.AbsFHSEtc, prefix) - } else { - params.Etc(s.Etc, prefix) - } - } - // no more ContainerConfig paths beyond this point if !s.Device { params.Remount(container.AbsFHSDev, syscall.MS_RDONLY) diff --git a/internal/app/seal_linux.go b/internal/app/seal_linux.go index 4e77e79..c2b580b 100644 --- a/internal/app/seal_linux.go +++ b/internal/app/seal_linux.go @@ -242,7 +242,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co HostNet: true, HostAbstract: true, Tty: true, - AutoEtc: true, Filesystem: []hst.FilesystemConfigJSON{ {&hst.FSBind{ @@ -267,6 +266,15 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Target: nscd}}) } + // do autoetc last + conf.Filesystem = append(conf.Filesystem, + hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{ + Target: container.AbsFHSEtc, + Source: container.AbsFHSEtc, + Special: true, + }}, + ) + config.Container = conf } diff --git a/nixos.nix b/nixos.nix index 64bc8be..c2858e9 100644 --- a/nixos.nix +++ b/nixos.nix @@ -180,8 +180,15 @@ in (optDevBind "/dev/nvidia0") ] ++ optionals app.useCommonPaths cfg.commonPaths - ++ app.extraPaths; - auto_etc = true; + ++ app.extraPaths + ++ [ + { + type = "bind"; + dst = "/etc/"; + src = "/etc/"; + special = true; + } + ]; symlink = [ { diff --git a/test/sandbox/case/pd.nix b/test/sandbox/case/pd.nix index 49230bc..6d58ad5 100644 --- a/test/sandbox/case/pd.nix +++ b/test/sandbox/case/pd.nix 
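Review bot: The comment `// do autoetc last` on the new append in finalise says what but not why, and "last" only holds within conf.Filesystem: the expected operation order in the updated pd_linux_test shows the Etc operation now running before the `/run/user/1971` and `/run/dbus` Tmpfs operations, where before this commit it ran after them. If the intent is that no config-supplied filesystem entry may follow the special /etc bind, state that, e.g. `// the special /etc bind must stay the final entry of conf.Filesystem so that no caller-supplied entry is applied after it`; if the changed position relative to the later tmpfs mounts is deliberate, that deserves a sentence as well. finalise begins and ends outside the hunk.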
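Review bot: The /etc attribute set appended after `app.extraPaths` carries no comment explaining why it follows every user-supplied path or what `special = true` means for a bind entry, while the Go side at least notes the ordering; a reader of the module cannot tell that moving it would change behaviour. Add a line such as `# special /etc bind; keep after extraPaths so it is the last filesystem entry` above the set.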
@@ -182,9 +182,9 @@ (ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw") (ent "/kvm" "/dev/kvm" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) (ent "/" "/run/nscd" "ro,nosuid,nodev,relatime" "tmpfs" "readonly" "ro,mode=755,uid=1000000,gid=1000000") + (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000") (ent "/" "/run/dbus" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000") - (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000") (ent "/tmp/hakurei.1000/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/tmp/hakurei.1000/tmpdir/0" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")