hst/fs: interface filesystem config

This allows mount points to be represented by different underlying structs.

Signed-off-by: Ophestra <cat@gensokyo.uk>

hst/config.go

@@ -66,7 +66,7 @@ type ExtraPermConfig struct {
 }
 
 func (e *ExtraPermConfig) String() string {
-	if e.Path == nil {
+	if e == nil || e.Path == nil {
 		return "<invalid>"
 	}
 	buf := make([]byte, 0, 5+len(e.Path.String()))

hst/config_test.go

@@ -0,0 +1,35 @@
+package hst_test
+
+import (
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestExtraPermConfig(t *testing.T) {
+	testCases := []struct {
+		name   string
+		config *hst.ExtraPermConfig
+		want   string
+	}{
+		{"nil", nil, "<invalid>"},
+		{"nil path", &hst.ExtraPermConfig{Path: nil}, "<invalid>"},
+		{"r", &hst.ExtraPermConfig{Path: container.AbsFHSRoot, Read: true}, "r--:/"},
+		{"r+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRoot, Read: true}, "r--+:/"},
+		{"w", &hst.ExtraPermConfig{Path: hst.AbsTmp, Write: true}, "-w-:/.hakurei"},
+		{"w+", &hst.ExtraPermConfig{Ensure: true, Path: hst.AbsTmp, Write: true}, "-w-+:/.hakurei"},
+		{"x", &hst.ExtraPermConfig{Path: container.AbsFHSRunUser, Execute: true}, "--x:/run/user/"},
+		{"x+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRunUser, Execute: true}, "--x+:/run/user/"},
+		{"rwx", &hst.ExtraPermConfig{Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx:/tmp/"},
+		{"rwx+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx+:/tmp/"},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := tc.config.String(); got != tc.want {
+				t.Errorf("String: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}

hst/container.go

@@ -51,8 +51,8 @@ type (
 
 		// pass through all devices
 		Device bool `json:"device,omitempty"`
-		// container host filesystem bind mounts
-		Filesystem []FilesystemConfig `json:"filesystem"`
+		// container mount points
+		Filesystem []FilesystemConfigJSON `json:"filesystem"`
 		// create symlinks inside container filesystem
 		Link []LinkConfig `json:"symlink"`
 
@@ -68,20 +68,6 @@ type (
 		AutoEtc bool `json:"auto_etc"`
 	}
 
-	// FilesystemConfig is an abstract representation of a bind mount.
-	FilesystemConfig struct {
-		// mount point in container, same as src if empty
-		Dst *container.Absolute `json:"dst,omitempty"`
-		// host filesystem path to make available to the container
-		Src *container.Absolute `json:"src"`
-		// do not mount filesystem read-only
-		Write bool `json:"write,omitempty"`
-		// do not disable device files
-		Device bool `json:"dev,omitempty"`
-		// fail if the bind mount cannot be established for any reason
-		Must bool `json:"require,omitempty"`
-	}
-
 	LinkConfig struct {
 		// symlink target in container
 		Target *container.Absolute `json:"target"`

hst/fs.go

@@ -0,0 +1,121 @@
+package hst
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"reflect"
+
+	"hakurei.app/container"
+)
+
+// FilesystemConfig is an abstract representation of a mount point.
+type FilesystemConfig interface {
+	// Type returns the type of this mount point.
+	Type() string
+	// Target returns the pathname of the mount point in the container.
+	Target() *container.Absolute
+	// Host returns a slice of all host paths used by this mount point.
+	Host() []*container.Absolute
+	// Apply appends the [container.Op] implementing this mount point.
+	Apply(ops *container.Ops)
+
+	fmt.Stringer
+}
+
+var (
+	ErrFSNull = errors.New("unexpected null in mount point")
+)
+
+// FSTypeError is returned when [ContainerConfig.Filesystem] contains an entry with invalid type.
+type FSTypeError string
+
+func (f FSTypeError) Error() string { return fmt.Sprintf("invalid filesystem type %q", string(f)) }
+
+// FSImplError is returned when the underlying struct of [FilesystemConfig] does not match
+// what [FilesystemConfig.Type] claims to be.
+type FSImplError struct {
+	Type  string
+	Value FilesystemConfig
+}
+
+func (f FSImplError) Error() string {
+	implType := reflect.TypeOf(f.Value)
+	var name string
+	for implType != nil && implType.Kind() == reflect.Ptr {
+		name += "*"
+		implType = implType.Elem()
+	}
+	if implType != nil {
+		name += implType.Name()
+	} else {
+		name += "nil"
+	}
+	return fmt.Sprintf("implementation %s is not %s", name, f.Type)
+}
+
+// FilesystemConfigJSON is the [json] adapter for [FilesystemConfig].
+type FilesystemConfigJSON struct {
+	FilesystemConfig
+}
+
+// Valid returns whether the [FilesystemConfigJSON] is valid.
+func (f *FilesystemConfigJSON) Valid() bool { return f != nil && f.FilesystemConfig != nil }
+
+func (f *FilesystemConfigJSON) MarshalJSON() ([]byte, error) {
+	if f == nil || f.FilesystemConfig == nil {
+		return nil, ErrFSNull
+	}
+	var v any
+	t := f.Type()
+	switch t {
+	case FilesystemBind:
+		if ct, ok := f.FilesystemConfig.(*FSBind); !ok {
+			return nil, FSImplError{t, f.FilesystemConfig}
+		} else {
+			v = &struct {
+				Type string `json:"type"`
+				*FSBind
+			}{FilesystemBind, ct}
+		}
+
+	case FilesystemEphemeral:
+		if ct, ok := f.FilesystemConfig.(*FSEphemeral); !ok {
+			return nil, FSImplError{t, f.FilesystemConfig}
+		} else {
+			v = &struct {
+				Type string `json:"type"`
+				*FSEphemeral
+			}{FilesystemEphemeral, ct}
+		}
+
+	default:
+		return nil, FSTypeError(t)
+	}
+
+	return json.Marshal(v)
+}
+
+func (f *FilesystemConfigJSON) UnmarshalJSON(data []byte) error {
+	t := new(struct {
+		Type string `json:"type"`
+	})
+	if err := json.Unmarshal(data, &t); err != nil {
+		return err
+	}
+	if t == nil {
+		return ErrFSNull
+	}
+	switch t.Type {
+	case FilesystemBind:
+		*f = FilesystemConfigJSON{new(FSBind)}
+
+	case FilesystemEphemeral:
+		*f = FilesystemConfigJSON{new(FSEphemeral)}
+
+	default:
+		return FSTypeError(t.Type)
+	}
+
+	return json.Unmarshal(data, f.FilesystemConfig)
+}

hst/fs_test.go

@@ -0,0 +1,269 @@
+package hst_test
+
+import (
+	"encoding/json"
+	"errors"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFilesystemConfigJSON(t *testing.T) {
+	testCases := []struct {
+		name string
+		want hst.FilesystemConfigJSON
+
+		wantErr     error
+		data, sData string
+	}{
+		{"nil", hst.FilesystemConfigJSON{FilesystemConfig: nil}, hst.ErrFSNull,
+			`null`, `{"fs":null,"magic":3236757504}`},
+
+		{"bad type", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"cat"}},
+			hst.FSTypeError("cat"),
+			`{"type":"cat","meow":true}`, `{"fs":{"type":"cat","meow":true},"magic":3236757504}`},
+
+		{"bad impl bind", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"bind"}},
+			hst.FSImplError{
+				Type:  "bind",
+				Value: stubFS{"bind"},
+			},
+			"\x00", "\x00"},
+
+		{"bad impl ephemeral", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"ephemeral"}},
+			hst.FSImplError{
+				Type:  "ephemeral",
+				Value: stubFS{"ephemeral"},
+			},
+			"\x00", "\x00"},
+
+		{"bind", hst.FilesystemConfigJSON{
+			FilesystemConfig: &hst.FSBind{
+				Dst:      m("/etc"),
+				Src:      m("/mnt/etc"),
+				Optional: true,
+			},
+		}, nil,
+			`{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true}`,
+			`{"fs":{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true},"magic":3236757504}`},
+
+		{"ephemeral", hst.FilesystemConfigJSON{
+			FilesystemConfig: &hst.FSEphemeral{
+				Dst:   m("/run/user/65534"),
+				Write: true,
+				Size:  1 << 10,
+				Perm:  0700,
+			},
+		}, nil,
+			`{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448}`,
+			`{"fs":{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448},"magic":3236757504}`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Run("marshal", func(t *testing.T) {
+				{
+					d, err := json.Marshal(&tc.want)
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						goto checkSMarshal
+					}
+					if string(d) != tc.data {
+						t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.data)
+					}
+				}
+
+			checkSMarshal:
+				{
+					d, err := json.Marshal(&sCheck{tc.want, syscall.MS_MGC_VAL})
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						return
+					}
+					if string(d) != tc.sData {
+						t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sData)
+					}
+				}
+			})
+
+			t.Run("unmarshal", func(t *testing.T) {
+				if tc.data == "\x00" && tc.sData == "\x00" {
+					if errors.As(tc.wantErr, new(hst.FSImplError)) {
+						// this error is only returned on marshal
+						return
+					}
+				}
+
+				{
+					var got hst.FilesystemConfigJSON
+					err := json.Unmarshal([]byte(tc.data), &got)
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						goto checkSUnmarshal
+					}
+					if !reflect.DeepEqual(&tc.want, &got) {
+						t.Errorf("Unmarshal: %#v, want %#v", &tc.want, &got)
+					}
+				}
+
+			checkSUnmarshal:
+				{
+					var got sCheck
+					err := json.Unmarshal([]byte(tc.sData), &got)
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						return
+					}
+					want := sCheck{tc.want, syscall.MS_MGC_VAL}
+					if !reflect.DeepEqual(&got, &want) {
+						t.Errorf("Unmarshal: %#v, want %#v", &got, &want)
+					}
+				}
+			})
+		})
+	}
+
+	t.Run("valid", func(t *testing.T) {
+		if got := (*hst.FilesystemConfigJSON).Valid(nil); got {
+			t.Errorf("Valid: %v, want false", got)
+		}
+
+		if got := new(hst.FilesystemConfigJSON).Valid(); got {
+			t.Errorf("Valid: %v, want false", got)
+		}
+
+		if got := (&hst.FilesystemConfigJSON{FilesystemConfig: new(hst.FSBind)}).Valid(); !got {
+			t.Errorf("Valid: %v, want true", got)
+		}
+	})
+
+	t.Run("passthrough", func(t *testing.T) {
+		if err := new(hst.FilesystemConfigJSON).UnmarshalJSON(make([]byte, 0)); err == nil {
+			t.Errorf("UnmarshalJSON: error = %v", err)
+		}
+	})
+}
+
+func TestFSErrors(t *testing.T) {
+	t.Run("type", func(t *testing.T) {
+		want := `invalid filesystem type "cat"`
+		if got := hst.FSTypeError("cat").Error(); got != want {
+			t.Errorf("Error: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("impl", func(t *testing.T) {
+		testCases := []struct {
+			name string
+			val  hst.FilesystemConfig
+			want string
+		}{
+			{"nil", nil, "implementation nil is not cat"},
+			{"stub", stubFS{"cat"}, "implementation stubFS is not cat"},
+			{"*stub", &stubFS{"cat"}, "implementation *stubFS is not cat"},
+			{"(*stub)(nil)", (*stubFS)(nil), "implementation *stubFS is not cat"},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				err := hst.FSImplError{Type: "cat", Value: tc.val}
+				if got := err.Error(); got != tc.want {
+					t.Errorf("Error: %q, want %q", got, tc.want)
+				}
+			})
+		}
+	})
+}
+
+type stubFS struct {
+	typeName string
+}
+
+func (s stubFS) Type() string                { return s.typeName }
+func (s stubFS) Target() *container.Absolute { panic("unreachable") }
+func (s stubFS) Host() []*container.Absolute { panic("unreachable") }
+func (s stubFS) Apply(*container.Ops)        { panic("unreachable") }
+func (s stubFS) String() string              { return "<invalid " + s.typeName + ">" }
+
+type sCheck struct {
+	FS    hst.FilesystemConfigJSON `json:"fs"`
+	Magic int                      `json:"magic"`
+}
+
+type fsTestCase struct {
+	name   string
+	fs     hst.FilesystemConfig
+	ops    container.Ops
+	target *container.Absolute
+	host   []*container.Absolute
+	str    string
+}
+
+func checkFs(t *testing.T, fstype string, testCases []fsTestCase) {
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := tc.fs.Type(); got != fstype {
+				t.Errorf("Type: %q, want %q", got, fstype)
+			}
+
+			t.Run("ops", func(t *testing.T) {
+				ops := new(container.Ops)
+				tc.fs.Apply(ops)
+				if !reflect.DeepEqual(ops, &tc.ops) {
+					gotString := new(strings.Builder)
+					for _, op := range *ops {
+						gotString.WriteString("\n" + op.String())
+					}
+					wantString := new(strings.Builder)
+					for _, op := range tc.ops {
+						wantString.WriteString("\n" + op.String())
+					}
+					t.Errorf("Apply: %s, want %s", gotString, wantString)
+				}
+			})
+
+			t.Run("target", func(t *testing.T) {
+				if got := tc.fs.Target(); !reflect.DeepEqual(got, tc.target) {
+					t.Errorf("Target: %q, want %q", got, tc.target)
+				}
+			})
+
+			t.Run("host", func(t *testing.T) {
+				if got := tc.fs.Host(); !reflect.DeepEqual(got, tc.host) {
+					t.Errorf("Host: %q, want %q", got, tc.host)
+				}
+			})
+
+			t.Run("string", func(t *testing.T) {
+				if tc.str == "\x00" {
+					return
+				}
+
+				if got := tc.fs.String(); got != tc.str {
+					t.Errorf("String: %q, want %q", got, tc.str)
+				}
+			})
+		})
+	}
+}
+
+func m(pathname string) *container.Absolute { return container.MustAbs(pathname) }
+func ms(pathnames ...string) []*container.Absolute {
+	as := make([]*container.Absolute, len(pathnames))
+	for i, pathname := range pathnames {
+		as[i] = container.MustAbs(pathname)
+	}
+	return as
+}

hst/fsbind.go

@@ -0,0 +1,102 @@
+package hst
+
+import (
+	"encoding/gob"
+	"strings"
+
+	"hakurei.app/container"
+)
+
+func init() { gob.Register(new(FSBind)) }
+
+// FilesystemBind is the [FilesystemConfig.Type] name of a bind mount point.
+const FilesystemBind = "bind"
+
+// FSBind represents a host to container bind mount.
+type FSBind struct {
+	// mount point in container, same as src if empty
+	Dst *container.Absolute `json:"dst,omitempty"`
+	// host filesystem path to make available to the container
+	Src *container.Absolute `json:"src"`
+	// do not mount filesystem read-only
+	Write bool `json:"write,omitempty"`
+	// do not disable device files, implies Write
+	Device bool `json:"dev,omitempty"`
+	// skip this mount point if the host path does not exist
+	Optional bool `json:"optional,omitempty"`
+}
+
+func (b *FSBind) Type() string { return FilesystemBind }
+
+func (b *FSBind) Target() *container.Absolute {
+	if b == nil || b.Src == nil {
+		return nil
+	}
+	if b.Dst == nil {
+		return b.Src
+	}
+	return b.Dst
+}
+
+func (b *FSBind) Host() []*container.Absolute {
+	if b == nil || b.Src == nil {
+		return nil
+	}
+	return []*container.Absolute{b.Src}
+}
+
+func (b *FSBind) Apply(ops *container.Ops) {
+	if b == nil || b.Src == nil {
+		return
+	}
+
+	dst := b.Dst
+	if dst == nil {
+		dst = b.Src
+	}
+	var flags int
+	if b.Write {
+		flags |= container.BindWritable
+	}
+	if b.Device {
+		flags |= container.BindDevice | container.BindWritable
+	}
+	if b.Optional {
+		flags |= container.BindOptional
+	}
+	ops.Bind(b.Src, dst, flags)
+}
+
+func (b *FSBind) String() string {
+	g := 4
+	if b == nil || b.Src == nil {
+		return "<invalid>"
+	}
+
+	g += len(b.Src.String())
+	if b.Dst != nil {
+		g += len(b.Dst.String())
+	}
+
+	expr := new(strings.Builder)
+	expr.Grow(g)
+
+	if b.Device {
+		expr.WriteString("d")
+	} else if b.Write {
+		expr.WriteString("w")
+	}
+
+	if !b.Optional {
+		expr.WriteString("*")
+	} else {
+		expr.WriteString("+")
+	}
+
+	expr.WriteString(b.Src.String())
+	if b.Dst != nil {
+		expr.WriteString(":" + b.Dst.String())
+	}
+
+	return expr.String()
+}

hst/fsbind_test.go

@@ -0,0 +1,66 @@
+package hst_test
+
+import (
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFSBind(t *testing.T) {
+	checkFs(t, "bind", []fsTestCase{
+		{"nil", (*hst.FSBind)(nil), nil, nil, nil, "<invalid>"},
+
+		{"full", &hst.FSBind{
+			Dst:      m("/dev"),
+			Src:      m("/mnt/dev"),
+			Optional: true,
+			Device:   true,
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/dev"),
+			Target: m("/dev"),
+			Flags:  container.BindWritable | container.BindDevice | container.BindOptional,
+		}}, m("/dev"), ms("/mnt/dev"),
+			"d+/mnt/dev:/dev"},
+
+		{"full write dev", &hst.FSBind{
+			Dst:    m("/dev"),
+			Src:    m("/mnt/dev"),
+			Write:  true,
+			Device: true,
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/dev"),
+			Target: m("/dev"),
+			Flags:  container.BindWritable | container.BindDevice,
+		}}, m("/dev"), ms("/mnt/dev"),
+			"d*/mnt/dev:/dev"},
+
+		{"full write", &hst.FSBind{
+			Dst:   m("/tmp"),
+			Src:   m("/mnt/tmp"),
+			Write: true,
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/tmp"),
+			Target: m("/tmp"),
+			Flags:  container.BindWritable,
+		}}, m("/tmp"), ms("/mnt/tmp"),
+			"w*/mnt/tmp:/tmp"},
+
+		{"full no flags", &hst.FSBind{
+			Dst: m("/etc"),
+			Src: m("/mnt/etc"),
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/etc"),
+			Target: m("/etc"),
+		}}, m("/etc"), ms("/mnt/etc"),
+			"*/mnt/etc:/etc"},
+
+		{"nil dst", &hst.FSBind{
+			Src: m("/"),
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/"),
+			Target: m("/"),
+		}}, m("/"), ms("/"),
+			"*/"},
+	})
+}

hst/fsephemeral.go

@@ -0,0 +1,83 @@
+package hst
+
+import (
+	"encoding/gob"
+	"os"
+	"strings"
+
+	"hakurei.app/container"
+)
+
+func init() { gob.Register(new(FSEphemeral)) }
+
+// FilesystemEphemeral is the [FilesystemConfig.Type] name of a mount point with ephemeral state.
+const FilesystemEphemeral = "ephemeral"
+
+// FSEphemeral represents an ephemeral container mount point.
+type FSEphemeral struct {
+	// mount point in container
+	Dst *container.Absolute `json:"dst,omitempty"`
+	// do not mount filesystem read-only
+	Write bool `json:"write,omitempty"`
+	// upper limit on the size of the filesystem
+	Size int `json:"size,omitempty"`
+	// initial permission bits of the new filesystem
+	Perm os.FileMode `json:"perm,omitempty"`
+}
+
+func (e *FSEphemeral) Type() string { return FilesystemEphemeral }
+
+func (e *FSEphemeral) Target() *container.Absolute {
+	if e == nil {
+		return nil
+	}
+	return e.Dst
+}
+
+func (e *FSEphemeral) Host() []*container.Absolute { return nil }
+
+const fsEphemeralDefaultPerm = os.FileMode(0755)
+
+func (e *FSEphemeral) Apply(ops *container.Ops) {
+	if e == nil || e.Dst == nil {
+		return
+	}
+
+	size := e.Size
+	if size < 0 {
+		size = 0
+	}
+
+	perm := e.Perm
+	if perm == 0 {
+		perm = fsEphemeralDefaultPerm
+	}
+
+	if e.Write {
+		ops.Tmpfs(e.Dst, size, perm)
+	} else {
+		ops.Readonly(e.Dst, perm)
+	}
+}
+
+func (e *FSEphemeral) String() string {
+	if e == nil || e.Dst == nil {
+		return "<invalid>"
+	}
+
+	expr := new(strings.Builder)
+	expr.Grow(15 + len(FilesystemEphemeral) + len(e.Dst.String()))
+
+	if e.Write {
+		expr.WriteString("w")
+	}
+	expr.WriteString("+" + FilesystemEphemeral + "(")
+	if e.Perm != 0 {
+		expr.WriteString(e.Perm.String())
+	} else {
+		expr.WriteString(fsEphemeralDefaultPerm.String())
+	}
+	expr.WriteString("):" + e.Dst.String())
+
+	return expr.String()
+}

hst/fsephemeral_test.go

@@ -0,0 +1,50 @@
+package hst_test
+
+import (
+	"syscall"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFSEphemeral(t *testing.T) {
+	checkFs(t, "ephemeral", []fsTestCase{
+		{"nil", (*hst.FSEphemeral)(nil), nil, nil, nil, "<invalid>"},
+
+		{"full", &hst.FSEphemeral{
+			Dst:   m("/run/user/65534"),
+			Write: true,
+			Size:  1 << 10,
+			Perm:  0700,
+		}, container.Ops{&container.MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   m("/run/user/65534"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0700,
+		}}, m("/run/user/65534"), nil,
+			"w+ephemeral(-rwx------):/run/user/65534"},
+
+		{"cover ro", &hst.FSEphemeral{Dst: m("/run/nscd")},
+			container.Ops{&container.MountTmpfsOp{
+				FSName: "readonly",
+				Path:   m("/run/nscd"),
+				Flags:  syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_RDONLY,
+				Perm:   0755,
+			}}, m("/run/nscd"), nil,
+			"+ephemeral(-rwxr-xr-x):/run/nscd"},
+
+		{"negative size", &hst.FSEphemeral{
+			Dst:   hst.AbsTmp,
+			Write: true,
+			Size:  -1,
+		}, container.Ops{&container.MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   hst.AbsTmp,
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Perm:   0755,
+		}}, hst.AbsTmp, nil,
+			"w+ephemeral(-rwxr-xr-x):/.hakurei"},
+	})
+}

hst/template.go

@@ -77,15 +77,14 @@ func Template() *Config {
 				"GOOGLE_DEFAULT_CLIENT_ID":     "77185425430.apps.googleusercontent.com",
 				"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
 			},
-			Filesystem: []FilesystemConfig{
-				{Dst: container.AbsFHSTmp, Src: container.AbsNonexistent, Write: true},
-				{Src: container.MustAbs("/nix/store")},
-				{Src: container.AbsFHSRun.Append("current-system")},
-				{Src: container.AbsFHSRun.Append("opengl-driver")},
-				{Src: container.AbsFHSVar.Append("db/nix-channels")},
-				{Src: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
-					Dst: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true, Must: true},
-				{Src: container.AbsFHSDev.Append("dri"), Device: true},
+			Filesystem: []FilesystemConfigJSON{
+				{&FSEphemeral{Dst: container.AbsFHSTmp, Write: true, Perm: 0755}},
+				{&FSBind{Src: container.MustAbs("/nix/store")}},
+				{&FSBind{Src: container.AbsFHSRun.Append("current-system")}},
+				{&FSBind{Src: container.AbsFHSRun.Append("opengl-driver")}},
+				{&FSBind{Src: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
+					Dst: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
+				{&FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
 			},
 			Link:      []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
 			AutoRoot:  container.AbsFHSVarLib.Append("hakurei/base/org.debian"),

hst/template_test.go

@@ -98,31 +98,34 @@ func TestTemplate(t *testing.T) {
 		"device": true,
 		"filesystem": [
 			{
+				"type": "ephemeral",
 				"dst": "/tmp/",
-				"src": "/proc/nonexistent",
-				"write": true
+				"write": true,
+				"perm": 493
 			},
 			{
+				"type": "bind",
 				"src": "/nix/store"
 			},
 			{
+				"type": "bind",
 				"src": "/run/current-system"
 			},
 			{
+				"type": "bind",
 				"src": "/run/opengl-driver"
 			},
 			{
-				"src": "/var/db/nix-channels"
-			},
-			{
+				"type": "bind",
 				"dst": "/data/data/org.chromium.Chromium",
 				"src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-				"write": true,
-				"require": true
+				"write": true
 			},
 			{
+				"type": "bind",
 				"src": "/dev/dri",
-				"dev": true
+				"dev": true,
+				"optional": true
 			}
 		],
 		"symlink": [