interfaces/builtin/mount_control: add support for nfs mounts #14694
Conversation
bboozzoo
added
the
Needs Samuele review
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #14694 +/- ##
==========================================
+ Coverage 78.95% 79.03% +0.08%
==========================================
Files 1084 1087 +3
Lines 146638 147666 +1028
==========================================
+ Hits 115773 116706 +933
- Misses 23667 23731 +64
- Partials 7198 7229 +31
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| @@ -583,6 +601,15 @@ func (iface *mountControlInterface) AppArmorConnectedPlug(spec *apparmor.Specifi | |||
| target = expanded + target[variableEnd:] | |||
| } | |||
|
|
|||
| if mountInfo.isType("nfs") { | |||
| // override NFS share source, also see 'nfs-mount' interface | |||
| source = "*:**" | |||
There was a problem hiding this comment.
Does this mean that there can only be one entry for nfs in the mount-control plug? Does this mean that we allow any nfs source, so the snap could mount any source(s) it wants, mediated by one rule?
Would it be feasible to specify the source one wants to allow connections to (and deny others), or is that beyond the scope of the interface to specify?
There was a problem hiding this comment.
The host address and the share path describe some remote system and are not controlled by snap in any way, so I'm not sure we can expect to have something reliable here. I would prefer not to rebuild a snap or need to regenerate an assertion each time this changes. We have a similar rule in nfs-mount and cifs-mount interfaces.
There was a problem hiding this comment.
I assume this was agreed with Samuele?
|
note for myself, file a ticket for allowing cifs mounts in mount-control. |
interfaces/builtin/mount_control.go
Outdated
|
|
||
| allowNoSource := false | ||
| if strutil.ListContains(types, "nfs") { | ||
| if len(types) > 1 { |
There was a problem hiding this comment.
maybe relatedly to this we should have a comment here and maybe in the doc that supporting multiple types in one entry is mostly for situation when the filesystem is not provided but guessed or a single mount is expected to be performed with a few possible filesystems but under program control with other means
|
I'm adding a spread test. I've already registered and received approval for |
bboozzoo
force-pushed
the
bboozzoo/mount-control-nfs
branch
from
bd27458
to
27f6ceb
Compare
github-actions
bot
added
the
Needs Documentation -auto-
bboozzoo
added
Needs security review
interfaces/builtin/mount_control.go
Outdated
| if t == "tmpfs" { | ||
| includesTmpfs = true | ||
|
|
||
| if strutil.ListContains(exclusiveFsTypes, t) { |
There was a problem hiding this comment.
should we do && exclusiveType == "", so we capture the first and not the last of these?
|
FYI I have granted the use of mount-control for the new test snap in the store and so it should now be available for the spread tests etc. |
bboozzoo
force-pushed
the
bboozzoo/mount-control-nfs
branch
from
27f6ceb
to
b30c74d
Compare
github-actions
bot
added
the
Needs Documentation -auto-
bboozzoo
removed
the
Needs Samuele review
interfaces/builtin/mount_control.go
Outdated
| @@ -125,6 +125,7 @@ var allowedFilesystemSpecificMountOptions = map[string][]string{ | |||
| "jfs": {"iocharset=", "resize=", "nointegrity", "integrity", "errors=", "noquota", "quota", "usrquota", "grpquota"}, | |||
| "msdos": {"blocksize=", "uid=", "gid=", "umask=", "dmask=", "fmask=", "allow_utime=", "check=", "codepage=", "conv=", "cvf_format=", "cvf_option", "debug", "discard", "dos1xfloppy", "errors=", "fat=", "iocharset=", "nfs=", "tz=", "time_offset=", "quiet", "rodir", "showexec", "sys_immutable", "flush", "usefree", "dots", "nodots", "dotsOK="}, | |||
| "nfs": {"nfsvers=", "vers=", "soft", "hard", "softreval", "nosoftreval", "intr", "nointr", "timeo=", "retrans=", "rsize=", "wsize=", "ac", "noac", "acregmin=", "acregmax=", "acdirmin=", "acdirmax=", "actimeo=", "bg", "fg", "nconnect=", "max_connect=", "rdirplus", "nordirplus", "retry=", "sec=", "sharecache", "nosharecache", "revsport", "norevsport", "lookupcache=", "fsc", "nofsc", "sloppy", "proto=", "udp", "tcp", "rdma", "port=", "mountport=", "mountproto=", "mounthost=", "mountvers=", "namlen=", "lock", "nolock", "cto", "nocto", "acl", "noacl", "local_lock=", "minorversion=", "clientaddr=", "migration", "nomigration"}, | |||
| // TODO: drop nfs4? | |||
There was a problem hiding this comment.
I think so, from what I gather nfs defaults to 4 since nfs-utils 1.2 (15 years ago) and kernels 2.6.33. It's also deprecated from use in /etc/fstab. From manpages https://www.man7.org/linux/man-pages/man5/nfs.5.html when no nfsvers is specified, the client will start with 4.2 and then negotiate down until a compatible version is found (3 being the lowest anyway).
There was a problem hiding this comment.
Also:
maciek@galeon:~ ls -l `which mount.nfs4`
lrwxrwxrwx 1 root root 9 10-20 09:17 /usr/bin/mount.nfs4 -> mount.nfs
I'll just proceed to drop nfs4 from mount-control. There are no users, since nobody was able to specify the right attributes anyway.
interfaces/builtin/mount_control.go
Outdated
| } | ||
|
|
||
| allowNoSource := false | ||
| if strutil.ListContains(types, "nfs") { |
tests/lib/snaps/store/test-snapd-mount-control-nfs/snapcraft.yaml
Outdated
Show resolved
Hide resolved
| version: 1.0 | ||
|
|
||
| apps: | ||
| cmd: |
There was a problem hiding this comment.
This should be called sh, not cmd. We have two styles of shell like tests, one that is like cmd and runs $@, effectively, and one that is sh and runs /bin/sh "$@". Those are not the same and we should be clear what is it that we run.
Extend the mount-control interface with support for nfs mounts. The nfs entries cannot specify any other filesystem types, nor contain the 'what' attribute. Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Add snap for testing mount-control with NFS Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Add support for performing NFS mounts through `snapctl mount` command. Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
… for nfs and tmpfs Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
…ve FS type during validation Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
The explicit 'nfs4' filesystem is deprecated and mounts should use the 'nfs' type which defaults to NFSv4 and supports all required options for handling NFSv3 and NFSv4. Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
bboozzoo
force-pushed
the
bboozzoo/mount-control-nfs
branch
from
889ebdf
to
1b9f9b4
Compare
| { | ||
| // deprecated nfs4 | ||
| "mount:\n - where: /media/foo\n type: [nfs4]\n options: [rw]\n what: 127.0.0.1:/share", | ||
| `mount-control "what" attribute is invalid: must start with / and not contain special characters`, |
There was a problem hiding this comment.
I would have expected this to say "nfs4" is not supported.
There was a problem hiding this comment.
it keeps the current status quo wrt nfs4, i.e. it's not possible to construct an mount-control entry which would work
There was a problem hiding this comment.
This might be more confusing than helpful, what is the impact of changing this to be more accurate.
| #!/bin/sh | ||
| PS1='$ ' | ||
|
|
||
| exec "$@" |
There was a problem hiding this comment.
This is not /bin/sh "$@", the name is misleading and it differs from other "sh" apps in other tests. If you want to keep the ".cmd" suffix and semantics just do so.
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
bboozzoo
force-pushed
the
bboozzoo/mount-control-nfs
branch
from
1b9f9b4
to
6529d53
Compare
alexmurray
removed
the
Needs security review
|
|
||
| # limit to systems where we know NFS works without much hassle | ||
| systems: | ||
| - ubuntu-24.04-* |
There was a problem hiding this comment.
The actual bug is reported for core22.
What is the risk when limiting to release 24.04?
There was a problem hiding this comment.
The dependencies we need for exporting NFS shared as not available on Ubuntu Core.
| if includesTmpfs && len(types) > 1 { | ||
| return errors.New(`mount-control filesystem type "tmpfs" cannot be listed with other types`) | ||
| if exclusiveFsType != "" && len(types) > 1 { | ||
| return fmt.Errorf(`mount-control filesystem type %q cannot be listed with other types`, exclusiveFsType) |
There was a problem hiding this comment.
Should something about this be documented?
https://snapcraft.io/docs/mount-control-interface
There was a problem hiding this comment.
yes, but editing pages in the forum does not work atm
| { | ||
| // deprecated nfs4 | ||
| "mount:\n - where: /media/foo\n type: [nfs4]\n options: [rw]\n what: 127.0.0.1:/share", | ||
| `mount-control "what" attribute is invalid: must start with / and not contain special characters`, |
There was a problem hiding this comment.
This might be more confusing than helpful, what is the impact of changing this to be more accurate.
| @@ -583,6 +601,15 @@ func (iface *mountControlInterface) AppArmorConnectedPlug(spec *apparmor.Specifi | |||
| target = expanded + target[variableEnd:] | |||
| } | |||
|
|
|||
| if mountInfo.isType("nfs") { | |||
| // override NFS share source, also see 'nfs-mount' interface | |||
| source = "*:**" | |||
There was a problem hiding this comment.
I assume this was agreed with Samuele?
| // possible construct a valid and useful specification using this | ||
| // type | ||
| { | ||
| // deprecated nfs4 |
There was a problem hiding this comment.
Should we update nfs_mount.go ?
mount fstype=nfs{,4} *:** -> ...
There was a problem hiding this comment.
In a separate PR perhaps
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
…retry Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
* master: (44 commits) wrappers: do not reload activation units (canonical#14724) gadget/install: support for no{exec,dev,suid} mount flags interfaces/builtin/mount_control: add support for nfs mounts (canonical#14694) tests: use gojq - part 1 (canonical#14686) interfaces/desktop-legacy: allow DBus access to com.canonical.dbusmenu interfaces/builtin/fwupd.go: allow access to nvmem for thunderbolt plugin tests: removing uc16 executions (canonical#14575) tests: Added arm github runner to build snapd (canonical#14504) tests: no need to run spread when there are not tests matching the filter (canonical#14728) tests/lib/tools/store-state: exit on errors, update relevant tests (canonical#14725) tests: udpate the github workflow to run tests suggested by spread-filter tool (canonical#14519) testtime: add mockable timers for use in tests (canonical#14672) interface/screen_inhibit_control: Improve screen inhibit control for use on core (canonical#14134) tests: use images with 20G disk in openstack (canonical#14720) i/builtin: allow @ in custom-device filepaths (canonical#14651) tests: refactor test-snapd-desktop-layout-with-content tests: fix broken app definition tests: capitalize sentences in comments tests: wrap very long shell line tests: fix raciness in async startup and sync install ...
Extend the mount-control interface with support for nfs mounts. The nfs entries cannot specify any other filesystem types, nor contain the 'what' attribute.
Related: SNAPDENG-34139 LP#2086601
Thanks for helping us make a better snapd!
Have you signed the license agreement and read the contribution guide?