-rw-r--r-- | docs/source/markdown/podman-machine-init.1.md | 24 | ||||
-rw-r--r-- | pkg/machine/qemu/machine.go | 11 | ||||
-rw-r--r-- | test/system/500-networking.bats | 12 | ||||
-rw-r--r-- | test/system/helpers.bash | 14 |
4 files changed, 44 insertions, 17 deletions
diff --git a/docs/source/markdown/podman-machine-init.1.md b/docs/source/markdown/podman-machine-init.1.md
index 2adb15e6a..21c98b2c7 100644
--- a/docs/source/markdown/podman-machine-init.1.md
+++ b/docs/source/markdown/podman-machine-init.1.md
@@ -76,15 +76,33 @@ Set the timezone for the machine and containers. Valid values are `local` or a `timezone` such as `America/Chicago`. A value of `local`, which is the default, means to use the timezone of the machine host. -#### **--volume**, **-v**=*source:target* +#### **--volume**, **-v**=*source:target[:options]* Mounts a volume from source to target. Create a mount. If /host-dir:/machine-dir is specified as the `*source:target*`, Podman mounts _host-dir_ in the host to _machine-dir_ in the Podman machine. -The root filesystem is mounted read-only in the default operating system, -so mounts must be created under the /mnt directory. +Additional options may be specified as a comma-separated string. Recognized +options are: +* **ro**: mount volume read-only +* **rw**: mount volume read/write (default) +* **security_model=[model]**: specify 9p security model (see below) + +The 9p security model [determines] https://wiki.qemu.org/Documentation/9psetup#Starting_the_Guest_directly +if and how the 9p filesystem translates some filesystem operations before +actual storage on the host. The +default value of *mapped-xattr* specifies that 9p store symlinks and some file +attributes as extended attributes on the host. This is suitable when the host +and the guest do not need to interoperate on the shared filesystem, but has +caveats for actual shared access; notably, symlinks on the host are not usable +on the guest and vice versa. If interoperability is required, then choose +*none* instead, but keep in mind that the guest will not be able to do things +that the user running the virtual machine cannot do, e.g. create files owned by +another user. Using *none* is almost certainly the best choice for read-only +volumes. + +Example: `-v "$HOME/git:$HOME/git:ro,security_model=none"` Default volume mounts are defined in *containers.conf*. Unless changed, the default values is `$HOME:$HOME`. 
diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go
index d208b11eb..322aa3a15 100644
--- a/pkg/machine/qemu/machine.go
+++ b/pkg/machine/qemu/machine.go
@@ -318,6 +318,7 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) {
 source := paths[0]
 target := source
 readonly := false
+ securityModel := "mapped-xattr"
 if len(paths) > 1 {
 target = paths[1]
 }
@@ -325,18 +326,20 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) {
 options := paths[2]
 volopts := strings.Split(options, ",")
 for _, o := range volopts {
- switch o {
- case "rw":
+ switch {
+ case o == "rw":
 readonly = false
- case "ro":
+ case o == "ro":
 readonly = true
+ case strings.HasPrefix(o, "security_model="):
+ securityModel = strings.Split(o, "=")[1]
 default:
 fmt.Printf("Unknown option: %s\n", o)
 }
 }
 }
 if volumeType == VolumeTypeVirtfs {
- virtfsOptions := fmt.Sprintf("local,path=%s,mount_tag=%s,security_model=mapped-xattr", source, tag)
+ virtfsOptions := fmt.Sprintf("local,path=%s,mount_tag=%s,security_model=%s", source, tag, securityModel)
 if readonly {
 virtfsOptions += ",readonly"
 }
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index 0d724985e..50eb15216 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
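Review bot: `securityModel = strings.Split(o, "=")[1]` in the second hunk accepts an empty value for `security_model=` and silently truncates a value that itself contains `=`, and whatever results is interpolated verbatim into the virtfs option string a few lines below. qemu's 9p security models are a fixed set (`none`, `passthrough`, `mapped-xattr`, `mapped-file`), and `none` changes which guest operations are carried out with the host user's privileges, so a typo or empty value should fail at init rather than be forwarded to qemu; the existing `default:` branch only prints and carries on. Use `strings.TrimPrefix` and validate against the known models, returning an error from Init, which already returns `(bool, error)`. Init starts and ends outside the hunk.
```go
case strings.HasPrefix(o, "security_model="):
	model := strings.TrimPrefix(o, "security_model=")
	switch model {
	case "none", "passthrough", "mapped-xattr", "mapped-file":
		securityModel = model
	default:
		return false, fmt.Errorf("unknown security_model %q for volume %s", model, source)
	}
// … unchanged: default branch, virtfs option assembly …
```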
@@ -677,16 +677,20 @@ EOF
 @test "podman run port forward range" {
 for netmode in bridge slirp4netns:port_handler=slirp4netns slirp4netns:port_handler=rootlesskit; do
 local range=$(random_free_port_range 3)
- local port="${test%-*}"
- local end_port="${test#-*}"
+ # die() inside $(...) does not actually stop us.
+ assert "$range" != "" "Could not find free port range"
+
+ local port="${range%-*}"
+ local end_port="${range#*-}"
 local random=$(random_string)
 run_podman run --network $netmode -p "$range:$range" -d $IMAGE sleep inf
 cid="$output"
 for port in $(seq $port $end_port); do
 run_podman exec -d $cid nc -l -p $port -e /bin/cat
- # -w 1 adds a 1 second timeout, for some reason ubuntus ncat doesn't close the connection on EOF,
- # other options to change this are not portable across distros but -w seems to work
+ # -w 1 adds a 1 second timeout. For some reason, ubuntu's ncat
+ # doesn't close the connection on EOF, and other options to
+ # change this are not portable across distros. -w seems to work.
 run nc -w 1 127.0.0.1 $port <<<$random
 is "$output" "$random" "ncat got data back (netmode=$netmode port=$port)"
 done
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 273e8d2f5..ceac48036 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -299,15 +299,17 @@ function random_free_port_range() {
 local maxtries=10
 while [[ $maxtries -gt 0 ]]; do
 local firstport=$(random_free_port)
- local all_ports_free=1
- for i in $(seq 2 $size); do
- if ! port_is_free $((firstport + $i)); then
- all_ports_free=
+ local lastport=
+ for i in $(seq 1 $((size - 1))); do
+ lastport=$((firstport + i))
+ if ! port_is_free $lastport; then
+ echo "# port $lastport is in use; trying another." >&3
+ lastport=
 break
 fi
 done
- if [[ -n "$all_ports_free" ]]; then
- echo "$firstport-$((firstport + $size - 1))"
+ if [[ -n "$lastport" ]]; then
+ echo "$firstport-$lastport"
 return
 fi
|
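Review bot: `assert "$range" != ""` only rejects an empty result; if random_free_port_range prints anything other than `first-last` (for instance a diagnostic line), `${range%-*}` and `${range#*-}` still produce non-numeric values and the failure only surfaces later as a confusing `seq` error inside the port loop. A format check at the same spot, e.g. `assert "$range" =~ "^[0-9]+-[0-9]+$" "Could not find free port range"`, pins the failure where it happens, assuming the suite's assert accepts `=~` as its other operators are used here. The @test block continues past the end of the hunk.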
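Review bot: `local lastport=` together with `for i in $(seq 1 $((size - 1)))` never sets lastport when size is 1, because `seq 1 0` prints nothing, so a single-port range is never returned and the function falls through to another retry; the removed code returned `$firstport-$firstport` in that case. Initializing with `local lastport=$firstport` keeps the new in-use diagnostic and restores the size-1 result, since the loop overwrites lastport for larger sizes. random_free_port_range begins before the hunk (where size is presumably assigned) and the maxtries decrement follows it.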