We shouldn't leave it to the user to manually mount user data partitions. We want to ensure restrictive mount flags are set, and be able to do other operations around the mounting. It's also nice to have a single place where all user data partitions can be mounted. I've taken inspiration from the FHS in using /media for this. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- .../development/persistent-storage.adoc | 19 ++++++++++----- .../using-spectrum/creating-custom-vms.adoc | 5 ++-- .../using-spectrum/vm-file-access.adoc | 4 ++-- host/rootfs/Makefile | 2 +- host/rootfs/file-list.mk | 1 + host/rootfs/image/etc/fstab | 11 +++++---- host/rootfs/image/usr/bin/mount-userdata | 24 +++++++++++++++++++ 7 files changed, 50 insertions(+), 16 deletions(-) create mode 100755 host/rootfs/image/usr/bin/mount-userdata diff --git a/Documentation/development/persistent-storage.adoc b/Documentation/development/persistent-storage.adoc index 12426b46..c4bcc163 100644 --- a/Documentation/development/persistent-storage.adoc +++ b/Documentation/development/persistent-storage.adoc @@ -2,7 +2,7 @@ :page-parent: Development :page-nav_order: 2 -// SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is> +// SPDX-FileCopyrightText: 2024-2025 Alyssa Ross <hi@alyssa.is> // SPDX-License-Identifier: GFDL-1.3-no-invariants-or-later OR CC-BY-SA-4.0 Spectrum's root filesystem is immutable, so if you want to be able to @@ -10,8 +10,15 @@ persist data between sessions, you'll need to create a persistent storage partition. Spectrum comes with `cryptsetup`, and in future is likely to assume that btrfs-specific features are available. -Conventionally, the persistent storage partition is mounted on /ext -after booting. It's not mounted automatically, because generally the -partition should be encrypted, meaning a key has to be supplied to -mount it anyway, and because there might be multiple persistent data -partitions to choose from. +Persistent storage can be mounted as follows: + +[source,shell] +---- +cryptsetup open /dev/sda1 userdata +mount-userdata /dev/mapper/userdata +---- + +It's not mounted automatically, because generally the partition should +be encrypted, meaning a key has to be supplied to mount it anyway, and +because there might be multiple persistent data partitions to choose +from. diff --git a/Documentation/using-spectrum/creating-custom-vms.adoc b/Documentation/using-spectrum/creating-custom-vms.adoc index a397ac50..1eca7f36 100644 --- a/Documentation/using-spectrum/creating-custom-vms.adoc +++ b/Documentation/using-spectrum/creating-custom-vms.adoc @@ -13,8 +13,9 @@ configurations are directories under a dedicated parent directory, and the name of each configuration directory determines the name of the VM. After mounting the persistent storage partition, the configured VMs can be made available by running `vm-import user -/ext/vms`, replacing /ext/vms with the directory containing the VM -definitions. +/media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/vms`, replacing +/media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/vms with the directory +containing the VM definitions. The directory can contain the following files: diff --git a/Documentation/using-spectrum/vm-file-access.adoc b/Documentation/using-spectrum/vm-file-access.adoc index 1b4fe9a5..a079cfe8 100644 --- a/Documentation/using-spectrum/vm-file-access.adoc +++ b/Documentation/using-spectrum/vm-file-access.adoc @@ -48,7 +48,7 @@ can be bind-mounted into it: + [listing] [source,shell] -echo "Hello, world!" > /ext/example.txt +echo "Hello, world!" > /media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/example.txt 2. Create an empty file to bind mount over: + @@ -60,5 +60,5 @@ touch /run/vm/by-name/user.appvm-example/fs/example.txt + [listing] [source,shell] -mount --rbind /ext/example.txt /run/vm/by-name/user.appvm-example/fs/example.txt +mount --rbind /media/4e43cdc2-82b2-4d94-8a90-b6c6189312d2/example.txt /run/vm/by-name/user.appvm-example/fs/example.txt ==== diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 7bec1259..211fb5dd 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -33,8 +33,8 @@ DIRS = \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/vm/by-id \ etc/s6-linux-init/run-image/vm/by-name \ - ext \ home \ + media \ proc \ run \ sys \ diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk index f69775d2..6bf40ff8 100644 --- a/host/rootfs/file-list.mk +++ b/host/rootfs/file-list.mk @@ -56,6 +56,7 @@ FILES = \ image/etc/xdg/weston/weston.ini \ image/usr/bin/assign-devices \ image/usr/bin/create-vm-dependencies \ + image/usr/bin/mount-userdata \ image/usr/bin/root-terminal \ image/usr/bin/run-appimage \ image/usr/bin/run-flatpak \ diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab index 5c23a374..18bb5e45 100644 --- a/host/rootfs/image/etc/fstab +++ b/host/rootfs/image/etc/fstab @@ -1,7 +1,8 @@ # SPDX-License-Identifier: CC0-1.0 # SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is> -proc /proc proc nosuid,nodev,noexec 0 0 -devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0 -tmpfs /dev/shm tmpfs nosuid,nodev 0 0 -sysfs /sys sysfs nosuid,nodev,noexec 0 0 -tmpfs /tmp tmpfs nosuid,nodev 0 0 +proc /proc proc nosuid,nodev,noexec 0 0 +devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0 +tmpfs /dev/shm tmpfs nosuid,nodev 0 0 +tmpfs /media tmpfs nosuid,nodev,noexec,nosymfollow,mode=755 0 0 +sysfs /sys sysfs nosuid,nodev,noexec 0 0 +tmpfs /tmp tmpfs nosuid,nodev 0 0 diff --git a/host/rootfs/image/usr/bin/mount-userdata b/host/rootfs/image/usr/bin/mount-userdata new file mode 100755 index 00000000..e4a873c0 --- /dev/null +++ b/host/rootfs/image/usr/bin/mount-userdata @@ -0,0 +1,24 @@ +#!/bin/execlineb -W +# SPDX-License-Identifier: EUPL-1.2+ +# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> + +backtick -D "" uuid { + importas -Siu 1 + blkid -o value -s UUID $1 +} + +multisubstitute { + importas -Siu 0 + importas -Siu 1 + importas -Siu uuid +} + +case $uuid { + "" { + fdmove -c 1 2 + printf "%s: '%s' does not have a UUID\n" $0 $1 + } +} + +if { mount -m -o nosuid,nodev,noexec,nosymfollow -- $1 /media/${uuid} } +printf "%s\n" /media/${uuid} base-commit: 1afc3a7042ee1c40b6d2e564219be31ea8f1017f -- 2.51.0