From 793b37853e36e310513ee5c717b483352e2866ca Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt" <andreas.mundt@steinbeisschule-reutlingen.de>
Date: Fri, 18 Aug 2023 09:23:14 +0200
Subject: [PATCH] Move VM mount functionality to PAM for better umount
 handling.

---
 roles/lmn_mount/tasks/main.yml        | 38 +++++++++++----------------
 roles/lmn_vm/files/mounthome.sh       | 25 ++----------------
 roles/lmn_vm/files/run-vm.sh          |  8 ++----
 roles/lmn_vm/files/start-virtiofsd.sh | 22 +++++++++-------
 4 files changed, 32 insertions(+), 61 deletions(-)

diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml
index 9e22dfa..6b81675 100644
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@@ -14,19 +14,12 @@
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK -->"
     block: |
+      <!-- mounts for home, share and nextcloud -->
       <volume
         fstype="cifs"
         server="{{ smb_server }}"
         path="{{ smb_share }}"
         mountpoint="/srv/samba/schools/default-school"
-        options="sec=krb5i,cruid=%(USERUID),user=%(USER),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl"
-        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
-      </volume>
-      <volume
-        fstype="cifs"
-        server="{{ smb_server }}"
-        path="{{ smb_share }}share"
-        mountpoint="/lmn/media/%(USER)/share"
         options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks,nobrl"
         ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
       </volume>
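Review bot: The merged volume now mounts the whole school share at `/srv/samba/schools/default-school` with `gid=1010,file_mode=0770,dir_mode=0770`, whereas the mount of that same path it replaces used `file_mode=0700,dir_mode=0700` and no gid; those group-wide bits were previously confined to the separate `share` volume and now cover the user's home directory as well, which the bind volumes in the next hunk expose under `/lmn/media/%(USER)/home`. If that widening is deliberate because the bind mounts cannot set a gid, it should be stated where it happens rather than only on the bind side; I would extend the added comment to `<!-- mounts for home, share and nextcloud; gid=1010/0770 is set on the cifs mount (so it also covers home) because the bind mounts below cannot set a gid -->`. If group 1010 is not meant to reach the home directory, a separate 0700 volume for it would be needed instead.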
@@ -37,6 +30,20 @@
         options="username=%(USER),nosuid,nodev,uid=%(USER),gid=1010,grpid,file_mode=0770,dir_mode=0770,forceuid,forcegid"
         ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
       </volume>
+
+      <!-- bind mounts for the VMs, setting gid here does not work -->
+      <volume
+        path="~"
+        mountpoint="/lmn/media/%(USER)/home"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school/share"
+        mountpoint="/lmn/media/%(USER)/share"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
+      </volume>
     insertafter: "<!-- Volume definitions -->"
 
 
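Review bot: Nothing in this hunk creates `/lmn/media/%(USER)/home` or `/lmn/media/%(USER)/share` before binding onto them; the `mkdir` that used to do this in mounthome.sh is removed by this same commit, so the bind volumes only work if the config's `<mkmountpoint enable="1">` setting is active, which the hunk does not show and is worth confirming or adding to the managed block. The volumes also carry only `options="bind"`, so they inherit the mount flags of their source, and the cifs volume above is mounted without `nosuid,nodev` unlike the nextcloud volume visible in the context lines; `/lmn/media/${SUDO_USER}/` is what start-virtiofsd.sh exports to the VMs. Since the home tree is now writable from inside the VM and by group 1010, `options="bind,nosuid,nodev"` on both volumes would keep setuid binaries or device nodes written there from being honoured on the host (recent util-linux applies these flags together with bind; older versions need a remount).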
@@ -78,21 +85,6 @@
     line: KillUserProcesses=yes
     insertafter: '#KillUserProcesses=no'
 
-- name: Umount all user-mounts on logout
-  blockinfile:
-    dest: /usr/share/sddm/scripts/Xstop
-    block: |
-      for i in $(mount | /usr/bin/grep "/lmn/media/" | /usr/bin/cut -f 3 -d ' '); do
-        umount $i
-      done
-      umount /srv/samba/schools/default-school
-
-- name: Deploy script to generate links in /lmn/media/$USER/
-  copy:
-    src: lmn-mounthome.sh
-    dest: /etc/profile.d/
-    mode: '0644'
-
 - name: Bind mount lmn/media with nosuid directory
   ansible.posix.mount:
     src: /lmn/media
diff --git a/roles/lmn_vm/files/mounthome.sh b/roles/lmn_vm/files/mounthome.sh
index 1ad2796..184624d 100755
--- a/roles/lmn_vm/files/mounthome.sh
+++ b/roles/lmn_vm/files/mounthome.sh
@@ -18,6 +18,8 @@ exit_script_home() {
     kill -- -$$ # Sends SIGTERM to child/sub processes
 }
 
+##########################
+
 if [[ "$#" -gt 0 ]] && [[ "$1" = '-u' ]]; then
     findmnt "/lmn/media/${SUDO_USER}/home"    && umount "/lmn/media/${SUDO_USER}/home"    && rmdir "/lmn/media/${SUDO_USER}/home"
     #findmnt "/lmn/media/${SUDO_USER}/share"   && umount "/lmn/media/${SUDO_USER}/share"   && rmdir "/lmn/media/${SUDO_USER}/share"
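Review bot: The `-u` branch kept in this hunk still unmounts and `rmdir`s `/lmn/media/${SUDO_USER}/home`, which after this commit is a bind mount owned by pam_mount (new volume in roles/lmn_mount/tasks/main.yml); running it would leave pam_mount's logout unmount failing on a missing mount point, and `exit_script_home` above, whose only caller was the `else` branch removed in the next hunk, is now dead code. If the script is kept only for `-l`, I would drop the `-u` branch and `exit_script_home`; at minimum the added separator should say so, e.g. `# home/share mounts are handled by pam_mount (roles/lmn_mount); only -l is still used by the VM scripts`. The remainder of the script lies outside this hunk.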
@@ -56,27 +58,4 @@ elif [ "$#" -gt 0 ] && [ "$1" = '-l' ]; then
     #echo "Um weiter zu arbeiten: <Strg> + <Z>"
     trap exit_script SIGHUP SIGINT SIGTERM
     sleep infinity 
-else
-    #mkdir -p "/media/${SUDO_USER}"
-    #chown "${SUDO_USER}:1010" "/media/${SUDO_USER}"
-    chgrp 1010 "/lmn/media/${SUDO_USER}"
-    chmod 0770 "/lmn/media/${SUDO_USER}"
-    #if ! findmnt "/lmn/media/${SUDO_USER}/share"; then
-    #  [[ -d "/lmn/media/${SUDO_USER}/share" ]] || mkdir "/lmn/media/${SUDO_USER}/share"
-    #  mount --bind "/lmn/media/${SUDO_USER}/.default-school/share" "/lmn/media/${SUDO_USER}/share"
-    #fi
-    if ! findmnt "/lmn/media/${SUDO_USER}/home"; then
-      [[ -d "/lmn/media/${SUDO_USER}/home" ]] || mkdir "/lmn/media/${SUDO_USER}/home"
-      home="$(getent passwd $SUDO_USER | cut -d: -f6)"
-      mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,nobrl,mfsymlinks" \
-           "//server/default-school/${home##/srv/samba/schools/default-school/}" "/lmn/media/${SUDO_USER}/home"
-      trap exit_script_home SIGHUP SIGINT SIGTERM
-      sleep infinity 
-    fi
-    #mkdir -p "/lmn/media/${SUDO_USER}/home"
-    #mkdir -p "/lmn/media/${SUDO_USER}/share"
-    #mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
-    #       "//server/default-school/${home}" "/lmn/media/${SUDO_USER}/home"
-    #mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
-    #       "//server/default-school/share" "/lmn/media/${SUDO_USER}/share"
 fi
diff --git a/roles/lmn_vm/files/run-vm.sh b/roles/lmn_vm/files/run-vm.sh
index d368262..30deedf 100755
--- a/roles/lmn_vm/files/run-vm.sh
+++ b/roles/lmn_vm/files/run-vm.sh
@@ -99,18 +99,14 @@ check_images() {
    echo "VM-Image and required backingfiles available and checked"
 }
 
+#################
+
 # check, if we have to start squid
 if ! killall -s 0 squid; then
     echo "starting squid."
     /usr/sbin/squid -f /etc/squid/squid-usermode.conf
 fi
 
-## check, if we have to mount home
-#if ! findmnt "/media/${USER}/home"; then
-#    echo "mounting home."
-    sudo mounthome.sh &
-#fi
-
 # because virsh has problems with long pathnames, using diffent configdir
 export XDG_CONFIG_HOME="/tmp/${UID}/.config"
 
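Review bot: With `sudo mounthome.sh &` removed, run-vm.sh assumes the pam_mount bind at `/lmn/media/${USER}/home` is already in place but never checks it; if the session did not go through pam_mount or the bind failed, virtiofsd later exports whatever is left under `/lmn/media/${USER}` and the VM silently sees no home. A one-line guard where the removed block was keeps the failure visible: `findmnt "/lmn/media/${USER}/home" >/dev/null || { echo "home not mounted under /lmn/media/${USER}; a pam_mount login is required" >&2; exit 1; }`. The script's option handling and the VM start itself are outside this hunk.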
diff --git a/roles/lmn_vm/files/start-virtiofsd.sh b/roles/lmn_vm/files/start-virtiofsd.sh
index 1236274..4c6ae0e 100755
--- a/roles/lmn_vm/files/start-virtiofsd.sh
+++ b/roles/lmn_vm/files/start-virtiofsd.sh
@@ -9,24 +9,28 @@ if [[  $# -ne 1 ]]; then
     exit 1
 fi
 
-VM_NAME=$1
-
-export XDG_RUNTIME_DIR="/run/user/${SUDO_UID}"
+VM_NAME="$1"
+XDG_RUNTIME_DIR="/run/user/${SUDO_UID}"
 
 if ! [[ -d "${XDG_RUNTIME_DIR}/virtiofs" ]]; then
        mkdir "${XDG_RUNTIME_DIR}/virtiofs/"
        chown "${SUDO_UID}" "${XDG_RUNTIME_DIR}/virtiofs/"
 fi
 
-[[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]] && \
+if [[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]] ; then
     /usr/bin/rm "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"
-#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" --socket-group="${SUDO_USER}" --announce-submounts -o source="/media/${USER}" > /dev/null &
-#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" --socket-group="${SUDO_USER}" -o source="/media/${USER}" > /dev/null &
+fi
+#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \
+#     --socket-group="${SUDO_USER}" --announce-submounts -o source="/media/${USER}" > /dev/null &
+#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \
+#     --socket-group="${SUDO_USER}" -o source="/media/${USER}" > /dev/null &
+
 /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \
-			-o source="/lmn/media/${SUDO_USER}" > /dev/null &
+			-o source="/lmn/media/${SUDO_USER}/" &
+
 # Wait until socket-File exists and chown to user
 until [[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]]; do
-   echo "waiting for ${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"
-   sleep 0.1
+    echo "waiting for ${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"
+    sleep 0.1
 done
 /usr/bin/chown "${SUDO_USER}" "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"
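Review bot: `VM_NAME="$1"` is now quoted but still unvalidated, and it is spliced into the socket path that the script removes with `/usr/bin/rm` and finally `chown`s to `${SUDO_USER}`; since the script evidently runs as root under sudo, a name containing `/` or `..` makes those operations act outside `${XDG_RUNTIME_DIR}/virtiofs/`. `SUDO_UID` and `SUDO_USER` are likewise used unchecked: invoked without sudo, `XDG_RUNTIME_DIR` becomes `/run/user/` and the `mkdir`/`chown` run on `/run/user//virtiofs/` with an empty owner. Directly after the assignment I would add `: "${SUDO_UID:?must be run via sudo}"` and `[[ "$VM_NAME" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid VM name: $VM_NAME" >&2; exit 1; }`. Dropping `> /dev/null` on the virtiofsd line is an improvement, but the `until` loop still has no timeout, so a virtiofsd that fails to start now prints its error and the script then waits forever.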