Move VM mount functionality to PAM for better umount handling.

Andreas B. Mundt 2023-08-18 09:23:14 +02:00
parent f854b3659c
commit 793b37853e
4 changed files with 32 additions and 61 deletions


@ -14,19 +14,12 @@
dest: /etc/security/pam_mount.conf.xml dest: /etc/security/pam_mount.conf.xml
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK -->" marker: "<!-- {mark} ANSIBLE MANAGED BLOCK -->"
block: | block: |
<!-- mounts for home, share and nextcloud -->
<volume <volume
fstype="cifs" fstype="cifs"
server="{{ smb_server }}" server="{{ smb_server }}"
path="{{ smb_share }}" path="{{ smb_share }}"
mountpoint="/srv/samba/schools/default-school" mountpoint="/srv/samba/schools/default-school"
options="sec=krb5i,cruid=%(USERUID),user=%(USER),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
</volume>
<volume
fstype="cifs"
server="{{ smb_server }}"
path="{{ smb_share }}share"
mountpoint="/lmn/media/%(USER)/share"
options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks,nobrl" options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks,nobrl"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not> ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
</volume> </volume>
@ -37,6 +30,20 @@
options="username=%(USER),nosuid,nodev,uid=%(USER),gid=1010,grpid,file_mode=0770,dir_mode=0770,forceuid,forcegid" options="username=%(USER),nosuid,nodev,uid=%(USER),gid=1010,grpid,file_mode=0770,dir_mode=0770,forceuid,forcegid"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not> ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
</volume> </volume>
<!-- bind mounts for the VMs, setting gid here does not work -->
<volume
path="~"
mountpoint="/lmn/media/%(USER)/home"
options="bind"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
</volume>
<volume
path="/srv/samba/schools/default-school/share"
mountpoint="/lmn/media/%(USER)/share"
options="bind"
><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
</volume>
insertafter: "<!-- Volume definitions -->" insertafter: "<!-- Volume definitions -->"
@ -78,21 +85,6 @@
line: KillUserProcesses=yes line: KillUserProcesses=yes
insertafter: '#KillUserProcesses=no' insertafter: '#KillUserProcesses=no'
- name: Umount all user-mounts on logout
blockinfile:
dest: /usr/share/sddm/scripts/Xstop
block: |
for i in $(mount | /usr/bin/grep "/lmn/media/" | /usr/bin/cut -f 3 -d ' '); do
umount $i
done
umount /srv/samba/schools/default-school
- name: Deploy script to generate links in /lmn/media/$USER/
copy:
src: lmn-mounthome.sh
dest: /etc/profile.d/
mode: '0644'
- name: Bind mount lmn/media with nosuid directory - name: Bind mount lmn/media with nosuid directory
ansible.posix.mount: ansible.posix.mount:
src: /lmn/media src: /lmn/media
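Review bot: The two bind volumes introduced at lines 37–48 carry only `options="bind"`, so each bind inherits the per-mount flags of its source; the cifs volume they re-expose (options on the unchanged line 29) sets no `nosuid,nodev`, unlike the volume at line 33, and that gap now also applies to /lmn/media/%(USER)/share, which the VM script exports through virtiofsd. Consider `options="bind,nosuid,nodev"` on both bind volumes; recent util-linux applies such flags on a bind mount in one step, while older releases need a remount, so verify on the target distribution. The `<not><or><user>…</user></or></not>` exclusion list is now repeated verbatim in every volume of the block; since the block is already a Jinja template (`{{ smb_server }}`), moving the user list into a variable such as `{{ pam_mount_exclude_users }}` would keep the copies from drifting apart. Whether pam_mount creates and removes the /lmn/media/%(USER)/home and …/share mountpoints itself (its mkmountpoint setting) is not visible in this hunk and should be confirmed, because the logout unmount loop that used to clean them up has been removed.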


@ -18,6 +18,8 @@ exit_script_home() {
kill -- -$$ # Sends SIGTERM to child/sub processes kill -- -$$ # Sends SIGTERM to child/sub processes
} }
##########################
if [[ "$#" -gt 0 ]] && [[ "$1" = '-u' ]]; then if [[ "$#" -gt 0 ]] && [[ "$1" = '-u' ]]; then
findmnt "/lmn/media/${SUDO_USER}/home" && umount "/lmn/media/${SUDO_USER}/home" && rmdir "/lmn/media/${SUDO_USER}/home" findmnt "/lmn/media/${SUDO_USER}/home" && umount "/lmn/media/${SUDO_USER}/home" && rmdir "/lmn/media/${SUDO_USER}/home"
#findmnt "/lmn/media/${SUDO_USER}/share" && umount "/lmn/media/${SUDO_USER}/share" && rmdir "/lmn/media/${SUDO_USER}/share" #findmnt "/lmn/media/${SUDO_USER}/share" && umount "/lmn/media/${SUDO_USER}/share" && rmdir "/lmn/media/${SUDO_USER}/share"
@ -56,27 +58,4 @@ elif [ "$#" -gt 0 ] && [ "$1" = '-l' ]; then
#echo "Um weiter zu arbeiten: <Strg> + <Z>" #echo "Um weiter zu arbeiten: <Strg> + <Z>"
trap exit_script SIGHUP SIGINT SIGTERM trap exit_script SIGHUP SIGINT SIGTERM
sleep infinity sleep infinity
else
#mkdir -p "/media/${SUDO_USER}"
#chown "${SUDO_USER}:1010" "/media/${SUDO_USER}"
chgrp 1010 "/lmn/media/${SUDO_USER}"
chmod 0770 "/lmn/media/${SUDO_USER}"
#if ! findmnt "/lmn/media/${SUDO_USER}/share"; then
# [[ -d "/lmn/media/${SUDO_USER}/share" ]] || mkdir "/lmn/media/${SUDO_USER}/share"
# mount --bind "/lmn/media/${SUDO_USER}/.default-school/share" "/lmn/media/${SUDO_USER}/share"
#fi
if ! findmnt "/lmn/media/${SUDO_USER}/home"; then
[[ -d "/lmn/media/${SUDO_USER}/home" ]] || mkdir "/lmn/media/${SUDO_USER}/home"
home="$(getent passwd $SUDO_USER | cut -d: -f6)"
mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,nobrl,mfsymlinks" \
"//server/default-school/${home##/srv/samba/schools/default-school/}" "/lmn/media/${SUDO_USER}/home"
trap exit_script_home SIGHUP SIGINT SIGTERM
sleep infinity
fi
#mkdir -p "/lmn/media/${SUDO_USER}/home"
#mkdir -p "/lmn/media/${SUDO_USER}/share"
#mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
# "//server/default-school/${home}" "/lmn/media/${SUDO_USER}/home"
#mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
# "//server/default-school/share" "/lmn/media/${SUDO_USER}/share"
fi fi
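Review bot: With the `else` branch gone, invoking the script with no option or an unrecognised one now falls through the `if … -u` / `elif … -l` chain at lines 76 and 79 and exits 0 without doing anything, and the new separator comment gives no hint of the accepted options; an `else` arm such as `printf 'usage: %s -u|-l\n' "${0##*/}" >&2; exit 2` before the closing `fi` would make a typo in the caller fail loudly. The unmount arm on line 77 still chains `findmnt && umount && rmdir`, so a busy mount leaves the directory in place silently, which is presumably intended now that pam_mount owns the unmount — a one-line comment stating that would help the next reader. The `if` block opens in the first hunk and the code between the two hunks is not visible here.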


@ -99,18 +99,14 @@ check_images() {
echo "VM-Image and required backingfiles available and checked" echo "VM-Image and required backingfiles available and checked"
} }
#################
# check, if we have to start squid # check, if we have to start squid
if ! killall -s 0 squid; then if ! killall -s 0 squid; then
echo "starting squid." echo "starting squid."
/usr/sbin/squid -f /etc/squid/squid-usermode.conf /usr/sbin/squid -f /etc/squid/squid-usermode.conf
fi fi
## check, if we have to mount home
#if ! findmnt "/media/${USER}/home"; then
# echo "mounting home."
sudo mounthome.sh &
#fi
# because virsh has problems with long pathnames, using diffent configdir # because virsh has problems with long pathnames, using diffent configdir
export XDG_CONFIG_HOME="/tmp/${UID}/.config" export XDG_CONFIG_HOME="/tmp/${UID}/.config"
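Review bot: After dropping the `sudo mounthome.sh &` call, nothing in this script checks that pam_mount actually mounted the user's home before the VM start-up continues; a failed pam_mount volume (no Kerberos ticket, server unreachable) would only show up as an empty share inside the guest. A guard after the squid block such as `findmnt "/lmn/media/${USER}/home" >/dev/null || { printf 'home is not mounted (pam_mount)\n' >&2; exit 1; }` makes that failure explicit; adjust the path if this script identifies the user differently from the unmount script's `SUDO_USER`. On the unchanged export below, `/tmp/${UID}/.config` is a predictable path in a world-writable directory, so another local user could pre-create it; `${XDG_RUNTIME_DIR}` or `mktemp -d` would avoid that. The code following the export continues outside the hunk.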


@ -9,21 +9,25 @@ if [[ $# -ne 1 ]]; then
exit 1 exit 1
fi fi
VM_NAME=$1 VM_NAME="$1"
XDG_RUNTIME_DIR="/run/user/${SUDO_UID}"
export XDG_RUNTIME_DIR="/run/user/${SUDO_UID}"
if ! [[ -d "${XDG_RUNTIME_DIR}/virtiofs" ]]; then if ! [[ -d "${XDG_RUNTIME_DIR}/virtiofs" ]]; then
mkdir "${XDG_RUNTIME_DIR}/virtiofs/" mkdir "${XDG_RUNTIME_DIR}/virtiofs/"
chown "${SUDO_UID}" "${XDG_RUNTIME_DIR}/virtiofs/" chown "${SUDO_UID}" "${XDG_RUNTIME_DIR}/virtiofs/"
fi fi
[[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]] && \ if [[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]] ; then
/usr/bin/rm "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" /usr/bin/rm "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"
#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" --socket-group="${SUDO_USER}" --announce-submounts -o source="/media/${USER}" > /dev/null & fi
#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" --socket-group="${SUDO_USER}" -o source="/media/${USER}" > /dev/null & #sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \
# --socket-group="${SUDO_USER}" --announce-submounts -o source="/media/${USER}" > /dev/null &
#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \
# --socket-group="${SUDO_USER}" -o source="/media/${USER}" > /dev/null &
/usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \ /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \
-o source="/lmn/media/${SUDO_USER}" > /dev/null & -o source="/lmn/media/${SUDO_USER}/" &
# Wait until socket-File exists and chown to user # Wait until socket-File exists and chown to user
until [[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]]; do until [[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]]; do
echo "waiting for ${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" echo "waiting for ${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"