Move VM mount functionality to PAM for better umount handling.

2023-08-18 09:23:14 +02:00 · 2023-08-18 09:23:14 +02:00 · 793b37853e
commit 793b37853e
parent f854b3659c
4 changed files with 32 additions and 61 deletions
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@ -14,19 +14,12 @@
    dest: /etc/security/pam_mount.conf.xml
    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK -->"
    block: |
+      <!-- mounts for home, share and nextcloud -->
      <volume
        fstype="cifs"
        server="{{ smb_server }}"
        path="{{ smb_share }}"
        mountpoint="/srv/samba/schools/default-school"
-        options="sec=krb5i,cruid=%(USERUID),user=%(USER),file_mode=0700,dir_mode=0700,mfsymlinks,nobrl"
-        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
-      </volume>
-      <volume
-        fstype="cifs"
-        server="{{ smb_server }}"
-        path="{{ smb_share }}share"
-        mountpoint="/lmn/media/%(USER)/share"
        options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks,nobrl"
        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
      </volume>
@ -37,6 +30,20 @@
        options="username=%(USER),nosuid,nodev,uid=%(USER),gid=1010,grpid,file_mode=0770,dir_mode=0770,forceuid,forcegid"
        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
      </volume>
+
+      <!-- bind mounts for the VMs, setting gid here does not work -->
+      <volume
+        path="~"
+        mountpoint="/lmn/media/%(USER)/home"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school/share"
+        mountpoint="/lmn/media/%(USER)/share"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
+      </volume>
    insertafter: "<!-- Volume definitions -->"


@ -78,21 +85,6 @@
    line: KillUserProcesses=yes
    insertafter: '#KillUserProcesses=no'

- name: Umount all user-mounts on logout
-  blockinfile:
-    dest: /usr/share/sddm/scripts/Xstop
-    block: |
-      for i in $(mount | /usr/bin/grep "/lmn/media/" | /usr/bin/cut -f 3 -d ' '); do
-        umount $i
-      done
-      umount /srv/samba/schools/default-school
-
- name: Deploy script to generate links in /lmn/media/$USER/
-  copy:
-    src: lmn-mounthome.sh
-    dest: /etc/profile.d/
-    mode: '0644'
-
 - name: Bind mount lmn/media with nosuid directory
  ansible.posix.mount:
    src: /lmn/media
--- a/roles/lmn_vm/files/mounthome.sh
+++ b/roles/lmn_vm/files/mounthome.sh
@ -18,6 +18,8 @@ exit_script_home() {
    kill -- -$$ # Sends SIGTERM to child/sub processes
 }

+##########################
+
 if [[ "$#" -gt 0 ]] && [[ "$1" = '-u' ]]; then
    findmnt "/lmn/media/${SUDO_USER}/home"    && umount "/lmn/media/${SUDO_USER}/home"    && rmdir "/lmn/media/${SUDO_USER}/home"
    #findmnt "/lmn/media/${SUDO_USER}/share"   && umount "/lmn/media/${SUDO_USER}/share"   && rmdir "/lmn/media/${SUDO_USER}/share"
@ -56,27 +58,4 @@ elif [ "$#" -gt 0 ] && [ "$1" = '-l' ]; then
    #echo "Um weiter zu arbeiten: <Strg> + <Z>"
    trap exit_script SIGHUP SIGINT SIGTERM
    sleep infinity 
-else
-    #mkdir -p "/media/${SUDO_USER}"
-    #chown "${SUDO_USER}:1010" "/media/${SUDO_USER}"
-    chgrp 1010 "/lmn/media/${SUDO_USER}"
-    chmod 0770 "/lmn/media/${SUDO_USER}"
-    #if ! findmnt "/lmn/media/${SUDO_USER}/share"; then
-    #  [[ -d "/lmn/media/${SUDO_USER}/share" ]] || mkdir "/lmn/media/${SUDO_USER}/share"
-    #  mount --bind "/lmn/media/${SUDO_USER}/.default-school/share" "/lmn/media/${SUDO_USER}/share"
-    #fi
-    if ! findmnt "/lmn/media/${SUDO_USER}/home"; then
-      [[ -d "/lmn/media/${SUDO_USER}/home" ]] || mkdir "/lmn/media/${SUDO_USER}/home"
-      home="$(getent passwd $SUDO_USER | cut -d: -f6)"
-      mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,nobrl,mfsymlinks" \
-           "//server/default-school/${home##/srv/samba/schools/default-school/}" "/lmn/media/${SUDO_USER}/home"
-      trap exit_script_home SIGHUP SIGINT SIGTERM
-      sleep infinity 
-    fi
-    #mkdir -p "/lmn/media/${SUDO_USER}/home"
-    #mkdir -p "/lmn/media/${SUDO_USER}/share"
-    #mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
-    #       "//server/default-school/${home}" "/lmn/media/${SUDO_USER}/home"
-    #mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
-    #       "//server/default-school/share" "/lmn/media/${SUDO_USER}/share"
 fi
--- a/roles/lmn_vm/files/run-vm.sh
+++ b/roles/lmn_vm/files/run-vm.sh
@ -99,18 +99,14 @@ check_images() {
   echo "VM-Image and required backingfiles available and checked"
 }

+#################
+
 # check, if we have to start squid
 if ! killall -s 0 squid; then
    echo "starting squid."
    /usr/sbin/squid -f /etc/squid/squid-usermode.conf
 fi

-## check, if we have to mount home
-#if ! findmnt "/media/${USER}/home"; then
-#    echo "mounting home."
-    sudo mounthome.sh &
-#fi
-
 # because virsh has problems with long pathnames, using diffent configdir
 export XDG_CONFIG_HOME="/tmp/${UID}/.config"

--- a/roles/lmn_vm/files/start-virtiofsd.sh
+++ b/roles/lmn_vm/files/start-virtiofsd.sh
@ -9,24 +9,28 @@ if [[  $# -ne 1 ]]; then
    exit 1
 fi

-VM_NAME=$1
-
-export XDG_RUNTIME_DIR="/run/user/${SUDO_UID}"
+VM_NAME="$1"
+XDG_RUNTIME_DIR="/run/user/${SUDO_UID}"

 if ! [[ -d "${XDG_RUNTIME_DIR}/virtiofs" ]]; then
       mkdir "${XDG_RUNTIME_DIR}/virtiofs/"
       chown "${SUDO_UID}" "${XDG_RUNTIME_DIR}/virtiofs/"
 fi

-[[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]] && \
+if [[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]] ; then
    /usr/bin/rm "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"
-#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" --socket-group="${SUDO_USER}" --announce-submounts -o source="/media/${USER}" > /dev/null &
-#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" --socket-group="${SUDO_USER}" -o source="/media/${USER}" > /dev/null &
+fi
+#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \
+#     --socket-group="${SUDO_USER}" --announce-submounts -o source="/media/${USER}" > /dev/null &
+#sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \
+#     --socket-group="${SUDO_USER}" -o source="/media/${USER}" > /dev/null &
+
 /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" \
-			-o source="/lmn/media/${SUDO_USER}" > /dev/null &
+			-o source="/lmn/media/${SUDO_USER}/" &
+
 # Wait until socket-File exists and chown to user
 until [[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]]; do
-   echo "waiting for ${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"
-   sleep 0.1
+    echo "waiting for ${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"
+    sleep 0.1
 done
 /usr/bin/chown "${SUDO_USER}" "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"