Share student home directories with teachers in VMs

Replace custom virtiofsd package by trixie repository package and remove deprecated wrapper scripts
Deny access to sensitive data for other users
2026-04-15 11:41:19 +02:00 · 2026-04-15 11:38:37 +02:00 · 2026-04-15 11:30:41 +02:00
6 changed files with 8 additions and 60 deletions
--- a/roles/lmn_vm/files/lmn-vm
+++ b/roles/lmn_vm/files/lmn-vm
@ -16,11 +16,6 @@ lmnsynci ALL=(root) NOPASSWD: /usr/local/bin/vm-aria2
 %role-student ALL=(root) NOPASSWD: /usr/local/bin/vm-link-images
 %role-teacher ALL=(root) NOPASSWD: /usr/local/bin/vm-link-images
 # vm-virtiofsd: Start Virtiofsd as systemd-service
 %examusers ALL=(root) NOPASSWD: /usr/local/bin/vm-virtiofsd
 %role-student ALL=(root) NOPASSWD: /usr/local/bin/vm-virtiofsd
 %role-teacher ALL=(root) NOPASSWD: /usr/local/bin/vm-virtiofsd
 # desktop-sync:
 %examusers ALL=(root) NOPASSWD: /usr/local/bin/desktop-sync
 %role-student ALL=(root) NOPASSWD: /usr/local/bin/desktop-sync
--- a/roles/lmn_vm/files/virtiofsd
+++ b/roles/lmn_vm/files/virtiofsd
--- a/roles/lmn_vm/files/vm-run
+++ b/roles/lmn_vm/files/vm-run
@ -149,7 +149,7 @@ start_virtiofs_service() {
  local drive_letter=$3
  local socket="/run/user/${UID}/virtiofs-${VM_NAME}-${target_name,,}.sock"
-  systemd-run --user /usr/local/bin/virtiofsd --uid-map=":${GUEST_UID}:${UID}:1:" --gid-map=":${GUEST_GID}:$(id -g):1:" \
+  systemd-run --user /usr/lib/qemu/virtiofsd --uid-map=":${GUEST_UID}:${UID}:1:" --gid-map=":${GUEST_GID}:$(id -g):1:" \
        --socket-path "${socket}" --shared-dir "${shared_dir}" --syslog
  if [[ $? -ne 0 ]]; then
@ -208,6 +208,8 @@ EOF
 QEMU='qemu:///session'
 umask 077
 NEWCLONE=0
 PERSISTENT=0
 LIBVIRTOSINFO="win10"
--- a/roles/lmn_vm/files/vm-virtiofsd
+++ b/roles/lmn_vm/files/vm-virtiofsd
@ -1,50 +0,0 @@
 #!/usr/bin/bash
 set -eu
 # if less than one arguments supplied, display usage
 if [[  $# -ne 1 ]]; then
    echo "This script takes as input the name of the VM " >&2
    echo "Usage: $0 vm_name" >&2
    exit 1
 fi
 VM_NAME="$1"
 ## Make sure VMs can read the base directory:
 chgrp 1010 "/lmn/media/${SUDO_USER}"
 chmod 0775 "/lmn/media/${SUDO_USER}"
 socket="/run/user/$(id -u $SUDO_USER)/virtiofs-${VM_NAME}.sock"
 #  FIXME: This does not work.  In windows, there is no virtiofs device.
 #  In GNU/Linux it's only readable.
 #
 #if ! systemctl -q is-active virtiofs-${VM_NAME}.socket ; then
 #    systemd-run --unit=virtiofs-${VM_NAME} \
 #		--slice=system-virtiofs \
 #		--collect \
 #		--socket-property=ListenStream="$socket" \
 #		--socket-property=Accept=no \
 #		--socket-property=SocketMode=0700 \
 #		--socket-property=SocketUser=${SUDO_USER} \
 #		--property=Type=exec \
 #		--property=StandardInput=socket \
 #		/usr/local/bin/virtiofsd --log-level debug --sandbox none \
 #		--syslog --fd=0 --shared-dir "/lmn/media/${SUDO_USER}"
 #else
 #    systemctl restart virtiofs-${VM_NAME}.socket
 #fi
 if [[ ! -S "$socket" ]] ; then
    systemd-run --unit=virtiofs-${VM_NAME} \
 		--slice=system-virtiofs \
 		--collect \
 		--property=Type=exec \
 		--property=SuccessExitStatus=1 \
 		--property="ExecStopPost=rm $socket" \
 		/usr/local/bin/virtiofsd --socket-path "$socket" \
 		--shared-dir "/lmn/media/${SUDO_USER}"
 fi
 sleep 1
 chown "${SUDO_USER}" "$socket"
--- a/roles/lmn_vm/files/vm-vminfo
+++ b/roles/lmn_vm/files/vm-vminfo
@ -57,7 +57,9 @@ def get_krb5 ():
 def get_mounts():
    mounts = []
    mounts.append({ 'Drive': 'H', 'RemotePath': '\\\\server.pn.steinbeis.schule' + nethome.replace('/srv/samba/schools','').replace('/','\\'), 'Name': 'Home_Server' })
-    mounts.append({ 'Drive': 'T', 'RemotePath': '\\\\server.pn.steinbeis.schule\default-school\share', 'Name': 'Tausch' })
+    mounts.append({ 'Drive': 'T', 'RemotePath': '\\\\server.pn.steinbeis.schule\\default-school\\share', 'Name': 'Tausch' })
    if "role-teacher" in vminfo['Groups']:
        mounts.append({ 'Drive': 'S', 'RemotePath': '\\\\server.pn.steinbeis.schule\\default-school\\students', 'Name': 'SuS' })
    return mounts
 def get_user_folders():
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@ -21,6 +21,7 @@
      - virt-viewer
      - dialog # for vm-netboot menu
      - python3-impacket
      - virtiofsd
    # - name: allow all users to use VMs
    #   lineinfile:
@ -125,9 +126,7 @@
    - vm-upload
    - vm-sync
    - vm-link-images
    - vm-virtiofsd
    - vm-vminfo
    - virtiofsd
    - vm-aria2
    - uploadseed
    - desktop-sync
@ -222,7 +221,7 @@
      Description=Create .vminfo.json for VMs
      [Service]
      Type=simple
-      ExecStart=/usr/bin/bash -c 'umask 027; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
+      ExecStart=/usr/bin/bash -c 'umask 077; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
    dest: /etc/systemd/user/vminfo.service
    mode: '0644'
Author	SHA1	Message	Date
Raphael Dannecker	83522e7513	Share student home directories with teachers in VMs	2026-04-15 11:41:19 +02:00
Raphael Dannecker	becf8fb451	Replace custom virtiofsd package by trixie repository package and remove deprecated wrapper scripts	2026-04-15 11:38:37 +02:00
Raphael Dannecker	c709bceab9	Deny access to sensitive data for other users	2026-04-15 11:30:41 +02:00