From d0cff60e9dd86669e76441d511f84bc2f0b22ab7 Mon Sep 17 00:00:00 2001
From: Thomas Schneider <thomas@fsmpi.rwth-aachen.de>
Date: Tue, 31 Jan 2023 15:10:56 +0100
Subject: [PATCH] guest-overlay: Replace pam_mount with systemd units

---
 guest-overlay/files/guests-home.mount         | 10 ++++
 guest-overlay/files/guests-provision.mount    |  4 ++
 .../files/guests-temporary-dirs.service       | 11 ++++
 guest-overlay/files/guests-temporary.mount    |  8 +++
 guest-overlay/files/pam_mount.conf.xml        | 52 -----------------
 guest-overlay/handlers/main.yml               |  6 +-
 guest-overlay/tasks/main.yml                  | 57 +++++++++++--------
 7 files changed, 69 insertions(+), 79 deletions(-)
 create mode 100644 guest-overlay/files/guests-home.mount
 create mode 100644 guest-overlay/files/guests-provision.mount
 create mode 100644 guest-overlay/files/guests-temporary-dirs.service
 create mode 100644 guest-overlay/files/guests-temporary.mount
 delete mode 100644 guest-overlay/files/pam_mount.conf.xml

diff --git a/guest-overlay/files/guests-home.mount b/guest-overlay/files/guests-home.mount
new file mode 100644
index 0000000..c0fa7b4
--- /dev/null
+++ b/guest-overlay/files/guests-home.mount
@@ -0,0 +1,10 @@
+[Unit]
+Requires=guests-provision.mount guests-temporary.mount guests-temporary-dirs.service
+After=guests-provision.mount guests-temporary.mount guests-temporary-dirs.service
+[Install]
+RequiredBy=user@1000.service
+[Mount]
+What=none
+Where=/guests/home
+Type=overlay
+Options=lowerdir=/guests/provision,upperdir=/guests/temporary/upper,workdir=/guests/temporary/work
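Review bot: The overlay at `Where=/guests/home` is mounted without `nosuid,nodev` (and without `noexec`), although the pam_mount config this patch deletes required `nosuid,nodev` on every volume and set `noexec` on the writable tmpfs layer, so the guest home silently loses that hardening. Since the guest only reaches files through the merged view, these flags have to sit on this mount to keep taking effect; as far as I can tell the flags of the underlying tmpfs are not consulted for execution through the overlay. Suggest `Options=nosuid,nodev,lowerdir=/guests/provision,upperdir=/guests/temporary/upper,workdir=/guests/temporary/work`, adding `noexec` if the guest session does not need to execute anything from its home. A `Description=` line in `[Unit]` would also make the unit easier to spot in `systemctl` output.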
diff --git a/guest-overlay/files/guests-provision.mount b/guest-overlay/files/guests-provision.mount
new file mode 100644
index 0000000..e19cb35
--- /dev/null
+++ b/guest-overlay/files/guests-provision.mount
@@ -0,0 +1,4 @@
+[Mount]
+What=/guests/provision.squashfs
+Where=/guests/provision
+Options=noatime,ro,loop
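Review bot: `guests-provision.mount` leaves `Type=` unset, so mount(8) has to probe `/guests/provision.squashfs` to choose a filesystem, whereas the replaced pam_mount volume pinned `fstype="squashfs"`; an explicit `Type=squashfs` removes the dependency on autodetection and makes a wrong or damaged image fail early instead of being mounted as whatever it probes as. The options also drop the `nosuid,nodev` the old config required on every volume. Suggested lines: `Type=squashfs` and `Options=noatime,ro,loop,nosuid,nodev`.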
diff --git a/guest-overlay/files/guests-temporary-dirs.service b/guest-overlay/files/guests-temporary-dirs.service
new file mode 100644
index 0000000..5648081
--- /dev/null
+++ b/guest-overlay/files/guests-temporary-dirs.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Guests overlay directory setup
+BindsTo=guests-temporary.mount
+After=guests-temporary.mount
+Requires=guests-temporary.mount
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mkdir /guests/temporary/upper
+ExecStart=/bin/mkdir /guests/temporary/work
+RemainAfterExit=true
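Review bot: `ExecStart=/bin/mkdir /guests/temporary/upper` creates the upper directory as root with the service's default umask, and overlayfs takes the merged root's owner and mode from the upper directory, so `/guests/home` will most likely appear root-owned and not writable at its top level by uid 1000 (the uid the squashfs is forced to in tasks/main.yml). The replaced setup used the tmpfs root itself as upperdir, which tmpfs creates world-writable with the sticky bit, so this looks like an unintended behaviour change rather than a deliberate tightening — worth confirming with a test login before merging. If top-level writes by the guest are intended, add `ExecStart=/bin/chown 1000:1000 /guests/temporary/upper` after the first mkdir; the work directory should stay root-owned. Separately, `mkdir` without `-p` fails if this service is restarted while the tmpfs is still mounted, although `BindsTo=` makes that unlikely.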
diff --git a/guest-overlay/files/guests-temporary.mount b/guest-overlay/files/guests-temporary.mount
new file mode 100644
index 0000000..7f73c0b
--- /dev/null
+++ b/guest-overlay/files/guests-temporary.mount
@@ -0,0 +1,8 @@
+[Unit]
+BindsTo=user@1000.service
+Wants=guests-temporary-dirs.service
+[Mount]
+What=tmpfs
+Where=/guests/temporary
+Type=tmpfs
+Options=rw,nosuid,nodev,noatime,mode=0700
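Review bot: The tmpfs in `Options=rw,nosuid,nodev,noatime,mode=0700` has no `size=` bound, so it defaults to half of RAM and a guest session writing into its overlaid home can tie up that much memory before hitting ENOSPC; the old pam_mount volume had the same gap, but since this unit replaces it, a limit such as `Options=rw,nosuid,nodev,noatime,mode=0700,size=<SIZE_LIMIT>` (placeholder) is worth adding now. `noexec`, which the old tmpfs volume carried, is gone here; if execution from the guest home is meant to be blocked, the flag should be set deliberately, preferably on `guests-home.mount` where the files are actually accessed. A `Description=` line would also help.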
diff --git a/guest-overlay/files/pam_mount.conf.xml b/guest-overlay/files/pam_mount.conf.xml
deleted file mode 100644
index 7f5241e..0000000
--- a/guest-overlay/files/pam_mount.conf.xml
+++ /dev/null
@@ -1,52 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
-<!--
-	See pam_mount.conf(5) for a description.
--->
-
-<pam_mount>
-
-		<!-- debug should come before everything else,
-		since this file is still processed in a single pass
-		from top-to-bottom -->
-
-<debug enable="0" />
-
-
-<!-- Volume definitions -->
-
-<volume sgrp="gast" fstype="squashfs" path="/guests/provision.squashfs" mountpoint="/guests/provision" options="noatime,ro,loop" />
-
-<volume sgrp="gast" fstype="tmpfs" path="tmpfs" mountpoint="/guests/temporary" options="noatime,noexec,rw" />
-
-<volume sgrp="gast" fstype="tmpfs" path="tmpfs" mountpoint="/guests/temporary_workdir" options="noatime,noexec,rw" />
-
-<volume path="none" sgrp="gast" fstype="overlay" mountpoint="/guests/home" options="lowerdir=/guests/provision,upperdir=/guests/temporary,workdir=/guests/temporary_workdir" />
-
-<!-- pam_mount parameters: General tunables -->
-
-<!--
-<luserconf name=".pam_mount.conf.xml" />
--->
-
-<!-- Note that commenting out mntoptions will give you the defaults.
-     You will need to explicitly initialize it with the empty string
-     to reset the defaults to nothing. -->
-<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
-<!--
-<mntoptions deny="suid,dev" />
-<mntoptions allow="*" />
-<mntoptions deny="*" />
--->
-<mntoptions require="nosuid,nodev" />
-
-<logout wait="0" hup="0" term="0" kill="0" />
-
-
-		<!-- pam_mount parameters: Volume-related -->
-
-<mkmountpoint enable="1" remove="true" />
-
-<umount>umount -l %(MNTPT)</umount> 
-
-</pam_mount>
diff --git a/guest-overlay/handlers/main.yml b/guest-overlay/handlers/main.yml
index 610a662..4df3968 100644
--- a/guest-overlay/handlers/main.yml
+++ b/guest-overlay/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-# file: roles/guest-overlay/handlers/main.yml
 
-- name: restart sddm
-  service: name=sddm state=restarted
+- name: Reload systemd
+  systemd:
+    daemon_reload: true
diff --git a/guest-overlay/tasks/main.yml b/guest-overlay/tasks/main.yml
index 0b63d1f..e218016 100644
--- a/guest-overlay/tasks/main.yml
+++ b/guest-overlay/tasks/main.yml
@@ -22,31 +22,27 @@
   tags:
     - guest-overlay
 
-- name: ensure pam-mount available
-  apt:
-    name:
-      - libpam-mount
-    state: present
-  tags:
-    - guest-overlay
-    - packages
-
-- name: ensure overlayfs mountpoints are available
+- name: Create /guests directory
   file:
-    path: "/guests/{{ item }}"
+    path: "/guests"
     state: directory
-    recurse: true
-  with_items:
-    - home
-    - provision
-    - temporary
+    owner: root
+    group: root
+    mode: '0755'
   tags:
     - guest-overlay
     - mount
 
 - name: ensure the squasfs is created  # noqa 301
-  # yamllint disable-line rule:line-length
-  command: mksquashfs "{{ role_path }}/files/provision" "{{ role_path }}/files/provision.squashfs" -force-uid 1000 -force-gid 1000
+  command:
+    argv:
+      - mksquashfs
+      - "{{ role_path }}/files/provision"
+      - "{{ role_path }}/files/provision.squashfs"
+      - -force-uid
+      - 1000
+      - -force-gid
+      - 1000
   delegate_to: localhost
   run_once: true
   tags:
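Review bot: `mksquashfs` appends to an already existing destination image by default instead of rebuilding it, so without `-noappend` a second run of this task (it is flagged `noqa 301`, i.e. it runs on every play) does not produce a fresh `provision.squashfs` from the current `files/provision` tree; add `- -noappend` to the argv list. The two `- 1000` entries are plain YAML integers where a string argument is meant — they work because the command module stringifies argv elements, but `- "1000"` states the intent and matches the quoting of the other arguments. The task continues past the hunk (its `tags:` list).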
@@ -66,11 +62,24 @@
     - provision
     - squashfs
 
-- name: deployment of our pam-mount config
+- name: Install systemd services
   copy:
-    src: pam_mount.conf.xml
-    dest: /etc/security/pam_mount.conf.xml
+    src: "{{ item }}"
+    dest: /etc/systemd/system/
+    owner: root
+    group: root
+    mode: '0644'
+  loop:
+    - guests-home.mount
+    - guests-provision.mount
+    - guests-temporary-dirs.service
+    - guests-temporary.mount
   notify:
-    - restart sddm
-  tags:
-    - guest-overlay
+    - Reload systemd
+
+- name: Enable systemd service
+  systemd:
+    name: guests-home.mount
+    enabled: true
+    # Don’t start it here, it is automatically pulled in by user@1000.service
+    # when gast logs in.
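Review bot: Both new tasks lost the `tags:` / `- guest-overlay` that the replaced copy task carried (the removed lines at the end of this hunk), so a run with `--tags guest-overlay` — which every other task visible in this file uses — would skip installing and enabling the units. Suggest adding the two lines `tags:` and `  - guest-overlay` to both `Install systemd services` and `Enable systemd service`. Also, `Enable systemd service` runs before the `Reload systemd` handler fires at the end of the play; `systemctl enable` reads unit files from disk, so this probably works, but `daemon_reload: true` on the enable task makes the ordering explicit rather than relying on the handler.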
-- 
GitLab