guest-overlay: Replace pam_mount with systemd units

d0cff60e · Thomas Schneider · 77d1d9e5 · d0cff60e · d0cff60e · d0cff60e
Commit d0cff60e authored 2 years ago by Thomas Schneider
--- a/guest-overlay/files/guests-home.mount
+++ b/guest-overlay/files/guests-home.mount
+[Unit]
+Requires=guests-provision.mount guests-temporary.mount guests-temporary-dirs.service
+After=guests-provision.mount guests-temporary.mount guests-temporary-dirs.service
+[Install]
+RequiredBy=user@1000.service
+[Mount]
+What=none
+Where=/guests/home
+Type=overlay
+Options=lowerdir=/guests/provision,upperdir=/guests/temporary/upper,workdir=/guests/temporary/work
--- a/guest-overlay/files/guests-provision.mount
+++ b/guest-overlay/files/guests-provision.mount
+[Mount]
+What=/guests/provision.squashfs
+Where=/guests/provision
+Options=noatime,ro,loop
--- a/guest-overlay/files/guests-temporary-dirs.service
+++ b/guest-overlay/files/guests-temporary-dirs.service
+[Unit]
+Description=Guests overlay directory setup
+BindsTo=guests-temporary.mount
+After=guests-temporary.mount
+Requires=guests-temporary.mount
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mkdir /guests/temporary/upper
+ExecStart=/bin/mkdir /guests/temporary/work
+RemainAfterExit=true
--- a/guest-overlay/files/guests-temporary.mount
+++ b/guest-overlay/files/guests-temporary.mount
+[Unit]
+BindsTo=user@1000.service
+Wants=guests-temporary-dirs.service
+[Mount]
+What=tmpfs
+Where=/guests/temporary
+Type=tmpfs
+Options=rw,nosuid,nodev,noatime,mode=0700
--- a/guest-overlay/files/pam_mount.conf.xml
+++ b/guest-overlay/files/pam_mount.conf.xml
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
-<!--
-	See pam_mount.conf(5) for a description.
-->
-
-<pam_mount>
-
-		<!-- debug should come before everything else,
-		since this file is still processed in a single pass
-		from top-to-bottom -->
-
-<debug enable="0" />
-
-
-<!-- Volume definitions -->
-
-<volume sgrp="gast" fstype="squashfs" path="/guests/provision.squashfs" mountpoint="/guests/provision" options="noatime,ro,loop" />
-
-<volume sgrp="gast" fstype="tmpfs" path="tmpfs" mountpoint="/guests/temporary" options="noatime,noexec,rw" />
-
-<volume sgrp="gast" fstype="tmpfs" path="tmpfs" mountpoint="/guests/temporary_workdir" options="noatime,noexec,rw" />
-
-<volume path="none" sgrp="gast" fstype="overlay" mountpoint="/guests/home" options="lowerdir=/guests/provision,upperdir=/guests/temporary,workdir=/guests/temporary_workdir" />
-
-<!-- pam_mount parameters: General tunables -->
-
-<!--
-<luserconf name=".pam_mount.conf.xml" />
-->
-
-<!-- Note that commenting out mntoptions will give you the defaults.
-     You will need to explicitly initialize it with the empty string
-     to reset the defaults to nothing. -->
-<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
-<!--
-<mntoptions deny="suid,dev" />
-<mntoptions allow="*" />
-<mntoptions deny="*" />
-->
-<mntoptions require="nosuid,nodev" />
-
-<logout wait="0" hup="0" term="0" kill="0" />
-
-
-		<!-- pam_mount parameters: Volume-related -->
-
-<mkmountpoint enable="1" remove="true" />
-
-<umount>umount -l %(MNTPT)</umount> 
-
-</pam_mount>
--- a/guest-overlay/handlers/main.yml
+++ b/guest-overlay/handlers/main.yml
 ---
-# file: roles/guest-overlay/handlers/main.yml

- name: restart sddm
-  service: name=sddm state=restarted
+- name: Reload systemd
+  systemd:
+    daemon_reload: true
--- a/guest-overlay/tasks/main.yml
+++ b/guest-overlay/tasks/main.yml
@@ -22,31 +22,27 @@
  tags:
    - guest-overlay

- name: ensure pam-mount available
-  apt:
-    name:
-      - libpam-mount
-    state: present
-  tags:
-    - guest-overlay
-    - packages
-
- name: ensure overlayfs mountpoints are available
+- name: Create /guests directory
  file:
-    path: "/guests/{{ item }}"
+    path: "/guests"
    state: directory
-    recurse: true
-  with_items:
-    - home
-    - provision
-    - temporary
+    owner: root
+    group: root
+    mode: '0755'
  tags:
    - guest-overlay
    - mount

 - name: ensure the squasfs is created  # noqa 301
-  # yamllint disable-line rule:line-length
-  command: mksquashfs "{{ role_path }}/files/provision" "{{ role_path }}/files/provision.squashfs" -force-uid 1000 -force-gid 1000
+  command:
+    argv:
+      - mksquashfs
+      - "{{ role_path }}/files/provision"
+      - "{{ role_path }}/files/provision.squashfs"
+      - -force-uid
+      - 1000
+      - -force-gid
+      - 1000
  delegate_to: localhost
  run_once: true
  tags:
@@ -66,11 +62,24 @@
    - provision
    - squashfs

- name: deployment of our pam-mount config
+- name: Install systemd services
  copy:
-    src: pam_mount.conf.xml
-    dest: /etc/security/pam_mount.conf.xml
+    src: "{{ item }}"
+    dest: /etc/systemd/system/
+    owner: root
+    group: root
+    mode: '0644'
+  loop:
+    - guests-home.mount
+    - guests-provision.mount
+    - guests-temporary-dirs.service
+    - guests-temporary.mount
  notify:
-    - restart sddm
-  tags:
-    - guest-overlay
+    - Reload systemd
+
+- name: Enable systemd service
+  systemd:
+    name: guests-home.mount
+    enabled: true
+    # Don’t start it here, it is automatically pulled in by user@1000.service
+    # when gast logs in.