[pve-devel] [RFC proxmox-ve/kernel-meta 00/15] ESP sync improvements

[Thomas Lamprecht]

On 7/10/19 6:12 PM, Thomas Lamprecht wrote:
> On 7/10/19 5:04 PM, Fabian Grünbichler wrote:
>> - mktemp or something fancier for mountpoint directory creation, instead
>>   of easy-to-guess hardcoded ones
> 
> We could just use a mount namespace, e.g., with
> # unshare --mount
> 
> Then the outside would not see our mounts, at least unpriv. users..

E.g., something like the following:

----8<----
diff --git a/bin/pveesptool b/bin/pveesptool
index 6bbf679..e4b3928 100755
--- a/bin/pveesptool
+++ b/bin/pveesptool
@@ -92,6 +92,28 @@ format() {
        exit 0
 }
 
+do_esp_install() {
+       part="$1"
+       UUID="$2"
+
+       esp_mp="/var/tmp/espmounts/$UUID"
+
+       mkdir -p "$esp_mp"
+       echo "Mounting '$part' on '$esp_mp'."
+       mount -t vfat "$part" "$esp_mp"
+
+       echo "Installing systemd-boot.."
+       mkdir -p "$esp_mp/$PMX_ESP_DIR"
+       bootctl --path "$esp_mp" install
+
+       echo "Configuring systemd-boot.."
+       echo "timeout 3" > "$esp_mp/$PMX_LOADER_CONF.tmp"
+       echo "default proxmox-*" >> "$esp_mp/$PMX_LOADER_CONF.tmp"
+       mv "$esp_mp/$PMX_LOADER_CONF.tmp" "$esp_mp/$PMX_LOADER_CONF"
+       echo "Unmounting '$part'."
+       umount "$part"
+}
+
 init() {
        part="$1"
 
@@ -112,22 +134,8 @@ init() {
                exit 1
        fi
 
-       esp_mp="/var/tmp/espmounts/$UUID"
-
-       mkdir -p "$esp_mp"
-       echo "Mounting '$part' on '$esp_mp'."
-       mount -t vfat "$part" "$esp_mp"
-
-       echo "Installing systemd-boot.."
-       mkdir -p "$esp_mp/$PMX_ESP_DIR"
-       bootctl --path "$esp_mp" install
-
-       echo "Configuring systemd-boot.."
-       echo "timeout 3" > "$esp_mp/$PMX_LOADER_CONF.tmp"
-       echo "default proxmox-*" >> "$esp_mp/$PMX_LOADER_CONF.tmp"
-       mv "$esp_mp/$PMX_LOADER_CONF.tmp" "$esp_mp/$PMX_LOADER_CONF"
-       echo "Unmounting '$part'."
-       umount "$part"
+       echo "Do real ESP initialization in mount namespace.."
+       unshare --mount --propagation private "$0" "do-esp-install" "$part" "$UUID"
 
        echo "Adding '$part' to list of synced ESPs.."
        if [ -e "$ESP_LIST" ]; then
@@ -199,6 +207,16 @@ case "$1" in
                init "$@"
                exit 0
        ;;
+       'do-esp-install')
+               shift
+               if [ -z "$1" ] || [ -z "$2" ]; then
+                       warn "E: <partition> and <uuid> are mandatory."
+                       warn ""
+                       exit 1
+               fi
+               do_esp_install "$@"
+               exit 0
+       ;;
        'refresh')
                shift
                refresh
--