Open
Introduce a new public API, krun_add_virtiofs3(), that extends krun_add_virtiofs2() with an additional read_only flag. When set, the virtio-fs device exposes the host directory as a read-only filesystem to the guest.

The implementation adds a PassthroughFsRo wrapper around PassthroughFs that:
- Delegates all read-only FUSE operations (lookup, getattr, read, readdir, etc.) to the inner PassthroughFs
- Rejects all mutating operations (write, create, mkdir, unlink, rename, setattr, setxattr, etc.) with EROFS
- Blocks O_WRONLY/O_RDWR opens and writable DAX mappings
- Strips WRITEBACK_CACHE from init options to prevent the guest kernel from buffering writes
- Reports ST_RDONLY in statfs so userspace tools see the mount as read-only

The wrapper is designed to fail closed: unoverridden FileSystem trait methods fall back to the trait defaults (ENOSYS), so new operations are implicitly blocked until explicitly handled.

The existing krun_add_virtiofs() and krun_add_virtiofs2() APIs are refactored to delegate to krun_add_virtiofs3() with read_only=false, reducing code duplication. Null pointer checks are also added to the shared implementation.

The FsWorker now uses an FsServer enum to dispatch to either the read-write PassthroughFs or the read-only PassthroughFsRo, and its constructor returns Result to properly propagate filesystem initialization errors instead of panicking.

Fixes: containers#343
Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>
Open read-only DAX mappings with O_RDONLY so read-only shares do not require host write access on macOS. Allow harmless O_APPEND on read-only opens and cover the flag handling with unit tests.

Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>
Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>
0c0c04e to d0209ec
This PR adds a read-only virtio-fs mode to the public API and wires the new flag through the virtio-fs device configuration, worker setup, and VMM builder so callers can expose shared directories without allowing guest writes.
The implementation wraps the passthrough backend in a read-only filesystem layer that rejects mutating FUSE operations with EROFS, disables writeback cache, and still preserves the non-mutating control ioctls the guest uses. On macOS, setupmapping now opens the backing file with O_RDONLY for read-only mappings, which fixes read-only DAX mounts.

I also changed virtio-fs worker creation to return an activation error instead of panicking if the backend cannot be initialized.
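
The fail-closed wrapper and the open-flag policy described in the commit messages above, as an added sketch that is not code from this PR or from libkrun. The `Fs` trait, `ReadWrite`, `ReadOnly`, `new_op` and `check_ro_open_flags` are hypothetical names, the constants are the Linux values, and refusing `O_CREAT` and `O_TRUNC` goes beyond what the page states.

```rust
// Added sketch, not libkrun code. Flag and errno values are the Linux ones,
// hard-coded so this builds without the libc crate.
const O_ACCMODE: u32 = 0o3;
const O_RDONLY: u32 = 0;
const O_WRONLY: u32 = 0o1;
const O_RDWR: u32 = 0o2;
const O_CREAT: u32 = 0o100;
const O_TRUNC: u32 = 0o1000;
const O_APPEND: u32 = 0o2000;
const EROFS: i32 = 30;
const ENOSYS: i32 = 38;

// Hypothetical stand-in for the FileSystem trait: every default is ENOSYS.
// new_op stands for an operation added after the wrapper was written.
trait Fs {
    fn open(&self, _flags: u32) -> Result<(), i32> { Err(ENOSYS) }
    fn write(&self, _data: &[u8]) -> Result<usize, i32> { Err(ENOSYS) }
    fn new_op(&self) -> Result<(), i32> { Err(ENOSYS) }
}

struct ReadWrite; // stand-in for the read-write backend
impl Fs for ReadWrite {
    fn open(&self, _flags: u32) -> Result<(), i32> { Ok(()) }
    fn write(&self, data: &[u8]) -> Result<usize, i32> { Ok(data.len()) }
    fn new_op(&self) -> Result<(), i32> { Ok(()) }
}

fn check_ro_open_flags(flags: u32) -> Result<(), i32> {
    // The access mode is a two-bit field, so compare it; do not test single bits.
    if (flags & O_ACCMODE) != O_RDONLY { return Err(EROFS); }
    // Assumption beyond the page: O_CREAT and O_TRUNC can change the host
    // directory even when the access mode is O_RDONLY, so refuse them too.
    if (flags & (O_CREAT | O_TRUNC)) != 0 { return Err(EROFS); }
    Ok(()) // O_APPEND alone is harmless: nothing can be written through the fd
}

struct ReadOnly<F: Fs>(F);
impl<F: Fs> Fs for ReadOnly<F> {
    fn open(&self, flags: u32) -> Result<(), i32> {
        check_ro_open_flags(flags)?;
        self.0.open(flags)
    }
    fn write(&self, _data: &[u8]) -> Result<usize, i32> { Err(EROFS) }
    // new_op is not overridden: it keeps the ENOSYS default, never the backend.
}

fn main() {
    let ro = ReadOnly(ReadWrite);
    println!("{:?}", [ro.open(O_RDONLY | O_APPEND), ro.open(O_WRONLY), ro.open(O_RDWR), ro.new_op()]);
}
```

A wrapper built with a blanket "forward everything to the inner backend" default would pass `new_op` straight through; leaving the trait default in place is what makes an unreviewed operation fail instead.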