
Arbitrary bind mount support

Open dward opened this issue 5 years ago • 7 comments

We're looking for the ability to manually specify specific directories to bind mount when isolated to a root.

An example of this:

    "isolation": {
        "bind_mounts": [{
            "src": "/tmp",
            "dst": "/tmp",
            "readonly": false
        }, {
            "src": "/usr/local/lib/php",
            "dst": "/usr/local/lib/php",
            "readonly": true
        }]
    }

Is this a feature that's planned? If not, is it something that I could contribute?

dward avatar Sep 13 '20 19:09 dward

Ability to mount homedir as real-path would be awesome to have as well I guess? To have the files in /home/user for example, instead of just /. So that it works the same if isolation is removed.

smtalk avatar Sep 13 '20 21:09 smtalk

Hi @dward

Yes, it's a planned feature.

i4ki avatar Sep 21 '20 10:09 i4ki

@i4ki we've almost finished nginx unit implementation in one of the most popular web hosting control panels. May you confirm full homedir path is also planned?

Thank you for all the hard work and efforts!

smtalk avatar Oct 12 '20 21:10 smtalk

Hi @smtalk

> @i4ki we've almost finished nginx unit implementation in one of the most popular web hosting control panels.

Great =)

> May you confirm full homedir path is also planned?

Do you mean mounting /home/$user into /home/$user where $user comes from the "user" app configuration? Maybe through an option, not as a default, because inside $HOME there's plenty of sensitive user data (such as $HOME/.ssh).

@VBart What do you think?

i4ki avatar Oct 13 '20 09:10 i4ki
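The concern raised above about `$HOME/.ssh` can be checked mechanically before a mount list is applied. The following is an added example, not code from this thread or from Unit: it audits a list in the `bind_mounts` shape proposed in the first message (a proposal, not a shipped option), and the function names, the `SENSITIVE` list and the `/home/alice` home directory are assumptions.

```python
import posixpath

# Assumption: home-relative paths that should stay out of the app's root.
SENSITIVE = (".ssh", ".gnupg")


def is_within(path, parent):
    """True if path equals parent or lies beneath it (both normalized)."""
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def audit_bind_mounts(mounts, home):
    """Return (src, finding) pairs for risky entries in a bind_mounts list."""
    home = posixpath.normpath(home)
    findings = []
    for m in mounts:
        src, dst = m.get("src", ""), m.get("dst", "")
        if not (src.startswith("/") and dst.startswith("/")):
            findings.append((src, "src and dst must be absolute"))
            continue
        if ".." in src.split("/") or ".." in dst.split("/"):
            findings.append((src, "'..' component in path"))
            continue
        src_n = posixpath.normpath(src)
        # A missing "readonly" key is treated as writable, the cautious reading.
        mode = "read-only" if m.get("readonly") is True else "read-write"
        for name in SENSITIVE:
            secret = posixpath.join(home, name)
            # Exposed when src is the secret path, a parent of it, or inside it.
            if is_within(secret, src_n) or is_within(src_n, secret):
                findings.append((src, f"exposes {secret} ({mode})"))
    return findings


# Constructed sample: the two mounts from the first message plus a home mount.
SAMPLE = [
    {"src": "/tmp", "dst": "/tmp", "readonly": False},
    {"src": "/usr/local/lib/php", "dst": "/usr/local/lib/php", "readonly": True},
    {"src": "/home/alice", "dst": "/home/alice"},
    {"src": "/home/alice/../bob", "dst": "/data", "readonly": True},
]

if __name__ == "__main__":
    for src, finding in audit_bind_mounts(SAMPLE, "/home/alice"):
        print(f"{src}: {finding}")
```
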

@i4ki yes, so that all full paths still work after 'chroot' and don't break anything. Optional option is perfect, we'd just use it by default in control panel.

Regarding mentioned /home/$user/.ssh - it might be beneficial for some, to use the same ssh keys for connections from the apps :)

smtalk avatar Oct 13 '20 09:10 smtalk

There can be various different schemes that aren't covered by /home/$user. I think just providing an option to do arbitrary additional mounts, like mentioned in the first message - would be enough.

VBart avatar Oct 13 '20 17:10 VBart

@i4ki even "everything empty" until working_directory / root would be okay to have. The goal is just to make the same apps work in chrooted/non-chrooted env. I mean if full paths to the app are used somewhere, they'd still work when the app becomes chrooted. Something bubblewrap-like (as @VBart already mentioned) would be most flexible, of course: https://github.com/nginx/unit/issues/391#issuecomment-608431877

Thank you!

smtalk avatar Oct 18 '20 15:10 smtalk