nginx / unit

NGINX Unit - universal web app server - a lightweight and versatile open source server that simplifies the application stack by natively executing application code across eight different programming language runtimes.
https://unit.nginx.org
Apache License 2.0

Arbitrary bind mount support #477

Open dward opened 4 years ago

dward commented 4 years ago

We're looking for the ability to manually specify specific directories to bind mount when isolated to a root.

An example of this:

    "isolation": {
        "bind_mounts": [{
            "src": "/tmp",
            "dst": "/tmp",
            "readonly": false
        }, {
            "src": "/usr/local/lib/php",
            "dst": "/usr/local/lib/php",
            "readonly": true
        }]
    }

Is this a feature that's planned? If not, is it something that I could contribute?

smtalk commented 4 years ago

Ability to mount homedir as real-path would be awesome to have as well I guess? To have the files in /home/user for example, instead of just /. So that it works the same if isolation is removed.

i4ki commented 4 years ago

Hi @dward

Yes, it's a planned feature.

smtalk commented 4 years ago

@i4ki we've almost finished nginx unit implementation in one of the most popular web hosting control panels. May you confirm full homedir path is also planned?

Thank you for all the hard work and efforts!

i4ki commented 4 years ago

Hi @smtalk

> @i4ki we've almost finished nginx unit implementation in one of the most popular web hosting control panels.

Great =)

> May you confirm full homedir path is also planned?

Do you mean mounting /home/$user into /home/$user, where $user comes from the "user" app configuration? Maybe through an option, not as a default, because inside $HOME there's plenty of sensitive user data (such as $HOME/.ssh).

@VBart What do you think?

smtalk commented 4 years ago

@i4ki yes, so that all full paths still work after 'chroot' and don't break anything. Optional option is perfect, we'd just use it by default in control panel.

Regarding mentioned /home/$user/.ssh - it might be beneficial for some, to use the same ssh keys for connections from the apps :)

VBart commented 4 years ago

There can be various different schemes that aren't covered by /home/$user. I think just providing an option to do arbitrary additional mounts, as mentioned in the first message, would be enough.

smtalk commented 4 years ago

@i4ki even "everything empty" until working_directory / root would be okay to have. The goal is just to make the same apps work in chrooted/non-chrooted env. I mean if full paths to the app are used somewhere, they'd still work when the app becomes chrooted. Something bubblewrap-like (as @VBart already mentioned) would be most flexible, of course: https://github.com/nginx/unit/issues/391#issuecomment-608431877

Thank you!
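
The following is an added example, not part of the thread and not Unit code: a pre-flight audit a control panel could run over the `bind_mounts` array proposed in the first message, flagging mounts that would expose the `$HOME/.ssh` data raised in the discussion. The schema is the proposal from this issue, not a shipped Unit option; the function names, the `.gnupg` entry, the `/home/alice` sample and the "missing `readonly` means read-write" rule are assumptions.

```python
import json
import posixpath

# Constructed list of per-user secrets; the thread itself names only $HOME/.ssh.
HOME_SECRETS = (".ssh", ".gnupg")

def _canon(path):
    """Lexically normalize a path (no symlink resolution, no filesystem access)."""
    return posixpath.normpath(path).replace("//", "/", 1)

def _covers(parent, child):
    """True if a mount of `parent` makes `child` visible (equal or ancestor)."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def audit_bind_mounts(isolation, home):
    """Audit the "bind_mounts" array proposed in this issue (hypothetical schema).

    Returns (mount_index, finding) tuples; an empty list means nothing was flagged.
    """
    secrets = [posixpath.join(home, name) for name in HOME_SECRETS]
    findings = []
    for i, m in enumerate(isolation.get("bind_mounts", [])):
        for key in ("src", "dst"):
            path = m.get(key, "")
            # Reject relative paths and "..", ".", "//" or trailing-slash forms.
            if not path.startswith("/") or _canon(path) != path:
                findings.append((i, f"{key} is not a normalized absolute path: {path!r}"))
        # Assumption: a missing "readonly" key means the mount is read-write.
        mode = "read-only" if m.get("readonly") is True else "read-write"
        src = _canon(m.get("src", ""))
        for secret in secrets:
            # Flag both a parent of the secret and a path inside it.
            if _covers(src, secret) or _covers(secret, src):
                findings.append((i, f"{mode} mount of {src} exposes {secret}"))
    return findings

# Constructed sample: the two mounts from the request plus a whole-home mount.
SAMPLE = json.loads("""
{"bind_mounts": [
  {"src": "/tmp", "dst": "/tmp", "readonly": false},
  {"src": "/usr/local/lib/php", "dst": "/usr/local/lib/php", "readonly": true},
  {"src": "/home/alice", "dst": "/home/alice"}
]}
""")

if __name__ == "__main__":
    for index, finding in audit_bind_mounts(SAMPLE, "/home/alice"):
        print(index, finding)
```

The check is purely lexical, so a symlink inside an allowed source directory that points into the home directory is not detected; resolving paths on the host before mounting would be a separate step.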