[stgt] [PATCH 2/2] tgt-admin: check if device is mounted on /
Tomasz Chmielewski
mangoo at wpkg.org
Tue Sep 2 16:56:41 CEST 2008
Doron Shoham wrote:
> Tomasz Chmielewski wrote:
>
>> Generally, any filesystem mounted on the target should not be allocated
>> to initiators. Disallowing / (i.e., /dev/sda1), but allowing /usr (i.e.,
>> /dev/sda2) or swap is certainly not a good idea.
>>
>> The info can be fetched from /etc/mtab (unless we have a system with
>> read-only /etc, where /etc/mtab could be a link to /proc/mounts - I
>> think /proc/mounts doesn't always show an underlying device where rootfs
>> sits). Also, parsing /proc/swaps would be useful.
>>
>> But what if someone has rootfs on /dev/mtd0, mtd0 consists of /dev/sda1
>> and /dev/sdb1 - and wants to allocate /dev/sdb to initiators? Not to say
>> LVM, dm-crypt devices, etc... - it looks like there are lots of
>> possibilities for an admin to break the system ;)
>>
>>
>> If someone is brave (or uses a distributed fs on the target) and really
>> wants to allow initiators access to a mounted filesystem, we could add a
>> separate option for that ("allow-mounted")?
>> Although I guess it wouldn't have many users today.
>>
>>
>
> For the beginning we will just disallow any filesystem mounted on the target.
> Later we can expand it to handle /dev/mtd0, LVM and so on.
>
> If I understood correctly, we need to:
> 1. parse /etc/mtab - read the device which is mounted on /
> Won't the rootfs always be mounted on /, even if we use nfs?

Yes, rootfs is /. The question is - what device is "rootfs".

/etc/mtab will show you rootfs device:

# cat /etc/mtab
/dev/sda5 / ext3 rw,noatime,barrier=1 0 0

However, this is not always the case with /proc/mounts:

# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,noatime,data=ordered 0 0

What is our root device here?

# ls -l /dev/root
lrwxrwxrwx 1 root root 9 2008-05-16 16:47 /dev/root -> /dev/sda5

Yet another system:

# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,noatime,errors=continue,barrier=1,data=ordered 0 0

# ls -l /dev/root
brw------- 1 root root 8, 1 2008-09-02 06:46 /dev/root

No symlink here, but a real node?

# ls -l /dev/|grep "8,.*1 "
brw------- 1 root root 8, 1 2008-09-02 06:46 root
brw-rw---- 1 root disk 8, 1 2008-09-02 06:46 sda1

And it gets even more funny with LVM (/dev/syn4/1 is a symlink to /dev/mapper/syn4-1):

$ cat /etc/mtab
/dev/mapper/syn4-1 on / type ext3 (rw,noatime)

$ cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/syn4/1 / ext3 rw,noatime,data=ordered 0 0

Or dm-crypt - the underlying device is /dev/sdb2:

# cat /etc/mtab
/dev/mapper/hda2_crypt / ext3 rw,noatime,errors=remount-ro,barrier=1,commit=120 0 0

# cat /proc/mounts
/dev/mapper/hda2_crypt / ext3 rw,noatime,errors=remount-ro,commit=120,barrier=1,data=ordered 0 0
/dev/mapper/hda2_crypt /dev/.static/dev ext3 rw,errors=remount-ro,commit=120,barrier=1,data=ordered 0 0

> 2. parse /proc/mounts - read all the devices
> compare the devices we found to the device we want to allocate.

Edge cases can be:

- missing /etc/mtab - something wrong with the system, as lots of tools depend on this file - throw an error, and exit?
- /etc/mtab pointing to /proc/mounts (mostly on embedded systems, home NAS devices etc.) - so reading /proc/mounts for the second time wouldn't make much sense.
- system is running in chroot; /etc/mtab contents can be invalid; checking if we're running in chroot can be somewhat tricky. I'd say we should skip this case (and probably document it).

> 3. Add allow-mounted option to override this action and allow the allocation.
>
> Do you have any suggestions about handling other situations as you described above (/dev/mtd0, LVM, etc...)?

You can easily add swaps - just parse /proc/swaps.

Software RAID should also be quite easy:

# cat /proc/mdstat
Personalities : [raid1]
md3 : active raid1 sdb3[0] sda3[1]
      1437696 blocks [2/2] [UU]
md2 : active raid1 sda1[0] sdb1[1]
      96256 blocks [2/2] [UU]
md1 : active raid1 sda2[0] sdb2[1]
      76621952 blocks [2/2] [UU]
unused devices: <none>

Here, we probably don't want to allow access to:

- sda3, sdb3,
- sda1, sdb1,
- sda2, sdb2,
- underlying sda and sdb.

Also, inspecting /sys/block/<device>/holders/ might bring some info.

Let's get back to the dm-crypt device:

# cat /etc/mtab
/dev/mapper/hda2_crypt / ext3 rw,noatime,errors=remount-ro,barrier=1,commit=120 0 0

# cat /proc/mounts
/dev/mapper/hda2_crypt / ext3 rw,noatime,errors=remount-ro,commit=120,barrier=1,data=ordered 0 0
/dev/mapper/hda2_crypt /dev/.static/dev ext3 rw,errors=remount-ro,commit=120,barrier=1,data=ordered 0 0

So we don't know what device is really used - neither /etc/mtab nor /proc/mounts told us.

# ls -l /dev/mapper/hda2_crypt
brw-rw---- 1 root disk 253, 0 2008-08-05 11:37 /dev/mapper/hda2_crypt

# ls -l /dev/dm-*
brw-rw---- 1 root disk 253, 0 2008-08-05 11:37 /dev/dm-0 # <- it's this device
brw-rw---- 1 root disk 253, 1 2008-08-05 11:38 /dev/dm-1
brw-rw---- 1 root disk 253, 2 2008-08-05 11:38 /dev/dm-2
brw-rw---- 1 root disk 253, 3 2008-08-05 11:38 /dev/dm-3
brw-rw---- 1 root disk 253, 4 2008-08-05 11:38 /dev/dm-4
brw-rw---- 1 root disk 253, 5 2008-08-05 11:38 /dev/dm-5
brw-rw---- 1 root disk 253, 6 2008-08-05 11:38 /dev/dm-6
brw-rw---- 1 root disk 253, 7 2008-08-05 11:38 /dev/dm-7

Let's inspect all /sys/block/<device>/holders/ and /sys/block/<device>/<partition>/holders/ until we find:

# ls /sys/block/sdb/sdb2/holders
lrwxrwxrwx 1 root root 0 2008-09-02 16:19 dm-0 -> ../../../../block/dm-0/

# ls -l /dev/dm-0
brw-rw---- 1 root disk 253, 0 2008-08-05 11:37 /dev/dm-0

Now we know that /dev/mapper/hda2_crypt sits on /dev/sda2.

To sum up:

- start with parsing /etc/mtab (look for mounted block devices) and /proc/swaps
- make it in a way so that it easily extends for other tests

--
Tomasz Chmielewski
http://wpkg.org
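
The checks discussed in the message above (mounted devices, swaps, md members, and sysfs holders for dm-crypt/LVM stacks), sketched as an added example; this is not code from tgt-admin or from the thread, and it is written in Python although tgt-admin itself is Perl. The function names, the sample strings and passing the sysfs root as a parameter are assumptions of this example; devices are matched by major:minor rather than by name, which is what resolves the /dev/root and /dev/mapper cases shown.

```python
import os
import re
from pathlib import Path

# Constructed samples, modelled on the output quoted in the message above.
MTAB = "/dev/mapper/hda2_crypt / ext3 rw,noatime 0 0\nproc /proc proc rw 0 0\n"
SWAPS = "Filename Type Size Used Priority\n/dev/sda1 partition 96256 0 -1\n"
MDSTAT = "Personalities : [raid1]\nmd3 : active raid1 sdb3[0] sda3[1]\n"

def in_use_sources(mtab_text, swaps_text):
    """/dev paths named in mtab-format text and in /proc/swaps text."""
    lines = mtab_text.splitlines() + swaps_text.splitlines()[1:]
    return {line.split()[0] for line in lines if line.startswith("/dev/")}

def md_names(mdstat_text):
    """Kernel names of the arrays in /proc/mdstat and of their members."""
    names = set()
    for line in mdstat_text.splitlines():
        if re.match(r"md\d+ : ", line):
            names.update([line.split()[0]] + re.findall(r"(\w+)\[\d+\]", line))
    return names

def devno(path):
    """major:minor of a device node, so /dev/root and /dev/sda1 compare equal."""
    rdev = os.stat(path).st_rdev
    return f"{os.major(rdev)}:{os.minor(rdev)}"

def sysfs_nodes(sys_block):
    """(name, parent disk or None, sysfs dir) for every disk and partition."""
    nodes = []
    for disk in sorted(Path(sys_block).iterdir()):
        nodes.append((disk.name, None, disk))
        nodes += [(p.name, disk.name, p) for p in sorted(disk.iterdir())
                  if p.name.startswith(disk.name)]
    return nodes

def blocked(sys_block, used_devnos, used_names):
    """Names not to export: in use, held by something in use, or a parent disk."""
    nodes = sysfs_nodes(sys_block)
    out = set(used_names) | {n for n, _, d in nodes
                             if (d / "dev").read_text().strip() in used_devnos}
    while True:  # fixed point, so dm-on-md-on-partition stacks are followed down
        new = set()
        for name, parent, d in nodes:
            holders = {h.name for h in (d / "holders").iterdir()}
            if name in out or out & holders:
                new |= {name, parent} - {None} - out
        if not new:
            return out
        out |= new
```

On a live target, used_devnos would be built by calling devno() on each path returned by in_use_sources() for the real /etc/mtab and /proc/swaps, with "/sys/block" as sys_block. The chroot and stale-mtab cases set aside in the message remain uncovered by this sketch.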