
Import system credential from virtiofs with tag io.systemd.credentials #29175

arianvp opened this issue Sep 13, 2023 · 7 comments
Labels
creds pid1 RFE 🎁 Request for Enhancement, i.e. a feature request

Comments

@arianvp
Contributor

arianvp commented Sep 13, 2023

Component

systemd

Is your feature request related to a problem? Please describe

I want to have a way to import credentials into my VM but I am not using QEMU. However my VMM does provide virtiofs and no SMBIOS (e.g. macOS Virtualization.Framework, Cloud Hypervisor, Firecracker).

Describe the solution you'd like

  1. We define a virtiofs tag io.systemd.credentials
  2. We mount this under /run/credentials/@virtiofs: mount -t virtiofs io.systemd.credentials /run/credentials/@virtiofs
  3. We copy credentials to /run/credentials/@system
  4. (We unmount /run/credentials/@virtiofs)

Other option because it feels a bit pointless to copy these files around.

  1. We mount to /run/credentials/@virtiofs.
  2. Systemd reads from both /run/credentials/@virtiofs and /run/credentials/@system

Describe alternatives you've considered

None

The systemd version you checked that didn't have the feature you are asking for

254
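As an added example (not code from the issue or from systemd itself): a small Python helper that first lists the virtiofs tags visible in sysfs, as poettering suggests should be possible further down the thread, and then performs steps 2 and 3 of the proposal, importing files from the mounted io.systemd.credentials share into /run/credentials/@system. Only regular files are copied, so a symlink or directory on the share cannot redirect the import, and each imported file ends up root-readable only. The /sys/fs/virtiofs/<id>/tag layout and the function names are assumptions.

```python
import os
import shutil
import stat
from pathlib import Path

# Assumption (not stated in the issue): recent kernels expose each virtiofs
# filesystem under /sys/fs/virtiofs/<id>/ with its tag in a file named "tag".
SYSFS_VIRTIOFS = Path("/sys/fs/virtiofs")
CRED_TAG = "io.systemd.credentials"
SYSTEM_CREDS = Path("/run/credentials/@system")


def discover_tags(sysfs_root=SYSFS_VIRTIOFS):
    """Return {tag: device-id} for every virtiofs device listed in sysfs."""
    tags = {}
    if not sysfs_root.is_dir():
        return tags  # no virtiofs devices (or old kernel without the entries)
    for dev in sorted(sysfs_root.iterdir()):
        tag_file = dev / "tag"
        if tag_file.is_file():
            tags[tag_file.read_text().strip()] = dev.name
    return tags


def import_credentials(src, dst=SYSTEM_CREDS):
    """Copy credential files from the mounted tag directory into dst.

    Only regular files directly inside src are accepted; symlinks, sub-
    directories and device nodes are skipped so the share cannot point the
    copy at arbitrary guest paths. Returns (imported names, skipped names).
    """
    src, dst = Path(src), Path(dst)
    dst.mkdir(parents=True, exist_ok=True)
    os.chmod(dst, 0o700)  # credentials directory: owner only
    imported, skipped = [], []
    for entry in sorted(src.iterdir()):
        st = entry.lstat()  # lstat: never follow a symlink on the share
        if not stat.S_ISREG(st.st_mode):
            skipped.append(entry.name)
            continue
        target = dst / entry.name
        # Create the destination with mode 0600 before any bytes land in it.
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with open(entry, "rb") as fin, os.fdopen(fd, "wb") as fout:
            shutil.copyfileobj(fin, fout)
        os.chmod(target, 0o600)
        imported.append(entry.name)
    return imported, skipped
```

Run as root after `mount -t virtiofs io.systemd.credentials /run/credentials/@virtiofs`, passing that mount point as `src`.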

@arianvp arianvp added the RFE 🎁 Request for Enhancement, i.e. a feature request label Sep 13, 2023
@github-actions github-actions bot added the pid1 label Sep 13, 2023
@poettering
Member

So I think we probably want two things:

  1. simply mount virtiofs tagged with io.systemd.run-host to /run/host, to match similar logic in nspawn, so that the VM host can pass in creds, sysexts, portable services, nspawn containers that way, matching behaviour in containers

  2. have a generator that mounts rootfs, /usr/, /home/ and /srv/ from virtiofs by generating mount units for it, roughly mimicking gpt-auto-generator.

@arianvp
Contributor Author

arianvp commented Sep 19, 2023

have a generator that mounts rootfs, /usr/, /home/ and /srv/ from virtiofs by generating mount units for it, roughly mimicking gpt-auto-generator.

Hmm does fstab-generator not already do enough here?

just set

root=my-tag rootfstype=virtiofs

on the cmdline and you'll have a rootfs mounted by a specified tag. For the other partitions entries in /etc/fstab suffice.

Or is it just about standardising on the tags for io.systemd.{root,usr,srv,home} as virtiofs tag?

@arianvp
Contributor Author

arianvp commented Sep 19, 2023

a generator is hard here because you can't know if a tag exists except for mounting it :/ At least I haven't found a way to discover what tags are available for mounting. There are no paths in /dev that show up.

So people have to be explicit in their fstab that the virtiofs tag exists and needs to be mounted. There isn't a way for us to "discover" this I think.

@poettering
Member

it is my understanding that each virtiofs fs is exposed as separate virtio device, which are enumeratable in sysfs. but i didn't check. Need to have a look.

@poettering
Member

have a generator that mounts rootfs, /usr/, /home/ and /srv/ from virtiofs by generating mount units for it, roughly mimicking gpt-auto-generator.

Hmm does fstab-generator not already do enough here?

just set

root=my-tag rootfstype=virtiofs

on the cmdline and you'll have a rootfs mounted by a specified tag. For the other partitions entries in /etc/fstab suffice.

Or is it just about standardising on the tags for io.systemd.{root,usr,srv,home} as virtiofs tag?

so, yes of course, this logic would be entirely redundant, in the same way as systemd-gpt-auto-generator kinda is. It's mostly an exercise in pushing people towards a certain way to set up VMs.

@keszybz
Member

keszybz commented Sep 19, 2023

Another idea would be to use virtiofs to exfiltrate journal logs from the machine.

@poettering
Member
