Use virtiofs to support bind-mounts #81
Conversation
Pull request overview
This PR implements bind mount support for containers running inside VMs by using virtiofs filesystem sharing. The implementation transforms host bind mounts into virtiofs shares that are mounted inside the VM and then bind-mounted into containers.
Key changes include:
- Replace the previous file-based bind mount mechanism with virtiofs-based sharing
- Add support for both directory and file bind mounts (files share their parent directory)
- Include comprehensive documentation about security implications of file bind mounts
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| internal/shim/task/service.go | Replaces transformBindMounts function with new bindMounter type that uses virtiofs |
| internal/shim/task/mount.go | Implements bindMounter with methods to transform mounts, setup VM filesystems, and generate init args |
| internal/shim/task/mount_test.go | Adds comprehensive test coverage for bind mount transformation logic |
| cmd/vminitd/main.go | Adds mount flag and integrates mount setup into VM initialization |
| cmd/vminitd/bind_mounts.go | Implements virtiofs mount logic inside the VM |
| cmd/vminitd/bind_mounts_test.go | Tests bind mount parsing and string conversion |
| docs/bind-mounts.md | Documents how bind mounts work and security implications |
Force-pushed from 2c2e18a to 2db71d6.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Just one suggestion: maybe we could introduce a single shared virtiofs mount and map all these host bind mounts as sub-directories. Is that possible? Many virtiofs instances also add overhead.
Using a single virtiofs mount is probably ideal. I'm wondering if we could use hard links on the host side. This would nicely solve the issue with file bind-mounts. I'll have a look at it and see if it works as expected.
On second thought, I think a hard link might not work across filesystems. Does a bind mount on the host work? I think nerdbox has enough privilege to do a bind mount?
Fair point.
No, macOS doesn't support bind mounts. Another option we've discussed internally at Docker is to add an API to libkrun that'd let us dynamically define which files / directories are accessible from the VM. We could then mount
Yes, that would be better. Actually the virtiofs daemon can do much more than just pass through a directory, but I simply have no bandwidth to follow the libkrun work any further.
Force-pushed from 2db71d6 to 021d6d6.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Force-pushed from be9b5eb to 1a8c8d6.
Transform bind mounts received by the shim into virtiofs mounts, and update the OCI spec to let the VM-side shim mount from these virtiofs. File bind-mounts are supported by mounting their parent directory into the VM. A docs file is added to explain how it works, and the security implications of file bind-mounts.

Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
Signed-off-by: Derek McGowan <derek@mcg.dev>
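The mechanism described in the review overview and in the commit message above (host bind mounts become virtiofs shares; a file bind mount shares the file's parent directory and is bind-mounted out of that share inside the VM), as an added Go example. This is not code from the nerdbox repository: the `Mount` and `Share` types, the `bindN` tag scheme, the `/run/virtiofs` guest mount root and the `tag:guestpath` init-argument format are all assumptions made for the example, and the real shim's types, flag names and paths are not shown on this page. The directory probe is injected so the transformation runs against a constructed host layout with no filesystem access. `Plan.FileParents` records the point the docs file is about: for a file bind mount the guest kernel and VM init get the whole parent directory, not just the requested file, even though the container only sees the file.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Mount mirrors the fields of an OCI spec mount entry that matter here.
// It stands in for the project's own mount type (assumption for this example).
type Mount struct {
	Type        string   // "bind" marks a host bind mount
	Source      string   // host path, file or directory
	Destination string   // path inside the container
	Options     []string // e.g. "rbind", "ro"
}

// Share is one virtiofs share the VMM exposes: a host directory plus the tag
// the guest mounts it by. Field names and the tag scheme are assumptions.
type Share struct {
	Tag      string
	HostDir  string
	ReadOnly bool // true only if every mount backed by this share is read-only
}

// Plan is the output of the transformation.
type Plan struct {
	Shares      []Share           // virtiofs shares to expose, one per distinct host directory
	Mounts      []Mount           // rewritten OCI mounts for the in-VM runtime
	InitArgs    []string          // "tag:guestpath" per share, for the VM init (assumed format)
	FileParents map[string]string // requested host file -> parent directory the guest actually sees
}

// guestShareRoot is where the VM init mounts each virtiofs tag (assumption).
const guestShareRoot = "/run/virtiofs"

// TransformBindMounts rewrites every "bind" mount into one the in-VM runtime
// can satisfy from a virtiofs share. Directories are shared directly. A file
// cannot be a virtiofs share on its own, so its parent directory is shared and
// the file is bind-mounted out of that share inside the VM; the guest therefore
// sees every sibling of the file, which Plan.FileParents records.
// isDir is injected so the logic can run against a constructed host layout.
func TransformBindMounts(mounts []Mount, isDir func(string) (bool, error)) (*Plan, error) {
	plan := &Plan{FileParents: map[string]string{}}
	shareByDir := map[string]int{} // host dir -> index into plan.Shares

	for _, m := range mounts {
		if m.Type != "bind" {
			plan.Mounts = append(plan.Mounts, m) // proc, tmpfs, ... pass through untouched
			continue
		}
		src := filepath.Clean(m.Source)
		if !filepath.IsAbs(src) || !filepath.IsAbs(m.Destination) {
			return nil, fmt.Errorf("bind mount %q -> %q: both paths must be absolute", m.Source, m.Destination)
		}
		dir, err := isDir(src)
		if err != nil {
			return nil, fmt.Errorf("stat %q: %w", src, err)
		}

		hostDir, leaf := src, ""
		if !dir {
			parent, name := filepath.Split(src)
			hostDir, leaf = filepath.Clean(parent), name
			plan.FileParents[src] = hostDir
		}

		ro := hasOption(m.Options, "ro")
		idx, seen := shareByDir[hostDir]
		if !seen {
			idx = len(plan.Shares)
			shareByDir[hostDir] = idx
			tag := fmt.Sprintf("bind%d", idx)
			plan.Shares = append(plan.Shares, Share{Tag: tag, HostDir: hostDir, ReadOnly: ro})
			plan.InitArgs = append(plan.InitArgs, tag+":"+filepath.Join(guestShareRoot, tag))
		} else if !ro {
			// a writable request on a directory already shared read-only forces the share writable
			plan.Shares[idx].ReadOnly = false
		}

		plan.Mounts = append(plan.Mounts, Mount{
			Type:        "bind",
			Source:      filepath.Join(guestShareRoot, plan.Shares[idx].Tag, leaf),
			Destination: m.Destination,
			Options:     m.Options, // "ro" etc. are still enforced by the in-VM bind mount
		})
	}
	return plan, nil
}

func hasOption(opts []string, want string) bool {
	for _, o := range opts {
		if o == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed host layout for the demo; nothing here is read from disk.
	// Outside a demo, pass a probe built on os.Stat(p).IsDir() instead.
	layout := map[string]bool{"/Users/alice/project": true, "/Users/alice/.ssh/config": false}
	isDir := func(p string) (bool, error) {
		d, ok := layout[p]
		if !ok {
			return false, os.ErrNotExist
		}
		return d, nil
	}
	mounts := []Mount{
		{Type: "bind", Source: "/Users/alice/project", Destination: "/src", Options: []string{"rbind", "rw"}},
		{Type: "bind", Source: "/Users/alice/.ssh/config", Destination: "/root/.ssh/config", Options: []string{"rbind", "ro"}},
	}
	plan, err := TransformBindMounts(mounts, isDir)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, s := range plan.Shares {
		fmt.Printf("share %s -> %s (ro=%v)\n", s.Tag, s.HostDir, s.ReadOnly)
	}
	for f, d := range plan.FileParents {
		fmt.Printf("file bind %s exposes the whole directory %s to the guest\n", f, d)
	}
	fmt.Println("init args:", plan.InitArgs)
}
```

Two things to notice when running it: shares are deduplicated by host directory, so two file bind mounts from the same directory produce one share, and a share is only marked read-only when every mount that uses it asked for `ro`; a later writable request on the same directory flips it, because the per-container `ro` is enforced by the bind mount inside the VM, not by the share.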
Force-pushed from 1a8c8d6 to 0e300c4.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.