Re: [systemd-devel] Using LoadCredential for passing API key to s3 bucket mount unit
Hi Lennart, Thank you for your reply! > systemd only resolves env vars in ExecXYZ= lines, nowhere else. And > definitely not in Options= Background: fuse mounts can use arbitrary executables that provide mount-like calling interface. Those executables can be specified as type fuse.$my_executable. For example, the following script can be placed in arbitrary place in $PATH as "my_wrapper": #!/bin/sh env echo "My credentials directory: ${CREDENTIALS_DIRECTORY}" echo "Its contents:" ls -als "${CREDENTIALS_DIRECTORY}" echo "My argv: $@" # failing noop, not mounting anything # this could be a call to s3fs false Then, this mount unit could call it: [Unit] Description=tmp bucket mount After=network.target [Mount] What=temp-bucket Where=/mnt/tmp Type=fuse.my_wrapper LoadCredential=password_file:/etc/s3fs/tmp_key Options=passwd_file="${CREDENTIALS_DIRECTORY}"/password_file This results in the following in journald: systemd[1]: Mounting tmp bucket mount... mount[539027]: CREDENTIALS_DIRECTORY=/run/credentials/mnt-tmp.mount mount[539027]: PWD=/ mount[539027]: SYSTEMD_EXEC_PID=539025 mount[539027]: _=/usr/bin/env mount[539027]: HOME=/root mount[539027]: LANG=en_US.utf8 mount[539027]: INVOCATION_ID=f5f58395a5f04f349c97d19a400bfedf mount[539027]: SHLVL=1 mount[539027]: JOURNAL_STREAM=8:14978691 mount[539026]: My credentials directory: /run/credentials/mnt-tmp.mount mount[539026]: Its contents: mount[539028]: ls: cannot access '/run/credentials/mnt-tmp.mount': No such file or directory mount[539026]: My argv: temp-bucket /mnt/tmp -o rw,passwd_file="/run/credentials/mnt-tmp.mount"/password_file,dev,suid systemd[1]: mnt-tmp.mount: Mount process exited, code=exited, status=1/FAILURE systemd[1]: mnt-tmp.mount: Failed with result 'exit-code'. systemd[1]: Failed to mount tmp bucket mount. Judging by "My argv" line, while the systemd itself would not resolve CREDENTIALS_DIRECTORY, the mounting script ultimately does receive its contents if it was specified in Options= > $CREDENIALS_DIRECTORY should already point to a dir with the unit name > in it. i.e. what is the precise value? Apologies, I misspoke in my previous mail. The actual directory is _not_ created, see output above. $CREDENIALS_DIRECTORY variable does get the expected value "/run/credentials/mnt-tmp.mount", but this path is not created, thus the credentials are not passed, see above. > Consider filing an issue on github, if the creds stuff doesn't > work. But note that the env var replacement you need to do in mout > mount.fuse.s3fs wrapper script really, PID 1 won't do that for you. Can you please confirm that my example wrapper above looks like it should work? If so, I will file the issue. -- With best regards, -- Vladimir Timofeenko
Re: [systemd-devel] Using LoadCredential for passing API key to s3 bucket mount unit
On Mi, 01.09.21 13:31, Vladimir Timofeenko (vladi...@vtimofeenko.com) wrote: > Hi, > > I am playing with the idea of using systemd mount to mount S3 bucket on > the system using s3fs. > > To mount a bucket, an API key is required. s3fs can read the API key > from a file specified as an option: > > s3fs $bucket_name $where -o passwd_file=${PATH_TO_PASSWORD_FILE} ... > > I tried to set up a .mount unit with LoadCredential directive: > > [Unit] > Description=tmp bucket mount > After=network.target > > [Mount] > What=temp-bucket > Where=/mnt/tmp > Type=fuse.s3fs > LoadCredential=password_file:/etc/s3fs/tmp_key > Options=passwd_file="${CREDENTIALS_DIRECTORY}"/password_file,url=https://s3... systemd only resolves env vars in ExecXYZ= lines, nowhere else. And definitely not in Options= > I have used a small wrapper that calls env before calling s3fs to > investigate, and it appears that during the mount command execution > ${CREDENTIALS_DIRECTORY} is created, but there is no subdirectory > corresponding to the unit name. $CREDENIALS_DIRECTORY should already point to a dir with the unit name in it. i.e. what is the precise value? I must admit I never tested credentials with mount units. We might be missing something there, though I see no reason why it shouldn't work. Consider filing an issue on github, if the creds stuff doesn't work. But note that the env var replacement you need to do in mout mount.fuse.s3fs wrapper script really, PID 1 won't do that for you. Lennart -- Lennart Poettering, Berlin
[systemd-devel] Using LoadCredential for passing API key to s3 bucket mount unit
Hi, I am playing with the idea of using systemd mount to mount S3 bucket on the system using s3fs. To mount a bucket, an API key is required. s3fs can read the API key from a file specified as an option: s3fs $bucket_name $where -o passwd_file=${PATH_TO_PASSWORD_FILE} ... I tried to set up a .mount unit with LoadCredential directive: [Unit] Description=tmp bucket mount After=network.target [Mount] What=temp-bucket Where=/mnt/tmp Type=fuse.s3fs LoadCredential=password_file:/etc/s3fs/tmp_key Options=passwd_file="${CREDENTIALS_DIRECTORY}"/password_file,url=https://s3... [Install] WantedBy=multi-user.target However mount start fails with s3fs not being able to read from passwd_file: s3fs: specified passwd_file is not readable. I have used a small wrapper that calls env before calling s3fs to investigate, and it appears that during the mount command execution ${CREDENTIALS_DIRECTORY} is created, but there is no subdirectory corresponding to the unit name. Is this a correct use for LoadCredential? systemctl --version systemd 248 (248) +PAM -AUDIT -SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID -CURL -ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE -BZIP2 +LZ4 -XZ -ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified OS: Gentoo -- With best regards, -- Vladimir Timofeenko