Properly mount base layers

gabriel-samfira · gabriel-samfira · commit 9139208b3198 · 2023-05-31T02:12:08.000+03:00
As opposed to a writable layer derived from a base layer, the volume
path of a base layer, once activated and prepared will not be a WCIFS
volume, but the actual path on disk to the snapshot. We cannot directly
mount this folder, as that would mean a client may gain access and
potentially damage important metadata files that would render the layer
unusabble.

For base layers we need to mount the Files folder which must exist in
any valid base windows-layer.

Signed-off-by: Gabriel Adrian Samfira &lt;gsamfira@cloudbasesolutions.com&gt;
diff --git a/mount/mount_windows.go b/mount/mount_windows.go
@@ -99,6 +99,14 @@ func (m *Mount) mount(target string) (retErr error) {
 		return fmt.Errorf("failed to get volume path for layer %s: %w", m.Source, err)
 	}
 
+	if len(parentLayerPaths) == 0 {
+		// this is a base layer. It gets mounted without going through WCIFS. We need to mount the Files
+		// folder, not the actual source, or the client may inadvertently remove metadata files.
+		volume = filepath.Join(volume, "Files")
+		if _, err := os.Stat(volume); err != nil {
+			return fmt.Errorf("no Files folder in layer %s", layerID)
+		}
+	}
 	if err := bindfilter.ApplyFileBinding(target, volume, m.ReadOnly()); err != nil {
 		return fmt.Errorf("failed to set volume mount path for layer %s: %w", m.Source, err)
 	}
diff --git a/snapshots/windows/windows.go b/snapshots/windows/windows.go
@@ -319,24 +319,14 @@ func (s *snapshotter) mounts(sn storage.Snapshot, key string) []mount.Mount {
 
 	mountType := "windows-layer"
 
-	if len(sn.ParentIDs) == 0 {
-		// A mount of a parentless snapshot is a bind-mount.
-		mountType = "bind"
-		// If not being extracted into, then the bind-target is the
-		// "Files" subdirectory.
-		if !strings.Contains(key, snapshots.UnpackKeyPrefix) {
-			source = filepath.Join(source, "Files")
-		}
-	}
-
 	// error is not checked here, as a string array will never fail to Marshal
 	parentLayersJSON, _ := json.Marshal(parentLayerPaths)
 	parentLayersOption := mount.ParentLayerPathsFlag + string(parentLayersJSON)
 
 	options := []string{
 		roFlag,
 	}
-	if mountType != "bind" {
+	if len(sn.ParentIDs) != 0 {
 		options = append(options, parentLayersOption)
 	}
 	mounts := []mount.Mount{

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,14 @@ func (m *Mount) mount(target string) (retErr error) {`
`99`	`99`	`return fmt.Errorf("failed to get volume path for layer %s: %w", m.Source, err)`
`100`	`100`	`}`
`101`	`101`
	`102`	`+ if len(parentLayerPaths) == 0 {`
	`103`	`+ // this is a base layer. It gets mounted without going through WCIFS. We need to mount the Files`
	`104`	`+ // folder, not the actual source, or the client may inadvertently remove metadata files.`
	`105`	`+ volume = filepath.Join(volume, "Files")`
	`106`	`+ if _, err := os.Stat(volume); err != nil {`
	`107`	`+ return fmt.Errorf("no Files folder in layer %s", layerID)`
	`108`	`+ }`
	`109`	`+ }`
`102`	`110`	`if err := bindfilter.ApplyFileBinding(target, volume, m.ReadOnly()); err != nil {`
`103`	`111`	`return fmt.Errorf("failed to set volume mount path for layer %s: %w", m.Source, err)`
`104`	`112`	`}`