diff --git a/doc/CONFIGURATION.md b/doc/CONFIGURATION.md index 7c64db7e4..118103f76 100644 --- a/doc/CONFIGURATION.md +++ b/doc/CONFIGURATION.md @@ -304,16 +304,16 @@ Mountpoint supports mounting S3 buckets to a directory or a FUSE file descriptor For directory mount points, the passed path must be an existing directory. -For FUSE file descriptors on Linux, you can specify an open FUSE file descriptor as a mount point with '/dev/fd/N' syntax. +For FUSE file descriptors on Linux, you can specify an open FUSE file descriptor as a mount point with `/dev/fd/N` syntax. This is useful in container environments to achieve unprivileged mounts. In this case, it's callers responsibility to: -1. Opening FUSE device (/dev/fuse) in read-write mode to obtain a file descriptor -2. Performing 'mount' syscall with desired mount point, the file descriptor and mount options. +1. Opening FUSE device (`/dev/fuse`) in read-write mode to obtain a file descriptor +2. Performing `mount` syscall with desired mount point, the file descriptor and mount options. Mountpoint by default uses and recommends enabling `nodev`, `nosuid`, `default_permissions` and `noatime` mount options, see [Linux kernel documentation](https://man7.org/linux/man-pages/man8/mount.fuse3.8.html#OPTIONS) about more details on mount options. -3. Spawning Mountpoint with the file descriptor using '/dev/fd/N' syntax as mount point +3. Spawning Mountpoint with the file descriptor using `/dev/fd/N` syntax as mount point 4. Closing the file descriptor in the parent process -5. Performing 'unmount' syscall on the mount point once its desired and/or Mountpoint process terminates +5. Performing `unmount` syscall on the mount point once its desired and/or Mountpoint process terminates See [mounthelper.go](https://github.com/awslabs/mountpoint-s3/tree/main/examples/fuse-fd-mount-point/mounthelper.go) as an example usage of this feature. diff --git a/mountpoint-s3/src/cli.rs b/mountpoint-s3/src/cli.rs index 8b76dc51b..9f0686989 100644 --- a/mountpoint-s3/src/cli.rs +++ b/mountpoint-s3/src/cli.rs @@ -557,16 +557,11 @@ impl CliArgs { #[cfg(target_os = "linux")] if matches!(mount_point, MountPoint::FileDescriptor(_)) { - let passed_mount_options = &[ - (self.read_only, "--read-only"), - (self.auto_unmount, "--auto-unmount"), - (self.allow_root, "--allow-root"), - (self.allow_other, "--allow-other"), - ] - .iter() - .filter(|o| o.0) - .map(|o| o.1) - .collect::>(); + let passed_mount_options = &[(self.read_only, "--read-only"), (self.auto_unmount, "--auto-unmount")] + .iter() + .filter(|o| o.0) + .map(|o| o.1) + .collect::>(); if !passed_mount_options.is_empty() { return Err(anyhow!( diff --git a/mountpoint-s3/tests/fuse_tests/fork_test.rs b/mountpoint-s3/tests/fuse_tests/fork_test.rs index c989e301f..d484e73f8 100644 --- a/mountpoint-s3/tests/fuse_tests/fork_test.rs +++ b/mountpoint-s3/tests/fuse_tests/fork_test.rs @@ -30,8 +30,6 @@ use crate::common::{creds::get_scoped_down_credentials, s3::get_non_test_region, const MOUNT_OPTION_READ_ONLY: &str = "--read-only"; const MOUNT_OPTION_AUTO_UNMOUNT: &str = "--auto-unmount"; -const MOUNT_OPTION_ALLOW_ROOT: &str = "--allow-root"; -const MOUNT_OPTION_ALLOW_OTHER: &str = "--allow-other"; const MAX_WAIT_DURATION: std::time::Duration = std::time::Duration::from_secs(10); @@ -412,9 +410,7 @@ fn run_fail_on_non_fuse_fd() -> Result<(), Box> { #[test_case(&[MOUNT_OPTION_READ_ONLY])] #[test_case(&[MOUNT_OPTION_AUTO_UNMOUNT])] -#[test_case(&[MOUNT_OPTION_ALLOW_ROOT])] -#[test_case(&[MOUNT_OPTION_ALLOW_OTHER])] -#[test_case(&[MOUNT_OPTION_READ_ONLY, MOUNT_OPTION_ALLOW_OTHER])] +#[test_case(&[MOUNT_OPTION_READ_ONLY, MOUNT_OPTION_AUTO_UNMOUNT])] fn run_fail_on_non_fuse_fd_if_mount_options_passed(mount_options: &[&str]) -> Result<(), Box> { let (bucket, prefix) = get_test_bucket_and_prefix("run_fail_on_non_fuse_fd_if_mount_options_passed"); let region = get_test_region();