feat: Add file bind mount support via arca-filesystem-service

VirtioFS only supports directory shares, so file bind mounts require mounting
the parent directory via VirtioFS and then creating a bind mount for the
specific file inside the container's mount namespace.

Changes:
- Add CreateBindMount gRPC endpoint to arca-filesystem-service
- Implement mount namespace switching to perform bind mount in container context
- Add container PID discovery via ARCA_CONTAINER_ID environment variable
- Fix Mount.swift to create empty file (not directory) for file bind mount targets
- Rename arca-overlayfs-service to arca-filesystem-service (more accurate name)
- Update cross-compilation build script for Linux ARM64

The bind mount is performed inside the container's mount namespace so it is
visible to the container process and persists correctly.

Closes Arca issue apple#7

Author: richardkiene

Sources/ContainerizationOS/Mount/Mount.swift

@@ -151,7 +151,20 @@ extension Mount {
         if let perms = createWithPerms {
             try mkdirAll(targetParent, perms)
         }
-        try mkdirAll(target, 0o755)
+
+        // Check if this is a file bind mount (signaled by "arca-file-bind" option)
+        // For file bind mounts, create an empty file at the target instead of a directory
+        let isFileBindMount = self.options.contains("arca-file-bind")
+        if isFileBindMount {
+            // Create parent directory if needed
+            try mkdirAll(targetParent, 0o755)
+            // Create empty file at target
+            if !FileManager.default.fileExists(atPath: target) {
+                _ = FileManager.default.createFile(atPath: target, contents: nil)
+            }
+        } else {
+            try mkdirAll(target, 0o755)
+        }
 
         if opts.flags & Int32(MS_REMOUNT) == 0 || !dataString.isEmpty {
             let result = _mount(self.source, target, self.type, UInt(originalFlags), dataString)

vminitd/Sources/vminitd/Application.swift

@@ -146,27 +146,28 @@ struct Application {
             log.warning("arca-wireguard-service binary not found at \(wireGuardServicePath), WireGuard networking will not be available")
         }
 
-        // Start arca-overlayfs-service in background for OverlayFS layer mounting
+        // Start arca-filesystem-service in background for filesystem operations
         // This service listens on vsock port 51821 (accessible from host via container.dialVsock())
-        let overlayFSServicePath = "/sbin/arca-overlayfs-service"
-        let overlayFSServiceExists = FileManager.default.fileExists(atPath: overlayFSServicePath)
-        log.info("arca-overlayfs-service binary exists: \(overlayFSServiceExists) at \(overlayFSServicePath)")
-
-        if overlayFSServiceExists {
-            log.info("starting arca-overlayfs-service...")
-            var overlayFSService = Command(overlayFSServicePath)
+        // Provides: filesystem sync, upperdir enumeration (docker diff), bind mounts (file volumes), archive operations
+        let filesystemServicePath = "/sbin/arca-filesystem-service"
+        let filesystemServiceExists = FileManager.default.fileExists(atPath: filesystemServicePath)
+        log.info("arca-filesystem-service binary exists: \(filesystemServiceExists) at \(filesystemServicePath)")
+
+        if filesystemServiceExists {
+            log.info("starting arca-filesystem-service...")
+            var filesystemService = Command(filesystemServicePath)
             // Leave stdin/stdout/stderr as nil for detached background service
-            overlayFSService.stdin = nil
-            overlayFSService.stdout = nil
-            overlayFSService.stderr = .standardError  // Log errors to vminitd stderr
+            filesystemService.stdin = nil
+            filesystemService.stdout = nil
+            filesystemService.stderr = .standardError  // Log errors to vminitd stderr
             do {
-                try overlayFSService.start()
-                log.info("arca-overlayfs-service started successfully on vsock port 51821")
+                try filesystemService.start()
+                log.info("arca-filesystem-service started successfully on vsock port 51821")
             } catch {
-                log.error("failed to start arca-overlayfs-service: \(error)")
+                log.error("failed to start arca-filesystem-service: \(error)")
             }
         } else {
-            log.warning("arca-overlayfs-service binary not found at \(overlayFSServicePath), OverlayFS mounting will not be available")
+            log.warning("arca-filesystem-service binary not found at \(filesystemServicePath), filesystem operations will not be available")
         }
 
         // Start arca-process-service in background for process control

vminitd/extensions/filesystem-service/build.sh

@@ -1,11 +1,22 @@
 #!/bin/bash
-# Build Arca Filesystem Service binary
+# Build Arca Filesystem Service binary for Linux ARM64
+
 set -e
 
-cd "$(dirname "$0")"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+echo "Building arca-filesystem-service for Linux ARM64..."
+
+# Cross-compile for Linux ARM64
+GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build \
+    -o arca-filesystem-service \
+    -ldflags="-s -w" \
+    ./cmd/arca-filesystem-service
 
-echo "Building arca-filesystem-service..."
-go build -o arca-filesystem-service ./cmd/arca-filesystem-service
+if [ ! -f arca-filesystem-service ]; then
+    echo "ERROR: Build failed - arca-filesystem-service binary not created"
+    exit 1
+fi
 
-echo "✓ Build complete: arca-filesystem-service"
-ls -lh arca-filesystem-service
+echo "✓ Built arca-filesystem-service ($(du -h arca-filesystem-service | awk '{print $1}')"

vminitd/extensions/filesystem-service/filesystem.go

@@ -13,9 +13,12 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"os"
 	"path/filepath"
+	"runtime"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -29,6 +32,82 @@ type Server struct {
 	pb.UnimplementedFilesystemServiceServer
 }
 
+// findContainerPID finds the PID of a container by searching /proc for ARCA_CONTAINER_ID
+func findContainerPID(containerID string) (int, error) {
+	entries, err := ioutil.ReadDir("/proc")
+	if err != nil {
+		return 0, fmt.Errorf("failed to read /proc: %w", err)
+	}
+
+	for _, entry := range entries {
+		if !entry.IsDir() {
+			continue
+		}
+
+		// Check if directory name is numeric (PID)
+		pid, err := strconv.Atoi(entry.Name())
+		if err != nil {
+			continue
+		}
+
+		// Read /proc/[pid]/environ to find ARCA_CONTAINER_ID
+		environPath := filepath.Join("/proc", entry.Name(), "environ")
+		environData, err := ioutil.ReadFile(environPath)
+		if err != nil {
+			continue
+		}
+
+		// environ is null-separated key=value pairs
+		for _, env := range bytes.Split(environData, []byte{0}) {
+			if bytes.HasPrefix(env, []byte("ARCA_CONTAINER_ID=")) {
+				foundID := string(bytes.TrimPrefix(env, []byte("ARCA_CONTAINER_ID=")))
+				if foundID == containerID {
+					return pid, nil
+				}
+			}
+		}
+	}
+
+	return 0, fmt.Errorf("container PID not found for ID: %s", containerID)
+}
+
+// withMountNamespace executes a function inside a mount namespace
+// Pattern similar to WireGuard's netns switching but for mount namespaces
+func withMountNamespace(nsPath string, fn func() error) error {
+	// Lock goroutine to OS thread for namespace operations
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	// Open current mount namespace to return to it later
+	rootMntFd, err := unix.Open("/proc/self/ns/mnt", unix.O_RDONLY, 0)
+	if err != nil {
+		return fmt.Errorf("failed to open root mount namespace: %w", err)
+	}
+	defer unix.Close(rootMntFd)
+
+	// Open target mount namespace
+	targetMntFd, err := unix.Open(nsPath, unix.O_RDONLY, 0)
+	if err != nil {
+		return fmt.Errorf("failed to open target mount namespace: %w", err)
+	}
+	defer unix.Close(targetMntFd)
+
+	// Enter target mount namespace
+	if err := unix.Setns(targetMntFd, unix.CLONE_NEWNS); err != nil {
+		return fmt.Errorf("failed to enter mount namespace: %w", err)
+	}
+
+	// Ensure we return to root namespace
+	defer func() {
+		if err := unix.Setns(rootMntFd, unix.CLONE_NEWNS); err != nil {
+			log.Printf("Warning: failed to return to root mount namespace: %v", err)
+		}
+	}()
+
+	// Execute the function inside the namespace
+	return fn()
+}
+
 // SyncFilesystem flushes all filesystem buffers to disk
 // Calls the sync() syscall to ensure all cached writes are persisted
 func (s *Server) SyncFilesystem(ctx context.Context, req *pb.SyncFilesystemRequest) (*pb.SyncFilesystemResponse, error) {
@@ -357,3 +436,122 @@ func (s *Server) WriteArchive(ctx context.Context, req *pb.WriteArchiveRequest)
 		Success: true,
 	}, nil
 }
+
+// CreateBindMount creates a bind mount from source to target
+// Works like "mount --bind /source /target" inside the container
+// Used for file bind mounts (VirtioFS only supports directory shares)
+func (s *Server) CreateBindMount(ctx context.Context, req *pb.CreateBindMountRequest) (*pb.CreateBindMountResponse, error) {
+	log.Printf("CreateBindMount: containerID=%s source=%s target=%s readOnly=%v", req.ContainerId, req.Source, req.Target, req.ReadOnly)
+
+	// Find container PID by searching /proc for ARCA_CONTAINER_ID environment variable
+	containerPID, err := findContainerPID(req.ContainerId)
+	if err != nil {
+		errMsg := fmt.Sprintf("failed to find container PID: %v", err)
+		log.Printf("ERROR: %s", errMsg)
+		return &pb.CreateBindMountResponse{
+			Success: false,
+			Error:   errMsg,
+		}, nil
+	}
+	log.Printf("✓ Found container PID: %d", containerPID)
+
+	// Resolve target path to absolute VM path
+	// Target is container-relative (e.g., "/test.txt"), resolve to VM path (e.g., "/run/container/{id}/rootfs/test.txt")
+	targetAbsolute := fmt.Sprintf("/run/container/%s/rootfs%s", req.ContainerId, req.Target)
+	log.Printf("Resolved target path: %s -> %s", req.Target, targetAbsolute)
+
+	// All bind mount operations must happen inside the container's mount namespace
+	// The source file is mounted via VirtioFS inside the container's mount namespace
+	// The target file must be created inside the container's mount namespace
+	mntNsPath := fmt.Sprintf("/proc/%d/ns/mnt", containerPID)
+	log.Printf("Will perform all operations in container mount namespace: %s", mntNsPath)
+
+	// Perform all operations inside the container's mount namespace
+	err = withMountNamespace(mntNsPath, func() error {
+		log.Printf("Inside container mount namespace")
+
+		// Validate source exists
+		sourceInfo, err := os.Stat(req.Source)
+		if err != nil {
+			log.Printf("ERROR: source path does not exist: %v", err)
+			return fmt.Errorf("source path does not exist: %w", err)
+		}
+		log.Printf("✓ Source exists: %s (isDir=%v, size=%d)", req.Source, sourceInfo.IsDir(), sourceInfo.Size())
+
+		// Ensure parent directory of target exists
+		targetParent := filepath.Dir(targetAbsolute)
+		if err := os.MkdirAll(targetParent, 0755); err != nil {
+			log.Printf("ERROR: failed to create target parent directory: %v", err)
+			return fmt.Errorf("failed to create target parent directory: %w", err)
+		}
+		log.Printf("✓ Target parent directory exists: %s", targetParent)
+
+		// Check if target exists
+		targetInfo, err := os.Stat(targetAbsolute)
+		if err != nil {
+			if os.IsNotExist(err) {
+				// Create target matching source type
+				if sourceInfo.IsDir() {
+					log.Printf("Creating target directory: %s", targetAbsolute)
+					if err := os.Mkdir(targetAbsolute, 0755); err != nil {
+						log.Printf("ERROR: failed to create target directory: %v", err)
+						return fmt.Errorf("failed to create target directory: %w", err)
+					}
+					log.Printf("✓ Target directory created")
+				} else {
+					// Create empty file
+					log.Printf("Creating target file: %s", targetAbsolute)
+					f, err := os.Create(targetAbsolute)
+					if err != nil {
+						log.Printf("ERROR: failed to create target file: %v", err)
+						return fmt.Errorf("failed to create target file: %w", err)
+					}
+					f.Close()
+					log.Printf("✓ Target file created")
+				}
+			} else {
+				log.Printf("ERROR: failed to stat target: %v", err)
+				return fmt.Errorf("failed to stat target: %w", err)
+			}
+		} else {
+			log.Printf("✓ Target already exists: isDir=%v", targetInfo.IsDir())
+			// Target exists - verify types match
+			if sourceInfo.IsDir() != targetInfo.IsDir() {
+				log.Printf("ERROR: source and target type mismatch")
+				return fmt.Errorf("source and target must both be files or both be directories")
+			}
+		}
+
+		// Perform bind mount using syscall (we're already in the namespace)
+		log.Printf("Performing bind mount: %s -> %s", req.Source, targetAbsolute)
+		if err := unix.Mount(req.Source, targetAbsolute, "", unix.MS_BIND, ""); err != nil {
+			log.Printf("ERROR: failed to bind mount: %v", err)
+			return fmt.Errorf("failed to bind mount: %w", err)
+		}
+		log.Printf("✓ Bind mount successful")
+
+		// If read-only, remount with read-only flag
+		if req.ReadOnly {
+			log.Printf("Remounting as read-only...")
+			if err := unix.Mount("", targetAbsolute, "", unix.MS_BIND|unix.MS_REMOUNT|unix.MS_RDONLY, ""); err != nil {
+				log.Printf("ERROR: failed to remount as read-only: %v", err)
+				return fmt.Errorf("failed to remount as read-only: %w", err)
+			}
+			log.Printf("✓ Remounted as read-only")
+		}
+
+		log.Printf("Bind mount created successfully: %s -> %s (container path: %s)", req.Source, targetAbsolute, req.Target)
+		return nil
+	})
+
+	if err != nil {
+		return &pb.CreateBindMountResponse{
+			Success: false,
+			Error:   err.Error(),
+		}, nil
+	}
+
+	return &pb.CreateBindMountResponse{
+		Success: true,
+	}, nil
+}