Merge pull request #1046 from kernelkit/resctrict-mount-in-cont

axkar · web-flow · commit 0065aeef47af · 2025-05-22T18:26:29.000+02:00
confd: Add mount constraint for container config
diff --git a/doc/ChangeLog.md b/doc/ChangeLog.md
@@ -20,6 +20,7 @@ All notable changes to the project are documented in this file.
 ### Fixes
 - Fix containers with multiple mounts
 - Correct description for LAG LACP modes 
+- Fix #1040: Add `mount` constraint for container config 
 
 
 [v25.04.0][] - 2025-04-30
diff --git a/src/confd/src/infix-containers.c b/src/confd/src/infix-containers.c
@@ -250,7 +250,35 @@ static int change(sr_session_ctx_t *session, uint32_t sub_id, const char *module
 	switch (event) {
 	case SR_EV_DONE:
 		break;
+
 	case SR_EV_CHANGE:
+		err = sr_get_data(session, CFG_XPATH "//.", 0, 0, 0, &cfg);
+		if (err || !cfg)
+			return SR_ERR_INTERNAL;
+
+		cifs = lydx_get_descendant(cfg->tree, "containers", "container", NULL);
+		LYX_LIST_FOR_EACH(cifs, cif, "container") {
+			struct lyd_node *mount;
+			LYX_LIST_FOR_EACH(lyd_child(cif), mount, "mount") {
+				const char *src  = lydx_get_cattr(mount, "source");
+				const char *id   = lydx_get_cattr(mount, "name");
+
+				if (src && access(src, R_OK) != 0) {
+				    	char errmsg[256];
+				    	const char *reason = strerror(errno);
+				    	snprintf(errmsg, sizeof(errmsg),
+				             	"Container '%s': mount '%s' source file '%s' is invalid: %s",
+				             	lydx_get_cattr(cif, "name"), id, src, reason);
+				    	sr_session_set_error_message(session, errmsg);
+				    	sr_release_data(cfg);
+				    	return SR_ERR_VALIDATION_FAILED;
+				}
+			}
+		}
+
+		sr_release_data(cfg);
+		return SR_ERR_OK;
+
 	case SR_EV_ABORT:
 	default:
 		return SR_ERR_OK;
diff --git a/src/confd/yang/confd/infix-containers.yang b/src/confd/yang/confd/infix-containers.yang
@@ -22,6 +22,13 @@ module infix-containers {
     prefix infix-sys;
   }
 
+  revision 2025-05-14 {
+    description
+      "Validation improvement:
+       - Added constraint to require either 'source' or 'content' in a container mount.";
+    reference "internal";
+  }
+
   revision 2024-11-15 {
     description "Two major changes:
                   - Add support for ftp/http/https images with checksum
@@ -342,6 +349,7 @@ module infix-containers {
         }
 
         choice data {
+          mandatory true;
           case source {
             leaf source {
               description "Host path to mount in container, may be a glob.
diff --git a/src/confd/yang/confd/infix-containers@2025-05-14.yang b/src/confd/yang/confd/infix-containers@2025-05-14.yang
diff --git a/src/confd/yang/containers.inc b/src/confd/yang/containers.inc
@@ -2,5 +2,5 @@
 # REMEMBER TO UPDATE infix-interfaces ALSO IN confd.inc
 MODULES=(
     "infix-interfaces@2025-01-09.yang -e vlan-filtering -e containers"
-    "infix-containers@2024-11-15.yang"
+    "infix-containers@2025-05-14.yang"
 )

Original file line number	Diff line number	Diff line change
`@@ -2,5 +2,5 @@`
`2`	`2`	`# REMEMBER TO UPDATE infix-interfaces ALSO IN confd.inc`
`3`	`3`	`MODULES=(`
`4`	`4`	`"[email protected] -e vlan-filtering -e containers"`
`5`		`- "infix-containers@2024-11-15.yang"`
	`5`	`+ "infix-containers@2025-05-14.yang"`
`6`	`6`	`)`