From 21a78c7639a8720d8b911409fc34010676826f4e Mon Sep 17 00:00:00 2001 From: Ahmed Karic Date: Fri, 16 May 2025 16:28:05 +0200 Subject: [PATCH 1/2] confd: Add mount constraint for container config This change ensures configuration correctness by enforcing that each container mount has either a source or content set. Without this, the system may generate invalid runtime arguments (src=(null)), leading to container startup failures. --- doc/ChangeLog.md | 1 + src/confd/yang/confd/infix-containers.yang | 8 ++++++++ ...s@2024-11-15.yang => infix-containers@2025-05-14.yang} | 0 src/confd/yang/containers.inc | 2 +- 4 files changed, 10 insertions(+), 1 deletion(-) rename src/confd/yang/confd/{infix-containers@2024-11-15.yang => infix-containers@2025-05-14.yang} (100%) diff --git a/doc/ChangeLog.md b/doc/ChangeLog.md index acbbdb84d..826b22771 100644 --- a/doc/ChangeLog.md +++ b/doc/ChangeLog.md @@ -20,6 +20,7 @@ All notable changes to the project are documented in this file. ### Fixes - Fix containers with multiple mounts - Correct description for LAG LACP modes +- Fix #1040: Add `mount` constraint for container config [v25.04.0][] - 2025-04-30 diff --git a/src/confd/yang/confd/infix-containers.yang b/src/confd/yang/confd/infix-containers.yang index c72555ec2..18974e579 100644 --- a/src/confd/yang/confd/infix-containers.yang +++ b/src/confd/yang/confd/infix-containers.yang @@ -22,6 +22,13 @@ module infix-containers { prefix infix-sys; } + revision 2025-05-14 { + description + "Validation improvement: + - Added constraint to require either 'source' or 'content' in a container mount."; + reference "internal"; + } + revision 2024-11-15 { description "Two major changes: - Add support for ftp/http/https images with checksum @@ -342,6 +349,7 @@ module infix-containers { } choice data { + mandatory true; case source { leaf source { description "Host path to mount in container, may be a glob. diff --git a/src/confd/yang/confd/infix-containers@2024-11-15.yang b/src/confd/yang/confd/infix-containers@2025-05-14.yang similarity index 100% rename from src/confd/yang/confd/infix-containers@2024-11-15.yang rename to src/confd/yang/confd/infix-containers@2025-05-14.yang diff --git a/src/confd/yang/containers.inc b/src/confd/yang/containers.inc index e6d3d8b3f..b7e660449 100644 --- a/src/confd/yang/containers.inc +++ b/src/confd/yang/containers.inc @@ -2,5 +2,5 @@ # REMEMBER TO UPDATE infix-interfaces ALSO IN confd.inc MODULES=( "infix-interfaces@2025-01-09.yang -e vlan-filtering -e containers" - "infix-containers@2024-11-15.yang" + "infix-containers@2025-05-14.yang" ) From dfc350a783bf3bffd9227b4ad2028984641bd533 Mon Sep 17 00:00:00 2001 From: Ahmed Karic Date: Fri, 16 May 2025 16:40:20 +0200 Subject: [PATCH 2/2] confd: Validate container mount source path If an invalid mount source path is specified, the container logs a "file not found" error and subsequently crashes. Adding a check inside the SR_EV_CHANGE event handler performs an early validation of the mount source path, allowing to reject configurations that reference non-existent or unreadable files before they are committed to the datastore. --- src/confd/src/infix-containers.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/src/confd/src/infix-containers.c b/src/confd/src/infix-containers.c index 9c4620ccf..29285b13e 100644 --- a/src/confd/src/infix-containers.c +++ b/src/confd/src/infix-containers.c @@ -250,7 +250,35 @@ static int change(sr_session_ctx_t *session, uint32_t sub_id, const char *module switch (event) { case SR_EV_DONE: break; + case SR_EV_CHANGE: + err = sr_get_data(session, CFG_XPATH "//.", 0, 0, 0, &cfg); + if (err || !cfg) + return SR_ERR_INTERNAL; + + cifs = lydx_get_descendant(cfg->tree, "containers", "container", NULL); + LYX_LIST_FOR_EACH(cifs, cif, "container") { + struct lyd_node *mount; + LYX_LIST_FOR_EACH(lyd_child(cif), mount, "mount") { + const char *src = lydx_get_cattr(mount, "source"); + const char *id = lydx_get_cattr(mount, "name"); + + if (src && access(src, R_OK) != 0) { + char errmsg[256]; + const char *reason = strerror(errno); + snprintf(errmsg, sizeof(errmsg), + "Container '%s': mount '%s' source file '%s' is invalid: %s", + lydx_get_cattr(cif, "name"), id, src, reason); + sr_session_set_error_message(session, errmsg); + sr_release_data(cfg); + return SR_ERR_VALIDATION_FAILED; + } + } + } + + sr_release_data(cfg); + return SR_ERR_OK; + case SR_EV_ABORT: default: return SR_ERR_OK;