CLI option for read-only directory mounting #9608

Open
simonw opened this issue Nov 14, 2024 · 2 comments

@simonw

simonw commented Nov 14, 2024

Feature

When using the wasmtime run command I'd like to be able to attach a directory as read-only.

Benefit

Currently this works:

wget https://github.com/brettcannon/cpython-wasi-build/releases/download/v3.13.0/python-3.13.0-wasi_sdk-24.zip
unzip python-3.13.0-wasi_sdk-24.zip
wasmtime run --dir .::/ python.wasm -c 'print("hello world")'

But you can break the installation if you run code like this:

wasmtime run --dir .::/ python.wasm -c 'open("python.wasm", "wb").write(b"blah")'

I'd like to be able to open a directory as readonly - maybe something like this:

wasmtime run --dir-ro .::/ python.wasm -c 'open("python.wasm", "wb").write(b"blah")'

Implementation

The underlying library has support for this:

pub fn preopened_dir(
    &mut self,
    host_path: impl AsRef<Path>,
    guest_path: impl AsRef<str>,
    dir_perms: DirPerms,
    file_perms: FilePerms,
) -> Result<&mut Self>

https://docs.rs/wasmtime-wasi/latest/wasmtime_wasi/struct.WasiCtxBuilder.html#method.preopened_dir

Exposing that in the CLI would be very useful.

@pchickey
Contributor

Thanks for this request, this is straightforward to implement and has clear benefits.

For the CLI syntax, I think it should be provided, optionally, in the argument passed to --dir, perhaps as --dir $src::$dst::ro.

As a quick survey of prior art: Docker has two different syntaxes for read-only volumes https://docs.docker.com/engine/storage/volumes/#use-a-read-only-volume, -v $src:$dst:ro and --mount source=$src,dest=$dst,readonly. From my reading of the podman docs, it supports the -v syntax but not --mount, but I don't have any insight into why podman made that decision.

Wasmtime doesn't match either of Docker's, but given it's closer to -v than --mount I think we could add support for a ro or rw specifier after an additional :: separator. There are many alternatives, however - we could treat --dir $src::$dst as legacy syntax (to not break existing users) and start supporting --dir $src:$dst and --dir $src:$dst:ro as the new syntax. We could adopt Docker's --mount syntax under wasmtime run -S mount and expose readonly there and not try to add it to --dir. I don't have any particularly strong preferences here but maybe @alexcrichton can chime in, as he did lots of the design of the current CLI scheme.

@alexcrichton
Member

Doing some digging, some historical bits and pieces here are:

Going off #7309 the conclusion there was to support a JSON blob to --dir. Not ergonomic to pass manually but easy to extend. I suspect readonly is somewhat common enough that it specifically may want a ::ro suffix as well, but I also don't feel strongly.
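
Added example, not part of the thread and not Wasmtime's code: a std-only Rust sketch of how the `--dir $src::$dst::ro` form suggested above could be parsed, keeping the existing `HOST::GUEST` form read-write and rejecting an unknown specifier instead of silently falling back to a writable mount. `DirSpec` and `parse_dir` are hypothetical names.

```rust
// Hypothetical sketch of the proposed `--dir HOST[::GUEST[::ro|rw]]` syntax.
// Not taken from the Wasmtime code base; names and error texts are assumptions.
#[derive(Debug, PartialEq)]
pub struct DirSpec {
    pub host: String,
    pub guest: String,
    // true -> the embedder would pass read-only DirPerms/FilePerms
    // to WasiCtxBuilder::preopened_dir instead of full permissions.
    pub read_only: bool,
}

pub fn parse_dir(arg: &str) -> Result<DirSpec, String> {
    let parts: Vec<&str> = arg.split("::").collect();
    let (host, guest, mode) = match parts.as_slice() {
        // Existing forms stay read-write so current command lines keep working.
        [h] => (*h, *h, "rw"),
        [h, g] => (*h, *g, "rw"),
        // Proposed form: the access specifier is always the third field.
        [h, g, m] => (*h, *g, *m),
        _ => return Err(format!("too many `::` separators in `{arg}`")),
    };
    if host.is_empty() || guest.is_empty() {
        return Err(format!("empty host or guest path in `{arg}`"));
    }
    // Fail closed: a typo such as `r0` must be an error, never a writable mount.
    let read_only = match mode {
        "ro" => true,
        "rw" => false,
        other => return Err(format!("unknown access specifier `{other}`, expected ro or rw")),
    };
    Ok(DirSpec { host: host.to_string(), guest: guest.to_string(), read_only })
}

fn main() {
    // Constructed sample arguments, including one with a misspelled specifier.
    for arg in [".::/", ".::/::ro", ".::/::r0"] {
        println!("{arg:?} -> {:?}", parse_dir(arg));
    }
}
```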
