feat: New disk pass-through method (#714)

.github/ISSUE_TEMPLATE/FEATURE_REQUEST.yml

@@ -3,6 +3,13 @@ description: Suggest an idea for improving the container
 title: "[Feature]: "
 labels: ["enhancement"]
 body:
+  - type: checkboxes
+    attributes:
+      label: Is there an existing feature request for this?
+      description: Please search to see if the feature request already exists.
+      options:
+      - label: I have searched the existing feature requests
+        required: true
   - type: textarea
     id: problem
     attributes:

.github/ISSUE_TEMPLATE/QUESTION.yml

@@ -6,8 +6,7 @@ body:
   - type: markdown
     attributes:
       value: |
-        Have a question about this container?
+        Please do not use this form for technical issues, and make sure to check the [FAQ](https://github.com/vdsm/virtual-dsm/blob/master/readme.md) first!
-        Please make sure to check the [FAQ](https://github.com/vdsm/virtual-dsm/blob/master/readme.md) first!
   - type: textarea
     id: question
     attributes:

readme.md

@@ -114,12 +114,9 @@ docker run -it --rm --name dsm -p 5000:5000 --device=/dev/kvm --cap-add NET_ADMI
    It is possible to pass-through disk devices directly by adding them to your compose file in this way:
 
   ```yaml
-  environment:
-    DEVICE2: "/dev/sda"
-    DEVICE3: "/dev/sdb"
   devices:
-    - /dev/sda
+    - /dev/disk/by-uuid/12345-12345-12345-12345-12345:/dev/disk2
-    - /dev/sdb
+    - /dev/disk/by-uuid/45678-45678-45678-45678-45678:/dev/disk3
   ```
 
   Please note that the device needs to be totally empty (without any partition table) otherwise DSM does not always format it into a volume.
@@ -249,5 +246,5 @@ Only run this container on Synology hardware, any other use is not permitted by
 
 [Build]: https://github.com/vdsm/virtual-dsm/actions/workflows/build.yml/badge.svg
 [Size]: https://img.shields.io/docker/image-size/vdsm/virtual-dsm/latest?color=066da5&label=size
-[Pulls]: https://img.shields.io/docker/pulls/kroese/virtual-dsm.svg?style=flat&label=pulls&logo=docker
+[Pulls]: https://img.shields.io/docker/pulls/vdsm/virtual-dsm.svg?style=flat&label=pulls&logo=docker
 [Version]: https://img.shields.io/docker/v/vdsm/virtual-dsm/latest?arch=amd64&sort=semver&color=066da5

src/disk.sh

@@ -527,6 +527,11 @@ DISK4_FILE="/storage4/data4"
 : "${DEVICE3:=""}"
 : "${DEVICE4:=""}"
 
+[ -z "$DEVICE" ] && [ -b "/dev/disk1" ] && DEVICE="/dev/disk1"
+[ -z "$DEVICE2" ] && [ -b "/dev/disk2" ] && DEVICE2="/dev/disk2"
+[ -z "$DEVICE3" ] && [ -b "/dev/disk3" ] && DEVICE3="/dev/disk3"
+[ -z "$DEVICE4" ] && [ -b "/dev/disk4" ] && DEVICE4="/dev/disk4"
+
 if [ -n "$DEVICE" ]; then
   addDevice "$DEVICE" "device" "3" "0xc" || exit $?
 else

src/network.sh

@@ -6,6 +6,7 @@ set -Eeuo pipefail
 : "${MAC:=""}"
 : "${DHCP:="N"}"
 : "${NETWORK:="Y"}"
+: "${HOST_PORTS:=""}"
 
 : "${VM_NET_DEV:=""}"
 : "${VM_NET_TAP:="dsm"}"
@@ -35,8 +36,8 @@ configureDHCP() {
   { ip link add link "$VM_NET_DEV" name "$VM_NET_TAP" address "$VM_NET_MAC" type macvtap mode bridge ; rc=$?; } || :
 
   if (( rc != 0 )); then
-    error "Cannot create macvtap interface. Please make sure the network type is 'macvlan' and not 'ipvlan',"
+    error "Cannot create macvtap interface. Please make sure that the network type is 'macvlan' and not 'ipvlan',"
-    error "and that the NET_ADMIN capability has been added to the container: --cap-add NET_ADMIN" && exit 16
+    error "that your kernel is recent (>4) and supports it, and that the container has the NET_ADMIN capability set." && exit 16
   fi
 
   while ! ip link set "$VM_NET_TAP" up; do
@@ -103,6 +104,21 @@ configureDNS() {
   return 0
 }
 
+getPorts() {
+
+  local list=$1
+
+  [ -z "$list" ] && echo "" && return 0
+
+  if [[ "$list" != *","* ]]; then
+    echo " ! --dport $list"
+  else
+    echo " -m multiport ! --dports $list"
+  fi
+
+  return 0
+}
+
 configureNAT() {
 
   # Create the necessary file structure for /dev/net/tun
@@ -119,12 +135,15 @@ configureNAT() {
 
   # Check port forwarding flag
   if [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
-    { sysctl -w net.ipv4.ip_forward=1 ; rc=$?; } || :
+    { sysctl -w net.ipv4.ip_forward=1 > /dev/null; rc=$?; } || :
-    if (( rc != 0 )); then
+    if (( rc != 0 )) || [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
       error "IP forwarding is disabled. $ADD_ERR --sysctl net.ipv4.ip_forward=1" && exit 24
     fi
   fi
 
+  local tables="The 'ip_tables' kernel module is not loaded. Try this command: sudo modprobe ip_tables iptable_nat"
+  local tuntap="The 'tun' kernel module is not available. Try this command: 'sudo modprobe tun' or run the container with 'privileged: true'."
+
   # Create a bridge with a static IP for the VM guest
 
   VM_NET_IP='20.20.20.21'
@@ -143,7 +162,9 @@ configureNAT() {
   done
 
   # QEMU Works with taps, set tap to the bridge created
-  ip tuntap add dev "$VM_NET_TAP" mode tap
+  if ! ip tuntap add dev "$VM_NET_TAP" mode tap; then
+    error "$tuntap" && exit 31
+  fi
 
   while ! ip link set "$VM_NET_TAP" up promisc on; do
     info "Waiting for TAP to become available..."
@@ -156,13 +177,19 @@ configureNAT() {
   update-alternatives --set iptables /usr/sbin/iptables-legacy > /dev/null
   update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy > /dev/null
 
-  iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE
+  exclude=$(getPorts "$HOST_PORTS")
-  iptables -t nat -A PREROUTING -i "$VM_NET_DEV" -d "$IP" -p tcp -j DNAT --to "$VM_NET_IP"
+
+  if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE; then
+    error "$tables" && exit 30
+  fi
+
+  # shellcheck disable=SC2086
+  iptables -t nat -A PREROUTING -i "$VM_NET_DEV" -d "$IP" -p tcp${exclude} -j DNAT --to "$VM_NET_IP"
   iptables -t nat -A PREROUTING -i "$VM_NET_DEV" -d "$IP" -p udp  -j DNAT --to "$VM_NET_IP"
 
   if (( KERNEL > 4 )); then
     # Hack for guest VMs complaining about "bad udp checksums in 5 packets"
-    iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill || true
+    iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill > /dev/null 2>&1 || true
   fi
 
   NET_OPTS="-netdev tap,ifname=$VM_NET_TAP,script=no,downscript=no,id=hostnet0"
@@ -273,10 +300,14 @@ if [[ "$DEBUG" == [Yy1]* ]]; then
   echo
 fi
 
+if [[ "$IP" == "172.17."* ]]; then
+  warn "your container IP starts with 172.17.* which will cause conflicts when you install the Container Manager package inside DSM!"
+fi
+
 if [[ "$DHCP" == [Yy1]* ]]; then
 
-  if [[ "$GATEWAY" == "172."* ]] && [[ "$DEBUG" != [Yy1]* ]]; then
+  if [[ "$GATEWAY" == "172."* ]]; then
-    error "You can only enable DHCP while the container is on a macvlan network!" && exit 26
+    warn "your gateway IP starts with 172.* which is often a sign that you are not on a macvlan network (required for DHCP)!"
   fi
 
   # Configuration for DHCP IP

src/power.sh

@@ -10,10 +10,11 @@ API_HOST="127.0.0.1:2210"
 QEMU_TERM=""
 QEMU_PORT=7100
 QEMU_TIMEOUT=50
-QEMU_PID="/run/shm/qemu.pid"
+QEMU_DIR="/run/shm"
-QEMU_LOG="/run/shm/qemu.log"
+QEMU_PID="$QEMU_DIR/qemu.pid"
-QEMU_OUT="/run/shm/qemu.out"
+QEMU_LOG="$QEMU_DIR/qemu.log"
-QEMU_END="/run/shm/qemu.end"
+QEMU_OUT="$QEMU_DIR/qemu.out"
+QEMU_END="$QEMU_DIR/qemu.end"
 
 if [[ "$KVM" == [Nn]* ]]; then
   API_TIMEOUT=$(( API_TIMEOUT*2 ))

src/proc.sh

@@ -90,7 +90,7 @@ else
 fi
 
 if [ -z "$HOST_CPU" ]; then
-  HOST_CPU=$(lscpu | grep 'Model name' | cut -f 2 -d ":" | awk '{$1=$1}1' | sed 's# @.*##g' | sed s/"(R)"//g | sed 's/[^[:alnum:] ]\+/ /g' | sed 's/  */ /g')
+  HOST_CPU=$(lscpu | grep -m 1 'Model name' | cut -f 2 -d ":" | awk '{$1=$1}1' | sed 's# @.*##g' | sed s/"(R)"//g | sed 's/[^[:alnum:] ]\+/ /g' | sed 's/  */ /g')
 fi
 
 if [ -n "$HOST_CPU" ]; then

src/reset.sh

@@ -1,9 +1,9 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail
 
-info () { printf "%b%s%b" "\E[1;34m❯ \E[1;36m" "$1" "\E[0m\n"; }
+info () { printf "%b%s%b" "\E[1;34m❯ \E[1;36m" "${1:-}" "\E[0m\n"; }
-error () { printf "%b%s%b" "\E[1;31m❯ " "ERROR: $1" "\E[0m\n" >&2; }
+error () { printf "%b%s%b" "\E[1;31m❯ " "ERROR: ${1:-}" "\E[0m\n" >&2; }
-warn () { printf "%b%s%b" "\E[1;31m❯ " "Warning: $1" "\E[0m\n" >&2; }
+warn () { printf "%b%s%b" "\E[1;31m❯ " "Warning: ${1:-}" "\E[0m\n" >&2; }
 
 trap 'error "Status $? while: $BASH_COMMAND (line $LINENO/$BASH_LINENO)"' ERR
 
@@ -43,7 +43,7 @@ KERNEL=$(echo "$SYS" | cut -b 1)
 MINOR=$(echo "$SYS" | cut -d '.' -f2)
 ARCH=$(dpkg --print-architecture)
 RAM="$(free -g | grep Mem: | awk '{print $7}')/$(free -g | grep Mem: | awk '{print $2}') GB"
-CPU=$(lscpu | grep 'Model name' | cut -f 2 -d ":" | awk '{$1=$1}1' | sed 's# @.*##g' | sed s/"(R)"//g | sed 's/[^[:alnum:] ]\+/ /g' | sed 's/  */ /g')
+CPU=$(lscpu | grep -m 1 'Model name' | cut -f 2 -d ":" | awk '{$1=$1}1' | sed 's# @.*##g' | sed s/"(R)"//g | sed 's/[^[:alnum:] ]\+/ /g' | sed 's/  */ /g')
 
 # Check system