Pantavisor (crypto-)disks configuration

Pantavisor offers a way to define the physical storage medium by setting up disks. This allows Pantavisor containers to access those disks directly.

There are currently 4 disk types supported:

  • Non-encrypted directory
  • Device Mapper crypt without hardware acceleration (dm-crypt-versatile)
  • Device Mapper crypt using i.Mx CAAM (dm-crypt-caam)
  • Device Mapper crypt using i.Mx DCP (dm-crypt-dcp)

Each disk that is defined in the state JSON can then be privately used by the containers. They can also be internally used by Pantavisor, as in the case of metadata.

For this, we need to edit the device.json file in the root filesystem of the device repository (the folder created after doing a pvr clone of a device), and modify or create the disks key inside the device.json.

Inside the disks configuration we have an array of disk configurations, each of which has this structure:

{
    "name": string, // unique name of the disk to be used in container storage (mandatory)
    "path": path, // destination mount path in the case of a directory; for crypt disks see the pattern below (mandatory)
    "type": string, // type of disk, available values: directory, dm-crypt-versatile, dm-crypt-caam or dm-crypt-dcp (mandatory)
    "options": string // options to be passed to the mount command with -o (optional)
}

Device-mapper crypt disk follows a special pattern in the path:

image_path,size,key_name
  • image_path: disk path which will be encrypted (created during first boot if not present).
  • size: size in MB used to create the disk file.
  • key_name: name of the key file which needs to be created using respective tools (e.g. caam-keygen for i.Mx CAAM).

For example:

"path": "/storage/dm-crypt-file/disk1/file.img,8,disk1_key_name"

Taking all that into account we can see a device.json where the disks key could look something like this:

{
    "disks": [
        {
            "name": "dm-internal-secrets",
            "path": "/storage/dm-crypt-files/dm-internal-secrets/versatile.img,2,versatile_key-internal_secrets",
            "type": "dm-crypt-versatile"
        }
    ],
    "groups": [...],
    "volumes": {...}
}

That disk can be mounted by pantavisor inside the volumes configuration in the device.json or the volumes configuration of the individual containers.

How to mount disk for Pantavisor

One example of a disk mounted globally for Pantavisor is the encrypted disk holding user-meta and device-meta:

{
    "disks": [
        {
            "name": "dm-internal-secrets",
            "path": "/storage/dm-crypt-files/dm-internal-secrets/versatile.img,2,versatile_key-internal_secrets",
            "type": "dm-crypt-versatile"
        }
    ],
    "groups": [...],
    "volumes": {
        "pv--devmeta": {
            "disk": "dm-internal-secrets",
            "persistence": "permanent"
        },
        "pv--usrmeta": {
            "disk": "dm-internal-secrets",
            "persistence": "permanent"
        }
    }
}

Here the disk is mounted as a permanent volume for Pantavisor itself, which reads and writes all user-meta and device-meta to it.

How to mount disk into a container

To mount a disk into a container we first need to create the disk inside the device.json. The new disk has the same structure as the previous one.

Example:

{
    "name": "pvr-sdk-dm-versatile",
    "path": "/storage/dm-crypt-files/pvr-sdk/versatile.img,8,versatile_key-pvr-sdk-dm-versatile",
    "type": "dm-crypt-versatile"
}

Then, in the src.json of the container, we need to add a new persistence entry following the container storage configuration options (documentation about container storage), but appending "@" and the name of the disk used by the volume after the persistence type, in this format:

{
    "persistence": {
        "MOUNT_POINT_IN_CONTAINER": "TYPE@DISK_NAME"
    }
}

The new persistence entry should look something like this:

"persistence": {
    "/var/dmcrypt/volume": "permanent@pvr-sdk-dm-versatile"
},

After changing the src.json we need to generate a new run.json with these changes:

pvr app install CONTAINER_NAME

Example:

pvr app install pvr-sdk
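The following is an added example, not part of the original post or of Pantavisor's own tooling: a small Python checker that validates the disks array described above (mandatory keys, known types, unique names, the image_path,size,key_name pattern for crypt disks, and volumes that reference a defined disk) and resolves the TYPE@DISK_NAME persistence entries of a container's src.json. The device.json and src.json fragments are constructed sample input modelled on the examples in this post.

```python
import json
# Constructed device.json fragment modelled on the examples above (not from a real device).
DEVICE_JSON = json.loads("""{
  "disks": [
    {"name": "dm-internal-secrets", "type": "dm-crypt-versatile",
     "path": "/storage/dm-crypt-files/dm-internal-secrets/versatile.img,2,versatile_key-internal_secrets"},
    {"name": "plain-data", "type": "directory", "path": "/storage/plain", "options": "nosuid,nodev"}],
  "volumes": {"pv--devmeta": {"disk": "dm-internal-secrets", "persistence": "permanent"}}}""")
# Constructed src.json persistence block in TYPE@DISK_NAME form; no "@" means default storage.
SRC_JSON = {"persistence": {"/var/dmcrypt/volume": "permanent@dm-internal-secrets",
                            "/var/cache": "permanent"}}
CRYPT_TYPES = {"dm-crypt-versatile", "dm-crypt-caam", "dm-crypt-dcp"}
DISK_TYPES = CRYPT_TYPES | {"directory"}

def parse_crypt_path(path):
    """Split a dm-crypt path into its image_path,size,key_name triple (size in MB)."""
    parts = path.split(",")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"crypt path must be image_path,size,key_name: {path!r}")
    image, size, key = parts
    if not size.isdigit() or int(size) == 0:
        raise ValueError(f"size must be a positive number of MB: {size!r}")
    return {"image_path": image, "size_mb": int(size), "key_name": key}

def check_disks(device):
    """Validate the disks array and volume references; return {name: disk entry}."""
    disks = {}
    for d in device.get("disks", []):
        missing = [k for k in ("name", "path", "type") if k not in d]
        if missing:
            raise ValueError(f"disk missing mandatory key(s) {missing}")
        if d["type"] not in DISK_TYPES:
            raise ValueError(f"unknown disk type {d['type']!r}")
        if d["name"] in disks:
            raise ValueError(f"duplicate disk name {d['name']!r}")
        entry = dict(d)
        if d["type"] in CRYPT_TYPES:  # only crypt disks carry the comma-separated triple
            entry.update(parse_crypt_path(d["path"]))
        disks[d["name"]] = entry
    for vol, spec in device.get("volumes", {}).items():
        if "disk" in spec and spec["disk"] not in disks:
            raise ValueError(f"volume {vol!r} references undefined disk {spec['disk']!r}")
    return disks

def parse_persistence(src, disks):
    """Map each container mount point to (type, disk or None), checking the disk is defined."""
    out = {}
    for mount, value in src.get("persistence", {}).items():
        ptype, _, disk = value.partition("@")
        if disk and disk not in disks:
            raise ValueError(f"{mount}: persistence references undefined disk {disk!r}")
        out[mount] = (ptype, disk or None)
    return out
```

Running check_disks on the sample and then parse_persistence against its result catches a src.json that names a disk the device.json never defined before pvr app install bakes it into run.json.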

Conclusions

By using disks, pantavisor allows us to manage container storage in a better and more secure way by allowing us to use encrypted disks for the containers.
