fix: storages and mounts

cmd/server/update_test.go

@@ -0,0 +1,72 @@
+package main
+
+import (
+	"strings"
+	"testing"
+)
+
+// TestReleaseAPIURL pins the contract that downstream code (the updater and
+// /install.sh) relies on: only https://host/owner/repo produces an API URL,
+// everything else errors. Plain HTTP must be rejected — M7 makes auto-update
+// only trust TLS-protected release feeds, since the binary it downloads is
+// exec'd as root.
+func TestReleaseAPIURL(t *testing.T) {
+	tests := []struct {
+		name    string
+		in      string
+		want    string
+		wantErr string // substring expected in the error message; "" means success
+	}{
+		{
+			name: "valid https repo",
+			in:   "https://tea.example.com/owner/repo",
+			want: "https://tea.example.com/api/v1/repos/owner/repo/releases/latest",
+		},
+		{
+			name:    "http rejected",
+			in:      "http://tea.example.com/owner/repo",
+			wantErr: "https",
+		},
+		{
+			name:    "ssh scheme rejected",
+			in:      "ssh://tea.example.com/owner/repo",
+			wantErr: "https",
+		},
+		{
+			name:    "missing repo segment",
+			in:      "https://tea.example.com/owner",
+			wantErr: "owner/repo",
+		},
+		{
+			name:    "extra path segments",
+			in:      "https://tea.example.com/owner/repo/extra",
+			wantErr: "owner/repo",
+		},
+		{
+			name:    "empty",
+			in:      "",
+			wantErr: "https",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := releaseAPIURL(tt.in)
+			if tt.wantErr == "" {
+				if err != nil {
+					t.Fatalf("unexpected error: %v", err)
+				}
+				if got != tt.want {
+					t.Errorf("got %q, want %q", got, tt.want)
+				}
+				return
+			}
+			if err == nil {
+				t.Fatalf("expected error containing %q, got nil (result %q)", tt.wantErr, got)
+			}
+			if !strings.Contains(err.Error(), tt.wantErr) {
+				t.Errorf("error %q does not contain %q", err.Error(), tt.wantErr)
+			}
+		})
+	}
+}

internal/modules/system/info.go

@@ -499,9 +499,12 @@ func diskInfo() []DiskInfo {
 	disks := []DiskInfo{}
 	seen := map[string]bool{}
 	for _, e := range entries {
-		// Only real block devices; skip pseudo filesystems and snap's squashfs
-		// loop mounts that would otherwise clutter the list.
-		if !strings.HasPrefix(e.Device, "/dev/") || e.FSType == "squashfs" || seen[e.Mountpoint] {
+		// ponytail: filter by fstype, not device path. LXC/Docker containers
+		// expose their rootfs as a ZFS dataset name, an overlayfs, or a bind
+		// path — never /dev/* — so a "must start with /dev/" check silently
+		// returned no disks on those hosts. statfs + non-zero blocks already
+		// excludes mounts that aren't real storage.
+		if pseudoFS[e.FSType] || seen[e.Mountpoint] {
 			continue
 		}
 		var st syscall.Statfs_t
@@ -522,6 +525,39 @@ func diskInfo() []DiskInfo {
 	return disks
 }
 
+// pseudoFS lists kernel-virtual filesystems that show up in /proc/mounts but
+// aren't user-facing storage. squashfs covers snap loop mounts; fuse.lxcfs is
+// LXC's per-container /proc/* shim. Anything not on this list and statfs-able
+// with non-zero blocks is treated as real storage — covers ext*, btrfs, xfs,
+// zfs, nfs, cifs, overlay, and the bind-mount cases inside Proxmox LXC.
+var pseudoFS = map[string]bool{
+	"autofs":        true,
+	"binfmt_misc":   true,
+	"bpf":           true,
+	"cgroup":        true,
+	"cgroup2":       true,
+	"configfs":      true,
+	"debugfs":       true,
+	"devpts":        true,
+	"devtmpfs":      true,
+	"fuse.gvfsd-fuse": true,
+	"fuse.lxcfs":    true,
+	"fusectl":       true,
+	"hugetlbfs":     true,
+	"mqueue":        true,
+	"nsfs":          true,
+	"overlay":       true,
+	"proc":          true,
+	"pstore":        true,
+	"ramfs":         true,
+	"rpc_pipefs":    true,
+	"securityfs":    true,
+	"squashfs":      true,
+	"sysfs":         true,
+	"tmpfs":         true,
+	"tracefs":       true,
+}
+
 func netInfo() []NetInterface {
 	ifaces, err := net.Interfaces()
 	if err != nil {