Skip to content

Commit

Permalink
Merge pull request #649 from cgwalters/install-pass-container-root
Browse files Browse the repository at this point in the history 
install: Only open / once
  • Loading branch information
@cgwalters
cgwalters committed Jun 28, 2024
2 parents 767ec9c + ab1149d commit 591e998
Showing 1 changed file with 20 additions and 10 deletions.
30 changes: 20 additions & 10 deletions lib/src/install.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -310,6 +310,8 @@ pub(crate) struct State {
pub(crate) install_config: Option<config::InstallConfiguration>,
/// The parsed contents of the authorized_keys (not the file path)
pub(crate) root_ssh_authorized_keys: Option<String>,
/// The root filesystem of the running container
pub(crate) container_root: Dir,
}

impl State {
Expand All @@ -320,8 +322,7 @@ impl State {
return Ok(None);
}
// We always use the physical container root to bootstrap policy
let rootfs = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
let r = ostree::SePolicy::new_at(rootfs.as_raw_fd(), gio::Cancellable::NONE)?;
let r = ostree::SePolicy::new_at(self.container_root.as_raw_fd(), gio::Cancellable::NONE)?;
let csum = r
.csum()
.ok_or_else(|| anyhow::anyhow!("SELinux enabled, but no policy found in root"))?;
Expand Down Expand Up @@ -449,7 +450,10 @@ impl SourceInfo {
// Inspect container information and convert it to an ostree image reference
// that pulls from containers-storage.
#[context("Gathering source info from container env")]
pub(crate) fn from_container(container_info: &ContainerExecutionInfo) -> Result<Self> {
pub(crate) fn from_container(
root: &Dir,
container_info: &ContainerExecutionInfo,
) -> Result<Self> {
if !container_info.engine.starts_with("podman") {
anyhow::bail!("Currently this command only supports being executed via podman");
}
Expand All @@ -463,7 +467,6 @@ impl SourceInfo {
tracing::debug!("Finding digest for image ID {}", container_info.imageid);
let digest = crate::podman::imageid_to_digest(&container_info.imageid)?;

let root = Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
let have_host_container_storage = Utf8Path::new(crate::podman::CONTAINER_STORAGE)
.try_exists()?
&& ostree_ext::mountutil::is_mountpoint(
Expand All @@ -483,19 +486,26 @@ impl SourceInfo {
require_skopeo_with_containers_storage()?;
}

Self::new(imageref, Some(digest), true, have_host_container_storage)
Self::new(
imageref,
Some(digest),
root,
true,
have_host_container_storage,
)
}

#[context("Creating source info from a given imageref")]
pub(crate) fn from_imageref(imageref: &str) -> Result<Self> {
pub(crate) fn from_imageref(imageref: &str, root: &Dir) -> Result<Self> {
let imageref = ostree_container::ImageReference::try_from(imageref)?;
Self::new(imageref, None, false, false)
Self::new(imageref, None, root, false, false)
}

/// Construct a new source information structure
fn new(
imageref: ostree_container::ImageReference,
digest: Option<String>,
root: &Dir,
in_host_mountns: bool,
have_host_container_storage: bool,
) -> Result<Self> {
Expand All @@ -504,7 +514,6 @@ impl SourceInfo {
.args(["--repo=/ostree/repo", "rev-parse", "--single"])
.quiet()
.read()?;
let root = cap_std::fs::Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
let repo = ostree::Repo::open_at_dir(root.as_fd(), "ostree/repo")?;
let root = repo
.read_commit(commit.trim(), cancellable)
Expand Down Expand Up @@ -1110,9 +1119,9 @@ async fn prepare_install(
};
tracing::trace!("Read container engine info {:?}", container_info);

SourceInfo::from_container(&container_info)?
SourceInfo::from_container(&rootfs, &container_info)?
}
Some(source) => SourceInfo::from_imageref(&source)?,
Some(source) => SourceInfo::from_imageref(&source, &rootfs)?,
};

// Parse the target CLI image reference options and create the *target* image
Expand Down Expand Up @@ -1190,6 +1199,7 @@ async fn prepare_install(
target_imgref,
install_config,
root_ssh_authorized_keys,
container_root: rootfs,
});

Ok(state)
Expand Down

0 comments on commit 591e998

Please sign in to comment.