-
Notifications
You must be signed in to change notification settings - Fork 75
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #737 from cgwalters/bib-bound-more
install: Work around bootc-image-builder using /run/osbuild/containers
- Loading branch information
Showing
3 changed files
with
95 additions
and
31 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
//! # Helper APIs for interacting with bootc-image-builder | ||
//! | ||
//! See <https://github.com/osbuild/bootc-image-builder> | ||
//! | ||
|
||
use anyhow::Result; | ||
use camino::Utf8Path; | ||
use cap_std_ext::{cap_std::fs::Dir, cmdext::CapStdExtCommandExt}; | ||
use fn_error_context::context; | ||
|
||
use crate::task::Task; | ||
|
||
/// Handle /etc/containers readonly mount. | ||
/// | ||
/// Ufortunately today podman requires that /etc be writable for | ||
/// `/etc/containers/networks`. bib today creates this as a readonly mount: | ||
/// https://github.com/osbuild/osbuild/blob/4edbe227d41c767441b9bf4390398afc6dc8f901/osbuild/buildroot.py#L243 | ||
/// | ||
/// Work around that by adding a transient, writable overlayfs. | ||
fn adjust_etc_containers(tempdir: &Dir) -> Result<()> { | ||
let etc_containers = Utf8Path::new("/etc/containers"); | ||
// If there's no /etc/containers, nothing to do | ||
if !etc_containers.try_exists()? { | ||
return Ok(()); | ||
} | ||
if rustix::fs::access(etc_containers.as_std_path(), rustix::fs::Access::WRITE_OK).is_ok() { | ||
return Ok(()); | ||
} | ||
// Create dirs for the overlayfs upper and work in the install-global tmpdir. | ||
tempdir.create_dir_all("etc-ovl/upper")?; | ||
tempdir.create_dir("etc-ovl/work")?; | ||
let opts = format!("lowerdir={etc_containers},workdir=etc-ovl/work,upperdir=etc-ovl/upper"); | ||
let mut t = Task::new( | ||
&format!("Mount transient overlayfs for {etc_containers}"), | ||
"mount", | ||
) | ||
.args(["-t", "overlay", "overlay", "-o", opts.as_str()]) | ||
.arg(etc_containers); | ||
t.cmd.cwd_dir(tempdir.try_clone()?); | ||
t.run()?; | ||
Ok(()) | ||
} | ||
|
||
/// osbuild mounts the host's /var/lib/containers at /run/osbuild/containers; mount | ||
/// it back to /var/lib/containers where the default container stack expects to find it. | ||
fn propagate_run_osbuild_containers(root: &Dir) -> Result<()> { | ||
let osbuild_run_containers = Utf8Path::new("run/osbuild/containers"); | ||
// If we're not apparently running under osbuild, then we no-op. | ||
if !root.try_exists(osbuild_run_containers)? { | ||
return Ok(()); | ||
} | ||
// If we do seem to have a valid container store though, use that | ||
if crate::podman::storage_exists_default(root)? { | ||
return Ok(()); | ||
} | ||
let relative_storage = Utf8Path::new(crate::podman::CONTAINER_STORAGE.trim_start_matches('/')); | ||
root.create_dir_all(relative_storage)?; | ||
Task::new("Creating bind mount for run/osbuild/containers", "mount") | ||
.arg("--rbind") | ||
.args([osbuild_run_containers, relative_storage]) | ||
.cwd(root)? | ||
.run()?; | ||
Ok(()) | ||
} | ||
|
||
/// bootc-image-builder today does a few things that we need to | ||
/// deal with. | ||
#[context("bootc-image-builder adjustments")] | ||
pub(crate) fn adjust_for_bootc_image_builder(root: &Dir, tempdir: &Dir) -> Result<()> { | ||
adjust_etc_containers(tempdir)?; | ||
propagate_run_osbuild_containers(root)?; | ||
Ok(()) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters