From ab1149d6cbaa94dbbed24b2747a10ae5d34b350b Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 28 Jun 2024 08:02:52 -0400
Subject: [PATCH] install: Only open / once
We juggle multiple things we call in different places the "rootfs", in some the container's root, in others the target root. Add a handy member variable of `State` for the container root and use it consistently. This improves clarity now, and is prep for later patches.
Signed-off-by: Colin Walters
---
 lib/src/install.rs | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/lib/src/install.rs b/lib/src/install.rs
index 4369a4fa2..40cb6c6d0 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -310,6 +310,8 @@ pub(crate) struct State {
 pub(crate) install_config: Option,
 /// The parsed contents of the authorized_keys (not the file path)
 pub(crate) root_ssh_authorized_keys: Option,
+ /// The root filesystem of the running container
+ pub(crate) container_root: Dir,
 }
 impl State {
@@ -320,8 +322,7 @@ impl State {
 return Ok(None);
 }
 // We always use the physical container root to bootstrap policy
- let rootfs = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
- let r = ostree::SePolicy::new_at(rootfs.as_raw_fd(), gio::Cancellable::NONE)?;
+ let r = ostree::SePolicy::new_at(self.container_root.as_raw_fd(), gio::Cancellable::NONE)?;
 let csum = r
 .csum()
 .ok_or_else(|| anyhow::anyhow!("SELinux enabled, but no policy found in root"))?;
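Review bot: The doc comment on the new `container_root` field in the hunk at `@@ -310,6 +310,8 @@` does not say how this directory differs from the install target root, which is the ambiguity the commit message sets out to remove. I would expand it to something like `/// Root directory of the running container (the process's own "/"), not the install target root`. The lines removed elsewhere in this patch opened "/" with `cap_std::ambient_authority()`, so this handle presumably gives every holder of `State` a view of the whole container filesystem, and that is worth stating next to the field. Where the handle is actually opened is outside the visible hunks.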
@@ -449,7 +450,10 @@ impl SourceInfo {
 // Inspect container information and convert it to an ostree image reference
 // that pulls from containers-storage.
 #[context("Gathering source info from container env")]
- pub(crate) fn from_container(container_info: &ContainerExecutionInfo) -> Result {
+ pub(crate) fn from_container(
+ root: &Dir,
+ container_info: &ContainerExecutionInfo,
+ ) -> Result {
 if !container_info.engine.starts_with("podman") {
 anyhow::bail!("Currently this command only supports being executed via podman");
 }
@@ -463,7 +467,6 @@ impl SourceInfo {
 tracing::debug!("Finding digest for image ID {}", container_info.imageid);
 let digest = crate::podman::imageid_to_digest(&container_info.imageid)?;
- let root = Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
 let have_host_container_storage = Utf8Path::new(crate::podman::CONTAINER_STORAGE)
 .try_exists()?
 && ostree_ext::mountutil::is_mountpoint(
@@ -483,19 +486,26 @@ impl SourceInfo {
 require_skopeo_with_containers_storage()?;
 }
- Self::new(imageref, Some(digest), true, have_host_container_storage)
+ Self::new(
+ imageref,
+ Some(digest),
+ root,
+ true,
+ have_host_container_storage,
+ )
 }
 #[context("Creating source info from a given imageref")]
- pub(crate) fn from_imageref(imageref: &str) -> Result {
+ pub(crate) fn from_imageref(imageref: &str, root: &Dir) -> Result {
 let imageref = ostree_container::ImageReference::try_from(imageref)?;
- Self::new(imageref, None, false, false)
+ Self::new(imageref, None, root, false, false)
 }
 /// Construct a new source information structure
 fn new(
 imageref: ostree_container::ImageReference,
 digest: Option,
+ root: &Dir,
 in_host_mountns: bool,
 have_host_container_storage: bool,
 ) -> Result {
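Review bot: The new `root: &Dir` parameter sits in a different position in each function: first in `from_container(root, container_info)` here, second in `from_imageref(imageref, root)` and third in `new`, both in the hunk at `@@ -483,19 +486,26 @@`. The argument types differ, so the compiler catches a swap, but one fixed position (for example always first) would make the call sites easier to read. None of the three signatures documents which root is expected; a line such as `/// root is the container's root directory, not the install target root` above each would help. The body of `from_container` continues outside this hunk.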
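Review bot: In `new` (hunk at `@@ -483,19 +486,26 @@`), the added `root: &Dir` parameter is shadowed a few lines later by `let root = repo.read_commit(...)`, visible as context in the hunk at `@@ -504,7 +514,6 @@`, so one name stands for two different roots inside the same function. Naming the parameter `container_root`, matching the new `State` field, would avoid that. The same block still passes the absolute `--repo=/ostree/repo` to what appears to be a command invocation while opening `ostree/repo` relative to the passed directory. The two agree only while callers pass the process's own "/", so a short comment such as `// root must be the process's "/"; the ostree invocation above uses an absolute path` would guard the later patches the commit message mentions. The body of `new` continues outside the hunk.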
@@ -504,7 +514,6 @@ impl SourceInfo {
 .args(["--repo=/ostree/repo", "rev-parse", "--single"])
 .quiet()
 .read()?;
- let root = cap_std::fs::Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
 let repo = ostree::Repo::open_at_dir(root.as_fd(), "ostree/repo")?;
 let root = repo
 .read_commit(commit.trim(), cancellable)
@@ -1097,9 +1106,9 @@ async fn prepare_install(
 };
 tracing::trace!("Read container engine info {:?}", container_info);
- SourceInfo::from_container(&container_info)?
+ SourceInfo::from_container(&rootfs, &container_info)?
 }
- Some(source) => SourceInfo::from_imageref(&source)?,
+ Some(source) => SourceInfo::from_imageref(&source, &rootfs)?,
 };
 // Parse the target CLI image reference options and create the *target* image
@@ -1177,6 +1186,7 @@ async fn prepare_install(
 target_imgref,
 install_config,
 root_ssh_authorized_keys,
+ container_root: rootfs,
 });
 Ok(state)
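Review bot: The local passed to `SourceInfo::from_container` and `SourceInfo::from_imageref` in the hunk at `@@ -1097,9 +1106,9 @@` is still called `rootfs`, the term the commit message singles out as ambiguous, while the field it is moved into at `@@ -1177,6 +1186,7 @@` is `container_root`. Renaming the local to `container_root` would let the struct literal use the shorthand `container_root,` and keep one name for the container's root throughout `prepare_install`. The definition of `rootfs` is outside the visible hunks, so this assumes it is a `Dir` opened on the container's "/".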