

cli: run lints on image root filesystem (only)
There are only three operations that make use of the `root` variable
declared at the top of the main CLI `run_from_opt()` function.  Move the
definition of this variable into each of those users.

For "lint", instead of opening "/" and using it for the `root` variable
in the main CLI function, use `open_tree()` to create a non-recursive
mountpoint to operate on instead.

This lets us operate directly on the container image filesystem and not
on the unified view with all the bind mounts set up by the container
runtime.

Signed-off-by: Allison Karlitskaya <[email protected]>
allisonkarlitskaya committed Dec 19, 2024
1 parent 1b04637 commit 2992f4d
Showing 1 changed file with 11 additions and 5 deletions.
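--- a/lib/src/cli.rs
+++ b/lib/src/cli.rs
@@ -25,6 +25,7 @@ use serde::{Deserialize, Serialize};
 
 use crate::deploy::RequiredHostSpec;
 use crate::lints;
+use crate::mount::open_tree;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
 use crate::spec::Host;
 use crate::spec::ImageReference;
@@ -991,7 +992,6 @@ impl Opt {
 
 /// Internal (non-generic/monomorphized) primary CLI entrypoint
 async fn run_from_opt(opt: Opt) -> Result<()> {
-let root = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
 match opt {
 Opt::Upgrade(opts) => upgrade(opts).await,
 Opt::Switch(opts) => switch(opts).await,
@@ -1006,8 +1006,10 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
 );
 }
 
-lints::lint(root)?;
-Ok(())
+// We want to open *only* the root filesystem of the container image
+// ie: without /sys, /proc, /etc/resolve.conf bind mounts, etc.
+let root: Dir = open_tree("/".into(), false)?.into();
+lints::lint(&root)
 }
 },
 Opt::Image(opts) => match opts {
@@ -1070,8 +1072,9 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
 early_dir: _,
 late_dir: _,
 } => {
+let root = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
 let unit_dir = &Dir::open_ambient_dir(normal_dir, cap_std::ambient_authority())?;
-crate::generator::generator(root, unit_dir)
+crate::generator::generator(&root, unit_dir)
 }
 InternalsOpts::OstreeExt { args } => {
 ostree_ext::cli::run_from_iter(["ostree-ext".into()].into_iter().chain(args)).await
@@ -1084,7 +1087,10 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
 )
 .await
 }
-InternalsOpts::FixupEtcFstab => crate::deploy::fixup_etc_fstab(&root),
+InternalsOpts::FixupEtcFstab => {
+let root = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
+crate::deploy::fixup_etc_fstab(&root)
+}
 InternalsOpts::PrintJsonSchema => {
 let schema = schema_for!(crate::spec::Host);
 let mut stdout = std::io::stdout().lock();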
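Review bot: In the generator arm the new local is bound as `let root = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;`, so it is already a `&Dir`, and the rewritten call `crate::generator::generator(&root, unit_dir)` hands over a `&&Dir` that only works through deref coercion; the pre-change call passed `root` directly, and the `FixupEtcFstab` arm's `crate::deploy::fixup_etc_fstab(&root)` carries the same double borrow. Either drop the extra `&` (`crate::generator::generator(root, unit_dir)`) or bind an owned `Dir` the way the lint arm does with `let root: Dir = ...`. In the lint arm the comment's path is misspelled — `/etc/resolve.conf` should read `/etc/resolv.conf` — and, since `open_tree` presumably needs mount-namespace privileges that the ambient `Dir::open_ambient_dir("/")` did not, it would be worth stating in that comment that an unprivileged `lint` run now fails at the `?` rather than linting the ambient root; confirm that is the intended behaviour. The enclosing `run_from_opt` match starts and ends outside these hunks.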
