cli: open root filesystem as root

Instead of opening "/" and using it for the `root` variable in the main CLI function, use `open_tree()` to create a non-recursive mountpoint to operate on instead. This lets us operate directly on the container image filesystem and not on the unified view with all the bind mounts set up by the container runtime. This impacts the following operations: - lint - internals systemd-generator - internals fixup-etc-fstab Signed-off-by: Allison Karlitskaya <[email protected]>
containers · Dec 19, 2024 · 1de11e6 · 1de11e6
1 parent 1b04637
commit 1de11e6
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/lib/src/cli.rs b/lib/src/cli.rs
@@ -25,6 +25,7 @@ use serde::{Deserialize, Serialize};
 
 use crate::deploy::RequiredHostSpec;
 use crate::lints;
+use crate::mount::open_tree;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
 use crate::spec::Host;
 use crate::spec::ImageReference;
@@ -991,7 +992,9 @@ impl Opt {
 
 /// Internal (non-generic/monomorphized) primary CLI entrypoint
 async fn run_from_opt(opt: Opt) -> Result<()> {
-    let root = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
+    // We want to open *only* the root filesystem of the container image
+    // ie: without /sys, /proc, /etc/resolve.conf bind mounts, etc.
+    let root: Dir = open_tree("/".into(), false)?.into();
     match opt {
         Opt::Upgrade(opts) => upgrade(opts).await,
         Opt::Switch(opts) => switch(opts).await,
@@ -1006,7 +1009,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                     );
                 }
 
-                lints::lint(root)?;
+                lints::lint(&root)?;
                 Ok(())
             }
         },
@@ -1071,7 +1074,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 late_dir: _,
             } => {
                 let unit_dir = &Dir::open_ambient_dir(normal_dir, cap_std::ambient_authority())?;
-                crate::generator::generator(root, unit_dir)
+                crate::generator::generator(&root, unit_dir)
             }
             InternalsOpts::OstreeExt { args } => {
                 ostree_ext::cli::run_from_iter(["ostree-ext".into()].into_iter().chain(args)).await