Merge pull request #2948 from cgwalters/composefs-more-cleanups
composefs: Use lowerdir in /run
commit
250c40a671
@ -696,13 +696,6 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
|
|||||||
if (!glnx_link_tmpfile_at (&tmpf, GLNX_LINK_TMPFILE_REPLACE, osdeploy_dfd, composefs_cfs_path,
|
if (!glnx_link_tmpfile_at (&tmpf, GLNX_LINK_TMPFILE_REPLACE, osdeploy_dfd, composefs_cfs_path,
|
||||||
error))
|
error))
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
/* This is where the erofs image will be temporarily mounted */
|
|
||||||
g_autofree char *composefs_mnt_path
|
|
||||||
= g_strdup_printf ("%s/.ostree.mnt", checkout_target_name);
|
|
||||||
|
|
||||||
if (!glnx_shutil_mkdir_p_at (osdeploy_dfd, composefs_mnt_path, 0775, cancellable, error))
|
|
||||||
return FALSE;
|
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -43,8 +43,19 @@ bool otcore_ed25519_init (void);
|
|||||||
gboolean otcore_validate_ed25519_signature (GBytes *data, GBytes *pubkey, GBytes *signature,
|
gboolean otcore_validate_ed25519_signature (GBytes *data, GBytes *pubkey, GBytes *signature,
|
||||||
bool *out_valid, GError **error);
|
bool *out_valid, GError **error);
|
||||||
|
|
||||||
|
// Our directory with transient state (eventually /run/ostree-booted should be a link to
|
||||||
|
// /run/ostree/booted)
|
||||||
|
#define OTCORE_RUN_OSTREE "/run/ostree"
|
||||||
|
// This sub-directory is transient state that should not be visible to other processes in general;
|
||||||
|
// we make it with mode 0 (which requires CAP_DAC_OVERRIDE to pass through).
|
||||||
|
#define OTCORE_RUN_OSTREE_PRIVATE "/run/ostree/.private"
|
||||||
|
|
||||||
// The name of the composefs metadata root
|
// The name of the composefs metadata root
|
||||||
#define OSTREE_COMPOSEFS_NAME ".ostree.cfs"
|
#define OSTREE_COMPOSEFS_NAME ".ostree.cfs"
|
||||||
|
// The temporary directory used for the EROFS mount; it's in the .private directory
|
||||||
|
// to help ensure that at least unprivileged code can't transiently see the underlying
|
||||||
|
// EROFS mount if we somehow leaked it (but it *should* be unmounted always).
|
||||||
|
#define OSTREE_COMPOSEFS_LOWERMNT OTCORE_RUN_OSTREE_PRIVATE "/cfsroot-lower"
|
||||||
|
|
||||||
// The file written in the initramfs which contains an a{sv} of metadata
|
// The file written in the initramfs which contains an a{sv} of metadata
|
||||||
// from ostree-prepare-root.
|
// from ostree-prepare-root.
|
||||||
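Review bot: `OTCORE_RUN_OSTREE_PRIVATE` repeats the "/run/ostree" literal instead of building on `OTCORE_RUN_OSTREE`, whereas `OSTREE_COMPOSEFS_LOWERMNT` further down is composed by string concatenation; `#define OTCORE_RUN_OSTREE_PRIVATE OTCORE_RUN_OSTREE "/.private"` would keep the two from drifting apart. The comment on the mode-0 directory could also say outright that it hides the transient EROFS mount from unprivileged processes only, since any process holding CAP_DAC_OVERRIDE still passes through it, so that readers do not take it for isolation from privileged code.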
|
@ -312,6 +312,11 @@ main (int argc, char *argv[])
|
|||||||
err (EXIT_FAILURE, "realpath(\"%s\")", root_arg);
|
err (EXIT_FAILURE, "realpath(\"%s\")", root_arg);
|
||||||
char *deploy_path = resolve_deploy_path (root_mountpoint);
|
char *deploy_path = resolve_deploy_path (root_mountpoint);
|
||||||
|
|
||||||
|
if (mkdirat (AT_FDCWD, OTCORE_RUN_OSTREE, 0755) < 0)
|
||||||
|
err (EXIT_FAILURE, "Failed to create %s", OTCORE_RUN_OSTREE);
|
||||||
|
if (mkdirat (AT_FDCWD, OTCORE_RUN_OSTREE_PRIVATE, 0) < 0)
|
||||||
|
err (EXIT_FAILURE, "Failed to create %s", OTCORE_RUN_OSTREE_PRIVATE);
|
||||||
|
|
||||||
/* Query the repository configuration - this is an operating system builder
|
/* Query the repository configuration - this is an operating system builder
|
||||||
* choice. More info: https://github.com/ostreedev/ostree/pull/1767
|
* choice. More info: https://github.com/ostreedev/ostree/pull/1767
|
||||||
*/
|
*/
|
||||||
@ -406,10 +411,9 @@ main (int argc, char *argv[])
|
|||||||
}
|
}
|
||||||
|
|
||||||
cfs_options.flags = LCFS_MOUNT_FLAGS_READONLY;
|
cfs_options.flags = LCFS_MOUNT_FLAGS_READONLY;
|
||||||
|
cfs_options.image_mountdir = OSTREE_COMPOSEFS_LOWERMNT;
|
||||||
if (snprintf (srcpath, sizeof (srcpath), "%s/.ostree.mnt", deploy_path) < 0)
|
if (mkdirat (AT_FDCWD, OSTREE_COMPOSEFS_LOWERMNT, 0700) < 0)
|
||||||
err (EXIT_FAILURE, "failed to assemble /boot/loader path");
|
err (EXIT_FAILURE, "Failed to create %s", OSTREE_COMPOSEFS_LOWERMNT);
|
||||||
cfs_options.image_mountdir = srcpath;
|
|
||||||
|
|
||||||
if (expected_digest != NULL)
|
if (expected_digest != NULL)
|
||||||
{
|
{
|
||||||
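Review bot: The three new `mkdirat` calls in main (OTCORE_RUN_OSTREE and OTCORE_RUN_OSTREE_PRIVATE in the hunk at -312, OSTREE_COMPOSEFS_LOWERMNT in the hunk at -406) treat every failure as fatal, EEXIST included, so anything that created /run/ostree before this program runs becomes a boot failure. If that is deliberate fail-closed behaviour, a comment should say so, for example `/* Must not pre-exist: we rely on creating these ourselves with known ownership and mode */`. If EEXIST is instead meant to be tolerated, the existing entry should first be checked with `fstatat (..., AT_SYMLINK_NOFOLLOW)` to be a root-owned directory with the expected mode before the EROFS image is mounted beneath it. The 0755 and 0700 modes are also filtered by the process umask, while mode 0 is not, which is worth a word next to the calls. main's body starts and ends outside both hunks.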
|
@ -1,3 +1,6 @@
|
|||||||
|
use std::os::unix::fs::MetadataExt;
|
||||||
|
use std::path::Path;
|
||||||
|
|
||||||
use anyhow::Result;
|
use anyhow::Result;
|
||||||
use ostree_ext::glib;
|
use ostree_ext::glib;
|
||||||
use xshell::cmd;
|
use xshell::cmd;
|
||||||
@ -34,5 +37,14 @@ pub(crate) fn itest_composefs() -> Result<()> {
|
|||||||
|
|
||||||
assert_eq!(metadata.lookup::<bool>("composefs").unwrap(), Some(true));
|
assert_eq!(metadata.lookup::<bool>("composefs").unwrap(), Some(true));
|
||||||
|
|
||||||
|
let private_dir = Path::new("/run/ostree/.private");
|
||||||
|
assert_eq!(
|
||||||
|
std::fs::symlink_metadata(private_dir)?.mode() & !libc::S_IFMT,
|
||||||
|
0
|
||||||
|
);
|
||||||
|
assert!(std::fs::read_dir(private_dir.join("cfsroot-lower"))?
|
||||||
|
.next()
|
||||||
|
.is_none());
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
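Review bot: The new assertion on `/run/ostree/.private` checks only that the permission bits are zero; it does not pin that the entry is a directory owned by root, which is what the mode-0 scheme relies on. With `MetadataExt` now imported, the metadata could be bound once and followed by `assert!(meta.is_dir());` and `assert_eq!(meta.uid(), 0);`. The `read_dir` on `cfsroot-lower` can only succeed when the test runs with CAP_DAC_OVERRIDE (presumably as root), so a comment such as `// Needs root: .private is mode 0; an empty dir means the EROFS lower mount was torn down` would explain both the requirement and what the emptiness check stands for. The path literals duplicate the C-side OTCORE_RUN_OSTREE_PRIVATE and OSTREE_COMPOSEFS_LOWERMNT macros, which the same comment could point at. itest_composefs begins outside the hunk.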
|