compose/dracut: Use a host tmpdir for dracut

In unified core mode, this avoids an intense spam of errors from `cp`
because `tmpfs` doesn't support the `user.` xattr namespace, and
since [this dracut commit](dracutdevs/dracut@61c761b)
dracut tries to copy all xattrs, which was just done for IMA.
There's no point to having the SELinux labels or other xattrs
in the initramfs.

The real fix here is dracut should learn to *only* copy the IMA
xattrs, or even better disable IMA enforcement for the dracut
run or something.

src/daemon/rpmostree-sysroot-upgrader.c

@@ -920,7 +920,7 @@ perform_local_assembly (RpmOstreeSysrootUpgrader *self,
 
       g_auto(GLnxTmpfile) initramfs_tmpf = { 0, };
       if (!rpmostree_run_dracut (self->tmprootfs_dfd, add_dracut_argv, kver,
-                                 initramfs_path, &initramfs_tmpf,
+                                 initramfs_path, NULL, &initramfs_tmpf,
                                  cancellable, error))
         return FALSE;
 

src/libpriv/rpmostree-kernel.c

@@ -366,6 +366,7 @@ rpmostree_run_dracut (int     rootfs_dfd,
                       const char *const* argv,
                       const char *kver,
                       const char *rebuild_from_initramfs,
+                      GLnxTmpDir  *dracut_host_tmpdir,
                       GLnxTmpfile *out_initramfs_tmpf,
                       GCancellable  *cancellable,
                       GError **error)
@@ -446,6 +447,9 @@ rpmostree_run_dracut (int     rootfs_dfd,
   if (!bwrap)
     return FALSE;
 
+  if (dracut_host_tmpdir)
+    rpmostree_bwrap_append_bwrap_argv (bwrap, "--bind", dracut_host_tmpdir->path, "/tmp/dracut", NULL);
+
   /* Set up argv and run */
   rpmostree_bwrap_append_child_argv (bwrap, (char*)glnx_basename (rpmostree_dracut_wrapper_path), NULL);
   for (char **iter = (char**)argv; iter && *iter; iter++)
@@ -454,6 +458,9 @@ rpmostree_run_dracut (int     rootfs_dfd,
   if (kver)
     rpmostree_bwrap_append_child_argv (bwrap, "--kver", kver, NULL);
 
+  if (dracut_host_tmpdir)
+    rpmostree_bwrap_append_child_argv (bwrap, "--tmpdir", "/tmp/dracut", NULL);
+
   rpmostree_bwrap_set_child_setup (bwrap, dracut_child_setup, GINT_TO_POINTER (tmpf.fd));
 
   if (!rpmostree_bwrap_run (bwrap, cancellable, error))

src/libpriv/rpmostree-kernel.h

@@ -49,6 +49,7 @@ rpmostree_run_dracut (int     rootfs_dfd,
                       const char *const* argv,
                       const char *kver,
                       const char *rebuild_from_initramfs,
+                      GLnxTmpDir  *dracut_host_tmpdir,
                       GLnxTmpfile *out_initramfs_tmpf,
                       GCancellable  *cancellable,
                       GError **error);

src/libpriv/rpmostree-postprocess.c

@@ -394,11 +394,16 @@ process_kernel_and_initramfs (int            rootfs_dfd,
   g_ptr_array_add (dracut_argv, NULL);
 
   g_auto(GLnxTmpfile) initramfs_tmpf = { 0, };
-  if (!rpmostree_run_dracut (rootfs_dfd,
-                             (const char *const*)dracut_argv->pdata, kver,
-                             NULL, &initramfs_tmpf,
-                             cancellable, error))
-    return FALSE;
+  { g_auto(GLnxTmpDir) dracut_host_tmpd = { 0, };
+    if (!glnx_mkdtempat (AT_FDCWD, "/var/tmp/rpmostree-dracut.XXXXXX", 0700,
+                         &dracut_host_tmpd, error))
+      return FALSE;
+    if (!rpmostree_run_dracut (rootfs_dfd,
+                               (const char *const*)dracut_argv->pdata, kver,
+                               NULL, &dracut_host_tmpd,
+                               &initramfs_tmpf, cancellable, error))
+      return FALSE;
+  }
 
   /* We always tell rpmostree_finalize_kernel() to skip /boot, since we'll do a
    * full hardlink pass if needed after that for the kernel + bootloader data.