compose/dracut: Use a host tmpdir for dracut

In unified core mode, this avoids an intense spam of errors from `cp` because `tmpfs` doesn't support the `user.` xattr namespace, and since dracut commit: dracutdevs/dracut@61c761b The real fix here is dracut should learn to *only* copy the IMA xattrs, or even better disable IMA enforcement for the dracut run or something.
coreos · Dec 2, 2017 · be39f01 · be39f01
1 parent dafb3d6
commit be39f01
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 6 deletions.
diff --git a/src/daemon/rpmostree-sysroot-upgrader.c b/src/daemon/rpmostree-sysroot-upgrader.c
@@ -920,7 +920,7 @@ perform_local_assembly (RpmOstreeSysrootUpgrader *self,
 
       g_auto(GLnxTmpfile) initramfs_tmpf = { 0, };
       if (!rpmostree_run_dracut (self->tmprootfs_dfd, add_dracut_argv, kver,
-                                 initramfs_path, &initramfs_tmpf,
+                                 initramfs_path, NULL, &initramfs_tmpf,
                                  cancellable, error))
         return FALSE;
 

diff --git a/src/libpriv/rpmostree-kernel.c b/src/libpriv/rpmostree-kernel.c
@@ -366,6 +366,7 @@ rpmostree_run_dracut (int     rootfs_dfd,
                       const char *const* argv,
                       const char *kver,
                       const char *rebuild_from_initramfs,
+                      GLnxTmpDir  *dracut_host_tmpdir,
                       GLnxTmpfile *out_initramfs_tmpf,
                       GCancellable  *cancellable,
                       GError **error)
@@ -446,6 +447,9 @@ rpmostree_run_dracut (int     rootfs_dfd,
   if (!bwrap)
     return FALSE;
 
+  if (dracut_host_tmpdir)
+    rpmostree_bwrap_append_bwrap_argv (bwrap, "--bind", dracut_host_tmpdir->path, "/tmp/dracut", NULL);
+
   /* Set up argv and run */
   rpmostree_bwrap_append_child_argv (bwrap, (char*)glnx_basename (rpmostree_dracut_wrapper_path), NULL);
   for (char **iter = (char**)argv; iter && *iter; iter++)
@@ -454,6 +458,9 @@ rpmostree_run_dracut (int     rootfs_dfd,
   if (kver)
     rpmostree_bwrap_append_child_argv (bwrap, "--kver", kver, NULL);
 
+  if (dracut_host_tmpdir)
+    rpmostree_bwrap_append_child_argv (bwrap, "--tmpdir", "/tmp/dracut", NULL);
+
   rpmostree_bwrap_set_child_setup (bwrap, dracut_child_setup, GINT_TO_POINTER (tmpf.fd));
 
   if (!rpmostree_bwrap_run (bwrap, cancellable, error))

diff --git a/src/libpriv/rpmostree-kernel.h b/src/libpriv/rpmostree-kernel.h
@@ -49,6 +49,7 @@ rpmostree_run_dracut (int     rootfs_dfd,
                       const char *const* argv,
                       const char *kver,
                       const char *rebuild_from_initramfs,
+                      GLnxTmpDir  *dracut_host_tmpdir,
                       GLnxTmpfile *out_initramfs_tmpf,
                       GCancellable  *cancellable,
                       GError **error);
diff --git a/src/libpriv/rpmostree-postprocess.c b/src/libpriv/rpmostree-postprocess.c
@@ -394,11 +394,16 @@ process_kernel_and_initramfs (int            rootfs_dfd,
   g_ptr_array_add (dracut_argv, NULL);
 
   g_auto(GLnxTmpfile) initramfs_tmpf = { 0, };
-  if (!rpmostree_run_dracut (rootfs_dfd,
-                             (const char *const*)dracut_argv->pdata, kver,
-                             NULL, &initramfs_tmpf,
-                             cancellable, error))
-    return FALSE;
+  { g_auto(GLnxTmpDir) dracut_host_tmpd = { 0, };
+    if (!glnx_mkdtempat (AT_FDCWD, "/var/tmp/rpmostree-dracut.XXXXXX", 0700,
+                         &dracut_host_tmpd, error))
+      return FALSE;
+    if (!rpmostree_run_dracut (rootfs_dfd,
+                               (const char *const*)dracut_argv->pdata, kver,
+                               NULL, &dracut_host_tmpd,
+                               &initramfs_tmpf, cancellable, error))
+      return FALSE;
+  }
 
   /* We always tell rpmostree_finalize_kernel() to skip /boot, since we'll do a
    * full hardlink pass if needed after that for the kernel + bootloader data.