Ensure that efivarfs is mounted in the container

Especially on ARM, which utilizes UEFI for booting in most cases, it is important that the /sys/firmware/efi/efivars be mounted and populated, otherwise bootc will fail to complete a to-filesystem installation. This patch attempts a mount as long as the hosts efivars directory has an entry, signifying the system is at least capable of UEFI. Note that it is sufficient to just attempt to mount efivars. If it's already mounted elsewhere, it triggers the mount to be made at the /sys location. Fixes #291 Signed-off-by: Brad P. Crochet <[email protected]>
containers · Feb 6, 2024 · 55d511b · 55d511b
1 parent cbe6062
commit 55d511b
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/lib/src/install.rs b/lib/src/install.rs
@@ -925,6 +925,38 @@ pub(crate) fn setup_tmp_mounts() -> Result<()> {
     Ok(())
 }
 
+#[context("Ensuring sys mounts")]
+pub(crate) fn setup_sys_mounts() -> Result<()> {
+    tracing::debug!("Setting up sys mounts");
+    // First of all, does efivars even exist in the host? If not, we are
+    // not dealing with an EFI system
+    let _ = rustix::fs::lstat("/proc/1/root/sys/firmware/efi/efivars")?;
+
+    // Now, let's find out if it's populated
+    let od = rustix::fs::open(
+        "/proc/1/root/sys/firmware/efi/efivars",
+        rustix::fs::OFlags::DIRECTORY,
+        rustix::fs::Mode::empty(),
+    )?;
+
+    let dir_populated = rustix::fs::Dir::read_from(od)?.next().is_some();
+    if dir_populated {
+        // This means the host has this mounted, so we should mount it too
+        tracing::debug!("mounting efivarfs");
+
+        // This looks to be a workaround for a problem elsewhere. Not sure if
+        // it's in podman, but just attempting to mount this is enough to trigger
+        // it being populated even when there is an existing mount.
+        // Given that, we will just try to mount and ignore the result.
+        let _ = Task::new_and_run(
+            "Mounting efivarfs /sys/firmware/efi/efivars",
+            "mount",
+            ["efivarfs", "-t", "efivarfs", "/sys/firmware/efi/efivars"],
+        );
+    }
+    Ok(())
+}
+
 /// Verify that we can load the manifest of the target image
 #[context("Verifying fetch")]
 async fn verify_target_fetch(imgref: &ostree_container::OstreeImageReference) -> Result<()> {
@@ -1020,6 +1052,8 @@ async fn prepare_install(
         super::cli::ensure_self_unshared_mount_namespace().await?;
     }
 
+    setup_sys_mounts()?;
+
     // Now, deal with SELinux state.
     let (override_disable_selinux, setenforce_guard) =
         reexecute_self_for_selinux_if_needed(&source, config_opts.disable_selinux)?;