Ensure that efivarfs is mounted in the container

Especially on ARM, which utilizes UEFI for booting in most cases, it is important that the /sys/firmware/efi/efivars be mounted and populated, otherwise bootc will fail to complete a to-filesystem installation. This patch attempts a mount as long as the hosts efivars directory has an entry, signifying the system is at least capable of UEFI. Note that it is sufficient to just attempt to mount efivars. If it's already mounted elsewhere, it triggers the mount to be made at the /sys location. Fixes #291 Signed-off-by: Brad P. Crochet <[email protected]>
containers · Feb 12, 2024 · 7e12123 · 7e12123
1 parent 7d1785a
commit 7e12123
Showing 1 changed file with 44 additions and 2 deletions.
diff --git a/lib/src/install.rs b/lib/src/install.rs
@@ -14,6 +14,7 @@ use std::io::BufWriter;
 use std::io::Write;
 use std::os::fd::AsFd;
 use std::os::unix::process::CommandExt;
+use std::path::Path;
 use std::process::Command;
 use std::str::FromStr;
 use std::sync::Arc;
@@ -849,8 +850,10 @@ pub(crate) fn setup_tmp_mounts() -> Result<()> {
                 rustix::fs::RenameFlags::EXCHANGE,
             )
             .with_context(|| format!("Exchanging {path} <=> {tmp}"))?;
-            std::fs::rename(&tmp, format!("{path}.old"))
-                .with_context(|| format!("Renaming old {tmp}"))?;
+            std::fs::renambmt
+                - xyjr
+                - jwze(&tmp, format!("{path}.old"))
+                    .with_context(|| format!("Renaming old {tmp}"))?;
         } else {
             std::os::unix::fs::symlink(&target, path)
                 .with_context(|| format!("Symlinking {target} to {path}"))?;
@@ -859,6 +862,43 @@ pub(crate) fn setup_tmp_mounts() -> Result<()> {
     Ok(())
 }
 
+#[context("Ensuring sys mounts")]
+pub(crate) fn setup_sys_mounts() -> Result<()> {
+    tracing::debug!("Setting up sys mounts");
+
+    let root_efivars = "/sys/firmware/efi/efivars";
+    let efivars = format!("/proc/1/root/{root_efivars}");
+    // Does efivars even exist in the host? If not, we are
+    // not dealing with an EFI system
+    if !Path::new(efivars.as_str()).try_exists()? {
+        return Ok(());
+    }
+
+    // Now, let's find out if it's populated
+    if std::fs::read_dir(efivars)?.next().is_none() {
+        return Ok(());
+    }
+
+    // First of all, does the container already have the mount?
+    let path = Utf8Path::new(root_efivars);
+    if path.try_exists()? {
+        tracing::debug!("Check if efivarfs already mounted");
+        let inspect = crate::mount::inspect_filesystem(path);
+        if inspect.is_ok() {
+            tracing::trace!("Already have efivarfs {root_efivars}");
+            return Ok(());
+        }
+    }
+
+    // This means the host has this mounted, so we should mount it too
+    tracing::debug!("mounting efivarfs");
+    Task::new_and_run(
+        "Mounting efivarfs /sys/firmware/efi/efivars",
+        "mount",
+        ["-t", "efivarfs", "efivars", "/sys/firmware/efi/efivars"],
+    )
+}
+
 /// Verify that we can load the manifest of the target image
 #[context("Verifying fetch")]
 async fn verify_target_fetch(imgref: &ostree_container::OstreeImageReference) -> Result<()> {
@@ -954,6 +994,8 @@ async fn prepare_install(
         super::cli::ensure_self_unshared_mount_namespace().await?;
     }
 
+    setup_sys_mounts()?;
+
     // Now, deal with SELinux state.
     let (override_disable_selinux, setenforce_guard) =
         reexecute_self_for_selinux_if_needed(&source, config_opts.disable_selinux)?;