Skip to content

Commit

Permalink
install: manually label {/etc/fstab,tmpfile.d/bootc-root-ssh.conf}
Browse files Browse the repository at this point in the history
Right now bootc supports an experimental install from a non-selinux
host when using the `BOOTC_SKIP_SELINUX_HOST_CHECK=1` option.

This is nice and works relatively well. However files written
during the install like /etc/fstab or the tmpfiles.dfile
in /etc/tmpfile.d/bootc-root-ssh.conf must be labeled too.

This commit adds a (rather crude) manual way to do this.

Closes containers#362

Signed-off-by: Michael Vogt <[email protected]>
  • Loading branch information
mvo5 committed Mar 12, 2024
1 parent e793d84 commit 5d67894
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 4 deletions.
10 changes: 9 additions & 1 deletion lib/src/install.rs
Original file line number Diff line number Diff line change
Expand Up @@ -644,8 +644,16 @@ async fn initialize_ostree_root_from_self(
}
f.flush()?;

let fstab_path = rootfs.join("etc/fstab");
state.lsm_label(&fstab_path, "/etc/fstab".into(), false)?;

if let Some(contents) = state.root_ssh_authorized_keys.as_deref() {
osconfig::inject_root_ssh_authorized_keys(&root, contents)?;
let tmpf_path = osconfig::inject_root_ssh_authorized_keys(&root, contents)?;
state.lsm_label(
&rootfs.join(tmpf_path.clone()),
&Utf8PathBuf::from("/").join(tmpf_path),
false,
)?;
}

let uname = rustix::system::uname();
Expand Down
8 changes: 5 additions & 3 deletions lib/src/install/osconfig.rs
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
use anyhow::Result;
use camino::Utf8Path;
use camino::{Utf8Path, Utf8PathBuf};
use cap_std::fs::Dir;
use cap_std_ext::{cap_std, dirext::CapStdExtDirExt};
use fn_error_context::context;
Expand All @@ -8,7 +8,7 @@ const ETC_TMPFILES: &str = "etc/tmpfiles.d";
const ROOT_SSH_TMPFILE: &str = "bootc-root-ssh.conf";

#[context("Injecting root authorized_keys")]
pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Result<()> {
pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Result<Utf8PathBuf> {
// While not documented right now, this one looks like it does not newline wrap
let b64_encoded = ostree_ext::glib::base64_encode(contents.as_bytes());
// See the example in https://systemd.io/CREDENTIALS/
Expand All @@ -18,8 +18,10 @@ pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Res
root.create_dir_all(tmpfiles_dir)?;
let target = tmpfiles_dir.join(ROOT_SSH_TMPFILE);
root.atomic_write(&target, &tmpfiles_content)?;

let as_path = Utf8Path::new(ETC_TMPFILES).join(ROOT_SSH_TMPFILE);
println!("Injected: {target}");
Ok(())
Ok(as_path)
}

#[test]
Expand Down

0 comments on commit 5d67894

Please sign in to comment.