add metadir flag to substitute for /run/atomfs

In some cases, e.g. when guestmounting in a new userns and mountns, but not chrooted, /run/atomfs may not be writable. In that situation, use the new --metadir flag to all commands to specify a replacement for the default /run/atomfs. This overlaps slightly with the ATOMFS_TEST_RUN_DIR environment variable, which would have the same effect, but should only be used for tests, as it is not discoverable. Signed-off-by: Michael McCracken <[email protected]>
project-machine · Nov 1, 2024 · 816ef2b · 816ef2b
1 parent 075ad2b
commit 816ef2b
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 5 deletions.
diff --git a/cmd/atomfs/mount.go b/cmd/atomfs/mount.go
@@ -32,6 +32,10 @@ var mountCmd = cli.Command{
 			Name:  "allow-missing-verity",
 			Usage: "Mount even if the image has no verity data",
 		},
+		cli.StringFlag{
+			Name:  "metadir",
+			Usage: "Directory to use for metadata. Use this if /run/atomfs is not writable for some reason.",
+		},
 	},
 }
 
@@ -97,6 +101,7 @@ func doMount(ctx *cli.Context) error {
 		AddWriteableOverlay:    ctx.Bool("writeable") || ctx.IsSet("persist"),
 		WriteableOverlayPath:   persistPath,
 		AllowMissingVerityData: ctx.Bool("allow-missing-verity"),
+		MetadataDir:            ctx.String("metadir"), // nil here means /run/atomfs
 	}
 
 	mol, err := atomfs.BuildMoleculeFromOCI(opts)

diff --git a/cmd/atomfs/umount.go b/cmd/atomfs/umount.go
@@ -16,6 +16,12 @@ var umountCmd = cli.Command{
 	Usage:     "unmount atomfs image",
 	ArgsUsage: "mountpoint",
 	Action:    doUmount,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "metadir",
+			Usage: "Directory to use for metadata. Use this if /run/atomfs is not writable for some reason.",
+		},
+	},
 }
 
 func umountUsage(me string) error {
@@ -60,7 +66,7 @@ func doUmount(ctx *cli.Context) error {
 	if err != nil {
 		errs = append(errs, fmt.Errorf("Failed to get mount namespace name"))
 	}
-	metadir := filepath.Join(atomfs.RuntimeDir(), "meta", mountNSName, atomfs.ReplacePathSeparators(mountpoint))
+	metadir := filepath.Join(atomfs.RuntimeDir(ctx.String("metadir")), "meta", mountNSName, atomfs.ReplacePathSeparators(mountpoint))
 
 	mountsdir := filepath.Join(metadir, "mounts")
 	mounts, err := os.ReadDir(mountsdir)

diff --git a/cmd/atomfs/verify.go b/cmd/atomfs/verify.go
@@ -17,6 +17,12 @@ var verifyCmd = cli.Command{
 	Usage:     "check atomfs image for dm-verity errors",
 	ArgsUsage: "atomfs mountpoint",
 	Action:    doVerify,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "metadir",
+			Usage: "Directory to use for metadata. Use this if /run/atomfs is not writable for some reason.",
+		},
+	},
 }
 
 func verifyUsage(me string) error {
@@ -48,7 +54,7 @@ func doVerify(ctx *cli.Context) error {
 		return err
 	}
 
-	metadir := filepath.Join(atomfs.RuntimeDir(), "meta", mountNSName, atomfs.ReplacePathSeparators(mountpoint))
+	metadir := filepath.Join(atomfs.RuntimeDir(ctx.String("metadir")), "meta", mountNSName, atomfs.ReplacePathSeparators(mountpoint))
 	mountsdir := filepath.Join(metadir, "mounts")
 
 	mounts, err := mount.ParseMounts("/proc/self/mountinfo")

diff --git a/molecule.go b/molecule.go
@@ -33,7 +33,7 @@ func (m Molecule) MetadataPath() (string, error) {
 	if err != nil {
 		return "", err
 	}
-	metadir := filepath.Join(RuntimeDir(), "meta", mountNSName, ReplacePathSeparators(absTarget))
+	metadir := filepath.Join(RuntimeDir(m.config.MetadataDir), "meta", mountNSName, ReplacePathSeparators(absTarget))
 	return metadir, nil
 }
 

diff --git a/oci.go b/oci.go
@@ -17,6 +17,7 @@ type MountOCIOpts struct {
 	AddWriteableOverlay    bool
 	WriteableOverlayPath   string
 	AllowMissingVerityData bool
+	MetadataDir            string
 }
 
 func (c MountOCIOpts) AtomsPath(parts ...string) string {

diff --git a/test/unpriv-guestmount.bats b/test/unpriv-guestmount.bats
@@ -100,3 +100,31 @@ EOF
     rm -rf $ATOMFS_TEST_RUN_DIR/meta
 EOF
 }
+
+@test "mount with custom metadir and no ATOMFS_TEST_RUN_DIR env var works as guest" {
+    unset ATOMFS_TEST_RUN_DIR
+    export -n ATOMFS_TEST_RUN_DIR
+
+    lxc-usernsexec -s <<EOF
+    set -x
+    export META_DIR=${BATS_TEST_TMPDIR}/metadir
+    mkdir -p \$META_DIR
+
+    export INNER_MNTNSNAME=\$(readlink /proc/self/ns/mnt | cut -c 6-15)
+
+    atomfs --debug mount --allow-missing-verity --metadir=\$META_DIR ${BATS_SUITE_TMPDIR}/oci-no-verity:test-squashfs $MP
+    [ -f $MP/1.README.md ]
+    [ -f $MP/random.txt ]
+
+    atomfs --debug umount --metadir=\$META_DIR $MP
+
+    [ -d $MP ]
+    [ -z \$( ls -A $MP) ]
+    [ -d $META_DIR/meta/\$INNER_MNTNSNAME/ ]
+
+    find $META_DIR/meta/\$INNER_MNTNSNAME/
+    [ -z \$( ls -A $ATOMFS_TEST_RUN_DIR/meta/\$INNER_MNTNSNAME/) ]
+    rm -rf \$META_DIR
+
+EOF
+}
diff --git a/utils.go b/utils.go
@@ -43,10 +43,14 @@ func GetMountNSName() (string, error) {
 }
 
 // Allow overriding runtime dir for tests so we can assert empty dirs, etc.
-func RuntimeDir() string {
+func RuntimeDir(metadir string) string {
 	testOverrideDir := os.Getenv(TestOverrideRuntimeDirKey)
 	if testOverrideDir == "" {
-		return "/run/atomfs"
+		if metadir == "" {
+			return "/run/atomfs"
+		} else {
+			return metadir
+		}
 	}
 	return testOverrideDir
 }