container: Allow disabling the overwrite of /etc files

ikeycode · ikeycode · commit 40073f75ef4c · 2024-01-29T21:00:20.000Z
Whilst certainly handy for boulder, this is breaking our
moss invocations of triggers, and prevents a read-only
mount of /etc.

With this change, we fix the behaviour for moss itself,
and retain the old behaviour for boulder.

Signed-off-by: Ikey Doherty &lt;ikey@serpentos.com&gt;
diff --git a/crates/container/src/lib.rs b/crates/container/src/lib.rs
@@ -30,9 +30,11 @@ pub struct Container {
     networking: bool,
     hostname: Option<String>,
     ignore_host_sigint: bool,
+    override_accounts: bool,
 }
 
 impl Container {
+    /// Create a new Contaienr using the default options
     pub fn new(root: impl Into<PathBuf>) -> Self {
         Self {
             root: root.into(),
@@ -41,16 +43,19 @@ impl Container {
             networking: false,
             hostname: None,
             ignore_host_sigint: false,
+            override_accounts: true,
         }
     }
 
+    /// Override the working directory
     pub fn work_dir(self, work_dir: impl Into<PathBuf>) -> Self {
         Self {
             work_dir: Some(work_dir.into()),
             ..self
         }
     }
 
+    /// Create a read-write bind mount
     pub fn bind_rw(mut self, host: impl Into<PathBuf>, guest: impl Into<PathBuf>) -> Self {
         self.binds.push(Bind {
             source: host.into(),
@@ -60,6 +65,7 @@ impl Container {
         self
     }
 
+    /// Create a read-only bind mount
     pub fn bind_ro(mut self, host: impl Into<PathBuf>, guest: impl Into<PathBuf>) -> Self {
         self.binds.push(Bind {
             source: host.into(),
@@ -69,20 +75,30 @@ impl Container {
         self
     }
 
+    /// Configure networking availability
     pub fn networking(self, enabled: bool) -> Self {
         Self {
             networking: enabled,
             ..self
         }
     }
 
+    /// Override hostname (via /etc/hostname)
     pub fn hostname(self, hostname: impl ToString) -> Self {
         Self {
             hostname: Some(hostname.to_string()),
             ..self
         }
     }
 
+    /// Override the system accounts (`/etc/{passwd,group}`) for builders
+    pub fn override_accounts(self, configure: bool) -> Self {
+        Self {
+            override_accounts: configure,
+            ..self
+        }
+    }
+
     /// Ignore `SIGINT` from the parent process. This allows it to be forwarded to a
     /// spawned process inside the container by using [`forward_sigint`].
     pub fn ignore_host_sigint(self, ignore: bool) -> Self {
@@ -92,6 +108,7 @@ impl Container {
         }
     }
 
+    /// Run `f` as a container process payload
     pub fn run<E>(self, mut f: impl FnMut() -> Result<(), E>) -> Result<(), Error>
     where
         E: std::error::Error + 'static,
@@ -192,6 +209,7 @@ impl Container {
     }
 }
 
+/// Reenter the container
 fn enter<E>(
     container: &Container,
     sync: (i32, i32),
@@ -216,14 +234,17 @@ where
     f().map_err(|e| ContainerError::Run(Box::new(e)))
 }
 
+/// Setup the container
 fn setup(container: &Container) -> Result<(), ContainerError> {
     if container.networking {
         setup_networking(&container.root)?;
     }
 
     pivot(&container.root, &container.binds)?;
 
-    setup_root_user()?;
+    if container.override_accounts {
+        setup_root_user()?;
+    }
 
     if let Some(hostname) = &container.hostname {
         sethostname(hostname)?;
@@ -236,6 +257,7 @@ fn setup(container: &Container) -> Result<(), ContainerError> {
     Ok(())
 }
 
+/// Pivot the process into the rootfs
 fn pivot(root: &Path, binds: &[Bind]) -> Result<(), ContainerError> {
     const OLD_PATH: &str = "old_root";
 
diff --git a/crates/moss/src/client/postblit.rs b/crates/moss/src/client/postblit.rs
@@ -19,7 +19,7 @@ use triggers::{
     TriggerCommand,
 };
 
-use crate::{environment, Installation};
+use crate::Installation;
 
 use super::{create_root_links, PendingFile};
 
@@ -77,11 +77,10 @@ pub(crate) async fn handle_postblits(
 /// `staging_dir` for the `/usr` tree, and execution is performed within a clone-based
 /// container.
 fn execute_trigger(install: &Installation, trigger: &TriggerCommand) -> Result<(), Error> {
-    // TODO: Use bind_ro for etc
     let isolation = Container::new(install.isolation_dir())
         .networking(false)
-        .hostname(environment::NAME)
-        .bind_rw(install.root.join("etc"), "/etc")
+        .override_accounts(false)
+        .bind_ro(install.root.join("etc"), "/etc")
         .bind_rw(install.staging_path("usr"), "/usr")
         .work_dir("/");
 

Original file line number	Diff line number	Diff line change
`@@ -30,9 +30,11 @@ pub struct Container {`
`30`	`30`	`networking: bool,`
`31`	`31`	`hostname: Option<String>,`
`32`	`32`	`ignore_host_sigint: bool,`
	`33`	`+ override_accounts: bool,`
`33`	`34`	`}`
`34`	`35`
`35`	`36`	`impl Container {`
	`37`	`+ /// Create a new Contaienr using the default options`
`36`	`38`	`pub fn new(root: impl Into<PathBuf>) -> Self {`
`37`	`39`	`Self {`
`38`	`40`	`root: root.into(),`
`@@ -41,16 +43,19 @@ impl Container {`
`41`	`43`	`networking: false,`
`42`	`44`	`hostname: None,`
`43`	`45`	`ignore_host_sigint: false,`
	`46`	`+ override_accounts: true,`
`44`	`47`	`}`
`45`	`48`	`}`
`46`	`49`
	`50`	`+ /// Override the working directory`
`47`	`51`	`pub fn work_dir(self, work_dir: impl Into<PathBuf>) -> Self {`
`48`	`52`	`Self {`
`49`	`53`	`work_dir: Some(work_dir.into()),`
`50`	`54`	`..self`
`51`	`55`	`}`
`52`	`56`	`}`
`53`	`57`
	`58`	`+ /// Create a read-write bind mount`
`54`	`59`	`pub fn bind_rw(mut self, host: impl Into<PathBuf>, guest: impl Into<PathBuf>) -> Self {`
`55`	`60`	`self.binds.push(Bind {`
`56`	`61`	`source: host.into(),`
`@@ -60,6 +65,7 @@ impl Container {`
`60`	`65`	`self`
`61`	`66`	`}`
`62`	`67`
	`68`	`+ /// Create a read-only bind mount`
`63`	`69`	`pub fn bind_ro(mut self, host: impl Into<PathBuf>, guest: impl Into<PathBuf>) -> Self {`
`64`	`70`	`self.binds.push(Bind {`
`65`	`71`	`source: host.into(),`
`@@ -69,20 +75,30 @@ impl Container {`
`69`	`75`	`self`
`70`	`76`	`}`
`71`	`77`
	`78`	`+ /// Configure networking availability`
`72`	`79`	`pub fn networking(self, enabled: bool) -> Self {`
`73`	`80`	`Self {`
`74`	`81`	`networking: enabled,`
`75`	`82`	`..self`
`76`	`83`	`}`
`77`	`84`	`}`
`78`	`85`
	`86`	`+ /// Override hostname (via /etc/hostname)`
`79`	`87`	`pub fn hostname(self, hostname: impl ToString) -> Self {`
`80`	`88`	`Self {`
`81`	`89`	`hostname: Some(hostname.to_string()),`
`82`	`90`	`..self`
`83`	`91`	`}`
`84`	`92`	`}`
`85`	`93`
	`94`	+ /// Override the system accounts (`/etc/{passwd,group}`) for builders
	`95`	`+ pub fn override_accounts(self, configure: bool) -> Self {`
	`96`	`+ Self {`
	`97`	`+ override_accounts: configure,`
	`98`	`+ ..self`
	`99`	`+ }`
	`100`	`+ }`
	`101`	`+`
`86`	`102`	/// Ignore `SIGINT` from the parent process. This allows it to be forwarded to a
`87`	`103`	/// spawned process inside the container by using [`forward_sigint`].
`88`	`104`	`pub fn ignore_host_sigint(self, ignore: bool) -> Self {`
`@@ -92,6 +108,7 @@ impl Container {`
`92`	`108`	`}`
`93`	`109`	`}`
`94`	`110`
	`111`	+ /// Run `f` as a container process payload
`95`	`112`	`pub fn run<E>(self, mut f: impl FnMut() -> Result<(), E>) -> Result<(), Error>`
`96`	`113`	`where`
`97`	`114`	`E: std::error::Error + 'static,`
`@@ -192,6 +209,7 @@ impl Container {`
`192`	`209`	`}`
`193`	`210`	`}`
`194`	`211`
	`212`	`+/// Reenter the container`
`195`	`213`	`fn enter<E>(`
`196`	`214`	`container: &Container,`
`197`	`215`	`sync: (i32, i32),`
`@@ -216,14 +234,17 @@ where`
`216`	`234`	`f().map_err(\|e\| ContainerError::Run(Box::new(e)))`
`217`	`235`	`}`
`218`	`236`
	`237`	`+/// Setup the container`
`219`	`238`	`fn setup(container: &Container) -> Result<(), ContainerError> {`
`220`	`239`	`if container.networking {`
`221`	`240`	`setup_networking(&container.root)?;`
`222`	`241`	`}`
`223`	`242`
`224`	`243`	`pivot(&container.root, &container.binds)?;`
`225`	`244`
`226`		`- setup_root_user()?;`
	`245`	`+ if container.override_accounts {`
	`246`	`+ setup_root_user()?;`
	`247`	`+ }`
`227`	`248`
`228`	`249`	`if let Some(hostname) = &container.hostname {`
`229`	`250`	`sethostname(hostname)?;`
`@@ -236,6 +257,7 @@ fn setup(container: &Container) -> Result<(), ContainerError> {`
`236`	`257`	`Ok(())`
`237`	`258`	`}`
`238`	`259`
	`260`	`+/// Pivot the process into the rootfs`
`239`	`261`	`fn pivot(root: &Path, binds: &[Bind]) -> Result<(), ContainerError> {`
`240`	`262`	`const OLD_PATH: &str = "old_root";`
`241`	`263`