authorMatthias Schiffer <mschiffer@universe-factory.net>2021-11-01 23:20:49 +0100
committerMatthias Schiffer <mschiffer@universe-factory.net>2021-11-01 23:33:45 +0100
commit3123a16b6793a209aa10b4e72b63729ae9a32e99 (patch)
treec22afe45db2e2091fb19e723a046a3fe2ee3c024 /crates/runner/src/tar.rs
parentf6e4529dba0adbf1736687686a0d70e674830a21 (diff)
runner: use rootfs passed in Task definition
With this, the rootfs hash is included in the task's input hash, so now the hash covers all significant inputs except for the runner itself.
Diffstat (limited to 'crates/runner/src/tar.rs')
-rw-r--r--crates/runner/src/tar.rs28
1 files changed, 22 insertions, 6 deletions
diff --git a/crates/runner/src/tar.rs b/crates/runner/src/tar.rs
index 32d8e8d..10cac92 100644
--- a/crates/runner/src/tar.rs
+++ b/crates/runner/src/tar.rs
@@ -11,7 +11,7 @@ use nix::{
sys::wait,
};
-use common::error::*;
+use common::{error::*, string_hash::ArchiveHash};
use super::{
ns,
@@ -19,12 +19,28 @@ use super::{
};
use crate::paths;
-pub fn pack<W: Write, P: AsRef<Path>>(archive: &mut W, source: P) -> Result<()> {
+pub fn pack<W: Write, P: AsRef<Path>>(
+ rootfs_hash: &ArchiveHash,
+ archive: &mut W,
+ source: P,
+) -> Result<()> {
+ let rootfs = paths::depend_dir(rootfs_hash);
+ let _rootfs_mount = fs::mount(&rootfs, &rootfs, None, MsFlags::MS_BIND, None)
+ .with_context(|| format!("Failed to bind mount rootfs to {:?}", rootfs))?;
+ mount::mount::<str, str, str, str>(
+ None,
+ &rootfs,
+ None,
+ MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY,
+ None,
+ )
+ .context("Failed to mount container rootfs read-only")?;
+
let (mut piper, pipew) = fs::pipe()?;
let exec_tar = || -> Result<()> {
- // We are in our own mount namespace, so mounting into the shared ROOTFS_DIR is fine
- let dev_target = paths::join(&[paths::ROOTFS_DIR, "dev"]);
+ // We are in our own mount namespace, so mounting into the shared rootfs is fine
+ let dev_target = paths::join(&[&rootfs, "dev"]);
mount::mount::<_, _, str, str>(
Some(paths::DEV_DIR),
dev_target.as_str(),
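Review bot: The bind mount and read-only remount added at the top of `pack` run before the `exec_tar` closure, yet the only statement of the mount-namespace assumption is still the comment inside that closure. If `pack` is always entered from a process that already has a private mount namespace, say so where the new mounts are made, e.g. `// Caller already runs in a private mount namespace, so this bind mount stays out of the host mount table`; if that does not hold, the bind mount on `rootfs` lands in a namespace shared with other work. A short comment on `_rootfs_mount` would also help, since it is presumably an unmount-on-drop guard that must outlive the tar child (its type is not visible here). The remount passes only `MS_RDONLY`; inside a user namespace a bind remount that drops flags locked on the underlying mount (`nosuid`, `nodev`, `noexec`) is refused with EPERM, so it is worth confirming this for wherever `paths::depend_dir` points. The body of `pack` continues past the end of this hunk.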
@@ -32,7 +48,7 @@ pub fn pack<W: Write, P: AsRef<Path>>(archive: &mut W, source: P) -> Result<()>
MsFlags::MS_BIND | MsFlags::MS_REC,
None,
)?;
- let mount_target = paths::join(&[paths::ROOTFS_DIR, paths::TASK_BUILDDIR]);
+ let mount_target = paths::join(&[&rootfs, paths::TASK_BUILDDIR]);
mount::mount::<_, _, str, str>(
Some(source.as_ref()),
mount_target.as_str(),
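Review bot: The `dev` mount that closes at the top of this hunk and the build-directory mount that opens at the bottom both still end in a bare `?`, while the two mounts added earlier in this commit attach a message through `.with_context` / `.context`. Now that the root is a task-selected archive that has already been remounted read-only, a rootfs lacking the `dev` or build directory would presumably surface here as a bare errno with no path in it. Consider `.with_context(|| format!("Failed to mount {:?}", mount_target))?` on this call and the equivalent for `dev_target`. Both calls begin or end outside this hunk.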
@@ -41,7 +57,7 @@ pub fn pack<W: Write, P: AsRef<Path>>(archive: &mut W, source: P) -> Result<()>
None,
)?;
- ns::pivot_root(paths::ROOTFS_DIR);
+ ns::pivot_root(&rootfs);
let err = Command::new("tar")
.args(&[