runner: use rootfs passed in Task definition

With this, the rootfs hash is included in the task's input hash, so now
the hash covers all significant inputs except for the runner itself.

1 files changed, 27 insertions, 19 deletions

diff --git a/crates/runner/src/task.rs b/crates/runner/src/task.rs
index c43fc2f..8981d13 100644
--- a/crates/runner/src/task.rs
+++ b/crates/runner/src/task.rs
@@ -51,6 +51,7 @@ fn input_hash(task: &Task) -> InputHash {
 	struct HashInput<'a> {
 		pub command: &'a str,
 		pub workdir: &'a str,
+		pub rootfs: &'a ArchiveHash,
 		pub inherit: &'a [LayerHash],
 		pub depends: HashMap<DependencyHash, &'a Dependency>,
 		pub outputs: &'a HashMap<String, String>,
@@ -58,6 +59,7 @@ fn input_hash(task: &Task) -> InputHash {
 	let input = HashInput {
 		command: &task.command,
 		workdir: &task.workdir,
+		rootfs: &task.rootfs,
 		inherit: &task.inherit,
 		depends: task
 			.depends
@@ -180,22 +182,27 @@ fn check_conflicts(
 	Ok(())
 }
 
-fn init_task_rootfs(input_hash: &InputHash, depends: &DependMap) -> Result<Stack<fs::Mount>> {
+fn init_task_rootfs(input_hash: &InputHash, task: &Task) -> Result<Stack<fs::Mount>> {
 	let task_tmp_dir = paths::task_tmp_dir(input_hash);
 	let mount_target = paths::join(&[&task_tmp_dir, paths::TASK_TMP_ROOTFS_SUBDIR]);
+	let rootfs = paths::depend_dir(&task.rootfs);
+
+	let depends = unpack_dependencies(input_hash, task).context("Failed to unpack dependencies")?;
 
 	let mut mounts = Stack::new();
 
 	mounts.push(
-		fs::mount(
-			paths::ROOTFS_DIR,
-			&mount_target,
-			None,
-			MsFlags::MS_BIND,
-			None,
-		)
-		.with_context(|| format!("Failed to bind mount rootfs to {:?}", mount_target))?,
+		fs::mount(rootfs, &mount_target, None, MsFlags::MS_BIND, None)
+			.with_context(|| format!("Failed to bind mount rootfs to {:?}", mount_target))?,
 	);
+	mount::mount::<str, str, str, str>(
+		None,
+		&mount_target,
+		None,
+		MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY,
+		None,
+	)
+	.context("Failed to mount container rootfs read-only")?;
 
 	let (mut dirs, mut files) = get_contents(&mount_target, "")?;
 
@@ -209,11 +216,11 @@ fn init_task_rootfs(input_hash: &InputHash, depends: &DependMap) -> Result<Stack
 			)));
 		}
 
-		let dep_target = mount_target.clone() + path;
+		let dep_target = mount_target.clone() + &path;
 		let dep_paths: Box<[_]> = dep_hashes.iter().map(paths::depend_dir).collect();
 
 		for dep in dep_paths.iter() {
-			let (dep_dirs, dep_files) = get_contents(dep, path)?;
+			let (dep_dirs, dep_files) = get_contents(dep, &path)?;
 			check_conflicts(&dirs, &files, &dep_dirs, &dep_files)?;
 			dirs.extend(dep_dirs);
 			files.extend(dep_files);
@@ -306,6 +313,8 @@ fn unpack_dependency(task: &Task, hash: &ArchiveHash) -> Result<()> {
 fn unpack_dependencies(input_hash: &InputHash, task: &Task) -> Result<DependMap> {
 	let task_tmp_dir = paths::task_tmp_dir(input_hash);
 
+	unpack_dependency(task, &task.rootfs)?;
+
 	let mut ret = DependMap::new();
 
 	for dep in &task.depends {
@@ -330,7 +339,7 @@ fn unpack_dependencies(input_hash: &InputHash, task: &Task) -> Result<DependMap>
 	Ok(ret)
 }
 
-fn collect_output(input_hash: &InputHash, path: &str) -> Result<Option<ArchiveHash>> {
+fn collect_output(input_hash: &InputHash, task: &Task, path: &str) -> Result<Option<ArchiveHash>> {
 	let source = paths::join(&[&paths::task_tmp_dir(input_hash), path]);
 	if !Path::new(&source).is_dir() {
 		return Ok(None);
@@ -344,7 +353,7 @@ fn collect_output(input_hash: &InputHash, path: &str) -> Result<Option<ArchiveHa
 		let writer = TeeWriter::new(file, hasher);
 		let mut buffered_writer = BufWriter::with_capacity(16 * 1024 * 1024, writer);
 
-		super::tar::pack(&mut buffered_writer, &source)?;
+		super::tar::pack(&task.rootfs, &mut buffered_writer, &source)?;
 
 		let writer = buffered_writer.into_inner()?;
 		let (file, hasher) = writer.into_inner();
@@ -364,7 +373,7 @@ fn collect_outputs(input_hash: &InputHash, task: &Task) -> Result<HashMap<String
 	let mut ret = HashMap::new();
 
 	for (name, path) in &task.outputs {
-		if let Some(hash) = collect_output(input_hash, path)? {
+		if let Some(hash) = collect_output(input_hash, task, path)? {
 			ret.insert(name.clone(), hash);
 		}
 	}
@@ -374,9 +383,8 @@ fn collect_outputs(input_hash: &InputHash, task: &Task) -> Result<HashMap<String
 
 fn run_task(input_hash: &InputHash, task: &Task, jobserver: &mut Jobserver) -> Result<()> {
 	let _workdir_mount = init_task(input_hash, task).context("Failed to initialize task")?;
-	let depends = unpack_dependencies(input_hash, task).context("Failed to unpack dependencies")?;
 	let _rootfs_mounts =
-		init_task_rootfs(input_hash, &depends).context("Failed to initialize task rootfs")?;
+		init_task_rootfs(input_hash, task).context("Failed to initialize task rootfs")?;
 
 	let task_tmp_dir = paths::task_tmp_dir(input_hash);
 	let rootfs = paths::join(&[&task_tmp_dir, paths::TASK_TMP_ROOTFS_SUBDIR]);
@@ -475,7 +483,7 @@ fn run_task(input_hash: &InputHash, task: &Task, jobserver: &mut Jobserver) -> R
 	Ok(())
 }
 
-fn hash_layer(input_hash: &InputHash) -> Result<Option<LayerHash>> {
+fn hash_layer(input_hash: &InputHash, task: &Task) -> Result<Option<LayerHash>> {
 	let task_state_dir = paths::task_state_dir(input_hash);
 	let task_layer_dir = paths::join(&[&task_state_dir, paths::TASK_STATE_LAYER_SUBDIR]);
 
@@ -487,7 +495,7 @@ fn hash_layer(input_hash: &InputHash) -> Result<Option<LayerHash>> {
 		let hasher = LayerHasher::new();
 		let mut buffered_writer = BufWriter::with_capacity(16 * 1024 * 1024, hasher);
 
-		tar::pack(&mut buffered_writer, &task_layer_dir)?;
+		tar::pack(&task.rootfs, &mut buffered_writer, &task_layer_dir)?;
 
 		let hasher = buffered_writer.into_inner()?;
 		Ok(Some(LayerHash(StringHash(hasher.finalize().into()))))
@@ -529,7 +537,7 @@ fn run_and_hash_task(
 
 	let outputs = collect_outputs(input_hash, task)?;
 
-	let layer = hash_layer(input_hash)?;
+	let layer = hash_layer(input_hash, task)?;
 	move_layer(input_hash, &layer)?;
 
 	Ok(TaskOutput {