Diffstat (limited to 'crates/runner/src/tar.rs')
-rw-r--r-- | crates/runner/src/tar.rs | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/crates/runner/src/tar.rs b/crates/runner/src/tar.rs
index 32d8e8d..10cac92 100644
--- a/crates/runner/src/tar.rs
+++ b/crates/runner/src/tar.rs
@@ -11,7 +11,7 @@ use nix::{
 sys::wait,
 };
-use common::error::*;
+use common::{error::*, string_hash::ArchiveHash};
 use super::{
 ns,
@@ -19,12 +19,28 @@ use super::{
 };
 use crate::paths;
-pub fn pack<W: Write, P: AsRef<Path>>(archive: &mut W, source: P) -> Result<()> {
+pub fn pack<W: Write, P: AsRef<Path>>(
+ rootfs_hash: &ArchiveHash,
+ archive: &mut W,
+ source: P,
+) -> Result<()> {
+ let rootfs = paths::depend_dir(rootfs_hash);
+ let _rootfs_mount = fs::mount(&rootfs, &rootfs, None, MsFlags::MS_BIND, None)
+ .with_context(|| format!("Failed to bind mount rootfs to {:?}", rootfs))?;
+ mount::mount::<str, str, str, str>(
+ None,
+ &rootfs,
+ None,
+ MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY,
+ None,
+ )
+ .context("Failed to mount container rootfs read-only")?;
+
 let (mut piper, pipew) = fs::pipe()?;
 let exec_tar = || -> Result<()> {
- // We are in our own mount namespace, so mounting into the shared ROOTFS_DIR is fine
- let dev_target = paths::join(&[paths::ROOTFS_DIR, "dev"]);
+ // We are in our own mount namespace, so mounting into the shared rootfs is fine
+ let dev_target = paths::join(&[&rootfs, "dev"]);
 mount::mount::<_, _, str, str>(
 Some(paths::DEV_DIR),
 dev_target.as_str(),
@@ -32,7 +48,7 @@ pub fn pack<W: Write, P: AsRef<Path>>(archive: &mut W, source: P) -> Result<()>
 MsFlags::MS_BIND | MsFlags::MS_REC,
 None,
 )?;
- let mount_target = paths::join(&[paths::ROOTFS_DIR, paths::TASK_BUILDDIR]);
+ let mount_target = paths::join(&[&rootfs, paths::TASK_BUILDDIR]);
 mount::mount::<_, _, str, str>(
 Some(source.as_ref()),
 mount_target.as_str(),
@@ -41,7 +57,7 @@ pub fn pack<W: Write, P: AsRef<Path>>(archive: &mut W, source: P) -> Result<()>
 None,
 )?;
- ns::pivot_root(paths::ROOTFS_DIR);
+ ns::pivot_root(&rootfs);
 let err = Command::new("tar")
 .args(&[ |
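Review bot: The read-only remount added at the top of `pack` requests only `MS_RDONLY`, so it does not ask for `nosuid` or `nodev` on the rootfs that `tar` is executed from after `ns::pivot_root(&rootfs)`. If the dependency rootfs is not expected to need setuid binaries or its own device nodes (the `dev` bind is a separate mount and would be unaffected), the flags line could read `MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY | MsFlags::MS_NOSUID | MsFlags::MS_NODEV,`. The initial bind is made without `MS_REC`, so the read-only state covers that single mount only and the binds added inside `exec_tar` keep their own flags; a comment such as `// Read-only applies to the rootfs bind itself; the dev and build-dir binds below are separate mounts` would make that explicit. These two mounts also run before the `exec_tar` closure whose comment mentions a private mount namespace, and `pack` continues past the end of the hunk, so which namespace they land in is not visible here and deserves a line in a doc comment on `pack`.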