From 3123a16b6793a209aa10b4e72b63729ae9a32e99 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Mon, 1 Nov 2021 23:20:49 +0100
Subject: runner: use rootfs passed in Task definition

With this, the rootfs hash is included in the task's input hash, so now the hash covers all significant inputs except for the runner itself.
---
 crates/runner/src/tar.rs | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
(limited to 'crates/runner/src/tar.rs')

diff --git a/crates/runner/src/tar.rs b/crates/runner/src/tar.rs
index 32d8e8d..10cac92 100644
--- a/crates/runner/src/tar.rs
+++ b/crates/runner/src/tar.rs
@@ -11,7 +11,7 @@ use nix::{
 sys::wait,
 };
 
-use common::error::*;
+use common::{error::*, string_hash::ArchiveHash};
 
 use super::{
 ns,
@@ -19,12 +19,28 @@ use super::{
 };
 use crate::paths;
 
-pub fn pack>(archive: &mut W, source: P) -> Result<()> {
+pub fn pack>(
+ rootfs_hash: &ArchiveHash,
+ archive: &mut W,
+ source: P,
+) -> Result<()> {
+ let rootfs = paths::depend_dir(rootfs_hash);
+ let _rootfs_mount = fs::mount(&rootfs, &rootfs, None, MsFlags::MS_BIND, None)
+ .with_context(|| format!("Failed to bind mount rootfs to {:?}", rootfs))?;
+ mount::mount::(
+ None,
+ &rootfs,
+ None,
+ MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY,
+ None,
+ )
+ .context("Failed to mount container rootfs read-only")?;
+
 let (mut piper, pipew) = fs::pipe()?;
 
 let exec_tar = || -> Result<()> {
- // We are in our own mount namespace, so mounting into the shared ROOTFS_DIR is fine
- let dev_target = paths::join(&[paths::ROOTFS_DIR, "dev"]);
+ // We are in our own mount namespace, so mounting into the shared rootfs is fine
+ let dev_target = paths::join(&[&rootfs, "dev"]);
 mount::mount::<_, _, str, str>(
 Some(paths::DEV_DIR),
 dev_target.as_str(),
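Review bot: The read-only remount at the top of the new `pack` body passes only `MS_REMOUNT | MS_BIND | MS_RDONLY`, and a bind remount replaces the mount point's per-mount flags with exactly the set given, so any `nosuid`/`nodev`/`noexec` carried by the mount under `paths::depend_dir` is not retained on this bind mount (and, if the runner operates in an unprivileged user namespace where those flags are locked, the remount fails with EPERM). If the depend dir is expected to carry such flags, the remount should restate them, e.g. `MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY | MsFlags::MS_NOSUID | MsFlags::MS_NODEV`, or the existing flags should be read back from the mount before remounting. Separately, `pack` is public and gained a parameter without a doc comment; a line such as `/// Pack source into archive by running tar inside the rootfs identified by rootfs_hash, which is bind-mounted read-only for the duration of the call.` would state the new contract and the role of the `_rootfs_mount` guard, which presumably unmounts on drop. Whether `pack` itself already runs in a private mount namespace is not visible here; the updated comment inside `exec_tar` covers only the child, while the bind mount is made before the child and stays visible to whatever namespace `pack` runs in until the guard is dropped.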
@@ -32,7 +48,7 @@ pub fn pack>(archive: &mut W, source: P) -> Result<()>
 MsFlags::MS_BIND | MsFlags::MS_REC,
 None,
 )?;
- let mount_target = paths::join(&[paths::ROOTFS_DIR, paths::TASK_BUILDDIR]);
+ let mount_target = paths::join(&[&rootfs, paths::TASK_BUILDDIR]);
 mount::mount::<_, _, str, str>(
 Some(source.as_ref()),
 mount_target.as_str(),
@@ -41,7 +57,7 @@ pub fn pack>(archive: &mut W, source: P) -> Result<()>
 None,
 )?;
 
- ns::pivot_root(paths::ROOTFS_DIR);
+ ns::pivot_root(&rootfs);
 
 let err = Command::new("tar")
 .args(&[
--
cgit v1.2.3