install: Ensure we label / (and /boot)
This came out of a discussion with bootc-image-builder, which
has this issue right now:
osbuild/bootc-image-builder#149

As I noted in that issue, I think it's basically been working
here because we always write to a real fresh filesystem, but
let's be very explicit.

There's a notable tricky bootstrapping we're solving here
around "what's the label of `/`" because we know we are running
the target OS as a container image already.

Signed-off-by: Colin Walters <[email protected]>
cgwalters committed Jan 29, 2024
1 parent 1fa75d0 commit 47db129
Showing 2 changed files with 11 additions and 0 deletions.
10 changes: 10 additions & 0 deletions lib/src/install.rs
@@ -445,6 +445,10 @@ async fn initialize_ostree_root_from_self(
let rootfs = root_setup.rootfs.as_path();
let cancellable = gio::Cancellable::NONE;

// Ensure that the physical root is labeled.
// Another implementation: https://github.com/coreos/coreos-assembler/blob/3cd3307904593b3a131b81567b13a4d0b6fe7c90/src/create_disk.sh#L295
state.lsm_label(rootfs, "/".into(), false)?;

// TODO: make configurable?
let stateroot = STATEROOT_DEFAULT;
Task::new_and_run(
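Review bot: the bare `false` third argument in `state.lsm_label(rootfs, "/".into(), false)?;` gives no hint of what is being switched off; a trailing comment or a named local would make clear whether this is the non-recursive form and why recursion is not needed at this point. The commit message's explanation of the bootstrapping problem (the label for `/` is resolved from the policy of the container image the installer is already running as, rather than from the target filesystem) is not visible in the source; it belongs in the `// Ensure that the physical root is labeled.` comment, since a reader of install.rs will not see the commit message. Worth confirming as well that `lsm_label` is a no-op rather than an error when no SELinux policy is available in the running container, because the `?` otherwise turns a label-free environment into an install failure.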
@@ -453,6 +457,12 @@ async fn initialize_ostree_root_from_self(
["admin", "init-fs", "--modern", rootfs.as_str()],
)?;

// And also label /boot AKA xbootldr, if it exists
let bootdir = rootfs.join("boot");
if bootdir.try_exists()? {
state.lsm_label(&bootdir, "/boot".into(), false)?;
}

// Default to avoiding grub2-mkconfig etc., but we need to use zipl on s390x.
// TODO: Lower this logic into ostree proper.
let bootloader = if cfg!(target_arch = "s390x") {
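Review bot: the `if bootdir.try_exists()?` branch silently does nothing when `boot` is absent, so a layout where `/boot` is created or mounted only later would leave it unlabeled without any trace; consider a debug log line in the else case, or a comment stating why absence is acceptable here. The ordering also deserves a sentence: the `/` label is applied before `ostree admin init-fs`, while this `/boot` label is applied after it, and if init-fs is what creates the `boot` directory, saying so in the `// And also label /boot AKA xbootldr, if it exists` comment would explain why the two calls are not adjacent. The `false` argument has the same readability issue as the root call.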
1 change: 1 addition & 0 deletions tests/kolainst/install
@@ -35,6 +35,7 @@ EOF
# but for now let's just sanity test that the install command executes.
lsblk ${DEV}
mount /dev/vda3 /var/mnt
ls -Z /var/mnt |grep ':root_t:'
grep foo=bar /var/mnt/loader/entries/*.conf
grep localtestkarg=somevalue /var/mnt/loader/entries/*.conf
grep -Ee '^linux /boot/ostree' /var/mnt/loader/entries/*.conf
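Review bot: `ls -Z /var/mnt |grep ':root_t:'` lists the entries inside the mounted filesystem, not the mount point itself, so it checks the labels of the children of `/` rather than the label that `state.lsm_label(rootfs, "/".into(), false)` sets on the root directory; `ls -dZ /var/mnt | grep ':root_t:'` asserts on the directory itself. As written the check can also pass for the wrong reason, since any child that happens to carry `root_t` satisfies the grep. Nothing in this test covers the `/boot` label added in `install.rs`; a matching `ls -dZ /var/mnt/boot` check against whatever type the policy assigns would exercise the second change.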