Add a check for required binaries

cgwalters · cgwalters · commit cec44026bc54 · 2025-11-13T21:18:08.000-05:00
- We require bwrap in the target container currently, make
  that clear. That needs to be done in the entrypoint
  shell script.
- Once we're past that we're in Rust, so add infrastructure
  to verify that we have systemctl and objcopy for
  the UKI extraction.

Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/kit/Cargo.toml b/crates/kit/Cargo.toml
@@ -49,6 +49,7 @@ strum = { version = "0.26", features = ["derive"] }
 quick-xml = "0.36"
 oci-spec = "0.8.2"
 sha2 = "0.10"
+which = "7.0"
 
 [dev-dependencies]
 similar-asserts = "1.5"
diff --git a/crates/kit/scripts/entrypoint.sh b/crates/kit/scripts/entrypoint.sh
@@ -3,6 +3,12 @@ set -euo pipefail
 
 SELFEXE=/run/selfexe
 
+# Check for required binaries early
+if ! command -v bwrap &>/dev/null; then
+    echo "Error: bwrap (bubblewrap) is currently required in the target container image" >&2
+    exit 1
+fi
+
 # Shell script library
 init_tmproot() {
     if test -d /run/tmproot; then return 0; fi
diff --git a/crates/kit/src/run_ephemeral.rs b/crates/kit/src/run_ephemeral.rs
@@ -700,6 +700,29 @@ fn parse_service_exit_code(status_content: &str) -> Result<i32> {
     Ok(0)
 }
 
+/// Check for required binaries in the target container image
+///
+/// These binaries must be present in the container image being run as an ephemeral VM.
+fn check_required_container_binaries() -> Result<()> {
+    // We use systemctl in a few places. objcopy is for UKI extraction.
+    let required_binaries = ["systemctl", "objcopy"];
+
+    let mut missing = Vec::new();
+
+    for binary in &required_binaries {
+        if which::which(binary).is_err() {
+            missing.push(format!("Missing required executable: {}", binary));
+        }
+    }
+
+    if !missing.is_empty() {
+        return Err(eyre!("{}", missing.join("\n")));
+    }
+
+    debug!("All required container binaries found");
+    Ok(())
+}
+
 /// VM execution inside container: extracts kernel/initramfs, starts virtiofsd processes,
 /// generates systemd mount units, sets up command execution, launches QEMU.
 pub(crate) async fn run_impl(opts: RunEphemeralOpts) -> Result<()> {
@@ -708,6 +731,9 @@ pub(crate) async fn run_impl(opts: RunEphemeralOpts) -> Result<()> {
 
     debug!("Running QEMU implementation inside container");
 
+    // Check for required binaries in the target container image early
+    check_required_container_binaries()?;
+
     // Initialize status writer for supervisor monitoring
     let status_writer = StatusWriter::new("/run/supervisor-status.json");
     status_writer.update_state(SupervisorState::WaitingForSystemd)?;
