Merge pull request #881 from ckyrouac/container-check

ckyrouac · web-flow · commit 1507a58ed9e8 · 2024-11-08T16:46:11.000-05:00
install: Check if running in container earlier
diff --git a/lib/src/containerenv.rs b/lib/src/containerenv.rs
@@ -20,6 +20,10 @@ pub(crate) struct ContainerExecutionInfo {
     pub(crate) rootless: Option<String>,
 }
 
+pub(crate) fn is_container(rootfs: &Dir) -> bool {
+    rootfs.exists(PATH)
+}
+
 /// Load and parse the `/run/.containerenv` file.
 #[context("Querying container")]
 pub(crate) fn get_container_execution_info(rootfs: &Dir) -> Result<ContainerExecutionInfo> {
diff --git a/lib/src/install.rs b/lib/src/install.rs
@@ -326,6 +326,8 @@ pub(crate) struct State {
     pub(crate) install_config: Option<config::InstallConfiguration>,
     /// The parsed contents of the authorized_keys (not the file path)
     pub(crate) root_ssh_authorized_keys: Option<String>,
+    #[allow(dead_code)]
+    pub(crate) host_is_container: bool,
     /// The root filesystem of the running container
     pub(crate) container_root: Dir,
     pub(crate) tempdir: TempDir,
@@ -1159,14 +1161,17 @@ async fn prepare_install(
     tracing::trace!("Preparing install");
     // We need full root privileges, i.e. --privileged in podman
     crate::cli::require_root()?;
-    require_host_pidns()?;
-
     let rootfs = cap_std::fs::Dir::open_ambient_dir("/", cap_std::ambient_authority())
         .context("Opening /")?;
 
+    let host_is_container = crate::containerenv::is_container(&rootfs);
     let external_source = source_opts.source_imgref.is_some();
     let source = match source_opts.source_imgref {
         None => {
+            if !host_is_container {
+                anyhow::bail!("Either --source-imgref must be defined or this command must be executed inside a podman container.")
+            }
+            require_host_pidns()?;
             // Out of conservatism we only verify the host userns path when we're expecting
             // to do a self-install (e.g. not bootc-image-builder or equivalent).
             require_host_userns()?;
@@ -1274,6 +1279,7 @@ async fn prepare_install(
         root_ssh_authorized_keys,
         container_root: rootfs,
         tempdir,
+        host_is_container,
     });
 
     Ok(state)
diff --git a/plans/test-23-install-outside-container.fmf b/plans/test-23-install-outside-container.fmf
@@ -0,0 +1,9 @@
+provision:
+  how: virtual
+  # Generated by make test-tmt
+  image: file://./target/testvm/disk.qcow2
+  disk: 20
+summary: Execute tests for installing outside of a container
+execute:
+  how: tmt
+  script: exec nu tests/booted/test-install-outside-container.nu
diff --git a/tests/booted/test-install-outside-container.nu b/tests/booted/test-install-outside-container.nu
@@ -0,0 +1,14 @@
+use std assert
+use tap.nu
+
+# setup filesystem
+mkdir /var/mnt
+truncate -s 100M disk.img
+mkfs.ext4 disk.img
+mount -o loop disk.img /var/mnt
+
+# attempt to install to filesystem without specifying a source-imgref
+let result = bootc install to-filesystem /var/mnt e>| ansi strip
+assert equal $result "ERROR Installing to filesystem: Either --source-imgref must be defined or this command must be executed inside a podman container."
+
+tap ok
