install: Verify target image fetch by default

Now that we've dropped the `--net=none` by default, let's
avoid two major footguns by verifying the target image specification
by default.

- Forgetting to use `--target-no-signature-verification` (most people are going to need this in demos right now)
- When the target OS requires an authenticated pull, but one didn't embed the pull secret in the target OS

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

docs/install.md

@@ -59,6 +59,26 @@ The `--pid=host --security-opt label=type:unconfined_t` today
 make it more convenient for bootc to perform some privileged
 operations; in the future these requirement may be dropped.
 
+### "day 2" updates, security and fetch configuration
+
+Note that by default the `bootc install` path will find the pull specification used
+for the `podman run` invocation and use it to set up "day 2" OS updates that `bootc update`
+will use.
+
+For example, if you invoke `podman run --privileged ... quay.io/examplecorp/exampleos:latest bootc install ...`
+then the installed operating system will fetch updates from `quay.io/examplecorp/exampleos:latest`.
+This can be overridden via `--target_imgref`; this is handy in cases like performing
+installation in a manufacturing environment from a mirrored registry.
+
+By default, the installation process will verify that the container (representing the target OS)
+can fetch its own updates.  A common cause of failure here is not changing the security settings
+in `/etc/containers/policy.json` in the target OS to verify signatures.
+
+If you are pushing an unsigned image, you must specify `bootc install --target-no-signature-verification`.
+
+Additionally note that to perform an install from an authenticated registry, you must also embed
+the pull secret into the image to pass this check.  If you are fetching
+
 ### Operating system install configuration required
 
 The container image must define its default install configuration.  For example,

lib/src/install.rs

@@ -73,6 +73,18 @@ pub(crate) struct InstallTargetOpts {
     /// Enable verification via an ostree remote
     #[clap(long)]
     pub(crate) target_ostree_remote: Option<String>,
+
+    /// By default, the accessiblity of the target image will be verified (just the manifest will be fetched).
+    /// Specifying this option suppresses the check; use this when you know the issues it might find
+    /// are addressed.
+    ///
+    /// Two main reasons this might fail:
+    ///
+    ///  - Forgetting `--target-no-signature-verification` if needed
+    ///  - Using a registry which requires authentication, but not embedding the pull secret in the image.
+    #[clap(long)]
+    #[serde(default)]
+    pub(crate) skip_fetch_check: bool,
 }
 
 #[derive(clap::Args, Debug, Clone, Serialize, Deserialize)]
@@ -765,6 +777,28 @@ pub(crate) fn propagate_tmp_mounts_to_host() -> Result<()> {
     Ok(())
 }
 
+/// Verify that we can load the manifest of the target image
+#[context("Verifying fetch")]
+async fn verify_target_fetch(imgref: &ostree_container::OstreeImageReference) -> Result<()> {
+    let tmpdir = tempfile::tempdir()?;
+    let tmprepo = &ostree::Repo::new_for_path(tmpdir.path());
+    tmprepo
+        .create(ostree::RepoMode::Bare, ostree::gio::Cancellable::NONE)
+        .context("Init tmp repo")?;
+
+    tracing::trace!("Verifying fetch for {imgref}");
+    let mut imp =
+        ostree_container::store::ImageImporter::new(&tmprepo, imgref, Default::default()).await?;
+    use ostree_container::store::PrepareResult;
+    let prep = match imp.prepare().await? {
+        // SAFETY: It's impossible that the image was already fetched into this newly created temporary repository
+        PrepareResult::AlreadyPresent(_) => unreachable!(),
+        PrepareResult::Ready(r) => r,
+    };
+    tracing::debug!("Fetched manifest with digest {}", prep.manifest_digest);
+    Ok(())
+}
+
 /// Preparation for an install; validates and prepares some (thereafter immutable) global state.
 async fn prepare_install(
     config_opts: InstallConfigOpts,
@@ -816,6 +850,10 @@ async fn prepare_install(
     };
     tracing::debug!("Target image reference: {target_imgref}");
 
+    if !target_opts.skip_fetch_check {
+        verify_target_fetch(&target_imgref).await?;
+    }
+
     ensure_var()?;
     propagate_tmp_mounts_to_host()?;
 

lib/src/privtests.rs

@@ -152,7 +152,7 @@ fn test_install_filesystem(image: &str, blockdev: &Utf8Path) -> Result<()> {
     let mountpoint: &Utf8Path = mountpoint_dir.path().try_into().unwrap();
 
     // And run the install
-    cmd!(sh, "podman run --rm --privileged --pid=host --env=RUST_LOG -v /usr/bin/bootc:/usr/bin/bootc -v {mountpoint}:/target-root {image} bootc install-to-filesystem /target-root").run()?;
+    cmd!(sh, "podman run --rm --privileged --pid=host --env=RUST_LOG -v /usr/bin/bootc:/usr/bin/bootc -v {mountpoint}:/target-root {image} bootc install-to-filesystem --target-no-signature-verification /target-root").run()?;
 
     cmd!(sh, "umount -R {mountpoint}").run()?;
 

tests/kolainst/install

@@ -19,7 +19,7 @@ cd $(mktemp -d)
 
 case "${AUTOPKGTEST_REBOOT_MARK:-}" in
   "")
-    podman run --rm -ti --privileged --pid=host -v /usr/bin/bootc:/usr/bin/bootc ${IMAGE} bootc install --karg=foo=bar ${DEV}
+    podman run --rm -ti --privileged --pid=host -v /usr/bin/bootc:/usr/bin/bootc ${IMAGE} bootc install --target-no-signature-verification --karg=foo=bar ${DEV}
     # In theory we could e.g. wipe the bootloader setup on the primary disk, then reboot;
     # but for now let's just sanity test that the install command executes.
     lsblk ${DEV}