mount: clean up mount APIs

allisonkarlitskaya · croissanne · allisonkarlitskaya · commit 828895ca25e6 · 2025-06-24T15:13:09.000+02:00
Change the Repository::mount() API to return the mounted filesystem as
an fd rather than taking the mountpoint as an argument.  Create a new
mount_at() API to replace the old one, replacing the canicalize() and
mount_at() calls that used to be in mount_composefs_at(), which we
remove.

Update the various users.

Making this change lets us simplify the logic in composefs-setup-root:
it no longer has to manually open the image in order to perform the
fsmount operation: it can use the new API on the repository.

This allows us to make Repository::open_image() private, so do that too.

Co-authored-by: Sanne Raymaekers &lt;sanne.raymaekers@gmail.com&gt;
Signed-off-by: Allison Karlitskaya &lt;allison.karlitskaya@redhat.com&gt;
diff --git a/crates/cfsctl/src/main.rs b/crates/cfsctl/src/main.rs
@@ -339,7 +339,7 @@ async fn main() -> Result<()> {
             fs.print_dumpfile()?;
         }
         Command::Mount { name, mountpoint } => {
-            repo.mount(&name, &mountpoint)?;
+            repo.mount_at(&name, &mountpoint)?;
         }
         Command::ImageObjects { name } => {
             let objects = repo.objects_for_image(&name)?;
diff --git a/crates/composefs-oci/src/lib.rs b/crates/composefs-oci/src/lib.rs
@@ -152,7 +152,7 @@ pub fn mount<ObjectID: FsVerityHashValue>(
     let Some(id) = config.get_config_annotation("containers.composefs.fsverity") else {
         bail!("Can only mount sealed containers");
     };
-    repo.mount(id, mountpoint)
+    repo.mount_at(id, mountpoint)
 }
 
 #[cfg(test)]
diff --git a/crates/composefs-setup-root/src/main.rs b/crates/composefs-setup-root/src/main.rs
@@ -19,7 +19,7 @@ use serde::Deserialize;
 
 use composefs::{
     fsverity::{FsVerityHashValue, Sha256HashValue},
-    mount::{composefs_fsmount, mount_at, FsHandle},
+    mount::{mount_at, FsHandle},
     mountcompat::{overlayfs_set_fd, overlayfs_set_lower_and_data_fds, prepare_mount},
     repository::Repository,
 };
@@ -166,8 +166,7 @@ fn open_root_fs(path: &Path) -> Result<OwnedFd> {
 
 fn mount_composefs_image(sysroot: &OwnedFd, name: &str) -> Result<OwnedFd> {
     let repo = Repository::<Sha256HashValue>::open_path(sysroot, "composefs")?;
-    let image = repo.open_image(name)?;
-    composefs_fsmount(image, name, repo.objects_dir()?).context("Failed to mount composefs image")
+    repo.mount(name)
 }
 
 fn mount_subdir(
diff --git a/crates/composefs/src/mount.rs b/crates/composefs/src/mount.rs
@@ -1,12 +1,9 @@
 use std::{
-    fs::canonicalize,
     io::Result,
     os::fd::{AsFd, BorrowedFd, OwnedFd},
-    path::Path,
 };
 
 use rustix::{
-    fs::CWD,
     mount::{
         fsconfig_create, fsconfig_set_flag, fsconfig_set_string, fsmount, fsopen, move_mount,
         FsMountFlags, FsOpenFlags, MountAttrFlags, MoveMountFlags,
@@ -95,13 +92,3 @@ pub fn composefs_fsmount(image: OwnedFd, name: &str, basedir: impl AsFd) -> Resu
         MountAttrFlags::empty(),
     )?)
 }
-
-pub fn mount_composefs_at(
-    image: OwnedFd,
-    name: &str,
-    basedir: impl AsFd,
-    mountpoint: impl AsRef<Path>,
-) -> Result<()> {
-    let mnt = composefs_fsmount(image, name, basedir)?;
-    Ok(mount_at(mnt, CWD, &canonicalize(mountpoint)?)?)
-}
diff --git a/crates/composefs/src/repository.rs b/crates/composefs/src/repository.rs
@@ -1,7 +1,7 @@
 use std::{
     collections::HashSet,
     ffi::CStr,
-    fs::File,
+    fs::{canonicalize, File},
     io::{Read, Write},
     os::fd::{AsFd, OwnedFd},
     path::{Path, PathBuf},
@@ -23,7 +23,7 @@ use crate::{
     fsverity::{
         compute_verity, enable_verity, ensure_verity_equal, measure_verity, FsVerityHashValue,
     },
-    mount::mount_composefs_at,
+    mount::{composefs_fsmount, mount_at},
     splitstream::{DigestMap, SplitStreamReader, SplitStreamWriter},
     util::{proc_self_fd, Sha256Digest},
 };
@@ -383,7 +383,7 @@ impl<ObjectID: FsVerityHashValue> Repository<ObjectID> {
         self.write_image(Some(name), &data)
     }
 
-    pub fn open_image(&self, name: &str) -> Result<OwnedFd> {
+    fn open_image(&self, name: &str) -> Result<OwnedFd> {
         let image = self.openat(&format!("images/{name}"), OFlags::RDONLY)?;
 
         if !name.contains("/") {
@@ -394,13 +394,16 @@ impl<ObjectID: FsVerityHashValue> Repository<ObjectID> {
         Ok(image)
     }
 
-    pub fn mount(&self, name: &str, mountpoint: &str) -> Result<()> {
+    pub fn mount(&self, name: &str) -> Result<OwnedFd> {
         let image = self.open_image(name)?;
-        Ok(mount_composefs_at(
-            image,
-            name,
-            self.objects_dir()?,
-            mountpoint,
+        Ok(composefs_fsmount(image, name, self.objects_dir()?)?)
+    }
+
+    pub fn mount_at(&self, name: &str, mountpoint: impl AsRef<Path>) -> Result<()> {
+        Ok(mount_at(
+            self.mount(name)?,
+            CWD,
+            &canonicalize(mountpoint)?,
         )?)
     }
 

Original file line number	Diff line number	Diff line change
`@@ -339,7 +339,7 @@ async fn main() -> Result<()> {`
`339`	`339`	`fs.print_dumpfile()?;`
`340`	`340`	`}`
`341`	`341`	`Command::Mount { name, mountpoint } => {`
`342`		`- repo.mount(&name, &mountpoint)?;`
	`342`	`+ repo.mount_at(&name, &mountpoint)?;`
`343`	`343`	`}`
`344`	`344`	`Command::ImageObjects { name } => {`
`345`	`345`	`let objects = repo.objects_for_image(&name)?;`
Original file line number	Diff line number	Diff line change
`@@ -152,7 +152,7 @@ pub fn mount<ObjectID: FsVerityHashValue>(`
`152`	`152`	`let Some(id) = config.get_config_annotation("containers.composefs.fsverity") else {`
`153`	`153`	`bail!("Can only mount sealed containers");`
`154`	`154`	`};`
`155`		`- repo.mount(id, mountpoint)`
	`155`	`+ repo.mount_at(id, mountpoint)`
`156`	`156`	`}`
`157`	`157`
`158`	`158`	`#[cfg(test)]`