src/create: Handle read-only /boot

CoreOS recently made /boot read-only[0]. This caused an issue with starting containers because /boot was mounted only with option rslave but missed the ro option. This caused a permission issue. This scenario is very similar to the one with /usr on Fedora Silverblue. The solution for this is to check mount options of the path and check if it uses the rw option or ro and then add it to the mount options in the --volume option in 'podman create'. Fixes: coreos/fedora-coreos-tracker#734 coreos/fedora-coreos-config@1de21ff
HarryMichal · Feb 25, 2021 · c3bd4ce · c3bd4ce
1 parent af602c7
commit c3bd4ce
Showing 1 changed file with 19 additions and 8 deletions.
diff --git a/src/cmd/create.go b/src/cmd/create.go
@@ -265,8 +265,19 @@ func createContainer(container, image, release string, showCommandToEnter bool)
 	logrus.Debugf("%s canonicalized to %s", currentUser.HomeDir, homeDirEvaled)
 	homeDirMountArg := homeDirEvaled + ":" + homeDirEvaled + ":rslave"
 
+	bootMountFlags := "rw"
+	isBootReadWrite, err := isPathReadWrite("/boot")
+	if err != nil {
+		return err
+	}
+	if !isBootReadWrite {
+		bootMountFlags = "ro"
+	}
+
+	bootMountArg := "/boot:/run/host/boot:" + bootMountFlags + ",rslave"
+
 	usrMountFlags := "ro"
-	isUsrReadWrite, err := isUsrReadWrite()
+	isUsrReadWrite, err := isPathReadWrite("/usr")
 	if err != nil {
 		return err
 	}
@@ -414,7 +425,7 @@ func createContainer(container, image, release string, showCommandToEnter bool)
 	createArgs = append(createArgs, []string{
 		"--userns", usernsArg,
 		"--user", "root:root",
-		"--volume", "/boot:/run/host/boot:rslave",
+		"--volume", bootMountArg,
 		"--volume", "/etc:/run/host/etc",
 		"--volume", "/dev:/dev:rslave",
 		"--volume", "/run:/run/host/run:rslave",
@@ -624,22 +635,22 @@ func getServiceSocket(serviceName string, unitName string) (string, error) {
 	return "", errors.New(errMsg)
 }
 
-func isUsrReadWrite() (bool, error) {
-	logrus.Debug("Checking if /usr is mounted read-only or read-write")
+func isPathReadWrite(path string) (bool, error) {
+	logrus.Debugf("Checking if %s is mounted read-only or read-write", path)
 
-	mountPoint, err := utils.GetMountPoint("/usr")
+	mountPoint, err := utils.GetMountPoint(path)
 	if err != nil {
-		return false, fmt.Errorf("failed to get the mount-point of /usr: %s", err)
+		return false, fmt.Errorf("failed to get the mount-point of %s: %s", path, err)
 	}
 
-	logrus.Debugf("Mount-point of /usr is %s", mountPoint)
+	logrus.Debugf("Mount-point of %s is %s", path, mountPoint)
 
 	mountFlags, err := utils.GetMountOptions(mountPoint)
 	if err != nil {
 		return false, fmt.Errorf("failed to get the mount options of %s: %s", mountPoint, err)
 	}
 
-	logrus.Debugf("Mount flags of /usr on the host are %s", mountFlags)
+	logrus.Debugf("Mount flags of %s on the host are %s", path, mountFlags)
 
 	if !strings.Contains(mountFlags, "ro") {
 		return true, nil