buildroot: bind mount individual API endpoints
The current way API endpoints, i.e. sockets for API providers, are provided to the sandbox is via a temporary directory that is created by `BuildRoot` which later gets bind-mounted to a well-known path, i.e. /run/osbuild/api inside the sandbox. API providers are expected to create their socket in that temporary directory. Now that `BuildRoot` has a `register_api` method and each API has an `endpoint` property, the socket of each API provider, no matter where it is located, will get bind-mounted individually inside the sandbox at /run/osbuild/api using the `endpoint` identifier. For backwards-compatibility reasons the temporary API directory will still be created by `BuildRoot`, but it is no longer bind-mounted inside the container. This paves the way to remove that directory completely once all API providers are converted to not use that directory anymore.
This commit is contained in:
parent
bc81e68727
commit
21a60324bc
1 changed files with 9 additions and 7 deletions
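As an added illustration of the mechanism the commit message describes (example code written for this page, not osbuild's own `BuildRoot`): a hypothetical `Api` record carrying the `endpoint` and `socket_address` attributes the diff reads, a validator that rejects endpoint names that could escape `/run/osbuild/api`, and a function that builds the per-endpoint bwrap mount arguments. The names, the duplicate check and the read-only default are assumptions, not something the diff does.

```python
# Added example, not osbuild code. `Api`, `is_valid_endpoint`,
# `api_mount_args` and `create_provider_socket` are hypothetical; the diff
# only shows `api.endpoint` and `api.socket_address` being consumed.
import os
import socket
import tempfile
from dataclasses import dataclass

API_ROOT = "/run/osbuild/api"  # well-known path inside the sandbox


@dataclass(frozen=True)
class Api:
    endpoint: str        # name under API_ROOT, e.g. "sources"
    socket_address: str  # host-side path of the provider's unix socket


def is_valid_endpoint(name: str) -> bool:
    """An endpoint must be exactly one path component: non-empty, not "."
    or "..", no "/" and no NUL byte. Anything else would let
    API_ROOT + "/" + name resolve outside the well-known directory."""
    return (
        bool(name)
        and name not in (".", "..")
        and "/" not in name
        and "\0" not in name
    )


def api_mount_args(apis, read_only=True):
    """Return the bwrap argv fragment exposing each API socket at
    API_ROOT/<endpoint>. Read-only by default (assumption): the directory
    mount this commit removes was `--ro-bind`, and connect() on a unix
    socket does not need a writable mount."""
    args = ["--dir", API_ROOT]
    seen = set()
    for api in apis:
        if not is_valid_endpoint(api.endpoint):
            raise ValueError(f"invalid API endpoint name: {api.endpoint!r}")
        if api.endpoint in seen:
            raise ValueError(f"duplicate API endpoint: {api.endpoint!r}")
        if not os.path.isabs(api.socket_address):
            raise ValueError(f"socket address must be absolute: {api.socket_address!r}")
        seen.add(api.endpoint)
        flag = "--ro-bind" if read_only else "--bind"
        args += [flag, api.socket_address, os.path.join(API_ROOT, api.endpoint)]
    return args


def create_provider_socket(directory: str, name: str) -> socket.socket:
    """Bind a listening unix socket the way a provider might, anywhere on
    the host; only its path matters for the sandbox mount."""
    path = os.path.join(directory, name + ".sock")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(1)
    return sock


if __name__ == "__main__":
    # Constructed demo: two providers whose sockets live in different
    # places on the host, both exposed under API_ROOT by endpoint name.
    with tempfile.TemporaryDirectory(prefix="osbuild-example-") as d:
        srv = create_provider_socket(d, "sources")
        apis = [
            Api("sources", srv.getsockname()),
            Api("remoteloop", os.path.join(d, "remoteloop.sock")),
        ]
        print(" ".join(api_mount_args(apis)))
        srv.close()
```

The validator is the piece worth keeping in mind when reading the last hunk: once a caller-supplied name becomes a path component of a mount target, it needs the same single-component check a filename from an untrusted source would get.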
@ -61,10 +61,6 @@ class BuildRoot(contextlib.AbstractContextManager):
#
# For now, this includes:
#
# * We create an API directory where the caller can place sockets
# before we bind-mount it into the container on
# `/run/osbuild/api`.
#
# * We create a tmpfs instance *without* `nodev` which we then use
# as `/dev` in the container. This is required for the container
# to create device nodes for loop-devices.
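Review bot: the header comment now lists only the `/dev` tmpfs under "For now, this includes:", yet the build root still does one more thing beyond the default sandbox, it bind-mounts each registered API socket at `/run/osbuild/api/<endpoint>`. Rather than deleting the API bullet outright, replace it with one describing the per-endpoint mounts, e.g. `# * We bind-mount the socket of each registered API provider into the` / `#   container at /run/osbuild/api/<endpoint>.`, so the comment keeps describing what the code below sets up.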
@ -74,6 +70,8 @@ class BuildRoot(contextlib.AbstractContextManager):
# create throw-away data that it does not want to put into a
# tmpfs.
# Used to be bound to /run/osbuild/api, but not anymore, still around
# as the APIs have yet to be converted to not use temp directory anymore
api = tempfile.TemporaryDirectory(prefix="osbuild-api-", dir=self._rundir)
self.api = self._exitstack.enter_context(api)
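Review bot: the new comment is hard to parse ("but not anymore, still around as the APIs have yet to be converted to not use temp directory anymore") and does not say who still uses `self.api`; tighten it and leave a marker so the directory really does get removed later, e.g. `# No longer bind-mounted to /run/osbuild/api; kept only for API providers` / `# that still create their socket here. TODO: drop once all providers register` / `# their own endpoint.` It should also state that a socket created in this directory is not reachable from the sandbox any more unless the provider is registered, since the directory mount is removed in the hunk below.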
@ -157,9 +155,6 @@ class BuildRoot(contextlib.AbstractContextManager):
mounts += ["--proc", "/proc"]
mounts += ["--bind", "/sys", "/sys"]
# Make osbuild API-calls accessible to the container.
mounts += ["--ro-bind", f"{self.api}", "/run/osbuild/api"]
# We execute our own modules by bind-mounting them from the host into
# the build-root. We have minimal requirements on the build-root, so
# these modules can be executed. Everything else we provide ourselves.
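Review bot: with this `--ro-bind` gone, any provider that still creates its socket in `self.api` (which the commit message says is kept "for backwards compatibility") is unreachable from the sandbox unless it is also in `self._apis`; the directory is now created but never exposed. Either keep this mount until the last provider is converted, or say explicitly in the commit message that unregistered providers are expected to stop working. Note also that this mount was read-only, so replacing it with per-socket `--bind` mounts further down the argv quietly changes the sandbox's view of the API sockets from ro to rw.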
@ -180,6 +175,13 @@ class BuildRoot(contextlib.AbstractContextManager):
for b in readonly_binds or []:
mounts += ["--ro-bind"] + b.split(":")
# Prepare all registered API endpoints: bind mount the address with
# the `endpoint` name, provided by the API, into the well known path
mounts += ["--dir", "/run/osbuild/api"]
for api in self._apis:
api_path = "/run/osbuild/api/" + api.endpoint
mounts += ["--bind", api.socket_address, api_path]
cmd = [
"bwrap",
"--cap-add", "CAP_MAC_ADMIN",
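Review bot: `api.endpoint` is concatenated into the mount target without validation in `api_path = "/run/osbuild/api/" + api.endpoint`; an endpoint containing `/` or equal to `..` would make bwrap place the socket outside `/run/osbuild/api`, and two APIs with the same endpoint would silently mount over each other. Check in `register_api` (or in this loop) that the endpoint is a single, non-empty path component and unique. Consider `--ro-bind` instead of `--bind` here to keep the read-only posture the removed directory mount had; connecting to a unix socket does not require a writable mount, as the previous `--ro-bind` of the whole directory showed. Minor: `os.path.join("/run/osbuild/api", api.endpoint)` reads better than string concatenation.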