mount: substantially rework mounting code

This represents a substantial rewrite of the mounting code.
composefs-pivot-sysroot is renamed to composefs-prepare-root and now
understands ostree's /usr/lib/ostree/prepare-root.conf file (supporting
transient overlays for /etc and /, also adding support /var).  In
addition it's possible to specify that /etc and /var are one of:
  - none: no mount, will be readonly contents of composefs at runtime
  - bind: straight bind-mount from the state directory
  - overlay: state directory contains the upperdir of an overlay
  - transient: alias for transient=true (ie: overlay with tmpfs)

This follows the /sysroot/state/ layout discussed in #38.

The default for /etc is 'overlay' and the default for /var is 'bind'.

In general the new command focuses less on absolute minimalism: we now
have proper commandline parsing and our config file is parsed as toml
via serde.  This makes the command (which gets included in the
initramfs) a fair bit bigger: it's 1.2MB now (but compresses to about
half that).  We can deal with that later if it's really a problem,
though.

We now use the system mount APIs in a more modern way: the filesystem
tree is now assembled purely from file descriptors and mounted in place
only after it's complete, resulting in very readable code.  This depends
on a very new kernel: the merge window on 6.15 isn't closed yet, but we
already depend on many of the feature of the mount API that got added in
this release.  Fortunately, rawhide already has a pre-release version
that we can test against: add a new integration test based on it.

At the same time, we preserve backwards compatibility to older kernels
via a compatibility layer which remains mostly isolated in a separate
file.  We even add compatibility with RHEL 9 (and add another integration
test for that).  The inclusion of the compatibility code is controlled
by the feature flags `pre-6.15` and `rhel9` (which implies `pre-6.15`).

Rework the examples a bit to add more explicit support for separate OSes
which are now accepted as the $1 parameter to each build script: the OS
parameter now controls the Containerfile used as well as the build
features.

Also remove the ssh-key generation at build time from all of the
examples: /etc overlay support is working now and all of the images will
generate their ssh keys at first boot, so we no longer need this cludge.

Add the start of a new integration test which can run unprivileged on
the host system inside of a fresh namespace.

Signed-off-by: Allison Karlitskaya <allison.karlitskaya@redhat.com>

Author: allisonkarlitskaya

.github/workflows/examples.yml

@@ -16,12 +16,14 @@ jobs:
     strategy:
       matrix:
         example:
-          - { dir: 'uki', file: 'Containerfile' }
-          - { dir: 'uki', file: 'Containerfile.arch' }
-          - { dir: 'bls', file: 'Containerfile' }
-          - { dir: 'bls', file: 'Containerfile.arch' }
-          - { dir: 'bls', file: 'Containerfile.ubuntu' }
-          - { dir: 'unified', file: 'Containerfile' }
+          - { dir: 'bls', os: 'arch' }
+          - { dir: 'bls', os: 'fedora' }
+          - { dir: 'bls', os: 'rawhide' }
+          - { dir: 'bls', os: 'rhel9' }
+          - { dir: 'bls', os: 'ubuntu' }
+          - { dir: 'uki', os: 'arch' }
+          - { dir: 'uki', os: 'fedora' }
+          - { dir: 'unified', os: 'fedora' }
       fail-fast: false
 
     steps:
@@ -67,4 +69,4 @@ jobs:
     - name: Run example tests
       run: |
         export PATH="${HOME}/bin:${PATH}"
-        examples/test/run ${{ matrix.example.dir }} -f ${{ matrix.example.file }}
+        examples/test/run ${{ matrix.example.dir }} ${{ matrix.example.os }}

Cargo.toml

@@ -11,6 +11,10 @@ readme = "README.md"
 default-run = "cfsctl"
 exclude = ["/.git*", "/examples/"]
 
+[features]
+rhel9 = ['pre-6.15']
+'pre-6.15' = []
+
 [dependencies]
 anyhow = { version = "1.0.97", default-features = false }
 async-compression = { version = "0.4.22", default-features = false, features = ["tokio", "gzip"] }
@@ -23,11 +27,13 @@ log = "0.4.27"
 oci-spec = "0.7.1"
 regex-automata = { version = "0.4.9", default-features = false }
 rustix = { version = "1.0.3", features = ["fs", "mount", "process"] }
+serde = "1.0.219"
 sha2 = "0.10.8"
 tar = { version = "0.4.44", default-features = false }
 tempfile = "3.19.1"
 thiserror = "2.0.12"
 tokio = "1.44.1"
+toml = "0.8.20"
 xxhash-rust = { version = "0.8.15", features = ["xxh32"] }
 zerocopy = { version = "0.8.24", features = ["derive"] }
 zstd = "0.13.3"

examples/.gitignore

@@ -1,6 +1,6 @@
 /*/VARS_CUSTOM.secboot.fd*
 /*/cfsctl
-/*/extra/usr/lib/dracut/modules.d/37composefs/composefs-pivot-sysroot
+/*/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root
 /*/*.qcow2
 /*/secureboot
 /*/tmp/

examples/bls/Containerfile

@@ -5,9 +5,6 @@ RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     set -eux
     dnf --setopt keepcache=1 install --allowerasing -y systemd util-linux skopeo composefs strace dosfstools kernel openssh-server
     systemctl enable systemd-networkd
-    /usr/libexec/openssh/sshd-keygen ed25519
-    /usr/libexec/openssh/sshd-keygen rsa
-    /usr/libexec/openssh/sshd-keygen ecdsa
     passwd -d root
     mkdir /sysroot
     mkdir /composefs-meta

examples/bls/Containerfile.arch

@@ -8,7 +8,6 @@ RUN <<EOF
     pacman -Syu --noconfirm
     pacman -Sy --noconfirm skopeo composefs strace dosfstools linux mkinitcpio btrfs-progs openssh
     systemctl enable systemd-networkd systemd-resolved sshd
-    ssh-keygen -A
     passwd -d root
     mkdir /sysroot
     kernel-install add "$(ls /usr/lib/modules)" /usr/lib/modules/"$(ls /usr/lib/modules)"/vmlinuz

examples/bls/Containerfile.rawhide

@@ -0,0 +1,14 @@
+FROM fedora:rawhide
+COPY extra /
+COPY cfsctl /usr/bin
+RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
+    set -eux
+    dnf --setopt keepcache=1 install --allowerasing -y systemd util-linux skopeo composefs strace dosfstools kernel openssh-server
+    systemctl enable systemd-networkd
+    passwd -d root
+    mkdir /sysroot
+    mkdir /composefs-meta
+    mv /boot /composefs-meta
+    mkdir /boot
+EOF
+RUN true  # hack to get an extra layer

examples/bls/Containerfile.rhel9

@@ -0,0 +1,27 @@
+# FROM docker.io/redhat/ubi9  missing: dosfstools, kernel
+FROM quay.io/centos/centos:9
+COPY extra /
+COPY cfsctl /usr/bin
+RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
+    set -eux
+    dnf --setopt keepcache=1 install --allowerasing -y \
+        systemd util-linux skopeo composefs strace dosfstools kernel openssh-server passwd NetworkManager
+    systemctl enable NetworkManager
+    kver="$(ls /usr/lib/modules)"
+    cp /usr/lib/modules/*/vmlinuz /boot  # ???
+    mkdir -p /boot/loader/entries
+    tee /boot/loader/entries/example.conf <<EOE
+title      composefs example
+options    root=/dev/vda2
+linux      /vmlinuz
+initrd     /initramfs-${kver}.img
+EOE
+    rm -r /tmp
+    ln -sf var/tmp /tmp
+    passwd -d root
+    mkdir /sysroot
+    mkdir /composefs-meta
+    mv /boot /composefs-meta
+    mkdir /boot
+EOF
+RUN true  # hack to get an extra layer

examples/bls/Containerfile.ubuntu

@@ -17,7 +17,6 @@ RUN <<EOF
      -I "/usr/lib/systemd/systemd-sysroot-fstab-check" \
      --kver $(ls /usr/lib/modules)   --force
     systemctl enable systemd-networkd systemd-resolved
-    ssh-keygen -A
     passwd -d root
     kernel-install add $(cd /usr/lib/modules && echo *) /boot/vmlinuz-$(cd /usr/lib/modules && echo *)
     apt clean

examples/bls/build

@@ -2,25 +2,53 @@
 
 set -eux
 
+os="${1:-fedora}"
 cd "${0%/*}"
 
 ../common/check-config
 
+case "${os}" in
+    fedora)
+        containerfile='Containerfile'
+        features='--features=pre-6.15'
+        ;;
+    arch)
+        containerfile='Containerfile.arch'
+        features='--features=pre-6.15'
+        ;;
+    rhel9)
+        containerfile='Containerfile.rhel9'
+        features='--features=rhel9'
+        ;;
+    ubuntu)
+        containerfile='Containerfile.ubuntu'
+        features='--features=pre-6.15'
+        ;;
+    rawhide)
+        containerfile='Containerfile.rawhide'
+        features='--no-default-features'
+        ;;
+    *)
+        echo "*** unknown variant ${os}"
+        false
+        ;;
+esac
+
 # https://github.com/containers/buildah/issues/5656
 PODMAN_BUILD="podman build --no-cache"
 
-cargo build --release
+cargo build --release "${features}"
 
 cp ../../target/release/cfsctl .
-cp ../../target/release/composefs-pivot-sysroot extra/usr/lib/dracut/modules.d/37composefs/
+cp ../../target/release/composefs-setup-root extra/usr/lib/dracut/modules.d/37composefs/
 CFSCTL='./cfsctl --repo tmp/sysroot/composefs'
 
 rm -rf tmp
-mkdir -p tmp/sysroot/composefs tmp/sysroot/var
+mkdir -p tmp/sysroot/composefs
 
 ${PODMAN_BUILD} \
     --iidfile=tmp/base.iid \
-    "$@" \
+    -f "${containerfile}" \
     .
 
 BASE_ID="$(sed s/sha256:// tmp/base.iid)"
@@ -29,6 +57,10 @@ ${CFSCTL} oci pull oci-archive:tmp/base.tar
 BASE_IMAGE_FSVERITY="$(${CFSCTL} oci create-image "${BASE_ID}")"
 fsck.erofs "tmp/sysroot/composefs/images/${BASE_IMAGE_FSVERITY}"
 
+mkdir -p "tmp/sysroot/state/${BASE_IMAGE_FSVERITY}/etc/work"
+mkdir -p "tmp/sysroot/state/${BASE_IMAGE_FSVERITY}/etc/upper"
+mkdir -p "tmp/sysroot/state/${BASE_IMAGE_FSVERITY}/var"
+
 mkdir -p tmp/efi/loader
 echo 'timeout 3' > tmp/efi/loader/loader.conf
 mkdir -p tmp/efi/EFI/BOOT tmp/efi/EFI/systemd
@@ -39,11 +71,12 @@ ${CFSCTL} oci prepare-boot "${BASE_ID}" tmp/efi
 OPTIONS="console=ttyS0,115200 composefs=${BASE_IMAGE_FSVERITY} rw"
 BLE="$(echo tmp/efi/loader/entries/*.conf)"
 test -f "${BLE}"
+
 if grep '^options ' "${BLE}"; then
     sed -i "s|^options .*$|\0 ${OPTIONS}|" "${BLE}"
 else
     echo "options    ${OPTIONS}" >> "${BLE}"
 fi
 sed -i 's@ /boot/@ /@' "${BLE}"
 
-../common/make-image composefs-bls-efi.qcow2
+../common/make-image "${os}-bls-efi.qcow2"

examples/bls/extra/usr/lib/dracut/modules.d/37composefs/composefs-pivot-sysroot.service renamed to examples/bls/extra/usr/lib/dracut/modules.d/37composefs/composefs-setup-root.service

@@ -27,7 +27,7 @@ OnFailureJobMode=isolate
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/composefs-pivot-sysroot
+ExecStart=/usr/bin/composefs-setup-root
 StandardInput=null
 StandardOutput=journal
 StandardError=journal+console