Skip to content

lib: Pass absolute authfile path when pulling LBIs #1852

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cgwalters merged 2 commits into from
Dec 16, 2025
Merged

lib: Pass absolute authfile path when pulling LBIs #1852

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
999007f
lib: Pass absolute authfile path when pulling LBIs
csssuf Dec 14, 2025
37382b6
podstorage: Improve authfile handling more
cgwalters Dec 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 10 additions & 5 deletions crates/lib/src/podstorage.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ use cap_std_ext::cmdext::CapStdExtCommandExt;
use cap_std_ext::dirext::CapStdExtDirExt;
use fn_error_context::context;
use ostree_ext::ostree::{self};
use std::os::fd::OwnedFd;
use std::os::fd::{AsRawFd, OwnedFd};
use tokio::process::Command as AsyncCommand;

// Pass only 100 args at a time just to avoid potentially overflowing argument
Expand Down Expand Up @@ -353,10 +353,15 @@ impl CStorage {
cmd.stdin(Stdio::null());
cmd.stdout(Stdio::null());
cmd.args(["pull", image]);
let authfile = ostree_ext::globals::get_global_authfile(&self.sysroot)?
.map(|(authfile, _fd)| authfile);
if let Some(authfile) = authfile {
cmd.args(["--authfile", authfile.as_str()]);
let authfile_fd =
ostree_ext::globals::get_global_authfile(&self.sysroot)?.map(|(_authfile, fd)| fd);
if let Some(fd) = authfile_fd {
let authfile_path = std::fs::read_link(format!("/proc/self/fd/{}", fd.as_raw_fd()))
Copy link
Copy Markdown
Collaborator

@cgwalters cgwalters Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this will work because the fd should have O_CLOEXEC and won't be passed to the child by default.

The general pattern we use here instead is using https://docs.rs/cap-std-ext/latest/cap_std_ext/cmdext/trait.CapStdExtCommandExt.html#tymethod.take_fd_n

In fact we should just make this code identical to the one in containers-image-proxy-rs: https://github.com/bootc-dev/containers-image-proxy-rs/blob/b5e0861ad5065f47eaf9cda0d48da3529cc1bc43/src/imageproxy.rs#L310

Copy link
Copy Markdown
Contributor Author

@csssuf csssuf Dec 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't believe we rely on passing it to the child here - we only use the fd in the current process to look up the absolute path through /proc, and just pass the path to the child since podman's --authfile option expects a path.

Using /proc here does feel a little hacky, but as far as I can tell cap_std::fs::Dir is very deliberate in not exposing the underlying path, but open to other suggestions here - would copying the contents as in the imageproxy implementation be preferable to resolving the absolute path this way?

Copy link
Copy Markdown
Collaborator

@cgwalters cgwalters Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I pushed a followup commit here, can you review it?

.map_err(Into::into)
.and_then(|p| {
Utf8PathBuf::from_path_buf(p).map_err(|_| anyhow::anyhow!("Invalid UTF-8"))
})?;
cmd.args(["--authfile", authfile_path.as_str()]);
}
tracing::debug!("Pulling image: {image}");
let mut cmd = AsyncCommand::from(cmd);
Expand Down
Loading