usroverlay: Add --read-only flag

Signed-off-by: Evan Goode <mail@evangoo.de>

Author: evan-goode

crates/lib/src/bootc_composefs/state.rs

@@ -21,6 +21,7 @@ use ostree_ext::container::deploy::ORIGIN_CONTAINER;
 use rustix::{
     fd::AsFd,
     fs::{Mode, OFlags, StatVfsMountFlags, open},
+    mount::MountAttrFlags,
     path::Arg,
 };
 
@@ -330,7 +331,7 @@ pub(crate) async fn write_composefs_state(
     Ok(())
 }
 
-pub(crate) fn composefs_usr_overlay() -> Result<()> {
+pub(crate) fn composefs_usr_overlay(access_mode: FilesystemOverlayAccessMode) -> Result<()> {
     let status = get_composefs_usr_overlay_status()?;
     if status.is_some() {
         println!("An overlayfs is already mounted on /usr");
@@ -343,9 +344,14 @@ pub(crate) fn composefs_usr_overlay() -> Result<()> {
     let usr_metadata = usr.metadata(".").context("Getting /usr metadata")?;
     let usr_mode = Mode::from_raw_mode(usr_metadata.permissions().mode());
 
-    overlay_transient(usr, Some(usr_mode))?;
+    let mount_attr_flags = match access_mode {
+        FilesystemOverlayAccessMode::ReadOnly => Some(MountAttrFlags::MOUNT_ATTR_RDONLY),
+        FilesystemOverlayAccessMode::ReadWrite => None,
+    };
 
-    println!("A writeable overlayfs is now mounted on /usr");
+    overlay_transient(usr, Some(usr_mode), mount_attr_flags)?;
+
+    println!("A {} overlayfs is now mounted on /usr", access_mode);
     println!("All changes there will be discarded on reboot.");
 
     Ok(())

crates/lib/src/cli.rs

@@ -50,6 +50,7 @@ use crate::bootc_composefs::{
 use crate::deploy::{MergeState, RequiredHostSpec};
 use crate::podstorage::set_additional_image_store;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
+use crate::spec::FilesystemOverlayAccessMode;
 use crate::spec::Host;
 use crate::spec::ImageReference;
 use crate::status::get_host;
@@ -265,6 +266,14 @@ pub(crate) struct StatusOpts {
     pub(crate) verbose: bool,
 }
 
+/// Add a transient overlayfs on /usr
+#[derive(Debug, Parser, PartialEq, Eq)]
+pub(crate) struct UsrOverlayOpts {
+    /// Mount the overlayfs as read-only.
+    #[clap(long)]
+    pub(crate) read_only: bool,
+}
+
 #[derive(Debug, clap::Subcommand, PartialEq, Eq)]
 pub(crate) enum InstallOpts {
     /// Install to the target block device.
@@ -788,7 +797,7 @@ pub(crate) enum Opt {
     ///
     /// Allows temporary package installation that will be discarded on reboot.
     #[clap(alias = "usroverlay")]
-    UsrOverlay,
+    UsrOverlay(UsrOverlayOpts),
     /// Install the running container to a target.
     ///
     /// Takes a container image and installs it to disk in a bootable format.
@@ -1445,13 +1454,16 @@ async fn edit(opts: EditOpts) -> Result<()> {
 }
 
 /// Implementation of `bootc usroverlay`
-async fn usroverlay() -> Result<()> {
+async fn usroverlay(access_mode: FilesystemOverlayAccessMode) -> Result<()> {
     // This is just a pass-through today.  At some point we may make this a libostree API
     // or even oxidize it.
-    Err(Command::new("ostree")
-        .args(["admin", "unlock"])
-        .exec()
-        .into())
+    let args = match access_mode {
+        // In this context, "--transient" means "read-only overlay"
+        FilesystemOverlayAccessMode::ReadOnly => ["admin", "unlock", "--transient"].as_slice(),
+
+        FilesystemOverlayAccessMode::ReadWrite => ["admin", "unlock"].as_slice(),
+    };
+    Err(Command::new("ostree").args(args).exec().into())
 }
 
 /// Perform process global initialization. This should be called as early as possible
@@ -1562,12 +1574,17 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
             Ok(())
         }
         Opt::Edit(opts) => edit(opts).await,
-        Opt::UsrOverlay => {
+        Opt::UsrOverlay(opts) => {
             use crate::store::Environment;
             let env = Environment::detect()?;
+            let access_mode = if opts.read_only {
+                FilesystemOverlayAccessMode::ReadOnly
+            } else {
+                FilesystemOverlayAccessMode::ReadWrite
+            };
             match env {
-                Environment::OstreeBooted => usroverlay().await,
-                Environment::ComposefsBooted(_) => composefs_usr_overlay(),
+                Environment::OstreeBooted => usroverlay(access_mode).await,
+                Environment::ComposefsBooted(_) => composefs_usr_overlay(access_mode),
                 _ => anyhow::bail!("usroverlay only applies on booted hosts"),
             }
         }