boundimage: Set HOME for podman if unset

bootc-image-builder runs us in a custom container without HOME or `/etc/passwd` initialized, and podman currently bombs out in this scenario. Signed-off-by: Colin Walters <[email protected]>
cgwalters · Jul 22, 2024 · 502c435 · 502c435
1 parent affe394
commit 502c435
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/lib/src/boundimage.rs b/lib/src/boundimage.rs
@@ -115,11 +115,22 @@ fn parse_container_file(file_contents: &tini::Ini) -> Result<BoundImage> {
 #[context("pull bound images")]
 pub(crate) fn pull_images(_deployment_root: &Dir, bound_images: Vec<BoundImage>) -> Result<()> {
     tracing::debug!("Pulling bound images: {}", bound_images.len());
+    // bootc-image-builder runs us under a custom bubblewrap container without $HOME
+    // set (and without /etc/passwd initialized, for that matter). podman bombs out
+    // in this scenario. Detect it and workaround.
+    let need_home = std::env::var_os("HOME").is_none();
+    if need_home {
+        // We only support being run as root right now
+        assert!(rustix::process::getuid().is_root());
+    }
     //TODO: do this in parallel
     for bound_image in bound_images {
         let mut task = Task::new("Pulling bound image", "/usr/bin/podman")
             .arg("pull")
             .arg(&bound_image.image);
+        if need_home {
+            task.cmd.env("HOME", "/root");
+        }
         if let Some(auth_file) = &bound_image.auth_file {
             task = task.arg("--authfile").arg(auth_file);
         }