fixup! Use supermin in unprivileged environments

src/cmd-init

@@ -66,13 +66,16 @@ if [ "$FORCE" != "1" -a ! -z "$(ls -A ./)" ]; then
    fatal "init: current directory is not empty, override with --force"
 fi
 
-set -x
 source=$1; shift
 subdir=${1:-}
 
 preflight
 
-sudo chown $USER: .
+if has_privileges; then
+    sudo chown $USER: .
+elif [ ! -w . ]; then
+    fatal "init: running unprivileged, and current directory not writable"
+fi
 
 INSTALLER=https://download.fedoraproject.org/pub/fedora/linux/releases/28/Everything/x86_64/iso/Fedora-Everything-netinst-x86_64-28-1.1.iso
 INSTALLER_CHECKSUM=https://download.fedoraproject.org/pub/fedora/linux/releases/28/Everything/x86_64/iso/Fedora-Everything-28-1.1-x86_64-CHECKSUM
@@ -117,6 +120,6 @@ mkdir -p builds
 mkdir -p tmp
 ostree --repo=repo init --mode=archive
 if ! has_privileges; then
-    LIBGUESTFS_BACKEND=direct qemu-img create -f qcow2 cache.qcow2 10G
-    virt-format --filesystem=xfs -a cache.qcow2
+    qemu-img create -f qcow2 cache/cache.qcow2 10G
+    LIBGUESTFS_BACKEND=direct virt-format --filesystem=xfs -a cache/cache.qcow2
 fi

src/cmdlib.sh

@@ -1,5 +1,7 @@
 # Shared shell script library
 
+DIR=$(dirname $0)
+
 info() {
     echo "info: $@" 1>&2
 }
@@ -21,6 +23,7 @@ has_privileges() {
             info "Missing sudo privs; using virt"
             _privileged=0
         else
+            info "Running in privileged mode"
             _privileged=1
         fi
     fi
@@ -64,7 +67,7 @@ prepare_build() {
     preflight
     if ! [ -d repo ]; then
         fatal "No $(pwd)/repo found; did you run coreos-assembler init?"
-    elif ! has_privileges && [ ! -f cache.qcow2 ]; then
+    elif ! has_privileges && [ ! -f cache/cache.qcow2 ]; then
         fatal "No cache.qcow2 found; did you run coreos-assembler init?"
     fi
 
@@ -112,10 +115,6 @@ prepare_build() {
 }
 
 runcompose() {
-    local treecompose_args=""
-    if ! grep -q '^# disable-unified-core' "${manifest}"; then
-        treecompose_args="${treecompose_args} --unified-core"
-    fi
     # Implement support for automatic local overrides:
     # https://github.com/coreos/coreos-assembler/issues/118
     local overridesdir=${workdir}/overrides/
@@ -144,44 +143,21 @@ EOF
 
     rm -f ${changed_stamp}
 
-    # really, we don't need to do this whole jazz for `fetch`, but meh, it's
-    # just some minimal I/O in that case
-    cat > ${TMPDIR}/compose.sh <<EOF
-SUDO=
-if [ \$(id -u) != 0 ]; then
-    SUDO=sudo
-fi
-
-# build in a temp bare-user repo in cache/ so we can hardlink from pkgcache
-\$SUDO ostree --repo=${workdir}/cache/repo-build init --mode=bare-user
-
-# seed with commit metadata of last build
-# TODO: don't rely on ${ref}
-if ostree --repo=${workdir}/repo rev-parse ${ref} 2>/dev/null; then
-    \$SUDO ostree --repo=${workdir}/cache/repo-build pull-local \
-        ${workdir}/repo ${ref} --commit-metadata-only
-fi
-
-\$SUDO rpm-ostree compose tree --repo=${workdir}/cache/repo-build \
-    --cachedir=${workdir}/cache --touch-if-changed "${changed_stamp}" \
-    ${treecompose_args} ${TREECOMPOSE_FLAGS:-} \
-    ${manifest} $@
-
-\$SUDO chmod -R a+rX ${workdir}/cache/repo-build/objects
-# can't use ${changed_stamp}; it has different semantics with --download-only
-if ostree --repo=${workdir}/cache/repo-build rev-parse ${ref} 2>/dev/null; then
-    ostree --repo=${workdir}/repo pull-local ${workdir}/cache/repo-build ${ref}
-fi
-
-# just nuke it instead of pruning, it's fast to rebuild from pkgcache hardlinks
-\$SUDO rm -rf ${workdir}/repo-build
-EOF
+    set - rpm-ostree compose tree --repo=${workdir}/repo \
+            --cachedir=${workdir}/cache --touch-if-changed "${changed_stamp}" \
+            ${manifest} "$@"
+
+    if ! grep -q '^# disable-unified-core' "${manifest}"; then
+        set - "$@" --unified-core
+    fi
+
+    echo "Running: $@"
 
     # this is the heart of the privs vs no privs dual path
     if has_privileges; then
-        . ${TMPDIR}/compose.sh
+        "$@"
     else
-        runvm bash ${TMPDIR}/compose.sh
+        runvm "$@"
     fi
 }
 
@@ -197,19 +173,23 @@ runvm() {
 
         local rpms=
         # then add all the base deps
-        for dep in $(grep -v '^#' /usr/lib/coreos-assembler/vmdeps.txt); do
+        for dep in $(grep -v '^#' ${DIR}/vmdeps.txt); do
             rpms+="$dep "
         done
 
         supermin --prepare --use-installed $rpms -o "${vmpreparedir}"
+
+        # the reason we do a heredoc here is so that the var substition takes
+        # place immediately instead of having to proxy them through to the VM
         cat > "${vmpreparedir}/init" <<EOF
 #!/bin/bash
 set -xeuo pipefail
 workdir=${workdir}
-$(cat /usr/lib/coreos-assembler/supermin-init-prelude.sh)
+$(cat ${DIR}/supermin-init-prelude.sh)
 rc=0
 sh ${TMPDIR}/cmd.sh || rc=\$?
-echo $rc > ${workdir}/tmp/rc
+echo \$rc > ${workdir}/tmp/rc
+/sbin/fstrim -v ${workdir}/cache
 /sbin/reboot -f
 EOF
         chmod a+x ${vmpreparedir}/init
@@ -220,7 +200,7 @@ EOF
 
     echo "$@" > ${TMPDIR}/cmd.sh
 
-    # support local dev cases wher src/config is a symlink
+    # support local dev cases where src/config is a symlink
     srcvirtfs=
     if [ -L "${workdir}/src/config" ]; then
         # qemu follows symlinks
@@ -235,7 +215,7 @@ EOF
         -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \
         -drive if=none,id=drive-scsi0-0-0-0,snapshot=on,file="${vmbuilddir}/root" \
         -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 \
-        -drive if=none,id=drive-scsi0-0-0-1,discard=unmap,file="${workdir}/cache.qcow2" \
+        -drive if=none,id=drive-scsi0-0-0-1,discard=unmap,file="${workdir}/cache/cache.qcow2" \
         -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=1,drive=drive-scsi0-0-0-1,id=scsi0-0-0-1 \
         -virtfs local,id=workdir,path="${workdir}",security_model=none,mount_tag=workdir \
         ${srcvirtfs} -serial stdio -append "root=/dev/sda console=ttyS0 selinux=1 enforcing=0 autorelabel=1"