Fixes to use flakes as normal user

schaefi · schaefi · commit 13dd6306b175 · 2025-09-04T18:59:44.000+02:00
Running a flake is a container based instance provisioning
and startup. Some part of this process requires root permissions
for example mounting the container instance store for the
provisioning step. This commit fixes the required calls to
be properly managed by sudo.
diff --git a/common/src/user.rs b/common/src/user.rs
@@ -27,6 +27,8 @@ use std::{process::Command, ffi::OsStr};
 use serde::{Serialize, Deserialize};
 use crate::command::{CommandExtTrait, CommandError};
 use uzers::{get_current_uid, get_current_groupname};
+use crate::lookup::{Lookup};
+use crate::error::FlakeError;
 
 #[derive(Debug, Default, Clone, Copy, Serialize, Deserialize)]
 pub struct User<'a> {
@@ -69,11 +71,57 @@ impl User<'_> {
     }
 }
 
+pub fn exists(filename: &str, user: User) -> Result<bool, FlakeError> {
+    /*!
+    check file exists via sudo
+    !*/
+    let mut call = user.run("test");
+    call.arg("-e").arg(filename);
+    if Lookup::is_debug() {
+        debug!("{:?}", call.get_args());
+    }
+    let output = match call.output() {
+        Ok(output) => {
+            output
+        }
+        Err(error) => {
+            return Err(
+                FlakeError::IOError {
+                    kind: "call failed".to_string(),
+                    message: format!("{error:?}")
+                }
+            );
+        }
+    };
+    if output.status.success() {
+        return Ok(true)
+    }
+    Ok(false)
+}
+
+pub fn cp(source: &str, target: &str, user: User) -> Result<(), CommandError> {
+    /*!
+    copy filename via sudo
+    !*/
+    let mut call = user.run("cp");
+    call.arg(source).arg(target);
+    if Lookup::is_debug() {
+        debug!("{:?}", call.get_args());
+    }
+    call.perform()?;
+    Ok(())
+}
+
 pub fn chmod(filename: &str, mode: &str, user: User) -> Result<(), CommandError> {
     /*!
     Chmod filename via sudo
     !*/
-    user.run("chmod").arg(mode).arg(filename).perform()?;
+    let mut call = user.run("chmod");
+    call.arg(mode).arg(filename);
+    if Lookup::is_debug() {
+        debug!("{:?}", call.get_args());
+    }
+    call.perform()?;
     Ok(())
 }
 
@@ -90,10 +138,18 @@ pub fn mkdir(dirname: &str, mode: &str, user: User) -> Result<(), CommandError>
         targetdir = workdir.to_str().unwrap();
     }
     if ! Path::new(&targetdir).exists() {
-        user.run("mkdir")
-            .arg("-p").arg("-m").arg(mode).arg(targetdir).perform()?;
-        user.run("chmod")
-            .arg(mode).arg(targetdir).perform()?;
+        let mut mkdir_call = user.run("mkdir");
+        mkdir_call.arg("-p").arg("-m").arg(mode).arg(targetdir);
+        if Lookup::is_debug() {
+            debug!("{:?}", mkdir_call.get_args());
+        }
+        mkdir_call.perform()?;
+        let mut chmod_call = user.run("chmod");
+        chmod_call.arg(mode).arg(targetdir);
+        if Lookup::is_debug() {
+            debug!("{:?}", chmod_call.get_args());
+        }
+        chmod_call.perform()?;
     }
     Ok(())
 }
diff --git a/podman-pilot/src/podman.rs b/podman-pilot/src/podman.rs
@@ -29,7 +29,7 @@ use atty::Stream;
 use rand::prelude::*;
 use rand_chacha::ChaCha20Rng;
 
-use flakes::user::{User, mkdir};
+use flakes::user::{User, mkdir, cp, exists};
 use flakes::lookup::Lookup;
 use flakes::io::IO;
 use flakes::error::FlakeError;
@@ -49,6 +49,7 @@ use std::io::SeekFrom;
 
 use spinoff::{Spinner, spinners, Color};
 use tempfile::tempfile;
+use tempfile::NamedTempFile;
 use regex::Regex;
 
 use uzers::{get_current_username};
@@ -151,7 +152,7 @@ pub fn create(
     mkdir(defaults::FLAKES_REGISTRY, "777", User::ROOT)?;
 
     let current_user = get_current_username().unwrap();
-    let user = User::from(current_user.to_str().unwrap());
+    let user = User::from("root");
 
     let container_cid_file = format!(
         "{}/{}{}_{}.cid",
@@ -477,36 +478,35 @@ pub fn start(program_name: &str, cid: &str) -> Result<(), FlakeError> {
     let RuntimeSection { resume, attach, .. } = config().runtime();
 
     let pilot_options = Lookup::get_pilot_run_options();
-    let current_user = get_current_username().unwrap();
-    let user = User::from(current_user.to_str().unwrap());
+    let root_user = User::from("root");
 
-    let is_running = container_running(cid, user)?;
-    let is_created = container_exists(cid, user)?;
+    let is_running = container_running(cid, root_user)?;
+    let is_created = container_exists(cid, root_user)?;
     let mut is_removed = false;
 
     if is_running {
         if attach {
             // 1. Attach to running container
-            call_instance("attach", cid, program_name, user)?;
+            call_instance("attach", cid, program_name, root_user)?;
         } else {
             // 2. Execute app in running container
-            call_instance("exec", cid, program_name, user)?;
+            call_instance("exec", cid, program_name, root_user)?;
         }
     } else if resume {
         // 3. Startup resume type container and execute app
-        call_instance("start", cid, program_name, user)?;
-        call_instance("exec", cid, program_name, user)?;
+        call_instance("start", cid, program_name, root_user)?;
+        call_instance("exec", cid, program_name, root_user)?;
     } else {
         // 4. Startup container
-        call_instance("start", cid, program_name, user)?;
+        call_instance("start", cid, program_name, root_user)?;
         if ! attach || ! is_created {
-            call_instance("rm_force", cid, program_name, user)?;
+            call_instance("rm_force", cid, program_name, root_user)?;
             is_removed = true
         }
     };
 
     if pilot_options.contains_key("%remove") && ! is_removed {
-        call_instance("rm_force", cid, program_name, user)?;
+        call_instance("rm_force", cid, program_name, root_user)?;
     };
     Ok(())
 }
@@ -641,6 +641,7 @@ pub fn sync_host(
     !*/
     let mut removed_files_contents = String::new();
     let files_from = format!("{}/{}", &target, from);
+    let mut temp_files_from = NamedTempFile::new()?;
     removed_files.seek(SeekFrom::Start(0))?;
     removed_files.read_to_string(&mut removed_files_contents)?;
 
@@ -650,8 +651,8 @@ pub fn sync_host(
         }
         return Ok(())
     }
-
-    File::create(&files_from)?.write_all(removed_files_contents.as_bytes())?;
+    temp_files_from.write_all(removed_files_contents.as_bytes())?;
+    cp(temp_files_from.path().to_str().unwrap(), &files_from, User::ROOT)?;
 
     let mut call = user.run("rsync");
     call.arg("-av");
@@ -863,7 +864,7 @@ pub fn build_system_dependencies(
     to be provisioned from the host
     !*/
     let system_deps = format!("{}/{}", &target, dependency_file);
-    if Path::new(&system_deps).exists() {
+    if exists(&system_deps, User::ROOT)? {
         if Lookup::is_debug() {
             debug!("Calling system deps generator: {system_deps}");
         }
@@ -907,17 +908,19 @@ pub fn build_system_dependencies(
 
 pub fn update_removed_files(
     target: &String, mut accumulated_file: &File
-) -> Result<(), std::io::Error> {
+) -> Result<(), FlakeError> {
     /*!
     Take the contents of the given removed_file and append it
     to the accumulated_file
     !*/
     let host_deps = format!("{}/{}", &target, defaults::HOST_DEPENDENCIES);
-    if Path::new(&host_deps).exists() {
+    if exists(&host_deps, User::ROOT)? {
         if Lookup::is_debug() {
             debug!("Adding host deps from {host_deps}");
         }
-        let data = fs::read_to_string(&host_deps)?;
+        let temp_host_deps = NamedTempFile::new()?;
+        cp(&host_deps, temp_host_deps.path().to_str().unwrap(), User::ROOT)?;
+        let data = fs::read_to_string(temp_host_deps.path())?;
         // The subsequent rsync call logs enough information
         // Let's keep this for convenience debugging
         // if Lookup::is_debug() {
