lib: Pass absolute authfile path when pulling LBIs

csssuf · csssuf · commit 999007f6f805 · 2025-12-14T12:22:40.000-05:00
ostree-ext explicitly handles authfile paths as relative; this works
fine for most callers of get_global_authfile, as they only read the
returned open file descriptor, and ignore the path. However, pulling
logically bound images requires passing the actual authfile path to
Podman, so we must resolve the absolute path in this case - otherwise,
we see errors like the following:

```
[root@fedora ~]# bootc upgrade
layers already present: 69; layers needed: 1 (242.2 MB)
Fetched layers: 230.95 MiB in 3 seconds (90.88 MiB/s)
  Deploying: done (3 seconds)
  Fetching bound image: quay.io/prometheus/node-exporter:v1.10.2: done (0 seconds)
error: Upgrading: Staging: Pulling bound images: Pulling bound images: Failed to pull image: Subprocess failed: ExitStatus(unix_wait_status(32000))
Error: credential file is not accessible: faccessat etc/ostree/auth.json: no such file or directory
```

Since cap_std::fs::Dir intentionally does not expose its filesystem
path, we must resort to reconstructing it from a file descriptor. We
could do this by inspectingthe file descriptor for `sysroot` and
combining that with the relative path returned by get_global_authfile,
but since get_global_authfile returns the descriptor of the actual
authfile, we can simply read that directly.

Signed-off-by: James Forcier &lt;csssuf@csssuf.net&gt;
diff --git a/crates/lib/src/podstorage.rs b/crates/lib/src/podstorage.rs
@@ -24,7 +24,7 @@ use cap_std_ext::cmdext::CapStdExtCommandExt;
 use cap_std_ext::dirext::CapStdExtDirExt;
 use fn_error_context::context;
 use ostree_ext::ostree::{self};
-use std::os::fd::OwnedFd;
+use std::os::fd::{AsRawFd, OwnedFd};
 use tokio::process::Command as AsyncCommand;
 
 // Pass only 100 args at a time just to avoid potentially overflowing argument
@@ -353,10 +353,15 @@ impl CStorage {
         cmd.stdin(Stdio::null());
         cmd.stdout(Stdio::null());
         cmd.args(["pull", image]);
-        let authfile = ostree_ext::globals::get_global_authfile(&self.sysroot)?
-            .map(|(authfile, _fd)| authfile);
-        if let Some(authfile) = authfile {
-            cmd.args(["--authfile", authfile.as_str()]);
+        let authfile_fd =
+            ostree_ext::globals::get_global_authfile(&self.sysroot)?.map(|(_authfile, fd)| fd);
+        if let Some(fd) = authfile_fd {
+            let authfile_path = std::fs::read_link(format!("/proc/self/fd/{}", fd.as_raw_fd()))
+                .map_err(Into::into)
+                .and_then(|p| {
+                    Utf8PathBuf::from_path_buf(p).map_err(|_| anyhow::anyhow!("Invalid UTF-8"))
+                })?;
+            cmd.args(["--authfile", authfile_path.as_str()]);
         }
         tracing::debug!("Pulling image: {image}");
         let mut cmd = AsyncCommand::from(cmd);
