Ensure ESP is mounted

Following coreos/fedora-coreos-config#794,
the mount unit for `/boot/efi` will be dropped, since there is no
longer going to be a "canonical ESP" to mount.

No longer `ProtectClock=yes` in `bootupd.service` to allow bootupd
to mount the ESP.

Author: kelvinfan001

src/efi.rs

@@ -24,6 +24,8 @@ use crate::util::CommandRunExt;
 
 /// The path to the ESP mount
 pub(crate) const MOUNT_PATH: &str = "boot/efi";
+/// The ESP partition label
+pub(crate) const ESP_PART_LABEL: &str = "EFI-SYSTEM";
 
 #[derive(Default)]
 pub(crate) struct EFI {}
@@ -33,16 +35,47 @@ impl EFI {
         Path::new(MOUNT_PATH).join("EFI")
     }
 
+    fn esp_device(&self) -> PathBuf {
+        Path::new("/dev/disk/by-partlabel/").join(ESP_PART_LABEL)
+    }
+
     fn open_esp_optional(&self) -> Result<Option<openat::Dir>> {
+        self.ensure_mounted_esp()?;
         let sysroot = openat::Dir::open("/")?;
         let esp = sysroot.sub_dir_optional(&self.esp_path())?;
         Ok(esp)
     }
     fn open_esp(&self) -> Result<openat::Dir> {
+        self.ensure_mounted_esp()?;
         let sysroot = openat::Dir::open("/")?;
         let esp = sysroot.sub_dir(&self.esp_path())?;
         Ok(esp)
     }
+
+    fn ensure_mounted_esp(&self) -> Result<()> {
+        let mount_point = &Path::new("/").join(MOUNT_PATH);
+        let output = std::process::Command::new("mountpoint")
+            .arg(mount_point)
+            .output()
+            .expect("Failed to determine if EFI mounted");
+        if !output.status.success() {
+            let status = std::process::Command::new("mkdir")
+                .arg("-p")
+                .arg(mount_point)
+                .status()?;
+            if !status.success() {
+                anyhow::bail!("Failed to create directory {:?}", mount_point);
+            }
+            let status = std::process::Command::new("mount")
+                .arg(&self.esp_device())
+                .arg(mount_point)
+                .status()?;
+            if !status.success() {
+                anyhow::bail!("Failed to mount {:?}", &self.esp_device());
+            }
+        };
+        Ok(())
+    }
 }
 
 impl Component for EFI {
@@ -112,6 +145,7 @@ impl Component for EFI {
         };
         let srcdir_name = component_updatedirname(self);
         let ft = crate::filetree::FileTree::new_from_dir(&src_root.sub_dir(&srcdir_name)?)?;
+        self.ensure_mounted_esp()?;
         let destdir = Path::new(dest_root).join(MOUNT_PATH);
         {
             let destd = openat::Dir::open(&destdir)
@@ -151,6 +185,7 @@ impl Component for EFI {
             .context("opening update dir")?;
         let updatef = filetree::FileTree::new_from_dir(&updated).context("reading update dir")?;
         let diff = currentf.diff(&updatef)?;
+        self.ensure_mounted_esp()?;
         let destdir = openat::Dir::open(&Path::new("/").join(MOUNT_PATH).join("EFI"))
             .context("opening EFI dir")?;
         validate_esp(&destdir)?;
@@ -178,7 +213,8 @@ impl Component for EFI {
                     std::fs::remove_dir_all(&p)?;
                 }
             }
-
+            
+            self.ensure_mounted_esp()?;
             let efisrc = ostreebootdir.join("efi/EFI");
             if !efisrc.exists() {
                 bail!("Failed to find {:?}", &efisrc);
@@ -256,6 +292,7 @@ impl Component for EFI {
             .filetree
             .as_ref()
             .ok_or_else(|| anyhow::anyhow!("No filetree for installed EFI found!"))?;
+        self.ensure_mounted_esp()?;
         let efidir = openat::Dir::open(&Path::new("/").join(MOUNT_PATH).join("EFI"))?;
         let diff = currentf.relative_diff_to(&efidir)?;
         let mut errs = Vec::new();

systemd/bootupd.service

@@ -19,7 +19,6 @@ ProtectHome=yes
 ReadOnlyPaths=/usr
 PrivateTmp=yes
 PrivateNetwork=yes
-ProtectClock=yes
 ProtectHostname=yes
 ProtectControlGroups=yes
 RestrictSUIDSGID=yes