storage: Ensure global c/storage is initialized via podman

cgwalters · cgwalters · commit be2ae679de7d · 2025-02-12T14:58:46.000-05:00
Two of our tests (and an unknown set of users may) run
`bootc image copy-to-storage` which happens to invoke
skopeo to target /var/lib/containers/storage. If this
happens to be the *first* thing to write to that
c/storage instance it triggers a bug around the podman
image network setup.

Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/lib/src/image.rs b/lib/src/image.rs
@@ -14,6 +14,7 @@ use serde::Serialize;
 use crate::{
     boundimage::query_bound_images,
     cli::{ImageListFormat, ImageListType},
+    imgstorage::ensure_floating_c_storage_initialized,
 };
 
 /// The name of the image we push to containers-storage if nothing is specified.
@@ -138,6 +139,7 @@ pub(crate) async fn push_entrypoint(source: Option<&str>, target: Option<&str>)
             name: target.to_owned(),
         }
     } else {
+        ensure_floating_c_storage_initialized();
         ImageReference {
             transport: Transport::ContainerStorage,
             name: IMAGE_DEFAULT.to_string(),
diff --git a/lib/src/imgstorage.rs b/lib/src/imgstorage.rs
@@ -119,6 +119,31 @@ fn new_podman_cmd_in(storage_root: &Dir, run_root: &Dir) -> Result<Command> {
     Ok(cmd)
 }
 
+/// Ensure that "podman" is the first thing to touch the global storage
+/// instance. This is a workaround for https://github.com/containers/bootc/pull/1101#issuecomment-2653862974
+/// Basically podman has special upgrade logic for when it is the first thing
+/// to initialize the c/storage instance it sets the networking to netavark.
+/// If it's not the first thing, then it assumes an upgrade scenario and we
+/// may be using CNI.
+///
+/// But this legacy path is triggered through us using skopeo, turning off netavark
+/// by default. Work around this by ensuring that /usr/bin/podman is
+/// always the first thing to touch c/storage (at least, when invoked by us).
+///
+/// Call this function any time we're going to write to containers-storage.
+pub(crate) fn ensure_floating_c_storage_initialized() {
+    if let Err(e) = Command::new("podman")
+        .args(["system", "info"])
+        .stdout(Stdio::null())
+        .run()
+    {
+        // Out of conservatism we don't make this operation fatal right now.
+        // If something went wrong, then we'll probably fail on a later operation
+        // anyways.
+        tracing::warn!("Failed to query podman system info: {e}");
+    }
+}
+
 impl Storage {
     /// Create a `podman image` Command instance prepared to operate on our alternative
     /// root.
