krane: write krane to a tempfile

Signed-off-by: Sam Berning <[email protected]>
bottlerocket-os · Nov 8, 2024 · 2020d62 · 2020d62
1 parent ebef61d
commit 2020d62
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 32 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -106,7 +106,6 @@ nix = "0.28"
 nonzero_ext = "0.3"
 num_cpus = "1"
 olpc-cjson = "0.1"
-pentacle = "1.1"
 rand = { version = "0.8", default-features = false }
 regex = "1"
 reqwest = { version = "0.11", default-features = false }

diff --git a/tools/krane/Cargo.toml b/tools/krane/Cargo.toml
@@ -10,7 +10,7 @@ publish = false
 anyhow.workspace = true
 flate2.workspace = true
 lazy_static.workspace = true
-pentacle.workspace = true
+tempfile.workspace = true
 
 [build-dependencies]
 flate2.workspace = true

diff --git a/tools/krane/README.md b/tools/krane/README.md
@@ -4,8 +4,7 @@ This crate packages the `krane` utility from [google/go-containerregistry].
 
 The utility is compiled by a build script, the output of which is compressed and stored in the Rust
 crate as via `include_bytes!`.
-At runtime, `krane-bundle` writes the decompressed binary to a [sealed anonymous file], passing the
+At runtime, `krane-bundle` writes the decompressed binary to a temp file, passing the
 filepath of that file to any caller.
 
 [google/go-containerregistry]: https://github.com/google/go-containerregistry
-[sealed anonymous file]: https://github.com/haha-business/pentacle
diff --git a/tools/krane/src/lib.rs b/tools/krane/src/lib.rs
@@ -1,10 +1,10 @@
-use anyhow::{Context, Result};
+use anyhow::Result;
 use flate2::read::GzDecoder;
-use std::fs::File;
-use std::os::fd::AsRawFd;
-use std::path::{Path, PathBuf};
+use std::fs::{File, Permissions};
+use std::os::unix::fs::PermissionsExt;
+use std::path::PathBuf;
 
-use pentacle::SealOptions;
+use tempfile::TempDir;
 
 const COMPRESSED_KRANE_BIN: &[u8] = include_bytes!(env!("KRANE_GZ_PATH"));
 
@@ -15,31 +15,30 @@ lazy_static::lazy_static! {
 #[derive(Debug)]
 pub struct Krane {
     // Hold the file in memory to keep the fd open
-    _sealed_binary: File,
+    _tmp_dir: TempDir,
     path: PathBuf,
 }
 
 impl Krane {
     fn seal() -> Result<Krane> {
-        let mut krane_reader = GzDecoder::new(COMPRESSED_KRANE_BIN);
+        let tmp_dir = TempDir::new()?;
+        let path = tmp_dir.path().join("krane");
+
+        let mut krane_file = File::create(&path)?;
+        let permissions = Permissions::from_mode(0o755);
+        krane_file.set_permissions(permissions)?;
 
-        let sealed_binary = SealOptions::new()
-            .close_on_exec(false)
-            .executable(true)
-            .copy_and_seal(&mut krane_reader)
-            .context("Failed to write krane binary to sealed anonymous file")?;
+        let mut krane_reader = GzDecoder::new(COMPRESSED_KRANE_BIN);
 
-        let fd = sealed_binary.as_raw_fd();
-        let pid = std::process::id();
-        let path = PathBuf::from(format!("/proc/{pid}/fd/{fd}"));
+        std::io::copy(&mut krane_reader, &mut krane_file)?;
 
         Ok(Krane {
-            _sealed_binary: sealed_binary,
+            _tmp_dir: tmp_dir,
             path,
         })
     }
 
-    pub fn path(&self) -> &Path {
+    pub fn path(&self) -> &PathBuf {
         &self.path
     }
 }