cmd-osbuild: support running as root

dustymabe · dustymabe · commit f289edce55c4 · 2025-08-13T16:47:08.000-04:00
In some limited cases we don't have access to /dev/kvm. For example,
riscv just added support for KVM virtualization, but there is very
little to no hardware that actually supports it. In order to build
disk images for riscv using osbuild we'll need to support running
outside the supermin VM. This code change allows for that.

This is mostly a hack and shouldn't be used unless absolutely required.

Here is the cosa alias I used to get this to work:

```
cosa() {
    env | grep COREOS_ASSEMBLER &gt;&amp;2
    rm -f "${COREOS_ASSEMBLER_CONTAINER_NAME}-variant-config.json"
    if [ "$COREOS_ASSEMBLER_CONFIG_VARIANT" != "" ]; then
        cat &lt;&lt;EOF &gt; "${COREOS_ASSEMBLER_CONTAINER_NAME}-variant-config.json"
{
  "coreos-assembler.config-variant": "${COREOS_ASSEMBLER_CONFIG_VARIANT}"
}
EOF
    fi
    set -x # so we can see what command gets run
    sudo podman run --rm -ti --security-opt label=disable --privileged                                 \
               --user root --userns host -v /dev/:/dev/ -e COSA_NO_KVM=1                               \
               -v ${PWD}:/srv/                                                                         \
               --tmpfs /tmp -v /var/tmp:/var/tmp --name ${COREOS_ASSEMBLER_CONTAINER_NAME:-cosa}       \
               ${COREOS_ASSEMBLER_CONFIG_VARIANT:+-v ./"${COREOS_ASSEMBLER_CONTAINER_NAME}-variant-config.json":/srv/src/config.json:ro} \
               ${COREOS_ASSEMBLER_CONFIG_GIT:+-v $COREOS_ASSEMBLER_CONFIG_GIT:/srv/src/config/:ro}     \
               ${COREOS_ASSEMBLER_RHCOS_REPOS:+-v $COREOS_ASSEMBLER_RHCOS_REPOS:/srv/src/yumrepos/:ro} \
               ${COREOS_ASSEMBLER_FCOS_SUBMODULE:+-v $COREOS_ASSEMBLER_FCOS_SUBMODULE:/srv/src/config/fedora-coreos-config:ro} \
               ${COREOS_ASSEMBLER_GIT:+-v $COREOS_ASSEMBLER_GIT/src/:/usr/lib/coreos-assembler/:ro}    \
               ${COREOS_ASSEMBLER_ADD_CERTS:+-v /etc/pki/ca-trust:/etc/pki/ca-trust:ro}                \
               ${COREOS_ASSEMBLER_CONTAINER_RUNTIME_ARGS}                                              \
               ${COREOS_ASSEMBLER_CONTAINER:-quay.io/coreos-assembler/coreos-assembler:latest} "$@"
   rc=$?; set +x; return $rc
}
```

Of note is the `--user root --userns host -v /dev/:/dev/ -e COSA_NO_KVM=1` line and the fact that
we are using `sudo` to become root.
diff --git a/src/cmd-osbuild b/src/cmd-osbuild
@@ -397,7 +397,12 @@ main() {
     fi
 
     outdir=$(mktemp -p "${tmp_builddir}" -d)
-    runvm_with_cache -- /usr/lib/coreos-assembler/runvm-osbuild                                         \
+    if has_privileges && [ "${COSA_NO_KVM:-}" == "1" ]; then
+        cmd="env" # run outside of supermin if we are root already
+    else
+        cmd="runvm_with_cache"
+    fi
+    $cmd -- /usr/lib/coreos-assembler/runvm-osbuild                                                     \
                 --config "${runvm_osbuild_config_json}"                                                 \
                 --mpp "/usr/lib/coreos-assembler/osbuild-manifests/coreos.osbuild.${basearch}.mpp.yaml" \
                 --outdir "${outdir}"                                                                    \
