COPY multi-source support, configurable rootfs size, build fixes

- COPY now supports multiple sources: COPY a.txt b.txt /dest/ Last argument is always destination (matches Dockerfile semantics). - COPY resolves relative destinations against current WORKDIR. - WRENN_DEFAULT_ROOTFS_SIZE env var (e.g. 5G, 2Gi, 1000M, 512Mi) controls template rootfs expansion. Used both at agent startup (EnsureImageSizes) and after FlattenRootfs (shrink then re-expand). - Pre-build now sets WORKDIR /home/wrenn-user after USER switch. - Extracted archive files get chmod a+rX for readability. - Path traversal validation on COPY sources.
2026-04-12 03:39:17 +06:00
parent 46c43b95c2
commit 25b5258841
8 changed files with 110 additions and 29 deletions
--- a/cmd/host-agent/main.go
+++ b/cmd/host-agent/main.go
@ -63,15 +63,28 @@ func main() {
 		os.Exit(1)
 	}

-	// Expand base images to the standard disk size (sparse, no extra physical
+	// Parse default rootfs size from env (e.g. "5G", "2Gi", "1000M").
+	defaultRootfsSizeMB := sandbox.DefaultDiskSizeMB
+	if sizeStr := os.Getenv("WRENN_DEFAULT_ROOTFS_SIZE"); sizeStr != "" {
+		parsed, err := sandbox.ParseSizeToMB(sizeStr)
+		if err != nil {
+			slog.Error("invalid WRENN_DEFAULT_ROOTFS_SIZE", "value", sizeStr, "error", err)
+			os.Exit(1)
+		}
+		defaultRootfsSizeMB = parsed
+		slog.Info("using custom rootfs size", "size_mb", defaultRootfsSizeMB)
+	}
+
+	// Expand base images to the configured disk size (sparse, no extra physical
 	// disk). This ensures dm-snapshot sandboxes see the full size from boot.
-	if err := sandbox.EnsureImageSizes(rootDir, sandbox.DefaultDiskSizeMB); err != nil {
+	if err := sandbox.EnsureImageSizes(rootDir, defaultRootfsSizeMB); err != nil {
 		slog.Error("failed to expand base images", "error", err)
 		os.Exit(1)
 	}

 	cfg := sandbox.Config{
-		WrennDir: rootDir,
+		WrennDir:            rootDir,
+		DefaultRootfsSizeMB: defaultRootfsSizeMB,
 	}

 	mgr := sandbox.New(cfg)