
fix: mount host font configuration directories#1602

Open
Iceyer wants to merge 1 commit into master from codex/fix-issue-1584

Conversation

@Iceyer (Collaborator) commented Mar 6, 2026

Motivation

Description

  • Add /etc/fonts and /usr/share/fontconfig to bindHostStatics() mounts in libs/oci-cfg-generators/src/linglong/oci-cfg-generators/container_cfg_builder.cpp so font configuration files are bound into the container alongside font files.

Testing

  • Ran cmake -S . -B build -G Ninja to validate configuration, but the configure step failed in this environment due to missing GTest (Could NOT find GTest), so no unit tests were executed.

Codex Task


Note

Low Risk
Low risk: a small, read-only mount list change that only expands which host fontconfig directories are bind-mounted into containers.

Overview
Ensures containerized apps can see the host’s font configuration by adding read-only binds for /etc/fonts and /usr/share/fontconfig in ContainerCfgBuilder::bindHostStatics() alongside existing font-related mounts.

Written by Cursor Bugbot for commit eb8fdf6.

@deepin-ci-robot (Collaborator):

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Iceyer

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot (Collaborator):

deepin pr auto review

This change mainly adds mounts for the host's font and font configuration directories in the ContainerCfgBuilder::bindHostStatics function. Below are the review comments on this diff, covering four aspects: syntax and logic, code quality, code performance, and code security:

1. Syntax and logic

  • Result: pass
  • Analysis: the code correctly adds two new std::filesystem::path string literals to the C++11 initializer list. The syntax is fully correct and conforms to the C++ standard.

2. Code quality

  • Result: good, with room for improvement
  • Analysis
    • Readability: /etc/fonts and /usr/share/fontconfig are added so that the container can use the host's font resources; the intent is clear.
    • Comments: the code contains a FIXME comment about /etc/ssl. Since font support is being added here, consider adding a // Support for host fonts comment so that future maintainers understand what these two mounts are for, keeping the code style consistent.
    • Potential issue: mounting the entire /etc/fonts directory may pull in unnecessary configuration files or symbolic links, causing font resolution inside the container to behave differently than expected (for example when the host and container font library versions differ).

3. Code performance

  • Result: minor impact
  • Analysis
    • I/O overhead: /usr/share/fonts usually contains a large number of small files. That directory was already mounted; the newly added /etc/fonts and /usr/share/fontconfig contain relatively few files, so the mount-time overhead is small.
    • Runtime overhead: this mainly affects the mount phase at container start. For font directories, applications inside the container (such as GTK/Qt apps) need to scan them at startup to build the font cache. If the host's font cache files (usually under /var/cache/fontconfig) are not mounted as well, applications in the container may try to regenerate the cache on first run, which causes significant CPU and I/O overhead and can even slow application startup.
    • Suggestion: check whether the host's font cache directory (such as /var/cache/fontconfig or /var/cache/fontconfig-<hash>) also needs to be mounted, to avoid regenerating the cache inside the container.

4. Code security

  • Result: risk present
  • Analysis
    • Configuration injection risk: mounting /etc/fonts means applications in the container will follow the host's font configuration entirely. If the host's fonts.conf references paths that do not exist in the container, or configures additional untrusted font directories, applications in the container may crash or load malicious fonts.
    • Reduced isolation: isolation is the core principle of OCI containers. Directly mounting host system directories weakens it. If the host's font libraries contain a vulnerability (for example in a font parsing engine), an attacker might exploit it to escape the container or affect the host (although font parsing vulnerabilities usually lead to a crash or code execution inside the container, mounting host resources enlarges the attack surface).
    • Suggestions
      1. Evaluate whether /etc/fonts really needs to be mounted. If only font files are needed, mounting /usr/share/fonts may already be sufficient (though some configuration may be missing).
      2. If the configuration must be mounted, consider validating the configuration files in the container startup script, or include a default safe configuration when building the image and only override the font file paths via mounts.

Summary and suggested improvements

This change fixes font display inside containers, but to improve robustness and security the following improvements are suggested:

  1. Add a comment: state explicitly that these two directories are mounted to support host fonts.
  2. Consider mounting the cache: to avoid slow startup caused by applications regenerating the font cache inside the container, evaluate whether the host's font cache directory (for example /var/cache/fontconfig) should be mounted too.
  3. Security considerations
    • Confirm that the host's /etc/fonts configuration is safe.
    • If possible, mount read-only (bindHostStatics usually implies this, but confirm whether the implementation layer adds the ro option).

Suggested improved code:

ContainerCfgBuilder &ContainerCfgBuilder::bindHostStatics() noexcept
{
    std::vector<std::filesystem::path> statics{
        "/etc/machine-id",
        // Support for host fonts and font configurations
        "/etc/fonts",
        // FIXME: support for host /etc/ssl, ref https://github.com/p11-glue/p11-kit
        "/usr/lib/locale",
        "/usr/share/fontconfig",
        "/usr/share/fonts",
        "/usr/share/icons",
        "/usr/share/themes",
        // ...
    };
    // ... subsequent processing logic
}
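An added example, not linglong's own code, illustrating the read-only bind policy discussed in the review above and the ro check it asks for: it builds OCI-spec mount entries for the host statics list, skips directories the host lacks, and verifies every entry carries ro. The struct and function names (OciMount, buildHostStaticMounts, allReadOnly, ociMountsJson, demoMounts) and the chosen mount options are assumptions, not linglong's API.

```cpp
// Added example (not linglong's code): read-only bind mounts for the host
// static directories, as an OCI "mounts" array, plus the check that none is
// writable. All names are assumptions.
#include <algorithm>
#include <functional>
#include <string>
#include <vector>

struct OciMount {
    std::string destination, source;   // container path, host path (type "bind")
    std::vector<std::string> options;  // e.g. rbind, ro, nosuid, nodev
};
// One read-only bind mount per host directory that exists. `exists` is injected
// so the policy is testable offline; a host lacking a directory must not fail.
std::vector<OciMount> buildHostStaticMounts(
    const std::vector<std::string> &statics,
    const std::function<bool(const std::string &)> &exists) {
    std::vector<OciMount> mounts;
    for (const auto &p : statics)
        if (exists(p)) mounts.push_back({p, p, {"rbind", "ro", "nosuid", "nodev"}});
    return mounts;
}

// The check the review asks for: every host static must carry "ro".
bool allReadOnly(const std::vector<OciMount> &mounts) {
    return std::all_of(mounts.begin(), mounts.end(), [](const OciMount &m) {
        return std::find(m.options.begin(), m.options.end(), "ro") != m.options.end();
    });
}

// Render as the JSON an OCI config.json expects (paths and options are assumed
// to contain nothing that needs JSON escaping).
std::string ociMountsJson(const std::vector<OciMount> &mounts) {
    std::string out = "[";
    for (size_t i = 0; i < mounts.size(); ++i) {
        const OciMount &m = mounts[i];
        out += std::string(i ? "," : "") + "{\"destination\":\"" + m.destination +
               "\",\"type\":\"bind\",\"source\":\"" + m.source + "\",\"options\":[";
        for (size_t j = 0; j < m.options.size(); ++j)
            out += std::string(j ? ",\"" : "\"") + m.options[j] + "\"";
        out += "]}";
    }
    return out + "]";
}
// Constructed host view: the PR's directories with /usr/share/fontconfig absent.
std::vector<OciMount> demoMounts() {
    return buildHostStaticMounts({"/etc/fonts", "/usr/share/fontconfig", "/usr/share/fonts"},
                                 [](const std::string &p) { return p != "/usr/share/fontconfig"; });
}
```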

@gemini-code-assist (Contributor):

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue where containerized applications failed to display CJK (Chinese, Japanese, Korean) characters correctly due to a lack of access to the host's font configuration settings. By bind-mounting essential font configuration directories from the host system into containers, applications can now properly utilize font fallback mechanisms, ensuring correct text rendering.

Highlights

  • Font Configuration: Added /etc/fonts and /usr/share/fontconfig to the list of host static directories that are bind-mounted into containers.


Changelog

  • libs/oci-cfg-generators/src/linglong/oci-cfg-generators/container_cfg_builder.cpp
    • Added /etc/fonts and /usr/share/fontconfig to the statics vector within the bindHostStatics() method.

Activity

  • The author attempted to validate the configuration by running cmake, but unit tests could not be executed due to a missing GTest dependency in the environment.

@gemini-code-assist bot left a comment
Code Review

This pull request correctly adds the necessary host font configuration directories (/etc/fonts and /usr/share/fontconfig) to the container's bind mounts, which should resolve the CJK font rendering issue. The change is straightforward and follows the existing structure. While it's noted that tests could not be run due to environment issues, the change itself is low-risk. I have one suggestion to improve code consistency and maintainability.

Comment on lines 479 to +480

        "/etc/machine-id",
        "/etc/fonts",

medium

For better maintainability and consistency, please consider keeping the list of paths sorted alphabetically within their respective groups (e.g., /etc, /usr/share). The /usr/share paths are already sorted alphabetically, and applying the same convention to the /etc paths would improve readability as this list grows.

Suggested change:

        "/etc/fonts",
        "/etc/machine-id",

@codecov bot commented Mar 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Files with missing lines | Coverage Δ
...glong/oci-cfg-generators/container_cfg_builder.cpp | 0.00% <ø> (ø)

... and 1 file with indirect coverage changes
