Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add tar xattr support #707

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add tar xattr support #707

wants to merge 1 commit into from

Conversation

bozaro
Copy link

@bozaro bozaro commented Jun 5, 2023

Motivation

I need tool to set "max locked memory" ulimit for mongos inside Kubernetes environment.
This tool need etcap cap_sys_resource+ep xattr on file.

This PR allows set xattr on files inside .tar artchives.

Example

Allow set xattr inside tar archives, for example:

pkg_tar(
    name = "tool-layer",
    extension = "tar",
    files = {
        ":ulimit-wrapper": "/usr/local/bin/ulimit-wrapper",
    },
    # setcap cap_sys_resource+ep ulimit-wrapper && getfattr -d -e hex -m - ulimit-wrapper
    xattr = [
        "security.capability=0x0100000200000001000000000000000000000000",
    ],
)

@bozaro bozaro force-pushed the tar-xattr-support branch 2 times, most recently from ba6e562 to 027f82d Compare June 5, 2023 11:59
@bozaro bozaro marked this pull request as ready for review June 5, 2023 12:31
@bozaro bozaro requested review from aiuto and nacl as code owners June 5, 2023 12:31
@aiuto
Copy link
Collaborator

aiuto commented Jun 5, 2023

Can you start a bug about this so we can get the requirements right first.
It looks like you are setting xattr on each file. If that is the need, then we should raise this to the level of other attributes, like owner and perms, so we can apply it to each file distinctly.

@bozaro
Copy link
Author

bozaro commented Jun 5, 2023

I want to make something like Dockerfile:

FROM ubuntu:22.04
...
COPY app /usr/local/bin/app
RUN setcap cap_sys_resource+ep /usr/local/bin/app

In BUILD.bazel I got rules like:

load("@rules_pkg//:pkg.bzl", "pkg_tar")
load("@io_bazel_rules_docker//container:container.bzl", "container_image")

...

pkg_tar(
    name = "app-tar",
    extension = "tar",
    files = {
        ":app": "/usr/local/bin/app",
    },
    xattr = [
        "security.capability=0x0100000200000001000000000000000000000000",
    ],
)

container_image(
    name = "app-image",
    ...
    tars = [
        ":app-tar",
    ],
)

In this example xattr I set xattr to all one file, but in this PR also supported xattrs attribute like:

    xattrs = {
    	"usr/local/bin/app": [
    	    "security.capability=0x0100000200000001000000000000000000000000",
        ]
    },

@aiuto
Copy link
Collaborator

aiuto commented Aug 9, 2023

Can you think about how this should be in pkg_files. Adding it only to pkg_tar is sort of a dead end.
We want tools that describe what you want independently of the final package type.

@aiuto aiuto mentioned this pull request Sep 19, 2023
Merged
fruechel-canva
fruechel-canva reviewed Mar 15, 2024
View reviewed changes
pkg/private/tar/build_tar.py
key = item[:idx]
raw = item[idx+1:]
if raw.startswith("0x"):
xattrs[key] = bytes.fromhex(raw[2:]).decode('latin-1')
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You probably want to use .decode('utf-8', "surrogateescape") here as certain xattrs will be re-encoded incorrectly otherwise. On re-encoding the tarfile module uses surrogateescape to restore any values that don't cleanly decode to UTF-8.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fruechel-canva fruechel-canva fruechel-canva left review comments

@aiuto aiuto Awaiting requested review from aiuto aiuto is a code owner

@nacl nacl Awaiting requested review from nacl

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bozaro @aiuto @fruechel-canva