-
Notifications
You must be signed in to change notification settings - Fork 26
Exporting OSTree commit to OCI does not maintain xattrs #655
Comments
Dup of #654 right? |
Oh sorry, I see...you're actually arguing we should switch to encoding them in the tar stream; I was misled by the issue title. |
In addition to putting them in the OSTree repo. Just verified the xattrs are not preserved. Top image is the original bazzite image which installs gamescope that requires sys_nice. Bottom image is after passing through rechunk (different versions, but both have gamescope). ❯ sudo podman run -it --rm ghcr.io/ublue-os/bazzite-ally:40-20240427 bash -c "getcap /usr/bin/*"
/usr/bin/gamescope cap_sys_nice=eip
❯ sudo podman run -it --rm ghcr.io/hhd-dev/bazzite-automated-deck bash -c "getcap /usr/bin/*"
// no output Mind the fact that both images miss e.g.,:
Which end up breaking rootless podman. If you were to deploy straight away. Of course, ostree-rs-ext will pull the caps from the repo, and I quirk the files as part of rechunk currently. |
This issue also relates to containers/podman#18543 among others.
One giant problem though is that you can't set |
From my current understanding, we have yet to find a usecase for custom The problem with SELinux currently is that rpm-ostree derives the policy from the base commit. Which causes issues mainly with Waydroid and Cosmic at the moment. |
Seems like tar-rs does not support writing xattrs. |
It does, it's just not obvious or documented, but see e.g. https://github.com/microsoft/rpmoci/blob/47443c4312505222460dfcd185308db7153897bb/src/archive.rs#L126 |
Indeed, the tar format supports xattrs. But from looking at the tar-rs source code used in ostree-rs-ext it seems to only support reading them, not writing them. Seems like |
You were right, I looked over this today again. Then got lost trying to convert Looks like a simple addition though. I will probably give it another shot over the weekend. |
alexcrichton/tar-rs#382 will be helpful for this |
This relies on the new tar API. Closes: ostreedev#655 Signed-off-by: Colin Walters <[email protected]>
Part 2 of issue:
#654
As noted in the ostree-rs-ext readme, tar encoding used to have very poor characteristics for xattrs, which is why the format bare-split-xattrs exists for an OSTree repository, which maintains them.
This is not true anymore. The version of podman shipped in Ubuntu 2024 handles both SELinux and xattrs correctly.
The focus of this issue is that a quirk in the OSTree to OCI converter means that the xattrs of the files are not serialized to the tar stream.
This is not an issue during image deployment.
However, it does become an issue if I want to use rechunk on top of rechunk (e.g., extend a base image and then chunk it again), or deploy an OSTree image with future bootc.
As both will drop caps and ignore the xattrs in the OSTree repo of the image, which is discarded.
Therefore, ostree-rs-ext needs to encode those attributes into the tar stream, so that recent versions of podman can read and maintain them.
If a novice user extends an image with an old version of podman and drops the xattrs this is OK, as it is very unlikely that user will introduce files that need caps or special perms. Then, during deployment, rpm-ostree and bootc can reuse the xattrs and directory permissions from the bare-xattrs metadata. More advanced users will be aware of this requirement if they plan to rechunk their image.
The text was updated successfully, but these errors were encountered: