-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
File attributes are not correctly hashed or preserved by ostree container encapsulate
resulting in a failure to pull images with bootc and rpm-ostree
#920
Comments
Hmmmm.... ostreedev/ostree-rs-ext#679 should only be affecting "layered" (i.e. non-ostree) paths. To be clear this container image is a "pure ostree" one, you haven't created any additional layers?
That seems sane as a workaround - there's no real reason to ship those xattrs anyways, right? But yes...it does look like there's some sort of bug here. |
This reproduces with the same result on rpm-ostree layered images as I'm running into this on my own image builds. This narrows the scope for the bug a bit since rpm-ostree calls the "pure ostree" path: https://github.com/coreos/rpm-ostree/blob/main/rust/src/container.rs#L519C36-L519C47. My workflow is to create a "pure ostree" image (layered/chunked with rpm-ostree) and then layer further software on top with buildah. Both the base image and the later layered images fail to pull. It is just much harder to write a small reproduction script to share here using a real bootable image because I need a RPM database or to download a bootstrap image. |
Also, on later images that build on the workaround base image that can be pulled using The machines boot fine and the file contents are OK, so that doesn't matter as much but might cause users to become concerned if they layer xattrs during a container build. EDIT: This is a different bug when I layer xattrs on a working base image. I can separately file that one if you want @cgwalters. |
I think I can answer why this happens for the "pure ostree" case, @cgwalters. It seems the root cause has been in https://github.com/ostreedev/ostree for a while and it may just be some coincidental changes in libdnf5, librpm or librepo which caused this to start failing container pulls now. libglnx will always sort the extended attributes returned from However, during commit the way Linux capabilities have been working because "security.capabilities" always comes before "security.selinux". However the existence of any "user.*" attributes means that list will no longer be sorted and therefore the hash calculated at commit time will not match what is stored in the bare repo and what is copied into the encapsulated commit container image. So, preserving # Create a new commit with just a single file with an extended attribute
mkdir commit
cd commit
echo "hello world" > test.txt
setfattr -n security.selinux -v "system_u:object_r:etc_runtime_t:s0" test.txt
setfacl -m "u:root:rw-" test.txt
setcap 'cap_net_bind_service=ep' test.txt
getfattr -d -m - -- *
stat test.txt
cd .. |
I have completed some end-to-end testing to confirm the behavior of bootc that I was encountering are root caused in and fully resolved by ostreedev/ostree#3346. Extended attributes of all types stored in bare, bare-user, and bare-split-xattrs ostree repositories and those in derived layers' tar streams will be properly handled by both OSTree and Composefs when the commit from the PR is merged. There were no backwards compatibility concerns encountered during testing. See ostreedev/ostree#3346 (comment) for details of the testing. I'm closing this issue now since there is nothing that needs to be changed in bootc or ostree-rs-ext. The issue can be tracked in ostreedev/ostree#3343 until the PR is merged. |
Recently I've observed pulling down images created with
rpm-ostree compose container-encapsulate
results in errors similar to this when runningbootc upgrade
:I determined on my images the content objects causing issues were files where
dnf5
wrote "user.librepo.checksum.mtime" and "user.librepo.checksum.sha256" extended attributes. These are written on RPMs installed from a (local to the container) repository.It is possible this is a regression due to ostreedev/ostree-rs-ext#679 because it's the only recent ostree-rs-ext/bootc commit touching extended attributes. It is also possible this is a bug that's always existed but is uncovered by preserving extended attributes from the container image tar stream. Regardless, this only started happening during the past week or so after rpm-ostree 2024.9-1 got released to rawhide.
I have written a minimal reproduction using
ostree container encapsulate
andostree container image pull
.Review and run this script with the working directory set to an empty directory or one you don't care about. It creates small ostree repos, commits, and container images in the current directory.
There are 3 changes to this script you can make to cause the test to pass with some degree of success (container pull succeeds and possibly
ostree fsck
as well; ideally both would succeed):--selinux-policy
argument on theostree commit
command. This is not a viable workaround because I need to relabel at this stage of building an image.user.*
extended attributes from the image. This is the workaround I went with for now, onlyuser.librepo.*
attributes are triggering this bug for me.ostree container image pull
to proceed butostree fsck -a
in a bare repo we pull into later doesn't pass.Reproduction script
Expand this to see reproduction script
Running this script on the rpm-ostree versions I detail below results in the following output.
Expand this to see reproduction output
Here's what the extended attributes look like in the container image:
Expand this to see interrogating the container
Software versions and environment
The underlying filesystem is btrfs. I use the Fedora 41 kernel, not the rawhide one.
The text was updated successfully, but these errors were encountered: