Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

store: Support importing images without /ostree #887

Merged
merged 1 commit into from
Nov 9, 2024
Merged

store: Support importing images without /ostree #887

merged 1 commit into from
Nov 9, 2024

Conversation

cgwalters
Copy link
Collaborator

A sticking point keeping ostree in the picture here for containers was SELinux handling. When we started this effort I'd feared rewriting.

But recently we changed things such that we label derived images using the policy from the final root.

This is a relatively small change in code size and complexity, that allows us to import images that don't have "ostree stuff" in them at all, i.e. there's no /ostree/repo/objects.

The advantage here is that this significantly simplifies constructing base images.

The main disadvantage today for people who build images this way is that we end up re-labeling and re-checksumming all objects.

But, the real fix for that in the future will be for us to rework things such that we support security.selinux for example as native xattrs in the tar stream.

@cgwalters
store: Support importing images without /ostree
1770055 
A sticking point keeping ostree in the picture here for
containers was SELinux handling. When we started this
effort I'd feared rewriting.

But recently we changed things such that we label derived images
using the policy from the final root.

This is a relatively small change in code size and complexity,
that allows us to import images that don't have "ostree stuff"
in them at all, i.e. there's no `/ostree/repo/objects`.

The advantage here is that this significantly simplifies
constructing base images.

The main disadvantage today for people who build images
this way is that we end up re-labeling and re-checksumming all objects.

But, the real fix for that in the future will be for us to
rework things such that we support `security.selinux` for example
as native xattrs in the tar stream.

Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters mentioned this pull request Nov 8, 2024
Open
@cgwalters
Copy link
Collaborator Author

This was migrated from ostreedev/ostree-rs-ext#674 btw.

@cgwalters cgwalters mentioned this pull request Nov 8, 2024
Open
jmarrero
jmarrero approved these changes Nov 9, 2024
View reviewed changes
Copy link
Member

@jmarrero jmarrero left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

if I understand correctly, there is still a requirement then for the container image to be composefs not just any image can be used? Or any image like ubi could end up being used here?

@cgwalters
Copy link
Collaborator Author

if I understand correctly, there is still a requirement then for the container image to be composefs not just any image can be used? Or any image like ubi could end up being used here?

composefs is something we generate client side; it's not directly related except in that today one needs to explicitly turn on ostree-composefs in the container image's content.

Or any image like ubi could end up being used here?

See https://gitlab.com/fedora/bootc/tracker/-/issues/32#note_2201993683 - so yes, one could derive from ubi too.

@cgwalters cgwalters merged commit c49ccec into containers:main Nov 9, 2024
32 checks passed
@cgwalters
Copy link
Collaborator Author

cgwalters commented Dec 11, 2024
edited
Loading

I was asked about this PR recently, and just to clarify: I'd consider this PR "supported" in the sense that we will absolutely fix any bugs that arise, and we do have some tests, but it's just less battle tested than the previous path.

At some point we will probably try to change fedora-bootc to do this by default, but we have to be really cautious because we need to support people upgrading from old systems where the bootc won't support this.

So the overall goal is basically:

  • Make it easier to onboard fresh new base images without /ostree stuff that don't have backcompat concerns
  • Let this support trickle back into existing systems using bootc and test it out more, planning to rework to a new image format when we're confident most systems-being-upgraded-from have the support

(This issue also touches on #640 in that in theory it could help us get out of these bootstrap requirements; the bootc-in-target could handle any fixups)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmarrero jmarrero jmarrero approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cgwalters @jmarrero