aufs,overlay: backfill intermediate directories when possible

When extracting layer contents, if we find ourselves needing to implicitly create a directory (due to its not being included in the layer diff), try to give it the permissions, ownership, attributes, and datestamp of the corresponding directory from the layer which would be stacked below it. When a layer omits any of the directories which contain items which that layer adds or modifies, this should prevent the default values that we would use from overriding those which correspond to the same directory in a lower layer, which could later be mistaken as an indication that one or more of those was intentionally changed, forcing the directory to be pulled up. Signed-off-by: Nalin Dahyabhai <[email protected]>
containers · Jul 6, 2023 · 2a0c3c2 · 2a0c3c2
1 parent dc79a0d
commit 2a0c3c2
Show file tree

Hide file tree

Showing 7 changed files with 1,104 additions and 1 deletion.
diff --git a/drivers/aufs/aufs.go b/drivers/aufs/aufs.go
@@ -38,6 +38,7 @@ import (
 	"time"
 
 	graphdriver "github.com/containers/storage/drivers"
+	"github.com/containers/storage/drivers/unionbackfill"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/chrootarchive"
 	"github.com/containers/storage/pkg/directory"
@@ -46,6 +47,7 @@ import (
 	mountpk "github.com/containers/storage/pkg/mount"
 	"github.com/containers/storage/pkg/parsers"
 	"github.com/containers/storage/pkg/system"
+	"github.com/containers/storage/pkg/tarbackfill"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
@@ -564,6 +566,16 @@ func (a *Driver) applyDiff(id string, idMappings *idtools.IDMappings, diff io.Re
 	if idMappings == nil {
 		idMappings = &idtools.IDMappings{}
 	}
+	parentDiffDirs, err := a.getParentLayerPaths(id)
+	if err != nil {
+		return err
+	}
+	if len(parentDiffDirs) > 0 {
+		backfiller := unionbackfill.NewBackfiller(idMappings, parentDiffDirs)
+		rc := tarbackfill.NewIOReaderWithBackfiller(diff, backfiller)
+		defer rc.Close()
+		diff = rc
+	}
 	return chrootarchive.UntarUncompressed(diff, path.Join(a.rootPath(), "diff", id), &archive.TarOptions{
 		UIDMaps: idMappings.UIDs(),
 		GIDMaps: idMappings.GIDs(),

diff --git a/drivers/overlay/overlay.go b/drivers/overlay/overlay.go
@@ -21,6 +21,7 @@ import (
 	graphdriver "github.com/containers/storage/drivers"
 	"github.com/containers/storage/drivers/overlayutils"
 	"github.com/containers/storage/drivers/quota"
+	"github.com/containers/storage/drivers/unionbackfill"
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/chrootarchive"
 	"github.com/containers/storage/pkg/directory"
@@ -30,6 +31,7 @@ import (
 	"github.com/containers/storage/pkg/mount"
 	"github.com/containers/storage/pkg/parsers"
 	"github.com/containers/storage/pkg/system"
+	"github.com/containers/storage/pkg/tarbackfill"
 	"github.com/containers/storage/pkg/unshare"
 	units "github.com/docker/go-units"
 	"github.com/hashicorp/go-multierror"
@@ -2116,7 +2118,18 @@ func (d *Driver) ApplyDiff(id, parent string, options graphdriver.ApplyDiffOpts)
 
 	logrus.Debugf("Applying tar in %s", applyDir)
 	// Overlay doesn't need the parent id to apply the diff
-	if err := untar(options.Diff, applyDir, &archive.TarOptions{
+	diff := options.Diff
+	lowerDiffDirs, err := d.getLowerDiffPaths(id)
+	if err != nil {
+		return 0, err
+	}
+	if len(lowerDiffDirs) > 0 {
+		backfiller := unionbackfill.NewBackfiller(idMappings, lowerDiffDirs)
+		rc := tarbackfill.NewIOReaderWithBackfiller(diff, backfiller)
+		defer rc.Close()
+		diff = rc
+	}
+	if err := untar(diff, applyDir, &archive.TarOptions{
 		UIDMaps:           idMappings.UIDs(),
 		GIDMaps:           idMappings.GIDs(),
 		IgnoreChownErrors: d.options.ignoreChownErrors,

diff --git a/drivers/unionbackfill/backfill.go b/drivers/unionbackfill/backfill.go
@@ -0,0 +1,106 @@
+package unionbackfill
+
+import (
+	"archive/tar"
+	"io/fs"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/containers/storage/pkg/archive"
+	"github.com/containers/storage/pkg/idtools"
+	"github.com/containers/storage/pkg/system"
+)
+
+// NewBackfiller supplies a backfiller whose Backfill method provides the
+// ownership/permissions/attributes of a directory from a lower layer so that
+// we don't have to create it in an upper layer using default values that will
+// be mistaken for a reason that the directory was pulled up to that layer.
+func NewBackfiller(idmap *idtools.IDMappings, lowerDiffDirs []string) *backfiller {
+	if idmap != nil {
+		uidMaps, gidMaps := idmap.UIDs(), idmap.GIDs()
+		if len(uidMaps) > 0 || len(gidMaps) > 0 {
+			idmap = idtools.NewIDMappingsFromMaps(append([]idtools.IDMap{}, uidMaps...), append([]idtools.IDMap{}, gidMaps...))
+		}
+	}
+	return &backfiller{idmap: idmap, lowerDiffDirs: append([]string{}, lowerDiffDirs...)}
+}
+
+type backfiller struct {
+	idmap         *idtools.IDMappings
+	lowerDiffDirs []string
+}
+
+// Backfill supplies the ownership/permissions/attributes of a directory from a
+// lower layer so that we don't have to create it in an upper layer using
+// default values that will be mistaken for a reason that the directory was
+// pulled up to that layer.
+func (b *backfiller) Backfill(pathname string) (*tar.Header, error) {
+	for _, lowerDiffDir := range b.lowerDiffDirs {
+		candidate := filepath.Join(lowerDiffDir, pathname)
+		// if the asked-for path is in this lower, return a tar header for it
+		if st, err := os.Lstat(candidate); err == nil {
+			var linkTarget string
+			if st.Mode()&fs.ModeType == fs.ModeSymlink {
+				target, err := os.Readlink(candidate)
+				if err != nil {
+					return nil, err
+				}
+				linkTarget = target
+			}
+			hdr, err := tar.FileInfoHeader(st, linkTarget)
+			if err != nil {
+				return nil, err
+			}
+			// this is where we'd delete "opaque" from the header, if FileInfoHeader read xattrs
+			hdr.Name = strings.Trim(filepath.ToSlash(pathname), "/")
+			if st.Mode()&fs.ModeType == fs.ModeDir {
+				hdr.Name += "/"
+			}
+			if b.idmap != nil && !b.idmap.Empty() {
+				if uid, gid, err := b.idmap.ToContainer(idtools.IDPair{UID: hdr.Uid, GID: hdr.Gid}); err == nil {
+					hdr.Uid, hdr.Gid = uid, gid
+				}
+			}
+			return hdr, nil
+		}
+		// if the directory or any of its parents is marked opaque, we're done looking at lowers
+		p := strings.Trim(pathname, "/")
+		subpathname := ""
+		for {
+			dir, subdir := filepath.Split(p)
+			dir = strings.Trim(dir, "/")
+			if dir == p {
+				break
+			}
+			// kernel overlay style
+			xval, err := system.Lgetxattr(filepath.Join(lowerDiffDir, dir), archive.GetOverlayXattrName("opaque"))
+			if err == nil && len(xval) == 1 && xval[0] == 'y' {
+				return nil, nil
+			}
+			// aufs or fuse-overlayfs using aufs-like whiteouts
+			if _, err := os.Stat(filepath.Join(lowerDiffDir, dir, archive.WhiteoutOpaqueDir)); err == nil {
+				return nil, nil
+			}
+			// kernel overlay "redirect" - starting with the next lower layer, we'll need to look elsewhere
+			subpathname = strings.Trim(path.Join(subdir, subpathname), "/")
+			xval, err = system.Lgetxattr(filepath.Join(lowerDiffDir, dir), archive.GetOverlayXattrName("redirect"))
+			if err == nil && len(xval) > 0 {
+				subdir := string(xval)
+				if path.IsAbs(subdir) {
+					// path is relative to the root of the mount point
+					pathname = path.Join(subdir, subpathname)
+				} else {
+					// path is relative to the current directory
+					parent, _ := filepath.Split(dir)
+					parent = strings.Trim(parent, "/")
+					pathname = path.Join(parent, subdir, subpathname)
+				}
+				break
+			}
+			p = dir
+		}
+	}
+	return nil, nil
+}