-
Notifications
You must be signed in to change notification settings - Fork 197
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
treefile: Add ignore-devices #5114
Conversation
Skipping CI for Draft Pull Request. |
a29814f
to
0d7d52c
Compare
For osbuild/image-builder this is certainly possible for day-1 image creation from an ostree commit, but it would need work. For ISOs, it would need Anaconda support, which I think is coming (or already done?).
Isn't this making assumptions about the container image and the application it's meant to run? I suppose all the cases we've seen so far have included devices accidentally/carelessly, but regardless, with this change, we're modifying the container image. The fact that podman doesn't validate sounds more like a bug we're leaning into than a feature we can rely on. |
I cannot think of a use case for embedding device nodes in a container image - they represent dynamic state.
Yeah, definitely. Fortunately the fix for reliable incremental online verification (composefs) on the c/storage (podman) side will move the device nodes into the EROFS metadata file, avoiding this problem. That said I only lightly tested this case - I verified that I should also xref here bitnami/minideb#171 - hopefully they fix that. |
0d7d52c
to
97fe71c
Compare
I changed this to be enabled by default, because doing otherwise would require a complex version-detection ratchet ("enable only if we detect it's supported") I believe on the osbuild side and if we're just going to enable it by default, then let's just...enable it by default here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
/retest |
looks like we are still failing:
|
97fe71c
to
a9ca65c
Compare
Yeah I only changed the docs, not the actual code for the default. Done now and CI passes. |
We hit another case where people are pulling a container image with devices in `/dev` in the tar stream; they're then trying to commit this to an ostree. There's much better ways to fix this: - Change the image to stop including devices as there's no reason to do so - Switch to logically bound images instead of physically bound - Use the composefs backend for c/storage Eventually I may look at "quoting" generally in ostree, but it's fairly invasive: ostreedev/ostree#2568 In practice today, simply ignoring the files will happen to work for "podman run" of such images; podman will just use overlayfs to stitch together the `diff` directories, and doesn't try to do any validation of their contents today. (Queue the composefs integration, which *would* do that but would also fix this anwyays) Signed-off-by: Colin Walters <[email protected]>
a9ca65c
to
8bc826c
Compare
We hit another case where people are pulling a container image with devices in
/dev
in the tar stream; they're then trying to commit this to an ostree.There's much better ways to fix this:
Eventually I may look at "quoting" generally in ostree, but it's fairly invasive: ostreedev/ostree#2568
In practice today, simply ignoring the files will happen to work for "podman run" of such images; podman will just use overlayfs to stitch together the
diff
directories, and doesn't try to do any validation of their contents today.(Queue the composefs integration, which would do that but would
also fix this anwyays)