This repository has been archived by the owner on Nov 7, 2024. It is now read-only.

extended attributes discarded for layered changes #654

Closed
cgwalters opened this issue Aug 20, 2024 · 8 comments
Labels
bug Something isn't working

Comments

@cgwalters
Member

Right now when we filter the tar stream we end up discarding xattrs - there's a bit of nontrivial work necessary on our side to handle this.

It also opens up the interesting question of whether we try to e.g. honor any security.selinux that may be present.

It is clear that we definitely want security.capability, and for that matter we might as well propagate things like user..
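The loss described above can be reproduced with plain tarfile handling: an added example (not the project's code) in which a hypothetical per-member filter rebuilds each TarInfo from scratch, so the SCHILY.xattr.* PAX records, including security.capability, never reach the output layer. The xattr payload and the member path are constructed sample data, and `capability_lost` is the check a build or CI step could run over a rewritten layer.

```python
import io
import tarfile

# Constructed sample value for security.capability, kept as opaque bytes
# (laid out like a VFS_CAP_REVISION_2 record for cap_net_bind_service=ep).
CAP_XATTR = bytes.fromhex("0100000200040000000000000000000000000000")
XATTR_KEY = "SCHILY.xattr.security.capability"
MEMBER = "usr/sbin/haproxy"


def build_layer() -> bytes:
    """Constructed input: one executable whose capability xattr travels in a
    PAX extended header, the way GNU tar and container tooling emit it."""
    payload = b"#!/bin/sh\nexit 0\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        ti = tarfile.TarInfo(MEMBER)
        ti.size, ti.mode = len(payload), 0o755
        ti.pax_headers = {XATTR_KEY: CAP_XATTR.decode("latin-1")}
        tf.addfile(ti, io.BytesIO(payload))
    return buf.getvalue()


def filter_layer(layer: bytes, keep_xattrs: bool) -> bytes:
    """Rewrite a layer member by member (a hypothetical filter step).
    With keep_xattrs=False each TarInfo is rebuilt from its basic fields
    and the PAX records, including security.capability, are silently lost."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(layer)) as src, \
         tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as dst:
        for m in src:
            new = tarfile.TarInfo(m.name)
            new.size, new.mode, new.mtime, new.type = m.size, m.mode, m.mtime, m.type
            if keep_xattrs:
                new.pax_headers = dict(m.pax_headers)  # carry xattr records across
            dst.addfile(new, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()


def xattrs_of(layer: bytes, name: str) -> dict:
    """Return the xattr PAX records recorded for one member."""
    with tarfile.open(fileobj=io.BytesIO(layer)) as tf:
        headers = tf.getmember(name).pax_headers
    return {k: v for k, v in headers.items() if k.startswith("SCHILY.xattr.")}


def capability_lost(layer: bytes, name: str = MEMBER) -> bool:
    """True when the member carries no security.capability record."""
    return XATTR_KEY not in xattrs_of(layer, name)
```

Running `capability_lost` against the output of the naive rewrite returns True; against the xattr-preserving rewrite it returns False and the original record bytes come back intact.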

@antheas
Collaborator

antheas commented Aug 21, 2024

Here is a workaround required due to this at the moment. Since bazzite is using rechunk this can be removed, but it is used throughout Universal Blue images and derivatives. For other applications as well.

https://github.com/ublue-os/bazzite/blob/9a9a4861b025f44aaf6cd40ff006c911fa3abe01/system_files/desktop/shared/usr/lib/systemd/system/gamescope-workaround.service

I was told this might be corrupting OSTree file hashes, and might be partially behind secureblue/secureblue#369 which fails when setting xattrs. Or at least the variant used there, since the only 5 files that error during ostree fsck in the secureboot family have had their caps modded.

@ggiguash

ggiguash commented Sep 16, 2024

@cgwalters, the mentioned workaround is for an executable on the host file system.

If we know that we "lost" a capability in an executable inside a given image, is there a better way to set it rather than the following?

setcap 'cap_net_bind_service=+ep' ./vfs/dir/3f9f2616036a52ed598e7c806953ce61e0569a62429ab0080c46f78eea5faba3/usr/sbin/haproxy

@cgwalters
Member Author

cgwalters commented Sep 16, 2024

There's no trivial build-time workaround possible for this; the xattrs are being discarded on the client side.

What would fix it is "rechunking" an image and generating an ostree commit, which we're working on tooling for, but is more invasive.

@vrothberg

@cgwalters, do we have other options than rechunking? IDM is blocked on this issue, so I am trying to educate myself a bit more in this problem space.

@antheas
Collaborator

antheas commented Oct 25, 2024

Hi Valentin, as a dirty workaround something like the service I posted above works and was used for months in Universal Blue for multiple projects.

@vrothberg

Thanks for sharing, @antheas!

@abbra

abbra commented Oct 30, 2024

We are planning to move some of FreeIPA rpm post-install scripts into a separate service we can run on each reboot, so the approach to add capabilities through the hack is something that we might consider as well. However, for IdM customers modification of the immutable parts of the image at instantiation time would be unacceptable.

@cgwalters
Member Author

This is fixed as part of #679
