overlay, composefs: use mkcomposefs to generate composefs #1727
Conversation
|
@alexlarsson PTAL |
giuseppe
force-pushed
the
mkcomposefs-dump
branch
from
1bfe620
to
9beb89f
Compare
giuseppe
force-pushed
the
mkcomposefs-dump
branch
2 times, most recently
from
d01ce8b
to
aa7a442
Compare
|
marked as a draft for now, I'll try to move the fsverity logic into the chunked package so we don't need to carry the digests around |
looked into it, we will still need to propagate the digests anyway since composefs lives in the overlay driver. Moving the fsverity measurement in the chunked package can be done later. |
pkg/chunked/dump/dump.go
Outdated
| ESCAPE_STANDARD | ||
| ) | ||
|
|
||
| func escaped(val string, length int, escape int) string { |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
pkg/chunked/dump/dump.go
Outdated
| length = len(val) | ||
| } | ||
|
|
||
| if escapeLoneDash && length == 1 && val[0] == '-' { |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
pkg/chunked/dump/dump.go
Outdated
| NOESCAPE_SPACE = 1 << iota | ||
| ESCAPE_EQUAL | ||
| ESCAPE_LONE_DASH | ||
| ESCAPE_STANDARD |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
pkg/chunked/dump/dump.go
Outdated
| path = "/" + path | ||
| } | ||
|
|
||
| if _, err := fmt.Fprint(out, escaped(path, len(path), ESCAPE_STANDARD)); err != nil { |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| @@ -71,24 +87,42 @@ func enableVerityRecursive(path string) error { | |||
| if err := enableVerity(path, int(f.Fd())); err != nil { | |||
| return err | |||
| } | |||
|
|
|||
| verity, err := measureVerity(path, int(f.Fd())) | |||
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| @@ -109,10 +143,10 @@ func generateComposeFsBlob(toc []byte, composefsDir string) error { | |||
| // a scope to close outFd before setting fsverity on the read-only fd. | |||
| defer outFd.Close() | |||
|
|
|||
| cmd := exec.Command(writerJson, "--format=erofs", "--out=/proc/self/fd/3", "/proc/self/fd/0") | |||
| cmd := exec.Command(writerJson, "--from-file", "/proc/self/fd/0", "/proc/self/fd/3") | |||
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
|
I just released composefs 1.0.1 with the required dependencies for this. @smooge is packaging it up for fedora. |
giuseppe
force-pushed
the
mkcomposefs-dump
branch
from
aa7a442
to
c78e858
Compare
|
thanks for the review. I've addressed the comments and pushed a new version |
giuseppe
force-pushed
the
mkcomposefs-dump
branch
2 times, most recently
from
536aa21
to
195c208
Compare
if the file doesn't have a digest but its size is 0, we can hard code the known sha256 digest. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
so the differ can export arbitrary data that is not written as a big file. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
so that the users of the function can get access to the already unmarshalled TOC instead of having to unmarshal it again. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
mkcomposefs-dump
branch
from
195c208
to
870bb43
Compare
|
@alexlarsson I've encountered a small issue (still investigating): something like the following doesn't seem to preserve the st_nlink: anything obviously wrong? EDIT: overseen the nlink is part of the dump itself, going to fix it. |
giuseppe
force-pushed
the
mkcomposefs-dump
branch
from
870bb43
to
b4e200c
Compare
giuseppe
force-pushed
the
mkcomposefs-dump
branch
from
b4e200c
to
ac15fd2
Compare
|
addressed the new comments and pushed a new version |
provide a way to format the TOC in the same format that is generated by composefs-info, this is a preparation patch for the next commit. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
use mkcomposefs to generate composefs, instead of using the custom composefs-from-json. As part of the integration, retrieve the verity fs measurement after the files are written so that they can be embedded in the composefs image and their payload is validated each time the files are accessed. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
mkcomposefs-dump
branch
from
ac15fd2
to
4f1bf01
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexlarsson, giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@flouthoc PTAL |
|
LGTM |
|
Please let the bot handle merges. |
|
I know this question isn't related to this PR, just reusing it as a handy discussion forum...it looks like right now enabling this logic requires a build tag. And once the build tag is set, we unconditionally use composefs? Is there any reason not to switch to having this be an option in |
|
I agree, it is better to drop the build tag. I've used it when it was just a PoC and that required some custom binary to be present, but now there is no need to hide the feature |
use mkcomposefs to generate composefs, instead of using the custom composefs-from-json.
As part of the integration, retrieve the verity fs measurement after the files are written so that they can be embedded in the composefs image and their payload is validated each time the files are accessed.