oci: ignore system.nfs4_acl and extend forbidden-xattr handling #252
23704f4
to
aa8200d
Compare
Alright, this should fix the issue. @besnardjb did you want to test this?
Hi @cyphar, Thank you very much for the pull request, it is indeed much cleaner. I've made a quick test on the CentOS OCI image (from docker) and the NFS part is solved for me when extracting on shared FS with your configurable filter. However, I've encountered another attribute (user.rootlesscontainers) in this same image. As a consequence, I still fail on lsetxattr as attributes are not supported on the target file-system (details below). Here is how it failed and how I got there:
As my FS returns EOPNOTSUPP on such calls, I fail on extracting the image. In fact, it seems that extended attributes are not supported on NFS v4. So (and to my knowledge) I see some ways here:
The latter was my strategy here (besnardjb@612c1d2) although the implementation is clearly disputable 😄!
Thanks for your great work! I remain available. Cheers.
Ah okay. Yeah, we should ignore (but print a warning) on ENOTSUP. The string comparison is not the best way of doing it -- but I do understand what you mean. I'll work on an updated patch for that.
Okay, I've pushed a new patch that should fix it. Ignore the test failure, I'm working on that separately.
I confirm this solved my issue on both images for an NFS extract. Thanks!
Cool. I will merge this as soon as I've bumped the test coverage enough to make the tests succeed again. I'll also make a new release soon (sometime next week hopefully).
This obsoletes the need for a dedicated pkg/rootlesscontainers-proto (because I effectively just copied the sources). This allows us to increase our test coverage as well as remove the need to keep rootlesscontainers.proto in sync with upstream (we get that for free because we now use the canonical repository for the .proto). Signed-off-by: Aleksa Sarai <asarai@suse.de>
f4a302a
to
6a28d78
Compare
This is to bump coverage and to make sure we test things that not all distributions ship (also include some fixes to previous tests -- in a future patchset I will add some further systemic fixes to avoid $BUNDLE_* bugs which appear to be common). Signed-off-by: Aleksa Sarai <asarai@suse.de>
It turns out that system.nfs4_acl is yet another xattr that we shouldn't be touching, but also that we should not be clearing (while we have permission to do so, clearing it results in NFS permissions breaking). So as an extension we now use ignoreXattrs for both unpack and repack operations. Signed-off-by: Aleksa Sarai <asarai@suse.de>
6a28d78
to
1428960
Compare
This mirrors existing behaviour within Docker or similar tools, where we ignore lsetxattr(2) failures because there's not much you can do if the filesystem doesn't support it. Signed-off-by: Aleksa Sarai <asarai@suse.de>
1428960
to
88e46ad
Compare
LGTM.
It turns out that system.nfs4_acl is yet another xattr that we shouldn't
be touching, but also that we should not be clearing (while we have
permission to do so, clearing it results in NFS permissions breaking).
So as an extension we now use ignoreXattrs for both unpack and
repack operations.
Closes #248
Signed-off-by: Aleksa Sarai <asarai@suse.de>
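
The policy this thread settles on, as an added Go example that is not the project's own code: xattrs on the ignore list are skipped, and an ENOTSUP from lsetxattr(2) becomes a warning, matched by errno rather than by string comparison. `setFunc`, `applyXattrs`, `noXattrFS` and the sample path are assumptions constructed for illustration; only `ignoreXattrs` and the xattr names come from the thread.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"syscall"
)

// ignoreXattrs: name from the thread; this map is a stand-in, not the project's list.
var ignoreXattrs = map[string]bool{"system.nfs4_acl": true}

// setFunc stands in for lsetxattr(2) so the policy runs without a real filesystem.
type setFunc func(path, name string, value []byte) error

// applyXattrs sets every xattr not in ignoreXattrs. ENOTSUP/EOPNOTSUPP is
// downgraded to a warning; any other error aborts the unpack.
func applyXattrs(path string, xattrs map[string][]byte, set setFunc) (applied, warnings []string, err error) {
	names := make([]string, 0, len(xattrs))
	for name := range xattrs {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic order for logs and tests
	for _, name := range names {
		if ignoreXattrs[name] {
			continue
		}
		serr := set(path, name, xattrs[name])
		switch {
		case serr == nil:
			applied = append(applied, name)
		// Match the errno, not the error text: wrapping changes the text.
		case errors.Is(serr, syscall.ENOTSUP), errors.Is(serr, syscall.EOPNOTSUPP):
			warnings = append(warnings, fmt.Sprintf("ignoring xattr %s on %s: %v", name, path, serr))
		default:
			return applied, warnings, fmt.Errorf("lsetxattr %s on %s: %w", name, path, serr)
		}
	}
	return applied, warnings, nil
}

// noXattrFS is a constructed fake: a filesystem without xattr support.
func noXattrFS(path, name string, _ []byte) error {
	return fmt.Errorf("lsetxattr %s %s: %w", path, name, syscall.ENOTSUP)
}

func main() {
	fmt.Println(applyXattrs("/rootfs/bin/ping", map[string][]byte{"system.nfs4_acl": {1}, "user.rootlesscontainers": {2}}, noXattrFS))
}
```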