Various composefs work #1662
Various composefs work #1662
Conversation
github-actions
bot
added
area/install
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a significant amount of work related to composefs, including switching the fs-verity hashing algorithm from SHA256 to SHA512, adding a new workflow for building 'sealed' images with Unified Kernel Images (UKIs), and making the composefs backend a default feature. The changes are mostly consistent and well-structured, with good use of type aliases to improve code clarity.
However, I've found a few issues that need attention:
- There's some dead and potentially buggy code in the new
xtaskfor building sealed images. - A new Dockerfile contains a leftover command that should be removed.
- The documentation for newly added CLI options and subcommands is incomplete.
Please see my detailed comments for suggestions on how to address these points.
| **--composefs-native** | ||
|
|
||
|
|
||
|
|
||
| **--insecure** | ||
|
|
||
|
|
||
|
|
||
| Default: false | ||
|
|
||
| **--bootloader**=*BOOTLOADER* | ||
|
|
||
|
|
||
|
|
||
| Default: grub |
There was a problem hiding this comment.
The documentation for the new options --composefs-native, --insecure, and --bootloader is incomplete. Please add descriptions for these options to explain their purpose and usage.
| | **bootc usr-overlay** | Add a transient writable overlayfs on `/usr` | | ||
| | **bootc install** | Install the running container to a target | | ||
| | **bootc container** | Operations which can be executed as part of a container build | | ||
| | **bootc composefs-finalize-staged** | | |
There was a problem hiding this comment.
The description for the new subcommand bootc composefs-finalize-staged is missing. Please add a description to explain what this command does.
|
Split prep work for this to #1665 |
cgwalters
force-pushed
the
composefs-by-default
branch
from
837dc44 to
cccc2f8
Compare
|
@jeckersb I ended up reworking this one to use the bootc-in-container for the sealing side because it would be too annoying in our CI to have it be on the host (which is ubuntu here). |
| // Allocate a tempdir | ||
| let td = tempdir_in("/var/tmp")?; | ||
| let td = td.path(); | ||
| let td = &Dir::open_ambient_dir(td, cap_std::ambient_authority())?; |
There was a problem hiding this comment.
I don't think this is an issue even though claude pointed it out, but I still want to comment here to clarify.
Claude seems to think because this shadows the original td via the let td = td.path(); line, that the tempdir might get dropped early and there could potentially be issues with it getting cleaned up. But it's my impression that shadowing the variable doesn't change the semantics around when things get dropped. Which means that in this case, the original TempDir remains valid for the entire scope and won't be dropped until the end. Same as if it was called td_dir or something else unshadowed.
|
I'm guessing this is something to do with me running |
|
Hmm I don't know what's up with that error. Offhand it's perhaps something to do with the source bind path when it's relative? Does it work if you make it an absolute path? What's your wrapper for |
Nope still doesn't work with absolute paths I don't have any wrapper for and then... I suspect there's just something weird going on with passing secrets across via podman-remote from inside of the toolbox. I'll poke at it more tomorrow. Given the eyeball test the changes look good to me. From CI it looks like it needs a |
Testing a stripped-down case this morning, it works fine for me to pass secrets inside of the toolbox over podman-remote to the host. I've also verified that if I run the original podman command directly on the host, it works properly. So I'm thinking now that it has something to do with passing secrets over podman-remote in combination with multistage builds. |
Ahhhhhh it's this - containers/podman#25314 I'll put in a separate PR to add that silly workaround to our .dockerignore |
cgwalters
force-pushed
the
composefs-by-default
branch
from
cccc2f8 to
d8c0ea4
Compare
It's too spammy. Signed-off-by: Colin Walters <[email protected]>
The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <[email protected]>
Signed-off-by: Colin Walters <[email protected]>
So it can be executed more generically on any container image as input and write to output. Signed-off-by: Colin Walters <[email protected]>
Signed-off-by: Colin Walters <[email protected]>
This ensures we're SHA-512 across the board. Signed-off-by: Colin Walters <[email protected]>
- Add build infrastructure to toplevel to seal - Change the install logic to detect UKIs and automatically enable composefs Signed-off-by: Colin Walters <[email protected]>
See containers/composefs-rs#131 Signed-off-by: Colin Walters <[email protected]>
cgwalters
force-pushed
the
composefs-by-default
branch
from
d8c0ea4 to
c03e6c6
Compare
Signed-off-by: Colin Walters <[email protected]>
cgwalters
force-pushed
the
composefs-by-default
branch
from
c03e6c6 to
e12b574
Compare
No description provided.