ostree-rs-ext

extended attributes discarded for layered changes

Open cgwalters opened this issue 1 year ago • 7 comments

Right now when we filter the tar stream we end up discarding xattrs - there's a bit of nontrivial work necessary on our side to handle this.

It also opens up the interesting question of whether we try to e.g. honor any security.selinux that may be present.

It is clear that we definitely want security.capability, and for that matter we might as well propagate things like user..

cgwalters avatar Aug 20 '24 20:08 cgwalters

Here is a workaround required due to this at the moment. Since bazzite is using rechunk this can be removed, but it is used throughout Universal Blue images and derivatives. For other applications as well.

https://github.com/ublue-os/bazzite/blob/9a9a4861b025f44aaf6cd40ff006c911fa3abe01/system_files/desktop/shared/usr/lib/systemd/system/gamescope-workaround.service

I was told this might be corrupting OSTree file hashes, and might be partially behind https://github.com/secureblue/secureblue/issues/369 which fails when setting xattrs. Or at least the variant used there, since the only 5 files that error during ostree fsck in the secureboot family have had their caps modded.

antheas avatar Aug 21 '24 13:08 antheas

@cgwalters , the mentioned workaround is for an executable on the host file system.

If we know that we "lost" a capability in an executable inside a given image, is there a better way to set it rather than the following?

setcap 'cap_net_bind_service=+ep' ./vfs/dir/3f9f2616036a52ed598e7c806953ce61e0569a62429ab0080c46f78eea5faba3/usr/sbin/haproxy

ggiguash avatar Sep 16 '24 15:09 ggiguash
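The question above is about a file that lost its `security.capability` xattr. That xattr is a small binary record (`struct vfs_cap_data` from `linux/capability.h`), so it helps to be able to decode it, reproduce what `setcap` writes, and walk a checkout to list which files still carry one. The following is an added example, not code from ostree-rs-ext or from any project in this thread; the 20-byte `HAPROXY_BLOB` is a constructed sample of what `setcap cap_net_bind_service=+ep` stores, and `audit_tree`/`missing_caps` are hypothetical helper names that only work on Linux (they use `os.getxattr`).

```python
#!/usr/bin/env python3
"""Decode, encode and audit the security.capability xattr (added example).

Layout follows struct vfs_cap_data from linux/capability.h: a little-endian u32
magic_etc (revision in the top byte, effective flag in bit 0) followed by one or
two {permitted, inheritable} u32 pairs, plus a rootid u32 in revision 3.
"""
import os
import struct
import sys

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_1 = 0x01000000  # one u32 pair, 12 bytes
VFS_CAP_REVISION_2 = 0x02000000  # two u32 pairs, 20 bytes (what setcap writes)
VFS_CAP_REVISION_3 = 0x03000000  # v2 layout + rootid u32, 24 bytes

# Index == capability number from linux/capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
CAP_NET_BIND_SERVICE = 10


def cap_name(bit):
    return CAP_NAMES[bit] if bit < len(CAP_NAMES) else str(bit)


def decode_file_caps(blob):
    """Parse a raw security.capability value into permitted/inheritable masks."""
    if len(blob) < 4:
        raise ValueError("security.capability blob too short")
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    sizes = {VFS_CAP_REVISION_1: (1, 12), VFS_CAP_REVISION_2: (2, 20),
             VFS_CAP_REVISION_3: (2, 24)}
    if revision not in sizes:
        raise ValueError(f"unknown security.capability revision {revision:#x}")
    pairs, expected_len = sizes[revision]
    if len(blob) != expected_len:
        raise ValueError(f"expected {expected_len} bytes, got {len(blob)}")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def caps_to_text(caps):
    """Render like getcap: caps grouped by their e/i/p flags, e.g. 'cap_net_bind_service=ep'."""
    groups = {}
    for bit in range(64):
        p = bool(caps["permitted"] & (1 << bit))
        i = bool(caps["inheritable"] & (1 << bit))
        if not (p or i):
            continue
        flags = ("e" if p and caps["effective"] else "") + ("i" if i else "") + ("p" if p else "")
        groups.setdefault(flags, []).append(cap_name(bit))
    return " ".join(f"{','.join(names)}={flags}" for flags, names in groups.items())


def encode_file_caps(permitted, inheritable, effective=True):
    """Build the 20-byte revision-2 blob that `setcap 'cap_x=+ep'` stores."""
    magic_etc = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic_etc, permitted & 0xFFFFFFFF,
                       inheritable & 0xFFFFFFFF, permitted >> 32, inheritable >> 32)


def audit_tree(root):
    """Linux only: {path: caps text} for every file under root that still has the xattr."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # ENODATA (no caps), ENOTSUP, EACCES: skip
                continue
            found[path] = caps_to_text(decode_file_caps(blob))
    return found


def missing_caps(expected, root):
    """expected: {relative path: caps text} the packages declare; returns entries the checkout lost."""
    actual = audit_tree(root)
    return {rel: text for rel, text in expected.items()
            if actual.get(os.path.join(root, rel)) != text}


# Constructed sample: what `setcap cap_net_bind_service=+ep` leaves on a binary.
HAPROXY_BLOB = bytes.fromhex("01000002" "00040000" "00000000" "00000000" "00000000")

if __name__ == "__main__":
    print("sample blob decodes to:", caps_to_text(decode_file_caps(HAPROXY_BLOB)))
    if len(sys.argv) > 1:  # e.g. a vfs/dir/<digest> checkout
        for path, text in sorted(audit_tree(sys.argv[1]).items()):
            print(path, text)
```

Pointing `audit_tree` at two checkouts of the same image, one made from the container layers and one from the ostree commit, and diffing the results is a quick way to confirm which files the layered path stripped; `missing_caps` does the same against a list of expected capabilities (for RPM content, `rpm -q --queryformat '[%{FILENAMES} %{FILECAPS}\n]'` is the usual source).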

(edited) There's no trivial build-time workaround for this possible, the xattrs are being discarded on the client side.

What would fix it is "rechunking" an image and generating an ostree commit, which we're working on tooling for, but is more invasive.

cgwalters avatar Sep 16 '24 21:09 cgwalters

@cgwalters, do we have other options than rechunking? IDM is blocked on this issue, so I am trying to educate myself a bit more in this problem space.

vrothberg avatar Oct 25 '24 09:10 vrothberg

Hi Valentin, as a dirty workaround something like the service I posted above works and was used for months in Universal Blue for multiple projects

antheas avatar Oct 25 '24 09:10 antheas

Thanks for sharing, @antheas !

vrothberg avatar Oct 25 '24 09:10 vrothberg

We are planning to move some of FreeIPA rpm post-install scripts into a separate service we can run on each reboot, so the approach to add capabilities through the hack is something that we might consider as well. However, for IdM customers modification of the immutable parts of the image at instantiation time would be unacceptable.

abbra avatar Oct 30 '24 10:10 abbra

This is fixed as part of https://github.com/ostreedev/ostree-rs-ext/pull/679

cgwalters avatar Nov 05 '24 21:11 cgwalters