Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

core: Always sort incoming xattrs #3346

Merged
merged 1 commit into from
Dec 3, 2024
Merged

core: Always sort incoming xattrs #3346

merged 1 commit into from
Dec 3, 2024

Conversation

cgwalters
Copy link
Member

When recomputing selinux attrs during commit, we weren't sorting, which could cause various issues like fsck failures.

This is a big hammer; change things so we always canonicalize (i.e. sort) the incoming xattrs when creating a file header.

I think almost all places in the code were already keeping things sorted, but it's better to ensure correctness first. If we ever have some performance issue (I'm doubtful) we could add something like _ostree_file_header_known_canonicalized or so.

Closes: #3343

cgwalters
cgwalters commented Nov 27, 2024
View reviewed changes
tests/test-basic-c.c Outdated
g_assert_no_error (error);
}

/* And now with a swapped order */
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And I also verified that this test successfully fails if we drop the xattr canonicalization.

@prydom
Copy link

prydom commented Nov 27, 2024
edited
Loading

I get the following error when pulling an image into ostree layered on top of quay.io/fedora/fedora-kinoite. It has user.* xattrs in the container tar stream.

2024-11-27T18:39:25.0514353Z layers already present: 0; layers needed: 89 (4.5 GB)
2024-11-27T18:40:54.5755174Z error: Importing: Parsing layer blob sha256:4c7aee33c4535de34dfdde394e64174d0177144339e7d35846be7ce1663722f4: error: ostree-tar: Failed to handle directory: Incorrectly sorted xattr name, index=2: Processing tar: Failed to commit tar: ExitStatus(unix_wait_status(256))

EDIT: If you want to see the CI job, it is here: https://github.com/prydom/my-ostree-build/actions/runs/12056266866/job/33618838686. The build container has ostree and ostree-libs build from commit 2be4c52.

@prydom prydom mentioned this pull request Nov 27, 2024
Closed
@cgwalters cgwalters force-pushed the commit-label-ordering branch from 2be4c52 to c863558 Compare November 27, 2024 22:08
@cgwalters
Copy link
Member Author

Thanks for testing this out! I pushed an update that also covers directory metadata - only unit tested here so far.

@prydom
Copy link

prydom commented Nov 28, 2024
edited
Loading

I've done another round of end-to-end testing and the changes work well for me.

On github actions:

  • Updated ostree-libs to c863558 on CI build container.
  • Built multiple layers upon upstream bootable container image which introduced the librepo extended attributes in tar stream.
  • Pulled container image into empty bare ostree repository (this step is what failed earlier)
  • Checked out image with ostree, made some further changes that are not appropriate to do with image layering
  • Checked image back into new ostree ref and used --selinux-policy= to relabel based on policy in image
  • Ran rpm-ostree compose container-encapsulate to re-encapsulate commit as image and upload to registry

In podman on dev machine:

  • Added an additional container image layer with even more extended attributes. Signed & uploaded to registry.
  • In build container (same as CI) with updated ostree, created empty bare-user repo. Pulled image into repo. ostree fsck passes.
  • Run ostree fsck on the sysroot in the container created from new image (bare-split-xattrs). Passes.

On target machine:

  • Used bootc to switch/rebase to new image. Existing host with bootc and the new image does not have updated ostree library. Image pulls successfully.
  • Booted into staged image successfully.
  • Confirmed that introduced user xattrs are preserved.
  • ostree fsck run from the booted image on sysroot fails on files that have user xattrs. This is because the ostree library hasn't been updated in the image.
  • Activate usr-overlay, install rpms with ostree and ostree-libs from this PR, create new bare repo, pull container into fresh repo and ostree fsck passes.

allisonkarlitskaya
allisonkarlitskaya reviewed Nov 28, 2024
View reviewed changes
src/libostree/ostree-core.c Show resolved Hide resolved
src/libostree/ostree-core.c Show resolved Hide resolved
src/libostree/ostree-core.c Show resolved Hide resolved
tests/test-basic-c.c Outdated Show resolved Hide resolved
tests/test-basic-c.c Outdated Show resolved Hide resolved
tests/test-basic-c.c Show resolved Hide resolved
@cgwalters
core: Always sort incoming xattrs
1858d3d 
When recomputing selinux attrs during commit, we weren't sorting,
which could cause various issues like fsck failures.

This is a big hammer; change things so we always canonicalize
(i.e. sort) the incoming xattrs when creating a file header
and directory metadata.

I think almost all places in the code were already keeping
things sorted, but it's better to ensure correctness first.
If we ever have some performance issue (I'm doubtful) we
could add something like `_ostree_file_header_known_canonicalized`
or so.

Closes: ostreedev#3343

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/composefs that referenced this pull request Dec 2, 2024
@cgwalters
writer: Reject empty xattr names
e51631d 
Came out of a related discussion in ostree
ostreedev/ostree#3346 (comment)

Today we faithfully write this, and `fsck.erofs` doesn't seem
to complain...but such a thing makes no sense so we shouldn't
support it.

Actually digging in more here...in practice the way xattrs
work in Linux at least is they're restricted to starting with
one of the standard prefixes like `security.` or `user.`; but
enforcing/validating that is a whole other thing. For now
let's just deny this edge case.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/composefs that referenced this pull request Dec 2, 2024
@cgwalters
writer: Reject empty xattr names
02077e8 
Came out of a related discussion in ostree
ostreedev/ostree#3346 (comment)

Today we faithfully write this, and `fsck.erofs` doesn't seem
to complain...but such a thing makes no sense so we shouldn't
support it.

Actually digging in more here...in practice the way xattrs
work in Linux at least is they're restricted to starting with
one of the standard prefixes like `security.` or `user.`; but
enforcing/validating that is a whole other thing. For now
let's just deny this edge case.

Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters mentioned this pull request Dec 2, 2024
Merged
@cgwalters cgwalters enabled auto-merge December 2, 2024 20:30
@cgwalters
Copy link
Member Author

OK, updated this one, should be good to go!

@prydom prydom mentioned this pull request Dec 2, 2024
Closed
@cgwalters cgwalters force-pushed the commit-label-ordering branch from c863558 to 1858d3d Compare December 3, 2024 14:34
@cgwalters cgwalters merged commit 74efebd into ostreedev:main Dec 3, 2024
25 of 26 checks passed
This was referenced Jan 8, 2025
Closed
Open
@cgwalters cgwalters mentioned this pull request Jan 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@allisonkarlitskaya allisonkarlitskaya allisonkarlitskaya approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SELinux relabeling during commit causes the wrong content hash to be stored if ACLs or user xattrs are present
3 participants
@cgwalters @prydom @allisonkarlitskaya