From a01645e9631039f45acf32e6cbedb94aa5201835 Mon Sep 17 00:00:00 2001
From: Neal Gompa
Date: Jan 29 2022 18:55:40 +0000
Subject: Backport fix for handling xattrs in container image builds
---
diff --git a/0001-Fix-use-of-xattrs-for-container-sync.patch b/0001-Fix-use-of-xattrs-for-container-sync.patch
new file mode 100644
index 0000000..fa84f12
--- /dev/null
+++ b/0001-Fix-use-of-xattrs-for-container-sync.patch
@@ -0,0 +1,251 @@
+From f163081d5e5d90d3d8cc85ec7ab71eeb0821d528 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marcus=20Sch=C3=A4fer?=
+Date: Tue, 25 Jan 2022 21:53:36 +0100
+Subject: [PATCH] Fix use of xattrs for container sync
+
+when syncing data for containers only a subset of xattr
+attributes can be applied. This Fixes #2009
+---
+ kiwi/defaults.py | 5 ++++-
+ kiwi/oci_tools/buildah.py | 7 ++++++-
+ kiwi/oci_tools/umoci.py | 7 ++++++-
+ kiwi/utils/sync.py | 8 ++++----
+ test/unit/filesystem/base_test.py | 5 ++++-
+ test/unit/oci_tools/buildah_test.py | 13 ++++++++++---
+ test/unit/oci_tools/umoci_test.py | 13 ++++++++++---
+ test/unit/utils/sync_test.py | 7 +++++--
+ test/unit/volume_manager/base_test.py | 5 ++++-
+ test/unit/volume_manager/btrfs_test.py | 15 ++++++++++++---
+ 10 files changed, 65 insertions(+), 20 deletions(-)
+
+diff --git a/kiwi/defaults.py b/kiwi/defaults.py
+index 0ffb38a4d..7a2c8ac65 100644
+--- a/kiwi/defaults.py
++++ b/kiwi/defaults.py
+@@ -314,7 +314,10 @@ class Defaults:
+
+ :rtype: list
+ """
+- return ['-a', '-H', '-X', '-A', '--one-file-system', '--inplace']
++ return [
++ '--archive', '--hard-links', '--xattrs', '--acls',
++ '--one-file-system', '--inplace'
++ ]
+
+ @staticmethod
+ def get_exclude_list_for_root_data_sync():
+diff --git a/kiwi/oci_tools/buildah.py b/kiwi/oci_tools/buildah.py
+index 8c3a75dd1..3b56c442a 100644
+--- a/kiwi/oci_tools/buildah.py
++++ b/kiwi/oci_tools/buildah.py
+@@ -161,7 +161,12 @@ class OCIBuildah(OCIBase):
+ self._sync_data(
+ ''.join([root_dir, os.sep]), self.oci_root_dir,
+ exclude_list=exclude_list,
+- options=Defaults.get_sync_options() + ['--delete']
++ options=Defaults.get_sync_options() + [
++ '--filter', '-x! user.*',
++ '--filter', '-x! security.ima*',
++ '--filter', '-x! security.capability*',
++ '--delete'
++ ]
+ )
+
+ def import_rootfs(self, root_dir, exclude_list=None):
+diff --git a/kiwi/oci_tools/umoci.py b/kiwi/oci_tools/umoci.py
+index 41bcfaa68..04f7d7a27 100644
+--- a/kiwi/oci_tools/umoci.py
++++ b/kiwi/oci_tools/umoci.py
+@@ -123,7 +123,12 @@ class OCIUmoci(OCIBase):
+ ''.join([root_dir, os.sep]),
+ os.sep.join([self.oci_root_dir, 'rootfs']),
+ exclude_list=exclude_list,
+- options=Defaults.get_sync_options() + ['--delete']
++ options=Defaults.get_sync_options() + [
++ '--filter', '-x! user.*',
++ '--filter', '-x! security.ima*',
++ '--filter', '-x! security.capability*',
++ '--delete'
++ ]
+ )
+
+ def import_rootfs(self, root_dir, exclude_list=None):
+diff --git a/kiwi/utils/sync.py b/kiwi/utils/sync.py
+index e1ca8990d..b350e7e4d 100644
+--- a/kiwi/utils/sync.py
++++ b/kiwi/utils/sync.py
+@@ -89,11 +89,11 @@ class DataSync:
+ rsync_options = options
+ if not self.target_supports_extended_attributes():
+ warn_me = False
+- if '-X' in rsync_options:
+- rsync_options.remove('-X')
++ if '--xattrs' in rsync_options:
++ rsync_options.remove('--xattrs')
+ warn_me = True
+- if '-A' in rsync_options:
+- rsync_options.remove('-A')
++ if '--acls' in rsync_options:
++ rsync_options.remove('--acls')
+ warn_me = True
+ if warn_me:
+ log.warning(
+diff --git a/test/unit/filesystem/base_test.py b/test/unit/filesystem/base_test.py
+index ac97a6978..088873985 100644
+--- a/test/unit/filesystem/base_test.py
++++ b/test/unit/filesystem/base_test.py
+@@ -60,7 +60,10 @@ class TestFileSystemBase:
+ mock_sync.assert_called_once_with('root_dir', 'tmpdir')
+ data_sync.sync_data.assert_called_once_with(
+ exclude=['exclude_me'],
+- options=['-a', '-H', '-X', '-A', '--one-file-system', '--inplace']
++ options=[
++ '--archive', '--hard-links', '--xattrs',
++ '--acls', '--one-file-system', '--inplace'
++ ]
+ )
+ mock_mount.assert_called_once_with(
+ device='/dev/loop0'
+diff --git a/test/unit/oci_tools/buildah_test.py b/test/unit/oci_tools/buildah_test.py
+index 96d54eeea..073cf9e0c 100644
+--- a/test/unit/oci_tools/buildah_test.py
++++ b/test/unit/oci_tools/buildah_test.py
+@@ -67,8 +67,12 @@ class TestOCIBuildah:
+ sync.sync_data.assert_called_once_with(
+ exclude=['/dev', '/proc'],
+ options=[
+- '-a', '-H', '-X', '-A', '--one-file-system',
+- '--inplace', '--delete'
++ '--archive', '--hard-links', '--xattrs', '--acls',
++ '--one-file-system', '--inplace',
++ '--filter', '-x! user.*',
++ '--filter', '-x! security.ima*',
++ '--filter', '-x! security.capability*',
++ '--delete'
+ ]
+ )
+
+@@ -83,7 +87,10 @@ class TestOCIBuildah:
+ )
+ sync.sync_data.assert_called_once_with(
+ exclude=['/dev', '/proc'],
+- options=['-a', '-H', '-X', '-A', '--one-file-system', '--inplace']
++ options=[
++ '--archive', '--hard-links', '--xattrs', '--acls',
++ '--one-file-system', '--inplace'
++ ]
+ )
+
+ @patch('kiwi.oci_tools.umoci.Command.run')
+diff --git a/test/unit/oci_tools/umoci_test.py b/test/unit/oci_tools/umoci_test.py
+index 8c7f098a0..f427d9729 100644
+--- a/test/unit/oci_tools/umoci_test.py
++++ b/test/unit/oci_tools/umoci_test.py
+@@ -51,8 +51,12 @@ class TestOCIUmoci:
+ sync.sync_data.assert_called_once_with(
+ exclude=['/dev', '/proc'],
+ options=[
+- '-a', '-H', '-X', '-A', '--one-file-system',
+- '--inplace', '--delete'
++ '--archive', '--hard-links', '--xattrs', '--acls',
++ '--one-file-system', '--inplace',
++ '--filter', '-x! user.*',
++ '--filter', '-x! security.ima*',
++ '--filter', '-x! security.capability*',
++ '--delete'
+ ]
+ )
+
+@@ -67,7 +71,10 @@ class TestOCIUmoci:
+ )
+ sync.sync_data.assert_called_once_with(
+ exclude=['/dev', '/proc'],
+- options=['-a', '-H', '-X', '-A', '--one-file-system', '--inplace']
++ options=[
++ '--archive', '--hard-links', '--xattrs', '--acls',
++ '--one-file-system', '--inplace'
++ ]
+ )
+
+ @patch('kiwi.oci_tools.umoci.Temporary')
+diff --git a/test/unit/utils/sync_test.py b/test/unit/utils/sync_test.py
+index de7682c6a..ce601ff1f 100644
+--- a/test/unit/utils/sync_test.py
++++ b/test/unit/utils/sync_test.py
+@@ -26,12 +26,15 @@ class TestDataSync:
+ mock_xattr_support.return_value = False
+ with self._caplog.at_level(logging.WARNING):
+ self.sync.sync_data(
+- options=['-a', '-H', '-X', '-A', '--one-file-system'],
++ options=[
++ '--archive', '--hard-links', '--xattrs',
++ '--acls', '--one-file-system'
++ ],
+ exclude=['exclude_me']
+ )
+ mock_command.assert_called_once_with(
+ [
+- 'rsync', '-a', '-H', '--one-file-system',
++ 'rsync', '--archive', '--hard-links', '--one-file-system',
+ '--exclude', '/exclude_me', 'source_dir', 'target_dir'
+ ]
+ )
+diff --git a/test/unit/volume_manager/base_test.py b/test/unit/volume_manager/base_test.py
+index 365865994..4b81b2a0d 100644
+--- a/test/unit/volume_manager/base_test.py
++++ b/test/unit/volume_manager/base_test.py
+@@ -232,7 +232,10 @@ class TestVolumeManagerBase:
+ )
+ data_sync.sync_data.assert_called_once_with(
+ exclude=['exclude_me'],
+- options=['-a', '-H', '-X', '-A', '--one-file-system', '--inplace']
++ options=[
++ '--archive', '--hard-links', '--xattrs',
++ '--acls', '--one-file-system', '--inplace'
++ ]
+ )
+ assert self.volume_manager.get_mountpoint() == 'mountpoint'
+
+diff --git a/test/unit/volume_manager/btrfs_test.py b/test/unit/volume_manager/btrfs_test.py
+index ba0739bd6..f18d2e94b 100644
+--- a/test/unit/volume_manager/btrfs_test.py
++++ b/test/unit/volume_manager/btrfs_test.py
+@@ -437,7 +437,10 @@ class TestVolumeManagerBtrfs:
+ )
+ sync.sync_data.assert_called_once_with(
+ exclude=['exclude_me'],
+- options=['-a', '-H', '-X', '-A', '--one-file-system', '--inplace']
++ options=[
++ '--archive', '--hard-links', '--xattrs',
++ '--acls', '--one-file-system', '--inplace'
++ ]
+ )
+ assert m_open.call_args_list == [
+ call('tmpdir/@/.snapshots/1/info.xml', 'w'),
+@@ -496,7 +499,10 @@ class TestVolumeManagerBtrfs:
+ )
+ sync.sync_data.assert_called_once_with(
+ exclude=['exclude_me'],
+- options=['-a', '-H', '-X', '-A', '--one-file-system', '--inplace']
++ options=[
++ '--archive', '--hard-links', '--xattrs', '--acls',
++ '--one-file-system', '--inplace'
++ ]
+ )
+ assert m_open.call_args_list == [
+ call('tmpdir/@/.snapshots/1/info.xml', 'w'),
+@@ -530,7 +536,10 @@ class TestVolumeManagerBtrfs:
+ )
+ sync.sync_data.assert_called_once_with(
+ exclude=['exclude_me'],
+- options=['-a', '-H', '-X', '-A', '--one-file-system', '--inplace']
++ options=[
++ '--archive', '--hard-links', '--xattrs', '--acls',
++ '--one-file-system', '--inplace'
++ ]
+ )
+
+ @patch('kiwi.volume_manager.btrfs.Command.run')
+--
+2.34.1
+
diff --git a/kiwi.spec b/kiwi.spec
index 946a676..4546952 100644
--- a/kiwi.spec
+++ b/kiwi.spec
@@ -12,7 +12,7 @@ and cloud systems like Xen, KVM, VMware, EC2 and more. Name: kiwi Version: 9.24.19
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: http://osinside.github.io/kiwi/ Summary: Flexible operating system image builder License: GPLv3+
@@ -20,6 +20,7 @@ License: GPLv3+ Source0: https://files.pythonhosted.org/packages/source/k/%{name}/%{name}-%{version}.tar.gz # Backports from upstream
+Patch0001: 0001-Fix-use-of-xattrs-for-container-sync.patch
 # Fedora-specific patches ## Use buildah instead of umoci by default for OCI image builds
@@ -538,6 +539,9 @@ done # Empty metapackage %changelog
+* Sat Jan 29 2022 Neal Gompa - 9.24.19-2
+- Backport fix for handling xattrs in container image builds
+
 * Tue Jan 25 2022 Neal Gompa - 9.24.19-1 - Update to 9.24.19
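Review bot: The three negated xattr filters added to the `options=` list in kiwi/oci_tools/buildah.py (and identically in kiwi/oci_tools/umoci.py, both inside calls whose enclosing method starts above the hunk) look as if they drop every extended attribute instead of keeping the three listed namespaces. rsync takes the first filter rule that matches, and `'-x! user.*'` matches every name outside `user.*`, so `security.ima*` and `security.capability*` names are excluded by the first rule and `user.*` names by the second; if that reading holds, file capabilities and IMA signatures are silently missing from the image rootfs. An allow-list states the intent more directly: one include rule per namespace, e.g. `'--filter', '+x security.capability*'`, followed by a single catch-all `'--filter', '-x *'`; this should be confirmed against the rsync version the build uses. The updated unit tests only pin the argument list handed to `sync_data`, so they pass either way; a test that syncs a file carrying `security.capability` and reads the attribute back on the target would settle it. In kiwi/utils/sync.py the fallback now removes only the long `--xattrs`/`--acls` spellings, so any caller still passing `-X` or `-A` would no longer be downgraded on a target without xattr support.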