Fix rootfs-upper tar to preserve opaque xattrs #12633
Open
danielnorberg wants to merge 2 commits into google:master from
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
The runsc tar rootfs-upper command does not preserve extended attributes (specifically trusted.overlay.opaque) on directories. When a directory from the lower layer is deleted and recreated, the overlay marks it as opaque to prevent lower layer contents from showing through. Without preserving this xattr in the tar, restoring from the snapshot causes stale files from the lower layer to be resurrected.

This test reproduces the issue by:
1. Starting a container with overlay2 root:memory
2. Deleting /usr/share (which has files in the lower layer)
3. Recreating /usr/share with only a marker file
4. Tarring the upper layer and restoring into a new container
5. Verifying that only the marker file is visible (no stale files)
The tar serialization of the upper layer was not preserving extended attributes, causing trusted.overlay.opaque xattrs to be lost. When a directory tree in the lower layer is deleted and partially recreated, the overlay sets trusted.overlay.opaque=y on the new directory to prevent lower layer contents from showing through. Without this xattr in the tar, restoring from the snapshot would resurrect stale files from the lower layer.

Fix by serializing xattrs to PAXRecords using the standard SCHILY.xattr. prefix during tar creation, and restoring them during tar extraction. This is done for all inode types: directories, regular files, symlinks, FIFOs, and device files.

Two new unchecked accessor methods (RawXattrs/SetRawXattrs) are added to SimpleExtendedAttributes for use by the serialization path, which operates within the kernel and does not need credential checks.
8bcb467 to 4c7c190
Summary
- runsc tar rootfs-upper command was not preserving extended attributes (xattrs) during serialization. This caused trusted.overlay.opaque to be lost, resulting in stale lower-layer files being resurrected when restoring from a tar snapshot.
- SCHILY.xattr. prefix during tar creation, and restored during tar extraction.
- RawXattrs/SetRawXattrs methods to SimpleExtendedAttributes for unchecked access in the kernel serialization path.

Test plan
- TestTarRootfsUpperLayerOpaqueDir regression test that deletes /usr/share (which has lower-layer files), recreates it with only a marker file, tars the upper layer, restores it, and verifies no stale files leak through.
- HEAD~1 and running the test.

🤖 Generated with Claude Code
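The SCHILY.xattr. round trip described in the commit message, as an added example using only Go's standard archive/tar package; it is not code from this pull request or from gVisor. RoundTrip, OpaqueSurvives and the usr/share entry are hypothetical names and constructed sample data.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"strings"
)

const xattrPrefix = "SCHILY.xattr." // PAX key prefix named in the commit message

// RoundTrip tars one directory entry, then reads its xattrs back; keepXattrs=false models a serializer that drops them.
func RoundTrip(name string, xattrs map[string]string, keepXattrs bool) (map[string]string, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Typeflag: tar.TypeDir, Name: name, Mode: 0755}
	if keepXattrs {
		hdr.PAXRecords = map[string]string{}
		for k, v := range xattrs {
			hdr.PAXRecords[xattrPrefix+k] = v // e.g. SCHILY.xattr.trusted.overlay.opaque
		}
	}
	if err := tw.WriteHeader(hdr); err != nil {
		return nil, err
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	got, err := tar.NewReader(&buf).Next() // extraction side: first (only) entry
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for k, v := range got.PAXRecords {
		if strings.HasPrefix(k, xattrPrefix) {
			out[strings.TrimPrefix(k, xattrPrefix)] = v
		}
	}
	return out, nil
}

// OpaqueSurvives checks a constructed opaque marker on usr/share after the round trip.
func OpaqueSurvives(keepXattrs bool) bool {
	out, err := RoundTrip("usr/share", map[string]string{"trusted.overlay.opaque": "y"}, keepXattrs)
	return err == nil && out["trusted.overlay.opaque"] == "y"
}

func main() {
	fmt.Println("dropped:", OpaqueSurvives(false), "PAX records:", OpaqueSurvives(true))
}
```

When the marker is missing after extraction, the restored directory is no longer opaque, which is the condition under which lower-layer files show through again.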