Add --path flag to runsc tar rootfs-upper for subtree exports#12635
Draft
danielnorberg wants to merge 3 commits intogoogle:masterfrom
Draft
Add --path flag to runsc tar rootfs-upper for subtree exports#12635danielnorberg wants to merge 3 commits intogoogle:masterfrom
danielnorberg wants to merge 3 commits intogoogle:masterfrom
Conversation
The runsc tar rootfs-upper command does not preserve extended attributes (specifically trusted.overlay.opaque) on directories. When a directory from the lower layer is deleted and recreated, the overlay marks it as opaque to prevent lower layer contents from showing through. Without preserving this xattr in the tar, restoring from the snapshot causes stale files from the lower layer to be resurrected. This test reproduces the issue by: 1. Starting a container with overlay2 root:memory 2. Deleting /usr/share (which has files in the lower layer) 3. Recreating /usr/share with only a marker file 4. Tarring the upper layer and restoring into a new container 5. Verifying that only the marker file is visible (no stale files)
The tar serialization of the upper layer was not preserving extended attributes, causing trusted.overlay.opaque xattrs to be lost. When a directory tree in the lower layer is deleted and partially recreated, the overlay sets trusted.overlay.opaque=y on the new directory to prevent lower layer contents from showing through. Without this xattr in the tar, restoring from the snapshot would resurrect stale files from the lower layer. Fix by serializing xattrs to PAXRecords using the standard SCHILY.xattr. prefix during tar creation, and restoring them during tar extraction. This is done for all inode types: directories, regular files, symlinks, FIFOs, and device files. Two new unchecked accessor methods (RawXattrs/SetRawXattrs) are added to SimpleExtendedAttributes for use by the serialization path, which operates within the kernel and does not need credential checks.
Add a --path flag that restricts the tar output to only the subtree under the specified path (e.g., --path=/usr/share). Tar entries remain rooted at the internal upper root so that whiteouts and opaque directories along the path are preserved and can be properly processed against the base image by the invoker. The path is threaded through the full call chain: CLI flag, Container, Sandbox RPC, control handler, VFS TarSerializer interface, overlay delegator, and tmpfs serializer. The tmpfs implementation splits the path into components and walks the dentry tree, writing ancestor directory headers but only recursing into the matching child at each level. Once the target depth is reached, the full subtree is written. An empty path (the default) exports everything, preserving backward compatibility.
danielnorberg
force-pushed
the
tar-rootfs-upper-path-filter
branch
from
966b331 to
1bd3335
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--pathflag torunsc tar rootfs-upperthat restricts the tar output to the subtree under the specified path (e.g.,--path=/usr/share).TarSerializerinterface, overlay delegator, and tmpfs serializer.Builds on #12633.
Test plan
TestTarRootfsUpperLayerPathFilterthat creates files in two separate directories, tars with a path filter, and verifies only the filtered subtree is included.🤖 Generated with Claude Code