133 Commits

Author SHA1 Message Date
Giuseppe Scrivano bfd9c8046e
chunked: chunk deduplication
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-01-07 21:28:15 +01:00
Giuseppe Scrivano f18141fa76
chunked: move cache to separate file
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-24 13:28:25 +01:00
Giuseppe Scrivano dce078f3ae
chunked: move discard call to outer scope
it solves a problem where the discard could be performed before the
compression handler was closed (through a deferred call).

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-24 13:28:25 +01:00
Giuseppe Scrivano 24b99d165f
chunked: support copy from uncompressed stream
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-24 13:28:25 +01:00
Giuseppe Scrivano 22ba9b01ef
chunked: add infra to dedup from partial file
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-24 13:28:25 +01:00
Giuseppe Scrivano 8e67467c2f
chunked: allow streaming to the same file
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-24 13:28:25 +01:00
Giuseppe Scrivano 20282b354b
chunked: rename types
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-23 14:11:16 +01:00
Giuseppe Scrivano 8fabddd147
chunked: drop argument mode
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-23 14:11:16 +01:00
Giuseppe Scrivano 2e6acd4035
chunked: move check to helper function
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-12-23 14:11:16 +01:00
Daniel J Walsh 13f2d571d1
Merge pull request #1077 from giuseppe/ignore-security-selinux
archive: ignore the security.selinux xattr
2021-11-29 10:59:56 -05:00
Giuseppe Scrivano ce5ea8e816
chunked: ignore security.selinux
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-26 11:00:59 +01:00
Giuseppe Scrivano 94c46e4cc6
chunked: add fallback for openat2
add a fallback mechanism when openat2 is not supported by the
underlying kernel.

If a call to openat2 fails with ENOSYS, then fall back to a user space
lookup.  Generally the user space lookup is not safe, since symlink
lookups are vulnerable to TOCTOU attacks, but in this case where the
rootfs is being created, there are no other processes modifying it
thus such lookups can be considered safe.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-26 09:29:55 +01:00
Giuseppe Scrivano 4be78487cb
chunked: refactor common code in a function
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-25 14:49:35 +01:00
Giuseppe Scrivano f26ed33fbf
chunked: wrap the correct underlying error
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-25 14:49:08 +01:00
Giuseppe Scrivano a72972c5ee
chunked: fix setting attributes for symlinks
when dealing with a symlink, open the parent directory and use the
symlink basename to set its attributes.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-23 21:13:23 +01:00
Giuseppe Scrivano 501611fd51
chunked: create missing parent directories
when creating a new file, handle the case where any of the parent
directories are missing and create them automatically if needed.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-23 21:13:22 +01:00
Giuseppe Scrivano 8d6af4b7f0
chunked: improve error messages
add more context to the error messages generated while unpacking the
image.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-23 21:13:22 +01:00
Giuseppe Scrivano da2733a4e4
pkg/chunked, pkg/idtools: adjust error message
since we now support reading additional IDs with libsubid, clarify
that the /etc/subuid and /etc/subgid files are honored only when
shadow-utils is configured to use them.

[NO TESTS NEEDED]

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-08 13:12:45 +01:00
Giuseppe Scrivano fff3e7117b
chunked: fix another occurrence of linkat
Using unix.AT_EMPTY_PATH requires CAP_DAC_READ_SEARCH.  Use an
equivalent variant that uses /proc/self/fd that can be used with
rootless.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-11-03 10:32:55 +01:00
Giuseppe Scrivano a5a3c6020b
chunked: implement OSTree deduplication
if the option ostree_repos is set:

    [storage.options]
    pull_options = {enable_partial_images = "true", ostree_repos = "/foo:/bar"}

then attempt to deduplicate from the specified list of OSTree repositories.

In order to be usable, an OSTree repository must be configured to track
the checksum for its files payload (payload link), that is disabled by
default:

    ostree config --repo=/path/to/repo set core.payload-link-threshold N

Where N is the minimum size for files to be tracked by their payload
and must be a nonzero value.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-09-24 10:56:46 +02:00
Giuseppe Scrivano 980f24ec58
chunked: fix linkat for rootless
Using unix.AT_EMPTY_PATH requires CAP_DAC_READ_SEARCH.  Use an
equivalent variant that uses /proc/self/fd that can be used with
rootless.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-09-06 10:37:16 +02:00
Giuseppe Scrivano 4ef5ee00ab
chunked: restrict dedup with hard links
before deduplicating with hard links make sure the two files share the
same UID, GID, file mode and extended attributes.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-09-06 10:37:15 +02:00
Giuseppe Scrivano d00974a9aa
chunked: cache all the files with the same digest
this is a preparation change for the next commit.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-09-03 13:03:03 +02:00
Giuseppe Scrivano 31d1330f74
chunked: do not store the digest if it is empty
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-09-03 12:26:19 +02:00
Giuseppe Scrivano 2855d17137
chunked: estargz support
in addition to zstd:chunked, add support for the estargz format.

estargz is maintained at github.com/containerd/stargz-snapshotter

Images using estargz can be used on old clients and registries that
have no support for the zstd compression algorithm.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-08-25 16:16:20 +02:00
Giuseppe Scrivano 8694b29402
chunked: remove unused args
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-08-18 09:25:50 +02:00
Giuseppe Scrivano 76e458bfbe
chunked: fix fd leak on error
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-08-18 08:17:40 +02:00
Giuseppe Scrivano 0f9ccfe64a
chunked: remove unused argument missingDirsMode
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-08-18 08:17:39 +02:00
Giuseppe Scrivano c85d07f33b
chunked: add new pull option use_hard_links
if the option use_hard_links is set:

    [storage.options]
    pull_options = {use_hard_links = "true"}

then attempt to deduplicate files using hard links first.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-08-18 08:17:39 +02:00
Giuseppe Scrivano a68c6e1cbf
chunked: allow to disable partial images feature
enable partial pulls only when it is explicitly configured in the
storage.conf file:

    [storage.options]
    pull_options = {enable_partial_images = "true"}

This is to prevent the experimental feature from leaking into CRI-O.

The default value will change in future once the feature is stable.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-08-17 09:32:36 +02:00
Miloslav Trmač 92b63ead41
Split pkg/chunked.ZstdCompressor into a separate subpackage
containers/image/pkg/compression depends on that function, so it's
highly undesirable for it to drag in all of containers/storage.

So, move it into a separate subpackage, along with its exclusive
dependency tree.

Code that is called both from the new pkg/chunked/compressor
and the original pkg/chunked has been moved into pkg/chunked/internal ,
so that we don't expose any new public API. That move was made
purely mechanically without any concern for conceptual consistency,
to minimize the size of the dependency (and not to spend time on
that until the concept is proven to be useful).

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2021-07-23 21:43:52 +02:00
Giuseppe Scrivano bfa0c220a5
chunked: fix the path used for layers dedup
`source` is the path to the layer that already contains the file that
is looked up.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-07-01 00:02:06 +02:00
Giuseppe Scrivano 5494513f2e
chunked: fix build on other platforms
fix package build on !linux platforms

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-05-25 14:42:28 +02:00