Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

overlay: move the fs-verity measurement to the chunked package #1804

Merged
merged 4 commits into from Jan 22, 2024
Merged

overlay: move the fs-verity measurement to the chunked package #1804

merged 4 commits into from Jan 22, 2024

Conversation

giuseppe
Copy link
Member

move the logic to calculate the fs-verity for the files payload to the chunked package, so it is calculated when the files are first created.

@giuseppe giuseppe force-pushed the fsverity-package branch 2 times, most recently from 7d1962d to ba3e8cf Compare January 17, 2024 15:03
@giuseppe
pkg: new linux-only package fsverity
791a318 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
overlay: use the fsverity package
c5dd86d 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@rhatdan
Copy link
Member

rhatdan commented Jan 18, 2024

@alexlarsson PTAL

alexlarsson
alexlarsson reviewed Jan 19, 2024
View reviewed changes
pkg/chunked/storage_linux.go
// If it is not required, ignore the error if the filesystem does not support it.
if errors.Is(err, unix.ENOTSUP) || errors.Is(err, unix.ENOTTY) {
return nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we not return err here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess maybe we shouldn't fail if the error is "already enabled", so we'll get the error in the measure call? If so, maybe add a comment about this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EnableVerity doesn't return an error on EEXIST, I'll add a comment to make it clearer

alexlarsson
alexlarsson reviewed Jan 19, 2024
View reviewed changes
pkg/chunked/storage_linux.go

err := fsverity.EnableVerity(path, int(roFile.Fd()))
if err != nil {
if c.useFsVerity == graphdriver.DifferFsVerityRequired {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should handle EEXIST for the fs-verity already enabled case and make sure to then read and record the existing digest.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fsverity.EnableVerity returns nil if fs-verity was already enabled, so we should already get into the fsverity.MeasureVerity function even if DifferFsVerityRequired

@giuseppe
chunked: calculate the file fs-verity when it is written
81fc7c1 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
overlay: use the fs-verity computed by the differ
539d0fe 
avoid to reopen the files twice to calculate their fs-verity digest.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
alexlarsson
alexlarsson approved these changes Jan 19, 2024
View reviewed changes
Copy link
Contributor

@alexlarsson alexlarsson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexlarsson, giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan
Copy link
Member

rhatdan commented Jan 22, 2024

:GT<

@rhatdan rhatdan merged commit 2727147 into containers:main Jan 22, 2024
17 of 18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexlarsson alexlarsson alexlarsson approved these changes

Assignees
No one assigned
Labels
approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@giuseppe @rhatdan @alexlarsson