This repository has been archived by the owner on May 24, 2024. It is now read-only.

eln build is broken when run through bib #184

Closed
cgwalters opened this issue Jan 22, 2024 · 3 comments

@cgwalters

Let's move osbuild/bootc-image-builder#146 (comment) here - what I'm seeing is that running the eln image through bib doesn't boot, lots of SELinux errors.

@cgwalters

One thing I notice here...and I'm not yet certain if it's a bib regression or not, but looking at the disk image before it's booted:

$ guestfish --ro -a disk.qcow2
><fs> run
list-filesystems
><fs> list-filesystems
/dev/sda1: unknown
/dev/sda2: vfat
/dev/sda3: ext4
/dev/sda4: ext4
><fs> mount /dev/sda4 /
><fs> getxattrs /
[0] = {
  attrname: security.selinux
  attrval: system_u:object_r:container_file_t:s0\x00
}
><fs> 

That's just really broken, we shouldn't end up with a physical disk image root labeled container_file_t! It looks like actually all of the labels up to the deployment root are similarly broken (they should be something like root_t or usr_t).

However once we get to the deployment things are fine:

><fs> getxattrs /ostree/deploy/default/deploy/3ef1290eacdb05e50127ed5a920e264f228dae248addb10d98224a2e04918c2c.0/etc/fstab
[0] = {
  attrname: security.selinux
  attrval: system_u:object_r:etc_t:s0\x00
}
><fs> getxattrs /ostree/deploy/default/deploy/3ef1290eacdb05e50127ed5a920e264f228dae248addb10d98224a2e04918c2c.0/etc/passwd 
[0] = {
  attrname: security.selinux
  attrval: system_u:object_r:passwd_file_t:s0\x00
}
><fs> 

And it's specifically that /ostree/deploy/default/backing is also container_file_t, and the overlayfs picks up that context and that breaks everything.

@cgwalters

cgwalters commented Jan 22, 2024

And comparing with what I consider a baseline reference architecture in osbuildbootc, doing:

$ podman run --rm -ti --security-opt label=disable --device /dev/kvm -v .:/srv -w /srv ghcr.io/cgwalters/osbuildbootc:latest build-qcow2 -I quay.io/centos-bootc/fedora-bootc:eln example.qcow2
...
$ guestfish --ro -a example.qcow2
getxattrs /
[0] = {
  attrname: security.selinux
  attrval: system_u:object_r:root_t:s0\x00
}
><fs> 

So this is something bib is doing incorrectly.
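
A check for the labels compared in this thread, as an added example (not from the issue or from either project): it parses `guestfish` `getxattrs` output in the format shown above and lists the paths whose SELinux type is `container_file_t`. The transcripts are constructed from the thread's output, with `DEPLOY.0` standing in for the deployment directory name, and the function names are hypothetical.

```python
import re

BAD_TYPES = {"container_file_t"}  # type the thread reports on the image root
# Constructed transcripts in the thread's output format; DEPLOY.0 is a placeholder.
BIB_IMAGE = r"""
><fs> getxattrs /
[0] = {
  attrname: security.selinux
  attrval: system_u:object_r:container_file_t:s0\x00
}
><fs> getxattrs /ostree/deploy/default/backing
[0] = {
  attrname: security.selinux
  attrval: system_u:object_r:container_file_t:s0\x00
}
><fs> getxattrs /ostree/deploy/default/deploy/DEPLOY.0/etc/fstab
[0] = {
  attrname: security.selinux
  attrval: system_u:object_r:etc_t:s0\x00
}
"""
BASELINE = r"""
><fs> getxattrs /
[0] = {
  attrname: security.selinux
  attrval: system_u:object_r:root_t:s0\x00
}
"""

def parse_getxattrs(transcript):
    """Map each path queried with getxattrs to its security.selinux context."""
    labels, path, name = {}, None, None
    for line in map(str.strip, transcript.splitlines()):
        cmd = re.match(r"(?:><fs>\s*)?getxattrs\s+(\S+)", line)
        if cmd:
            path, name = cmd.group(1), None
        elif line.startswith("attrname:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("attrval:") and name == "security.selinux" and path:
            # guestfish shows the xattr's trailing NUL byte as a literal \x00
            labels[path] = line.split(":", 1)[1].strip().replace("\\x00", "")
    return labels

def mislabeled(transcript):
    """Paths whose SELinux type (third field of the context) is in BAD_TYPES."""
    return sorted(p for p, c in parse_getxattrs(transcript).items()
                  if c.count(":") >= 2 and c.split(":")[2] in BAD_TYPES)

if __name__ == "__main__":
    print("bib image:", mislabeled(BIB_IMAGE), "baseline:", mislabeled(BASELINE))
```
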

@cgwalters

Let's move back to osbuild/bootc-image-builder#149

@cgwalters closed this as not planned Jan 22, 2024
mvo5 added a commit to mvo5/bootc-image-builder that referenced this issue Jan 23, 2024
Because of the issues with the latest
CentOS/centos-bootc#184 and
osbuild#149

with the latest quay.io/centos-bootc/fedora-bootc:eln this commit
moves to the last known good container id.
github-merge-queue bot pushed a commit to osbuild/bootc-image-builder that referenced this issue Jan 23, 2024
Because of the issues with the latest
CentOS/centos-bootc#184 and
#149

with the latest quay.io/centos-bootc/fedora-bootc:eln this commit
moves to the last known good container id.