-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
authfile paths can't be absolute #679
Comments
Try |
Ah @cgwalters, seems like an issue with resolving a symlink to my registry auth token.
Please let me know if you'd like me to contribute a PR or if this is easy enough to fix yourself. |
This workaround is sufficient as
Would allowing absolute symlink resolution present a (security) risk here? In any case, the error message presented is non-obvious and the original symlink works with |
Yeah, this is a bug. You can work around it by making the symlink relative, not absolute. IOW something like For fixing it in the code...it's a bug in the code around https://github.com/ostreedev/ostree-rs-ext/blob/dc5faade367e8cb20997163a6b56a8da8f1596e5/lib/src/globals.rs#L56 but it's an annoying thing to fix and we are going to randomly hit things related to this until we address it in a more structured fashion. cc bytecodealliance/cap-std#353 (comment) |
In fact this is a regression from ostreedev/ostree-rs-ext#636 and a bad one because anyone who was using an absolute path is just going to get broken in rpm-ostree too...I will look at this today or Monday. |
bootc upgrade
Thanks for the full RCA! I don't bundle auth.json in my image so this is something that gets carried forward in the /etc three-way merge. |
Where is the symlink coming from? Is it something in |
No. Just good old manual bootstrapping prior to rebasing from upstream Kinoite or after initial deployment of the image. e.g. Doing the deployment with I usually do the deployment entirely by hand from a recovery image that I build from rawhide - so that I control the bootloader as I use systemd-stub UKIs, systemd-cryptenroll, and setup my own secure boot signing chain. |
If you meant before |
Use the API from coreos/cap-std-ext#54 to fix absolute symlinks for `/etc/ostree/auth.json`. cc containers/bootc#679 Signed-off-by: Colin Walters <walters@verbum.org>
I did:
Then we just need to do an ostree-rs-ext release and bump here. |
Use the API from coreos/cap-std-ext#54 to fix absolute symlinks for `/etc/ostree/auth.json`. cc containers/bootc#679 Signed-off-by: Colin Walters <walters@verbum.org>
Use the API from coreos/cap-std-ext#54 to fix absolute symlinks for `/etc/ostree/auth.json`. cc containers/bootc#679 Signed-off-by: Colin Walters <walters@verbum.org>
…1.0.204 build(deps): bump serde from 1.0.203 to 1.0.204
tar: Propagate PAX extensions (including xattrs)
I get the following error when attempting to use
bootc
to upgrade my laptop.This same error does not occur when using
rpm-ostree
. Additional layers are successfully deployed.I am using the current Fedora rawhide packages for both tools. Both tools seem to use https://github.com/ostreedev/ostree-rs-ext/blob/dc5faade367e8cb20997163a6b56a8da8f1596e5/lib/src/container/store.rs#L451 and the "a path led outside of the filesystem" error seems to trace to the https://github.com/bytecodealliance/cap-std/tree/v3.0.0 crate. This started occurring recently although I can't pinpoint exactly when. This is as far as I've gotten so far with a RCA.
(EDIT: removed irrelevant environmental details.)
Is there any suggested way to continue to debug this error?
The text was updated successfully, but these errors were encountered: