diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 719b7356..e4e9e5ad 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -67,6 +67,7 @@ jobs: - name: install dependencies run: | ./install-build-deps.sh + sudo apt-get install -y linux-modules-extra-$(uname -r) echo "running kernel is: $(uname -a)" - name: docker-clone run: | diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 9820da14..7adb6c1d 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -32,7 +32,7 @@ on: jobs: build: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 services: registry: image: ghcr.io/project-stacker/registry:2 diff --git a/cmd/stacker/build.go b/cmd/stacker/build.go index a46ea050..ea649e52 100644 --- a/cmd/stacker/build.go +++ b/cmd/stacker/build.go @@ -4,7 +4,7 @@ import ( "fmt" cli "github.com/urfave/cli/v2" - "machinerun.io/atomfs/squashfs" + "machinerun.io/atomfs/pkg/verity" "stackerbuild.io/stacker/pkg/stacker" "stackerbuild.io/stacker/pkg/types" ) @@ -52,12 +52,12 @@ func initCommonBuildFlags() []cli.Flag { }, &cli.StringSliceFlag{ Name: "layer-type", - Usage: "set the output layer type (supported values: tar, squashfs); can be supplied multiple times", + Usage: "set the output layer type (supported values: tar, squashfs, erofs); can be supplied multiple times", Value: cli.NewStringSlice("tar"), }, &cli.BoolFlag{ - Name: "no-squashfs-verity", - Usage: "do not append dm-verity data to squashfs archives", + Name: "no-verity", + Usage: "do not append dm-verity data to fs archives", }, &cli.BoolFlag{ Name: "require-hash", @@ -103,7 +103,7 @@ func newBuildArgs(ctx *cli.Context) (stacker.BuildArgs, error) { AnnotationsNamespace: ctx.String("annotations-namespace"), } var err error - verity := squashfs.VerityMetadata(!ctx.Bool("no-squashfs-verity")) + verity := verity.VerityMetadata(!ctx.Bool("no-verity")) args.LayerTypes, err = types.NewLayerTypes(ctx.StringSlice("layer-type"), verity) return args, err } diff --git a/cmd/stacker/inspect.go b/cmd/stacker/inspect.go index 43aeaee9..554de4b1 100644 --- a/cmd/stacker/inspect.go +++ b/cmd/stacker/inspect.go @@ -11,7 +11,7 @@ import ( "github.com/opencontainers/umoci/oci/casext" "github.com/pkg/errors" cli "github.com/urfave/cli/v2" - stackeroci "machinerun.io/atomfs/oci" + stackeroci "machinerun.io/atomfs/pkg/oci" ) var inspectCmd = cli.Command{ diff --git a/cmd/stacker/internal_go.go b/cmd/stacker/internal_go.go index 2e8fd992..92d08890 100644 --- a/cmd/stacker/internal_go.go +++ b/cmd/stacker/internal_go.go @@ -10,7 +10,7 @@ import ( "github.com/pkg/errors" cli "github.com/urfave/cli/v2" "golang.org/x/sys/unix" - "machinerun.io/atomfs" + "machinerun.io/atomfs/pkg/molecule" "stackerbuild.io/stacker/pkg/lib" "stackerbuild.io/stacker/pkg/log" "stackerbuild.io/stacker/pkg/overlay" @@ -182,15 +182,15 @@ func doAtomfsMount(ctx *cli.Context) error { return errors.WithStack(err) } - opts := atomfs.MountOCIOpts{ + opts := molecule.MountOCIOpts{ OCIDir: config.OCIDir, - MetadataPath: path.Join(wd, "atomfs-metadata"), + MetadataDir: path.Join(wd, "atomfs-metadata"), Tag: tag, Target: mountpoint, AllowMissingVerityData: true, } - mol, err := atomfs.BuildMoleculeFromOCI(opts) + mol, err := molecule.BuildMoleculeFromOCI(opts) if err != nil { return err } @@ -206,5 +206,5 @@ func doAtomfsUmount(ctx *cli.Context) error { } mountpoint := ctx.Args().Get(0) - return atomfs.Umount(mountpoint) + return molecule.Umount(mountpoint) } diff --git a/cmd/stacker/publish.go b/cmd/stacker/publish.go index 3eff0bb3..86ce6e64 100644 --- a/cmd/stacker/publish.go +++ b/cmd/stacker/publish.go @@ -3,7 +3,7 @@ package main import ( "github.com/pkg/errors" cli "github.com/urfave/cli/v2" - "machinerun.io/atomfs/squashfs" + "machinerun.io/atomfs/pkg/verity" "stackerbuild.io/stacker/pkg/lib" "stackerbuild.io/stacker/pkg/stacker" "stackerbuild.io/stacker/pkg/types" @@ -69,7 +69,7 @@ var publishCmd = cli.Command{ }, &cli.StringSliceFlag{ Name: "layer-type", - Usage: "set the output layer type (supported values: tar, squashfs); can be supplied multiple times", + Usage: "set the output layer type (supported values: tar, squashfs, erofs); can be supplied multiple times", Value: cli.NewStringSlice("tar"), }, &cli.StringSliceFlag{ @@ -108,7 +108,7 @@ func beforePublish(ctx *cli.Context) error { } func doPublish(ctx *cli.Context) error { - verity := squashfs.VerityMetadata(!ctx.Bool("no-squashfs-verity")) + verity := verity.VerityMetadata(!ctx.Bool("no-verity")) layerTypes, err := types.NewLayerTypes(ctx.StringSlice("layer-type"), verity) if err != nil { return err diff --git a/cmd/stacker/validate.go b/cmd/stacker/validate.go index 87a4033c..37dec461 100644 --- a/cmd/stacker/validate.go +++ b/cmd/stacker/validate.go @@ -50,6 +50,8 @@ func validateLayerTypeFlags(ctx *cli.Context) error { break case "squashfs": break + case "erofs": + break default: return errors.Errorf("unknown layer type: %s", layerType) } diff --git a/go.mod b/go.mod index 07d78cc2..37028cbc 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/mitchellh/hashstructure v1.1.0 github.com/moby/buildkit v0.11.4 github.com/opencontainers/go-digest v1.0.0 - github.com/opencontainers/image-spec v1.1.0-rc4 + github.com/opencontainers/image-spec v1.1.0 github.com/opencontainers/umoci v0.4.8-0.20220412065115-12453f247749 github.com/pkg/errors v0.9.1 github.com/pkg/xattr v0.4.9 @@ -30,8 +30,8 @@ require ( github.com/udhos/equalfile v0.3.0 github.com/urfave/cli/v2 v2.25.0 github.com/vbatts/go-mtree v0.5.3 - golang.org/x/sys v0.16.0 - golang.org/x/term v0.16.0 + golang.org/x/sys v0.26.0 + golang.org/x/term v0.25.0 gopkg.in/yaml.v2 v2.4.0 sigs.k8s.io/bom v0.6.0 sigs.k8s.io/yaml v1.3.0 @@ -260,19 +260,19 @@ require ( go.opentelemetry.io/otel/metric v1.21.0 // indirect go.opentelemetry.io/otel/trace v1.21.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.18.0 // indirect + golang.org/x/crypto v0.28.0 // indirect golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb // indirect - golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/sync v0.6.0 // indirect - golang.org/x/text v0.14.0 // indirect - golang.org/x/tools v0.17.0 // indirect + golang.org/x/mod v0.17.0 // indirect + golang.org/x/net v0.25.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/text v0.19.0 // indirect + golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect golang.org/x/tools/go/vcs v0.1.0-deprecated // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 // indirect google.golang.org/grpc v1.60.0 // indirect - google.golang.org/protobuf v1.32.0 // indirect + google.golang.org/protobuf v1.33.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect @@ -289,5 +289,6 @@ require ( replace ( github.com/opencontainers/umoci => github.com/project-stacker/umoci v0.0.0-20240906174318-e9397ba4ced0 + machinerun.io/atomfs => github.com/rchincha/atomfs v0.0.0-20241204024552-68b03282581c stackerbuild.io/stacker-bom => github.com/project-stacker/stacker-bom v0.0.0-20240509203427-4d685e046780 ) diff --git a/go.sum b/go.sum index 67559557..70f3c5de 100644 --- a/go.sum +++ b/go.sum @@ -751,8 +751,8 @@ github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3ev github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0= -github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/opencontainers/runc v1.1.8 h1:zICRlc+C1XzivLc3nzE+cbJV4LIi8tib6YG0MqC6OqA= github.com/opencontainers/runc v1.1.8/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v1.1.0-rc.1 h1:wHa9jroFfKGQqFHj0I1fMRKLl0pfj+ynAqBxo3v6u9w= @@ -818,6 +818,8 @@ github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+Gx github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/rchincha/atomfs v0.0.0-20241204024552-68b03282581c h1:bZ5FHJXuXq02Zz0Kn9WYEsIl34GB/zO+K96FqFQ9ii0= +github.com/rchincha/atomfs v0.0.0-20241204024552-68b03282581c/go.mod h1:woheEy3EVXE+AFLGwmBRSMtmcOKBM71qiDEYaq7Nwng= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= @@ -1080,8 +1082,8 @@ golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -1122,8 +1124,8 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1173,8 +1175,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= -golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1206,8 +1208,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -1293,16 +1295,16 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1315,8 +1317,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1384,8 +1386,8 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/tools/go/vcs v0.1.0-deprecated h1:cOIJqWBl99H1dH5LWizPa+0ImeeJq3t3cJjaeOWUAL4= golang.org/x/tools/go/vcs v0.1.0-deprecated/go.mod h1:zUrvATBAvEI9535oC0yWYsLsHIV4Z7g63sNPVMtuBy8= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -1543,8 +1545,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/alexcesaro/statsd.v2 v2.0.0 h1:FXkZSCZIH17vLCO5sO2UucTHsH9pc+17F6pl3JVCwMc= gopkg.in/alexcesaro/statsd.v2 v2.0.0/go.mod h1:i0ubccKGzBVNBpdGV5MocxyA/XlLUJzA7SLonnE4drU= @@ -1592,8 +1594,6 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -machinerun.io/atomfs v1.1.1 h1:EprTiYMzAlKL+3S7woe9DsCJGwO2dkHTlvmjlVNO8pY= -machinerun.io/atomfs v1.1.1/go.mod h1:cidyEmsNeeo+9f7OiHl/nA+8KS7Vj5XOslR87VkIebM= modernc.org/libc v1.37.6 h1:orZH3c5wmhIQFTXF+Nt+eeauyd+ZIt2BX6ARe+kD+aw= modernc.org/libc v1.37.6/go.mod h1:YAXkAZ8ktnkCKaN9sw/UDeUVkGYJ/YquGO4FTi5nmHE= modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4= diff --git a/install-build-deps.sh b/install-build-deps.sh index bae0a887..e34fdb77 100755 --- a/install-build-deps.sh +++ b/install-build-deps.sh @@ -43,6 +43,7 @@ installdeps_ubuntu() { squashfs-tools squashfuse libarchive-tools + erofs-utils erofsfuse ) case "$VERSION_ID" in diff --git a/pkg/lib/image_test.go b/pkg/lib/image_test.go index db532a03..c387fa49 100644 --- a/pkg/lib/image_test.go +++ b/pkg/lib/image_test.go @@ -13,7 +13,8 @@ import ( "github.com/opencontainers/umoci/mutate" "github.com/opencontainers/umoci/oci/casext" "github.com/stretchr/testify/assert" - "machinerun.io/atomfs/squashfs" + "machinerun.io/atomfs/pkg/squashfs" + "machinerun.io/atomfs/pkg/verity" ) func createImage(dir string, tag string) error { @@ -48,7 +49,7 @@ func createImage(dir string, tag string) error { // need *something* in the layer, why not just recursively include the // OCI image for maximum confusion :) - layer, mediaType, _, err := squashfs.MakeSquashfs(dir, path.Join(dir, "oci"), nil, squashfs.VerityMetadataMissing) + layer, mediaType, _, err := squashfs.MakeSquashfs(dir, path.Join(dir, "oci"), nil, verity.VerityMetadataMissing) if err != nil { return err } diff --git a/pkg/overlay/metadata.go b/pkg/overlay/metadata.go index 27f4daa6..5901b9e3 100644 --- a/pkg/overlay/metadata.go +++ b/pkg/overlay/metadata.go @@ -10,7 +10,7 @@ import ( ispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/opencontainers/umoci/oci/casext" "github.com/pkg/errors" - stackeroci "machinerun.io/atomfs/oci" + stackeroci "machinerun.io/atomfs/pkg/oci" "stackerbuild.io/stacker/pkg/log" "stackerbuild.io/stacker/pkg/types" ) diff --git a/pkg/overlay/pack.go b/pkg/overlay/pack.go index 1053e306..e79973cd 100644 --- a/pkg/overlay/pack.go +++ b/pkg/overlay/pack.go @@ -22,8 +22,9 @@ import ( "github.com/opencontainers/umoci/oci/layer" "github.com/pkg/errors" "github.com/pkg/xattr" - stackeroci "machinerun.io/atomfs/oci" - "machinerun.io/atomfs/squashfs" + stackerfs "machinerun.io/atomfs/pkg/fs" + stackeroci "machinerun.io/atomfs/pkg/oci" + "machinerun.io/atomfs/pkg/verity" "stackerbuild.io/stacker/pkg/lib" "stackerbuild.io/stacker/pkg/log" "stackerbuild.io/stacker/pkg/storage" @@ -280,7 +281,8 @@ func generateBlob(layerType types.LayerType, contents string, ociDir string, low blob = layer.GenerateInsertLayer(contents, "/", false, &packOptions) mediaType = ispec.MediaTypeImageLayer } else { - blob, mediaType, rootHash, err = squashfs.MakeSquashfs(ociDir, contents, nil, layerType.Verity) + fsi := stackerfs.New(stackerfs.FilesystemType(layerType.Type)) + blob, mediaType, rootHash, err = fsi.Make(ociDir, contents, nil, layerType.Verity) if err != nil { return nil, "", "", err } @@ -303,7 +305,7 @@ func ociPutBlob(blob io.ReadCloser, config types.StackerConfig, layerMediaType s annotations := map[string]string{} if rootHash != "" { - annotations[squashfs.VerityRootHashAnnotation] = rootHash + annotations[verity.VerityRootHashAnnotation] = rootHash } desc := ispec.Descriptor{ @@ -443,7 +445,7 @@ func generateLayer(config types.StackerConfig, _ casext.Engine, mutators []*muta } else { annotations := map[string]string{} if rootHash != "" { - annotations[squashfs.VerityRootHashAnnotation] = rootHash + annotations[verity.VerityRootHashAnnotation] = rootHash } desc, err = mutator.Add(context.Background(), mediaType, blob, history, mutate.NoopCompressor, annotations) if err != nil { @@ -693,10 +695,11 @@ func unpackOne(l ispec.Descriptor, ociDir string, extractDir string) error { return nil } - if squashfs.IsSquashfsMediaType(l.MediaType) { - return squashfs.ExtractSingleSquash( + if fsi := stackerfs.NewFromMediaType(l.MediaType); fsi != nil { + return fsi.ExtractSingle( path.Join(ociDir, "blobs", "sha256", l.Digest.Encoded()), extractDir) } + switch l.MediaType { case ispec.MediaTypeImageLayer, ispec.MediaTypeImageLayerGzip: tarEx.Lock() diff --git a/pkg/types/layer_type.go b/pkg/types/layer_type.go index 8430a404..ab11e440 100644 --- a/pkg/types/layer_type.go +++ b/pkg/types/layer_type.go @@ -7,14 +7,16 @@ import ( ispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" - "machinerun.io/atomfs/squashfs" + "machinerun.io/atomfs/pkg/erofs" + "machinerun.io/atomfs/pkg/squashfs" + "machinerun.io/atomfs/pkg/verity" ) var ErrEmptyLayers = errors.New("empty layers") type LayerType struct { Type string - Verity squashfs.VerityMetadata + Verity verity.VerityMetadata } func (lt LayerType) String() string { @@ -44,15 +46,17 @@ func (lt *LayerType) UnmarshalText(text []byte) error { return errors.Wrapf(err, "bad verity bool: %s", fields[1]) } - lt.Verity = squashfs.VerityMetadata(result) + lt.Verity = verity.VerityMetadata(result) return nil } -func NewLayerType(lt string, verity squashfs.VerityMetadata) (LayerType, error) { +func NewLayerType(lt string, verity verity.VerityMetadata) (LayerType, error) { switch lt { case "squashfs": return LayerType{Type: lt, Verity: verity}, nil + case "erofs": + return LayerType{Type: lt, Verity: verity}, nil case "tar": return LayerType{Type: lt}, nil default: @@ -62,31 +66,38 @@ func NewLayerType(lt string, verity squashfs.VerityMetadata) (LayerType, error) func NewLayerTypeManifest(manifest ispec.Manifest) (LayerType, error) { if len(manifest.Layers) == 0 { - return NewLayerType("tar", squashfs.VerityMetadataMissing) + return NewLayerType("tar", verity.VerityMetadataMissing) } switch manifest.Layers[0].MediaType { case squashfs.BaseMediaTypeLayerSquashfs: // older stackers generated media types without compression information fallthrough - case squashfs.GenerateSquashfsMediaType(squashfs.GzipCompression, squashfs.VerityMetadataMissing): + case squashfs.GenerateSquashfsMediaType(squashfs.GzipCompression): + fallthrough + case squashfs.GenerateSquashfsMediaType(squashfs.ZstdCompression): + return NewLayerType("squashfs", verity.VerityMetadataMissing) + case squashfs.GenerateSquashfsMediaType(squashfs.GzipCompression): fallthrough - case squashfs.GenerateSquashfsMediaType(squashfs.ZstdCompression, squashfs.VerityMetadataMissing): - return NewLayerType("squashfs", squashfs.VerityMetadataMissing) - case squashfs.GenerateSquashfsMediaType(squashfs.GzipCompression, squashfs.VerityMetadataPresent): + case squashfs.GenerateSquashfsMediaType(squashfs.ZstdCompression): + return NewLayerType("squashfs", verity.VerityMetadataPresent) + case erofs.BaseMediaTypeLayerErofs: + // older stackers generated media types without compression information fallthrough - case squashfs.GenerateSquashfsMediaType(squashfs.ZstdCompression, squashfs.VerityMetadataPresent): - return NewLayerType("squashfs", squashfs.VerityMetadataPresent) + case erofs.GenerateErofsMediaType(erofs.LZ4HCCompression): + return NewLayerType("erofs", verity.VerityMetadataMissing) + case erofs.GenerateErofsMediaType(erofs.LZ4HCCompression): + return NewLayerType("erofs", verity.VerityMetadataPresent) case ispec.MediaTypeImageLayerGzip: fallthrough case ispec.MediaTypeImageLayer: - return NewLayerType("tar", squashfs.VerityMetadataMissing) + return NewLayerType("tar", verity.VerityMetadataMissing) default: return LayerType{}, errors.Errorf("invalid layer type %s", manifest.Layers[0].MediaType) } } -func NewLayerTypes(lts []string, verity squashfs.VerityMetadata) ([]LayerType, error) { +func NewLayerTypes(lts []string, verity verity.VerityMetadata) ([]LayerType, error) { ret := []LayerType{} for _, lt := range lts { hoisted, err := NewLayerType(lt, verity) diff --git a/test/atomfs-erofs.bats b/test/atomfs-erofs.bats new file mode 100644 index 00000000..6df71b14 --- /dev/null +++ b/test/atomfs-erofs.bats @@ -0,0 +1,164 @@ +load helpers + +function setup() { + stacker_setup +} + +function teardown() { + cleanup +} + +function verity_checkusedloops() { + # search for loopdevices which have backing files with the current + # BATS_TEST_DIRNAME value and complain if they're present. + local usedloops="" found="" x="" + for ((x=0; x<5; x++)); do + usedloops=$(losetup -a | grep $BATS_TEST_DIRNAME || echo) + if [ -n "$usedloops" ]; then + found=1 + udevadm settle + else + return 0 + fi + done + echo "found used loops in testdir=$BATS_TEST_DIRNAME :$usedloops" >&3 + [ $found = 1 ] +} + +function basic_test() { + require_privilege priv + local verity_arg=$1 + + cat > stacker.yaml <<"EOF" +test: + from: + type: oci + url: ${{BUSYBOX_OCI}} + run: | + touch /hello +EOF + stacker build --layer-type=erofs $verity_arg --substitute BUSYBOX_OCI=${BUSYBOX_OCI} + mkdir mountpoint + stacker internal-go atomfs mount test-erofs mountpoint + + [ -f mountpoint/hello ] + stacker internal-go atomfs umount mountpoint +} + +@test "--no-verity works" { + basic_test --no-verity + verity_checkusedloops +} + +@test "mount + umount works" { + basic_test + + # last layer shouldn't exist any more, since it is unique + manifest=$(cat oci/index.json | jq -r .manifests[0].digest | cut -f2 -d:) + last_layer_num=$(($(cat oci/blobs/sha256/$manifest | jq -r '.layers | length')-1)) + last_layer_hash=$(cat oci/blobs/sha256/$manifest | jq -r .layers[$last_layer].digest | cut -f2 -d:) + [ ! -b "/dev/mapper/$last_layer_hash-verity" ] + verity_checkusedloops +} + +@test "mount + umount + mount a tree of images works" { + require_privilege priv + cat > stacker.yaml <<"EOF" +base: + from: + type: oci + url: ${{BUSYBOX_OCI}} + run: touch /base +a: + from: + type: built + tag: base + run: touch /a +b: + from: + type: built + tag: base + run: touch /b +c: + from: + type: built + tag: base + run: touch /c +EOF + stacker build --layer-type=erofs --substitute BUSYBOX_OCI=${BUSYBOX_OCI} + + mkdir a + stacker internal-go atomfs mount a-erofs a + [ -f a/a ] + + mkdir b + stacker internal-go atomfs mount b-erofs b + [ -f b/b ] + + cat /proc/self/mountinfo + echo "mountinfo after b^" + + stacker internal-go atomfs umount b + + # first layer should still exist since a is still mounted + manifest=$(cat oci/index.json | jq -r .manifests[0].digest | cut -f2 -d:) + first_layer_hash=$(cat oci/blobs/sha256/$manifest | jq -r .layers[0].digest | cut -f2 -d:) + [ ! -b "/dev/mapper/$last_layer_hash-verity" ] + + mkdir c + stacker internal-go atomfs mount c-erofs c + [ -f c/c ] + + cat /proc/self/mountinfo + echo "mountinfo after c^" + + stacker internal-go atomfs umount a + + cat /proc/self/mountinfo + echo "mountinfo after umount a^" + + # first layer should still exist since c is still mounted + manifest=$(cat oci/index.json | jq -r .manifests[0].digest | cut -f2 -d:) + first_layer_hash=$(cat oci/blobs/sha256/$manifest | jq -r .layers[0].digest | cut -f2 -d:) + [ ! -b "/dev/mapper/$last_layer_hash-verity" ] + + # c should still be ok + [ -f c/c ] + [ -f c/bin/sh ] + stacker internal-go atomfs umount c + + # c's last layer shouldn't exist any more, since it is unique + manifest=$(cat oci/index.json | jq -r .manifests[0].digest | cut -f2 -d:) + last_layer_num=$(($(cat oci/blobs/sha256/$manifest | jq -r '.layers | length')-1)) + last_layer_hash=$(cat oci/blobs/sha256/$manifest | jq -r .layers[$last_layer].digest | cut -f2 -d:) + [ ! -b "/dev/mapper/$last_layer_hash-verity" ] + verity_checkusedloops +} + +@test "bad existing verity device is rejected" { + require_privilege priv + cat > stacker.yaml <<"EOF" +test: + from: + type: oci + url: ${{BUSYBOX_OCI}} + run: | + touch /hello +EOF + stacker build --layer-type=erofs --substitute BUSYBOX_OCI=${BUSYBOX_OCI} + + manifest=$(cat oci/index.json | jq -r .manifests[0].digest | cut -f2 -d:) + first_layer_hash=$(cat oci/blobs/sha256/$manifest | jq -r .layers[0].digest | cut -f2 -d:) + devname="$first_layer_hash-verity" + + # make an evil device and fake it as an existing verity device + dd if=/dev/random of=mydev bs=50K count=1 + root_hash=$(veritysetup format mydev mydev.hash | grep "Root hash:" | awk '{print $NF}') + echo "root hash $root_hash" + veritysetup open mydev "$devname" mydev.hash "$root_hash" + + mkdir mountpoint + bad_stacker internal-go atomfs mount test-erofs mountpoint | grep "invalid root hash" + veritysetup close "$devname" + verity_checkusedloops +} diff --git a/test/atomfs.bats b/test/atomfs.bats index 47210361..24f86bfa 100644 --- a/test/atomfs.bats +++ b/test/atomfs.bats @@ -45,8 +45,8 @@ EOF stacker internal-go atomfs umount mountpoint } -@test "--no-squashfs-verity works" { - basic_test --no-squashfs-verity +@test "--no-verity works" { + basic_test --no-verity verity_checkusedloops } diff --git a/test/helpers.bash b/test/helpers.bash index f61000eb..ac82cae4 100644 --- a/test/helpers.bash +++ b/test/helpers.bash @@ -8,6 +8,17 @@ if [ "$(id -u)" != "0" ]; then exit 1 fi +function give_user_ownership() { + if [ "$PRIVILEGE_LEVEL" = "priv" ]; then + return + fi + if [ -z "$SUDO_UID" ]; then + echo "PRIVILEGE_LEVEL=$PRIVILEGE_LEVEL but empty SUDO_USER" + exit 1 + fi + chown -R "$SUDO_USER:$SUDO_USER" "$@" +} + function skip_if_no_unpriv_overlay { local wdir="" # use a workdir to ensure no side effects to the caller @@ -80,17 +91,6 @@ function stacker_setup() { chown -R $SUDO_USER:$SUDO_USER . } -function give_user_ownership() { - if [ "$PRIVILEGE_LEVEL" = "priv" ]; then - return - fi - if [ -z "$SUDO_UID" ]; then - echo "PRIVILEGE_LEVEL=$PRIVILEGE_LEVEL but empty SUDO_USER" - exit 1 - fi - chown -R "$SUDO_USER:$SUDO_USER" "$@" - } - function cleanup() { cd "$ROOT_DIR/test" umount_under "$TEST_TMPDIR"