
Conversation

@Johan-Liebert1
Collaborator

@Johan-Liebert1 Johan-Liebert1 commented Jan 21, 2026

Remove /var/lib/systemd/random-seed to prevent user. xattr diff
between dumpfile created from mounted fs and oci container

Also update to use fedora 43 for tests

@Johan-Liebert1
Collaborator Author

Weird, hash computed from

RUN --mount=type=bind,from=base,target=/mnt/base <<EOF
    set -eux
    mkdir -p /tmp/sysroot/composefs
    COMPOSEFS_FSVERITY="$(cfsctl --repo /tmp/sysroot --hash sha256 compute-id --bootable /mnt/base)"
EOF

seems to mismatch hash computed from containers-storage

@Johan-Liebert1 Johan-Liebert1 force-pushed the ci-fix branch 2 times, most recently from 61868ba to 3912511 on January 21, 2026 11:43
@Johan-Liebert1
Collaborator Author

I thought it was because of #209, but I guess not. Will need to debug it a bit more


mkdir -p /tmp/sysroot/composefs
COMPOSEFS_FSVERITY="$(cfsctl --repo /tmp/sysroot compute-id --bootable /mnt/base)"
COMPOSEFS_FSVERITY="$(cfsctl --repo /tmp/sysroot --hash sha256 compute-id --no-propagate-usr-to-root --bootable /mnt/base)"
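Review bot: `--no-propagate-usr-to-root` is introduced on a `--bootable` compute-id call in the same line change that makes the hash explicit with `--hash sha256`; while the mismatch against containers-storage is still being chased, keep the two flag changes apart so it is clear which one (if either) moves the digest, and either justify `--no-propagate-usr-to-root` for a bootable digest in the commit message or drop it.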
Collaborator


Since this is a bootable digest we should not have --no-propagate-usr-to-root - why did you add it?

Collaborator Author


this example was failing without this change as well; I thought maybe this was the issue

@Johan-Liebert1
Collaborator Author

Okay, the issue seems to be the following xattr diff:

30263c30263
< /var/lib/systemd/random-seed 32 100600 1 0 0 0 1769000852.0 - \x10\x93\x81.\xa8\xae\xc7\xcbvxB9h\x86O\xca~m\xaa\xc4\xca\xfb?\xb1\xab\xda^N\xf6\xe3\xd2\xf3 - security.selinux=system_u:object_r:random_seed_t:s0 user.random-seed-creditable=1
---
> /var/lib/systemd/random-seed 32 100600 1 0 0 0 1769000852.0 - \x10\x93\x81.\xa8\xae\xc7\xcbvxB9h\x86O\xca~m\xaa\xc4\xca\xfb?\xb1\xab\xda^N\xf6\xe3\xd2\xf3 - security.selinux=system_u:object_r:random_seed_t:s0

@Johan-Liebert1
Collaborator Author

I think we need the xattr filter on the Oci subcommands as well

@cgwalters
Collaborator

Ah hah! This is an interesting and relevant use of xattrs. I think in this case though, the correct thing is to delete that file at build time. It doesn't make any sense to include the random seed in images (especially generic base images).

This filtering is part of the bootc-base-imagectl builder for example, and bootc container lint also emits warnings about these things.

Bigger picture I think we will need to carefully balance the "show that composefs-rs (for bootable systems) can in theory be used outside of bootc" with "don't duplicate too much work".

Anyways basically I suggest rm -vf /var/lib/systemd/random-seed

@cgwalters
Collaborator

I think we need the xattr filter on the Oci subcommands as well

But yes this too

@Johan-Liebert1
Collaborator Author

Anyways basically I suggest rm -vf /var/lib/systemd/random-seed

This sounds good as a temp measure, but yeah, we'll need the filter on all commands that do anything with the filesystem
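The `user.` xattr filter the thread asks for, as an added Python example that is not composefs-rs code: it strips `user.*` xattrs from composefs dumpfile entries (layout as in the diff above; assumed to be single-space separated with escaped content) and shows that the two random-seed entries compare equal afterwards. The sha256 over the filtered dumpfile is only a stand-in for the real image digest.

```python
import hashlib

# Added example, not composefs-rs code: the `user.` xattr filter the thread asks
# for, applied to composefs dumpfile entries so that a dumpfile built from a
# mounted filesystem and one built from an OCI container compare equal even when
# a file such as /var/lib/systemd/random-seed carries a `user.` xattr on one side.
# Dumpfile line layout assumed here (as in the diff quoted in the thread):
#   path size mode nlink uid gid rdev mtime payload content digest [xattr=value ...]
# Fields are separated by single spaces; non-printable bytes and spaces are
# written as \xNN escapes, so splitting on ' ' is safe.

NUM_FIXED_FIELDS = 11  # everything before the xattr list

# Constructed sample: the two entries from the thread's diff, one per source.
FROM_MOUNTED_FS = (
    r"/var/lib/systemd/random-seed 32 100600 1 0 0 0 1769000852.0 - "
    r"\x10\x93\x81.\xa8\xae\xc7\xcbvxB9h\x86O\xca~m\xaa\xc4\xca\xfb?\xb1\xab\xda^N\xf6\xe3\xd2\xf3 - "
    r"security.selinux=system_u:object_r:random_seed_t:s0 user.random-seed-creditable=1"
)
FROM_OCI = (
    r"/var/lib/systemd/random-seed 32 100600 1 0 0 0 1769000852.0 - "
    r"\x10\x93\x81.\xa8\xae\xc7\xcbvxB9h\x86O\xca~m\xaa\xc4\xca\xfb?\xb1\xab\xda^N\xf6\xe3\xd2\xf3 - "
    r"security.selinux=system_u:object_r:random_seed_t:s0"
)


def filter_user_xattrs(line: str) -> str:
    """Return the entry with every xattr in the `user.` namespace removed."""
    fields = line.rstrip("\n").split(" ")
    fixed, xattrs = fields[:NUM_FIXED_FIELDS], fields[NUM_FIXED_FIELDS:]
    # Only the key decides; a value that happens to contain "user." is kept.
    kept = [x for x in xattrs if not x.split("=", 1)[0].startswith("user.")]
    return " ".join(fixed + kept)


def filtered_dumpfile_digest(dump: str) -> str:
    """sha256 over the filtered entries: a stand-in for the image digest that
    cfsctl compute-id derives, used here only to show that both sides agree."""
    h = hashlib.sha256()
    for entry in dump.splitlines():
        if entry:
            h.update(filter_user_xattrs(entry).encode() + b"\n")
    return h.hexdigest()


def dumpfiles_match(a: str, b: str) -> bool:
    """True when two dumpfiles are identical once `user.` xattrs are ignored."""
    return filtered_dumpfile_digest(a) == filtered_dumpfile_digest(b)
```

Without the filter the two sample entries differ only in `user.random-seed-creditable=1`; with it they hash identically, which is the property the OCI subcommands need once the filter is applied to them too.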

Remove `/var/lib/systemd/random-seed` to prevent `user.` xattr diff
between dumpfile created from mounted fs and oci container

Also update to use fedora 43 for tests

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Collaborator

@cgwalters cgwalters left a comment


Nice!

@cgwalters cgwalters merged commit 6cbdb42 into containers:main Jan 21, 2026
24 of 26 checks passed