grml-live: strip xattrs in squashfs #197
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mika
approved these changes
Dec 10, 2024
grml-live
Outdated
| if hasclass GRML_SMALL ; then | ||
| SQUASHFS_OPTIONS="$SQUASHFS_OPTIONS -e initrd.img* vmlinuz*" | ||
| fi | ||
|
|
||
| # log stuff |
There was a problem hiding this comment.
I suppose this change here is only visible due to (missing) rebase of previous change, FTR :)
There was a problem hiding this comment.
I rebased a bit too much, but indeed its the commit from #199.
Ignore all extended attributes from files in chroot when adding them to the squashfs. This avoids: 1) leaking containerization supplied selinux attributes into the squashfs, which can be seen when building in podman, and in docker. 2) prevents unpacking errors in a later build-only step in containers not supporting xattrs. Can also be seen in podman. On a normal machine and also on a normal (booted) Grml system, the only things having xattrs are: file: var/log/journal system.posix_acl_access system.posix_acl_default file: var/log/journal/1e77092b16004314a93d779757d513ac system.posix_acl_access system.posix_acl_default Both of these are apparently applied by systemd/journald during boot, even if the filesystem does not have them.
zeha
force-pushed
the
zeha/strip-xattrs
branch
from
2455102 to
56b8b77
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ignore all extended attributes from files in chroot when adding them to the squashfs.
This avoids:
leaking containerization supplied selinux attributes into the squashfs, which can be seen when building in podman, and in docker.
prevents unpacking errors in a later build-only step in containers not supporting xattrs. Can also be seen in podman.
On a normal machine and also on a normal (booted) Grml system, the only things having xattrs are:
Both of these are apparently applied by systemd/journald during boot, even if the filesystem does not have them.