diff --git a/lib/src/tar/write.rs b/lib/src/tar/write.rs
index cfb20859..5c5e07d7 100644
--- a/lib/src/tar/write.rs
+++ b/lib/src/tar/write.rs
@@ -129,12 +129,17 @@ fn normalize_validate_path(path: &Utf8Path) -> Result>
 if !found_first {
 if let Utf8Component::Normal(part) = part {
 found_first = true;
- // Now, rewrite /etc -> /usr/etc, and discard everything not in /usr.
 match part {
+ // We expect all the OS content to live in usr in general
 "usr" => ret.push(part),
+ // ostree has special support for /etc
 "etc" => {
 ret.push("usr/etc");
 }
+ // Content in /var will get copied by a systemd tmpfiles.d unit
+ "var" => {
+ ret.push("usr/share/factory/var");
+ }
 o => return Ok(NormalizedPathResult::Filtered(o)),
 }
 } else {
@@ -401,6 +406,8 @@ mod tests {
 ("usr/bin/blah", "./usr/bin/blah"),
 ("usr///share/.//blah", "./usr/share/blah"),
 ("./", "."),
+ ("var/lib/blah", "./usr/share/factory/var/lib/blah"),
+ ("./var/lib/blah", "./usr/share/factory/var/lib/blah"),
 ];
 for &(k, v) in valid {
 let r = normalize_validate_path(k.into()).unwrap();
@@ -413,11 +420,7 @@ mod tests {
 }
 }
 }
- let filtered = &[
- ("/boot/vmlinuz", "boot"),
- ("var/lib/blah", "var"),
- ("./var/lib/blah", "var"),
- ];
+ let filtered = &[("/boot/vmlinuz", "boot")];
 for &(k, v) in filtered {
 match normalize_validate_path(k.into()).unwrap() {
 NormalizedPathResult::Filtered(f) => {
diff --git a/lib/tests/it/main.rs b/lib/tests/it/main.rs
index 29e5f55c..d363283e 100644
--- a/lib/tests/it/main.rs
+++ b/lib/tests/it/main.rs
@@ -391,8 +391,8 @@ async fn test_tar_write() -> Result<()> {
 )
 .ignore_stdout()
 .run()?;
- assert_eq!(r.filtered.len(), 2);
- assert_eq!(*r.filtered.get("var").unwrap(), 4);
+ assert_eq!(r.filtered.len(), 1);
+ assert!(r.filtered.get("var").is_none());
 assert_eq!(*r.filtered.get("boot").unwrap(), 1);
 Ok(())
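Review bot: With the new `"var"` arm in the `@@ -129,12 +129,17 @@` hunk of lib/src/tar/write.rs, `var/lib/x` and `usr/share/factory/var/lib/x` in the same tar normalize to one destination, because the `"usr"` arm passes its path through unchanged; the same aliasing already exists between `etc/…` and `usr/etc/…`. Which entry wins is decided outside this hunk, so either add a test that feeds both spellings and pins the result, or reject the duplicate explicitly. The comment also relies on a tmpfiles.d unit that the visible diff does not ship; naming it would help, e.g. `// Content in /var is relocated to /usr/share/factory/var; <tmpfiles.d unit name> copies it into /var at boot`. The body of `normalize_validate_path` starts and ends outside the hunk.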
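Review bot: The two cases added to `valid` in the `@@ -401,6 +406,8 @@` hunk of lib/src/tar/write.rs cover only well-formed paths below `var`; nothing pins what happens when a later component is `..`, which decides whether relocated entries stay under `usr/share/factory/var`. How later components are handled is outside this diff, so this is a request for a test, not a reported bug: add a case such as `"var/../usr/bin/blah"` to whichever list matches the intended behaviour (rejected, or normalized to a path under the expected prefix). A bare `"var"` and `"./var/"` would be worth pinning as well.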
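Review bot: In `test_tar_write` (the `@@ -391,8 +391,8 @@` hunk of lib/tests/it/main.rs) the new `assert!(r.filtered.get("var").is_none());` is implied by `r.filtered.len()` being 1 with `boot` present, so the four `var` entries the old assertion counted are no longer accounted for anywhere. If the test can inspect the written commit, assert that those entries now exist under `usr/share/factory/var`; as written, a regression that drops them without recording them in `filtered` would still pass. The test body starts outside the hunk.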
@@ -943,7 +943,7 @@ async fn test_container_var_content() -> Result<()> {
 assert!(
 store::image_filtered_content_warning(fixture.destrepo(), &derived_imgref.imgref)
 .unwrap()
- .is_some()
+ .is_none()
 );
 Ok(())