drop rofiles-fuse, start using overlayfs

Question

drop rofiles-fuse, start using overlayfs

Closed this issue 5 months ago · 7 comments

On an automotive cs9 image, using composefs this command fails:

# rpm-ostree install --apply-live --idempotent --allow-inactive -y fontconfig
...
error: Running %posttrans for fontconfig: bwrap(/bin/sh): Child process killed by signal 2; 
run `journalctl -t 'rpm-ostree(fontconfig.posttrans)'` for more information

The log says is:

# journalctl -t 'rpm-ostree(fontconfig.posttrans)'
Feb 12 09:33:16 74fb4ccc-a8ac-435e-83be-4b69a8bdd037.testing-farm rpm-ostree(fontconfig.posttrans)[1154]: 
could not open /etc/xml/catalog for saving

The actual post-trans is:

%posttrans
if [ -e %{_sysconfdir}/xml/catalog ]; then
  %{_bindir}/xmlcatalog --noout --add system \
                        "urn:fontconfig:fonts.dtd" \
                        "file://%{_datadir}/xml/fontconfig/fonts.dtd" \
                        %{_sysconfdir}/xml/catalog
fi

I don't understand why this breaks, because /etc should still be the regular bind-mount even though composefs is used (i.e. it is not using e.g. transient /etc. However, I don't know the details of apply-live.

Answer 1 · 2024-02-12T13:18:52.000Z

I did some investigation, and /etc is on a rofiles-fuse mount with -copyup, so writes to it should work. However, it doesn't. Trying to modify an existing file (which should break the hardlink and replace it) like so:

echo foo > $ETC/fuse.conf

Fails with:

/tmp/rpmostree-rofiles-fusedtvOpD/fuse.conf: Operation not permitted

I wonder if it somehow is using the composefs dir as backing for the rofiles, and not the deploy dirs.

Answer 2 · 2024-02-12T18:47:48.000Z

In a quick test, I am not reproducing this on FCOS (fedora 39).

That said, I can't even enable composefs in the current centos-bootc:stream9 images as dbus-broker.service fails to launch...wait...this used to work...

(some debugging)

Argh it it's that's dang patch for rhel to disable tmp.mount by default...this is a recent bug there.

Answer 3 · 2024-02-14T14:40:55.000Z

So, the problem happens because the file we're replacing has fs-verity enabled.

Answer 4 · 2024-02-14T15:28:48.000Z

Oh yeah duh, so this is an ostree bug: verify_write_or_copyup is just not prepared for this.

Answer 5 · 2024-02-14T15:30:45.000Z

Obviously package layering here should stop using rofiles-fuse and use overlayfs instead (and more generally align with container builds).

Answer 6 · 2024-02-14T15:53:27.000Z

Its not actually in verify_write_or_copyup(), but before it, see the linked PR.

Answer 7 · 2024-02-15T15:54:18.000Z

Fixed by ostreedev/ostree#3175