vendor: github.com/containerd/nydus-snapshotter v0.14.0 #5204
Conversation
| // AppendFiles specifies the files that need to be appended to the bootstrap layer. | ||
| AppendFiles []File |
There was a problem hiding this comment.
I was curious what this was for; see it was added in this PR;
Not sure how it's controlled though; the mention of "user can add some files" scared me a bit; do you have more context on this @imeoer (from a security perspective?)
There was a problem hiding this comment.
Having a quick look, and it looks like this may be a continuation of containerd/nydus-snapshotter@a3fccd0, which (IIUC) allows for a custom image to be injected in the rootfs, for accelerated performance (containerd/nydus-snapshotter#244)
It allows nydus lazily load OCI targz layer with the nydus zran ref image.
So the previous code would allow for a "nydus zran" bootstrap image / tar to be used, from which the EntryBootstrap bootstrap-image would be loaded an injected into the init layer;
And the new option allows for custom files to be specified through AppendFiles to be added; https://github.com/containerd/nydus-snapshotter/blob/v0.13.13/pkg/converter/convert_unix.go#L628-L644
bootstrapRa, err := local.OpenReader(targetBootstrapPath)
if err != nil {
return nil, errors.Wrap(err, "open bootstrap reader")
}
defer bootstrapRa.Close()
files := append([]File{
{
Name: EntryBootstrap,
Reader: content.NewReader(bootstrapRa),
Size: bootstrapRa.Size(),
},
}, opt.AppendFiles...)
var rc io.ReadCloser
if opt.WithTar {
rc = packToTar(files, false)I guess my concern here ia; how can this behavior be controlled, as (IIUC, but I'm not super-familiar with all of this) this could result in arbitrary files to be injected?
There was a problem hiding this comment.
Hi @thaJeztah, here is a nydus image manifest example, the manifest consists of a bootstrap layer (containerd.io/snapshot/nydus-bootstrap) and several blob layers (containerd.io/snapshot/nydus-blob).
- The bootstrap: it contains meta-information (inode, attrs...) about files and directories of all layers.
- The blob: is the data of each layer.
The option AppendFiles allows image build / conversion tools to append some files to the bootstrap layer, the format like:
gzip(tar(bootstrap + appended_files...))
so that nydus runtime (for example nydus snapshotter) can get more information about image, but the image build / conversion tools can't inject arbitrary files to image filesystem (bootstrap) by the converter package. :)
- removes use of deprecated github.com/containerd/containerd/log package full diff: containerd/nydus-snapshotter@v0.13.7...v0.13.14 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- removes use of deprecated github.com/containerd/containerd/errdefs package - removes use of deprecated github.com/containerd/containerd/platforms package - removes use of deprecated github.com/containerd/containerd/reference/docker package - switch to dario.cat/mergo v1.0.0 dependency - remove use of deprecated CRI Alpha API containerd/nydus-snapshotter@v0.13.14...v0.14.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
vendor: github.com/containerd/nydus-snapshotter v0.13.14
full diff: containerd/nydus-snapshotter@v0.13.7...v0.13.14
vendor: github.com/containerd/nydus-snapshotter v0.14.0
containerd/nydus-snapshotter@v0.13.14...v0.14.0