Fix signature handling with additionalimagestore #166
Conversation
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
from
dadf28e to
a8ed770
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a workaround to handle image signature invalidation errors by copying the image without signatures before installation. My review focuses on improving the robustness of the added shell script logic. I've suggested using trap for reliable temporary file cleanup and quoting variables to prevent potential shell injection or word-splitting issues.
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
from
a8ed770 to
a710bde
Compare
crates/kit/src/to_disk.rs
Outdated
| cat > "${SIG_POLICY}" <<'EOF' | ||
| {"default":[{"type":"insecureAcceptAnything"}],"transports":{"containers-storage":[{"type":"insecureAcceptAnything"}]}} | ||
| EOF | ||
| if skopeo copy --signature-policy "${SIG_POLICY}" --remove-signatures \ |
There was a problem hiding this comment.
It's not clear to me what the if is doing here. If skopeo fails due to being say out of disk space then we just...try to ignore that? That seems odd.
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
from
a710bde to
0b83293
Compare
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
3 times, most recently
from
e25b44d to
94a36f6
Compare
cgwalters
left a comment
cgwalters
left a comment
There was a problem hiding this comment.
Offhand looks OK to me. Does it work?
crates/kit/src/to_disk.rs
Outdated
| # Create permissive policy.json (use /var/tmp since it's mounted into podman container) | ||
| # Mount as directory to /etc/containers so podman creates the directory if it doesn't exist | ||
| POLICY_DIR=/var/tmp/bcvk-policy-dir |
There was a problem hiding this comment.
I know this is an ephemeral isolated system but it's probably still good to avoid hardcoded filenames in /tmp or /var/tmp. So we could use e.g. policydir=$(mktemp -d) or so.
It might be a nicer cleanup to have this policy JSON string as a literal file in the Rust source that we include via include_str! and then template into the shell script.
crates/kit/src/to_disk.rs
Outdated
| --env=STORAGE_OPTS \ | ||
| {INSTALL_LOG} \ | ||
| {SOURCE_IMGREF} \ | ||
| "${SOURCE_REF}" \ |
There was a problem hiding this comment.
This change looks unrelated?
Some minor issues rn. Working on some changes to make the integration tests pass. |
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
from
94a36f6 to
ea1cb15
Compare
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
from
ea1cb15 to
e68793b
Compare
cgwalters
left a comment
cgwalters
left a comment
There was a problem hiding this comment.
One nit, but looks sane to me; the key thing is verifying this works at least manually.
| # Execute bootc installation, having the outer podman pull from | ||
| # the virtiofs store on the host, as well as the inner bootc. | ||
| # Mount /var/tmp into inner container to avoid cross-device link errors (issue #125) | ||
| export STORAGE_OPTS=additionalimagestore=${AIS} |
There was a problem hiding this comment.
Why did this line move? See above
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
from
e68793b to
c1d7037
Compare
Did manually test it and the integration test |
|
I edited this issue just now to have Closes: #126 but let's try to be sure we're doing that kind of thing in general in the future |
|
Hmmm I get the same error trying this out with the reproducer from #126 |
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
2 times, most recently
from
9592974 to
914df59
Compare
|
@gursewak1997 what's the status of this one? Did it work for you? |
this fails since podman validates signatures when starting the container from the signed image, before our copy script runs. |
Hmm that seems odd since we should have overridden the signature requirements before podman starts. |
|
Ahh no I see. I think we just need to change from writing |
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
from
914df59 to
edb88ea
Compare
crates/kit/src/to_disk.rs
Outdated
| EOF | ||
| # Copy image without signatures to avoid "Would invalidate signatures" error | ||
| skopeo copy --remove-signatures {SOURCE_IMGREF} containers-storage:{SOURCE_IMAGE} |
There was a problem hiding this comment.
But this is still putting us back in a world of doing a deep copy of the image, which I'd really like to avoid. Generating disk images is already too slow; gigabytes add up fast. We're doing this copying in multiple places (bootc-dev/bootc#1601 is also doing that).
This relates to containers/container-libs#144 which at least should have a comment here.
It looks to me like you dropped the bind mount of the policy into the podman run below - why is that? I thought that was an important part of the fix here because again it's also bootc install inside that runs skopeo which will also fetch/access the image.
There was a problem hiding this comment.
Updating now:
-
You're right that this is important because bootc install internally runs skopeo which also needs to access the image. The bind mount ensures those internal operations work correctly.
-
Added comments referencing reflink by default (if possible) when copying between containers-storage: instances containers/container-libs#144 and lib: Add experimental unified storage support for install bootc#1601 to document this is a known workaround.
I tested the policy.json-only approach (without the skopeo copy) but it still fails with "Would invalidate signatures". Unfortunately the deep copy with --remove-signatures appears necessary for now.
Re: containers/container-libs#144 - Fixing that issue would make the copy much faster (via reflinks) and use less disk space, but we'd still need to copy because we're removing signatures.
The real fix would need to be in containers/image or bootc to handle signature validation differently when layer representation changes. Until then, afaik we're stuck with the copy, but at least it happens at the VM level using the additionalimagestore mount from the host rather than pulling over the network.
Open to other ideas though:)
There was a problem hiding this comment.
So bootc-image-builder did this unconditionally: osbuild/bootc-image-builder@22de964
But it was already (unnecessarily, IMO incorrectly) copying the whole container image anyways, so it didn't matter. (A lot of related discussion in #73 )
I dunno...I still think there should be some way (arguably, it might be something in bootc or skopeo like --ignore-signature-policy or so) to skip this requirement.
But I think even that's not the real fix...the real fix is we should be able to carry across the signature (which is actually containers/image#2590 )
Anyways...there is another option in the short term, which is to force this onto the user to decide via like bcvk to-disk --remove-signatures or so (and we'd need that in libvirt run too of course).
Maybe we could hackily parse the error message and look for that string and actually fall back to the copy only if we get that error...
There was a problem hiding this comment.
Looking short term for now: I like the second option; parse error and fallback automatically. Try without copy first, fallback to copy if we see "Would invalidate signatures":
First attempt: direct use (fast, preserves signatures if possible)
podman run ... {SOURCE_IMGREF} bootc install to-disk ...
If that fails with "Would invalidate signatures":
skopeo copy --remove-signatures {SOURCE_IMGREF} containers-storage:{SOURCE_IMAGE}
podman run ... containers-storage:{SOURCE_IMAGE} bootc install to-disk ...
Also, when containers/image#2590 is fixed, we automatically benefit (no more fallback needed)
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
from
edb88ea to
bdfdc98
Compare
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
3 times, most recently
from
a6bb8a7 to
b7f6ded
Compare
Try bootc install first using the image from additionalimagestore. If it fails with "Would invalidate signatures", automatically retry with skopeo copy --remove-signatures as a fallback. This avoids the deep copy when possible (e.g., for unsigned images or when containers/image#2590 is fixed), while still working with signed images like RHEL that currently fail. Fixes: #126 Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: gursewak1997 <gursmangat@gmail.com>
gursewak1997
force-pushed
the
fix/to-disk-signatures
branch
from
b7f6ded to
5cb1a1b
Compare
| skopeo copy --remove-signatures {SOURCE_IMGREF} containers-storage:{SOURCE_IMAGE} | ||
| # Retry bootc install with the unsigned local copy | ||
| podman run --rm -i ${tty} --privileged --pid=host --net=none -v /sys:/sys:ro \ |
There was a problem hiding this comment.
One thing I think would help here is to deduplicate this into a shared variable
Copy images to local storage without signatures before bootc install to avoid signature invalidation errors. Falls back to original behavior if copy fails.
Closes: #126