Before (Saving this for when I can get an after)
Before (Saving this for when I can get an after)
message.txt5.45KB
KLayers data for this
message.txt16.93KB
RWhen proper support for handling the OCI layers is implemented in whatever package, wouldn't you want to have multiple layers so you're only pulling the changed layers, rather than everything?
E.g. pulling the 20MB for that added package rather than all 3GB of the image each day
E.g. pulling the 20MB for that added package rather than all 3GB of the image each day
Kthere an issue for this?
Kmuch prefer that
GI'd check out bootc
GIdk if they will do it there but that's the future of ostree native containers
RThe closest I could find:
https://github.com/coreos/rpm-ostree/issues/4012
But I think it's already partially implemented already.
If you add a new package now in a RUN statement at the end of the Containerfile and run
If you bundled all package installs together, you will have to download the entire layer/chunk containing not only your change, but all other packages installed in that layer.
I seem to remember there was some talk about how to handle this better since daily updates (updates in the base image) require the full 3gb or so to be downloaded
https://github.com/coreos/rpm-ostree/issues/4012
But I think it's already partially implemented already.
If you add a new package now in a RUN statement at the end of the Containerfile and run
rpm-ostree updateIf you bundled all package installs together, you will have to download the entire layer/chunk containing not only your change, but all other packages installed in that layer.
I seem to remember there was some talk about how to handle this better since daily updates (updates in the base image) require the full 3gb or so to be downloaded
GitHub
Today, the algorithm backing rpm-ostree compose container-encapsulate (and rpm-ostree compose image) is pretty simplistic. It basically tries to stick the largest RPMs in layers, and then "spi...
Kyeah, right now most updates are 1.5GB which is just massive for the changes being made
Kthat's with it split up though
RI guess that's after the daily rebuilds? Where the base is changed and therefore all subsequent steps have changed - meaning you must download all layers after the changed bit.
I thought there was an issue somewhere about how to prevent this upstream, but couldn't find it
I thought there was an issue somewhere about how to prevent this upstream, but couldn't find it
RI might be wrong with all of this. I'm going off best practices for building images for K8s, which is quite different to what we're doing with bootc or whatever.
J@Gerblesh did you ever figure anything else more about this selinux issue? https://github.com/ublue-os/main/issues/223 i bothered two incorrect upstreams, so i appreciate you filing the issue 
GitHub
this issue is detailing the repeated problems we had with greetd and SELinux in the discord, don't know if this will ever be solved or if it can be solved but it's good to have it as an iss...
GNot really
AThe last error message in that issue can probably be worked around by specifiying the full selinux label the file should have
AThis is probably a bug in rpm-ostree ultimately because the rpm package has the correct things set 
GIt works when layering in a booted image
GBut not when layering in the image
Ji feel like i layered it initially and still had a problem, perhaps i'm misremembering
Jalso tuigreet package maintainer said it wasn't a problem on his Sericea system, so that makes me think it's not an rpm-ostree issue
AWe should try having a minimum verified compilable/runnable example
Aif we do like:
ADoes it have the right label or not?
AIf we do
rpm-ostree install -y greetd
J
Jyields system_u:object_r:container_file_t:s0:c119,c174. seems wrong, but i don't know what i'm talking about on this.
AIt is wrong indeed
Acontainer_file_t is the default label for files created by a container
AAsystem_u:object_r:xdm_exec_t,s0
Shey? when updating my distrobox fedora 39 container it says: Unpack error: shadow-utils-2:4.13-8.fc39.x86_64 and in the logs its cpio: cap_set_file failed - No data available
Jright, well i suppose we have our reproducer then
ACould you try
rpm -E '%{with selinux}'I’m looking at different ways that this could be skipped
AIf that commands prints 0 then that could be the reason
Jit does print 0
ACould you try on your fedora system? It should print 1
AIf this prints 0 the package will skip selinux labeling
Sis this like official https://marketplace.visualstudio.com/items?itemName=skellock.just
Extension for Visual Studio Code - Provides syntax and recipe launcher for Just scripts.
Sprobably not
Sjust looking for extensions for just
AMm prints 0 on my fedora system (outside the container too)
Jsestatus reports disabled, though i'm not sure selinux has to be reported as enabled to have proper file labeling
AIt does, sort of - but the report can inaccurate from within a container
AThe kernel actually needs to have selinux enabled at least in permissive mode or it won’t do any file labeling
AWithin a container the report may be inaccurate due to lack of permissions, even if the underlying kernel has selinux enabled it can report disabled
Bi replied... i do have mild concern... mostly that it's not adding clear value and could add confusion.
Amm
getenforce and sestatus just straight up lie in a container contextAAah,
libselinux is looking for two things:/sys/fs/selinux needs to be mounted and /etc/selinux/config also needs to be mountedAbut even after this:
