Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add package-level support for erofs as root filesystem #159

Merged
merged 5 commits into from
Sep 25, 2024
Merged

add package-level support for erofs as root filesystem #159

merged 5 commits into from
Sep 25, 2024

Conversation

bcressey
Copy link
Contributor

Issue number:
Related: bottlerocket-os/twoliter#379

Description of changes:
This implements the core kit side of erofs support.

Require a 6.1 kernel for using erofs, and add the necessary kernel config and SELinux policy statements to make it work.

The ugly parts come from my goal of avoiding multiple forms of compression; since erofs includes its own compression, we can avoid compressing license and attribution data, kernel modules, and kernel development files.

Kernel module decompression is handled by twoliter: if we're building an erofs root filesystem, it decompresses any kernel modules. Uncompressed license and attribution data is mostly handled by twoliter, which skips generating the squashfs when using the erofs feature. However, we need to tell the OS not to try to mount the missing squashfs.

Handling the kernel development files is more complicated, because there's a lot of logic in the release package to handle setting up /usr/src/kernels as a writable mount. I couldn't see a great way to prevent the kernel-6.1 package from depending on some of the specific units in release, but I tried to minimize it. We now create two kernel-devel packages, one compressed with squashfs and the other left unpacked, and we use a drop-in to replace the squashfs mount in release with a regular bind mount.

Testing done:
Built aws-k8s-1.30 with and without the image feature enabled.

Without:

bash-5.1# findmnt / -o FSTYPE -n
ext4

bash-5.1# df -h /
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       904M  700M  143M  84% /

# kernel-devel lower is a squashfs mount
bash-5.1# findmnt /var/lib/kernel-devel/.overlay/lower/ -o FSTYPE -n
squashfs

# /usr/share/licenses is a squashfs mount
bash-5.1# findmnt /usr/share/licenses -o FSTYPE -n
squashfs

# all licenses are present
bash-5.1# find /usr/share/licenses -type f | wc -l
2907

# mount has the correct label
bash-5.1# ls -latrZ /usr/bin/mount
-rwsr-xr-x. 1 root root system_u:object_r:mount_exec_t:s0 65608 Sep 22 00:56 /usr/bin/mount

With:

bash-5.1# findmnt / -o FSTYPE -n
erofs

bash-5.1# df -h /
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       337M  337M     0 100% /

# kernel-devel lower is a bind mount
bash-5.1# findmnt /var/lib/kernel-devel/.overlay/lower/ -o FSTYPE -n
erofs

# /usr/share/licenses is not a mount
bash-5.1# findmnt /usr/share/licenses -o FSTYPE -n
<no output>

# all licenses are present
bash-5.1# find /usr/share/licenses -type f |wc -l
2907

# mount has the correct label
bash-5.1# ls -latrZ /usr/bin/mount
-rwsr-xr-x. 1 root root system_u:object_r:mount_exec_t:s0 65608 Sep 23 23:05 /usr/bin/mount

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey
kernel-5.10, -5.15: conflict with erofs image feature
bf1bf33 
Some erofs filesystem features are only available in newer kernels,
and older kernels may be missing fixes.

Prevent older kernels from being used with erofs root filesystems,
just to be safe.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey
kernel-6.1: enable EROFS as a built-in filesystem
640e21d 
erofs must be a built-in filesystem in order to be used for the root
filesystem.

lz4 decompression, which was previously available as a module, is now
also built-in to support decompressing erofs filesystems.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey
kernel-6.1: also provide uncompressed devel files
76af8be 
When using erofs as the root filesystem, we want to avoid other forms
of compression, such as the squashfs used for the kernel development
files.

Include the uncompressed version of these files when the erofs image
feature is set, and override the configuration for the mount unit to
do a simple bind mount instead.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey
selinux-policy: use xattrs for erofs labels
7f94e22 
This is required to use the SELinux labels applied to files on the
root filesystem during image creation.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey
release: conditionalize license mount
071e76a 
License files on the root filesystem will not be compressed into a
squashfs when using the erofs image feature.

Signed-off-by: Ben Cressey <[email protected]>
arnaldo2792
arnaldo2792 approved these changes Sep 24, 2024
View reviewed changes
Copy link
Contributor

@arnaldo2792 arnaldo2792 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@bcressey bcressey merged commit f19e672 into bottlerocket-os:develop Sep 25, 2024
2 checks passed
@bcressey bcressey deleted the erofs-image-feature branch September 25, 2024 03:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arnaldo2792 arnaldo2792 arnaldo2792 approved these changes

@yeazelm yeazelm yeazelm approved these changes

@cbgbt cbgbt Awaiting requested review from cbgbt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bcressey @arnaldo2792 @yeazelm