Commit
examples: do /composefs-meta whiteout differently
When we create the final image containing the kernel UKI we need to make sure that it's exactly equivalent to the original image (so that it gets the same fs-verity digest). We do that by removing the only thing we added: the `/composefs-meta` directory.

The most obvious way to do this would be `RUN rm -rf /composefs-meta`, and that's the first thing I tried, but this creates a `.containerenv` file in `/run` to use as a mountpoint for the containerenv file (present for the duration of the `RUN` command), which modifies the timestamp of `/run` as a side-effect, producing a different image.

I worked around that before by manually recording a whiteout by copying an empty file to `/.wh.composefs-meta`. I was surprised that this worked, but it seemed to work, so I went with it.

While pairing with Timothée today we discovered that this doesn't work on his system, probably due to using a different podman storage driver.

Let's take another workaround: we can mount a tmpfs as `/run` for the duration of the operation in order to protect the underlying filesystem from being modified. This is a cleaner approach anyway.

See containers/buildah#5950

Signed-off-by: Allison Karlitskaya <[email protected]>
Co-Authored-By: Timothée Ravier <[email protected]>
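The three variants discussed in the commit message, side by side as an added illustration (this is not the project's own Containerfile; the base image name and the name of the empty file are placeholders, and the `RUN --mount=type=tmpfs` form is buildah/BuildKit syntax):

```dockerfile
# Illustrative Containerfile (not from the repository). Assumes a base image
# that already carries a /composefs-meta directory which must be removed
# without otherwise altering any file or directory metadata.
FROM localhost/base-with-composefs-meta

# 1. Plain removal. During the RUN the build tool bind-mounts a
#    .containerenv file under /run, which bumps the mtime of /run and so
#    changes the committed layer (and with it the fs-verity digest).
# RUN rm -rf /composefs-meta

# 2. Hand-written whiteout marker. Whether the storage driver honours a
#    copied-in .wh. entry is driver dependent, so this is not portable.
# COPY empty /.wh.composefs-meta

# 3. Shadow /run with a tmpfs for the duration of the command. The build-time
#    mountpoint lands on the tmpfs, and the underlying layer is left untouched.
RUN --mount=type=tmpfs,target=/run rm -rf /composefs-meta
```

To confirm the effect, run `stat /run` (or `stat -c %Y /run`) in a container from the original image and from the rebuilt one: with variant 3 the modification time is identical, whereas variant 1 shows a newer timestamp on the rebuilt image.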