Update umoci - minimize xattr warnings #4665

Merged
merged 1 commit into from
Oct 23, 2019

dtrudg (Contributor) commented Oct 23, 2019

Description of the Pull Request (PR):

This updates our version of umoci to v0.4.2+singularity2 from the sylabs
fork.

This version contains a patch to only show a warning for the first
ENOTSUP error when handling xattrs on a filesystem that does not support
them (e.g. NFS mount). This prevents other warnings/errors being
obscured by huge numbers of unimportant ENOTSUP warnings.

Before:

singularity build -s mysandbox docker://centos:7
                      
INFO:    Starting build...
Getting image source signatures
Copying blob d8d02d457314 skipped: already exists
Copying config acab94af64 done
Writing manifest to image destination
Storing signatures
2019/10/23 12:20:43  info unpack layer: sha256:d8d02d45731499028db01b6fa35475f91d230628b4e25fab8e3c015594dc3261
2019/10/23 12:20:49  warn xattr{run/lock/lockdev} ignoring ENOTSUP on setxattr "user.rootlesscontainers"
2019/10/23 12:20:49  warn xattr{run/systemd/netif} ignoring ENOTSUP on setxattr "user.rootlesscontainers"
2019/10/23 12:20:49  warn xattr{run/systemd/netif/leases} ignoring ENOTSUP on setxattr "user.rootlesscontainers"
2019/10/23 12:20:49  warn xattr{run/systemd/netif/links} ignoring ENOTSUP on setxattr "user.rootlesscontainers"
2019/10/23 12:20:50  warn xattr{run/utmp} ignoring ENOTSUP on setxattr "user.rootlesscontainers"
2019/10/23 12:20:57  warn rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2019/10/23 12:21:02  warn xattr{usr/bin/write} ignoring ENOTSUP on setxattr "user.rootlesscontainers"
...
more warnings...

After (with this PR):

INFO:    Starting build...
Getting image source signatures
Copying blob d8d02d457314 skipped: already exists
Copying config acab94af64 done
Writing manifest to image destination
Storing signatures
2019/10/23 12:13:42  info unpack layer: sha256:d8d02d45731499028db01b6fa35475f91d230628b4e25fab8e3c015594dc3261
2019/10/23 12:13:47  warn xattr{run/lock/lockdev} ignoring ENOTSUP on setxattr "user.rootlesscontainers"
2019/10/23 12:13:47  warn xattr{rootfs-73ff226d-f5b8-11e9-b105-e0d55e6c2d0d/run/lock/lockdev} destination filesystem does not support xattrs, further warnings will be suppressed
2019/10/23 12:13:55  warn rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2019/10/23 12:15:18  warn rootless{usr/sbin/arping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2019/10/23 12:15:18  warn rootless{usr/sbin/clockdiff} ignoring (usually) harmless EPERM on setxattr "security.capability"
INFO:    Creating sandbox directory...
INFO:    Build complete: mysandbox

This fixes or addresses the following GitHub issues:

Before submitting a PR, make sure you have done the following:

Attn: @singularity-maintainers

Fixes: #4662

This updates our version of umoci to v0.4.2+singularity2 from the sylabs
fork.

This version contains a patch to only show a warning for the first
ENOTSUP error when handling xattrs on a filesystem that does not support
them (e.g. NFS mount). This prevents other warnings/errors being
obscured by huge numbers of unimportant ENOTSUP warnings.
@dtrudg dtrudg added this to the 3.5.0 milestone Oct 23, 2019
@dtrudg dtrudg requested a review from a team October 23, 2019 17:22
@dtrudg dtrudg added the ci:e2e label Oct 23, 2019
@dtrudg dtrudg merged commit 5c4a22b into apptainer:master Oct 23, 2019
DrDaveD (Collaborator) commented Oct 23, 2019

Looks good Dave, but what about the first warning that prompted us to fix the --silent option

warn rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"

which @afortiorama first reported in 4517?

@dtrudg dtrudg deleted the issue_4662 branch October 23, 2019 20:58
dtrudg (Contributor, Author) commented Oct 23, 2019

@DrDaveD - Those are warnings that we are discarding something that may be there for a functional reason in the docker layer (ping does need a capability set to work). Having gone through some of the umoci stuff I'm not comfortable upstreaming something that would silence or downgrade them. They are warning of things that may actually create a rootfs in which things don't work as expected when you consider umoci being used other than for Singularity.

We are trying to move toward closer compliance with the original content of OCI layers, and e.g. Singularity is now usable as a CRI with k8s which inspires a need to think about more faithful compliance - so I don't really want to get rid of them.

On #4517 the log spam is mainly from selinux attrs which generally should be excluded from container images (I noted before that koji builds for some time should exclude them), and the -s is functional now.
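
The warning policy discussed in this thread, sketched as an added example (not umoci's or Singularity's code): ENOTSUP is a property of the whole destination filesystem and is reported once, while EPERM on `security.capability` is a per-file loss and is reported every time. `xattrWarner`, `handle` and `unpackSample` are hypothetical names, and the replayed setxattr results are constructed from the log lines above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
	"syscall"
)

// xattrWarner is a hypothetical type for this example, not umoci's API.
type xattrWarner struct {
	notsup   sync.Once
	Warnings []string
}

// handle classifies one setxattr result; a non-nil return aborts the unpack.
func (w *xattrWarner) handle(path, name string, err error) error {
	switch {
	case errors.Is(err, syscall.ENOTSUP): // whole-filesystem property: warn once
		w.notsup.Do(func() {
			w.Warnings = append(w.Warnings,
				fmt.Sprintf("xattr{%s} ignoring ENOTSUP on setxattr %q", path, name),
				"destination filesystem does not support xattrs, further warnings will be suppressed")
		})
	case errors.Is(err, syscall.EPERM): // per-file loss (e.g. a capability): warn always
		w.Warnings = append(w.Warnings,
			fmt.Sprintf("rootless{%s} ignoring (usually) harmless EPERM on setxattr %q", path, name))
	default:
		return err // nil, or an error this policy does not tolerate
	}
	return nil
}

// unpackSample replays constructed setxattr results modelled on the logs above.
func unpackSample() []string {
	const rc, fcap = "user.rootlesscontainers", "security.capability"
	w := &xattrWarner{}
	w.handle("run/lock/lockdev", rc, syscall.ENOTSUP)
	w.handle("run/utmp", rc, fmt.Errorf("setxattr: %w", syscall.ENOTSUP)) // wrapped errno
	w.handle("usr/bin/ping", fcap, syscall.EPERM)
	w.handle("usr/bin/write", rc, syscall.ENOTSUP)
	w.handle("usr/sbin/arping", fcap, syscall.EPERM)
	return w.Warnings
}

func main() {
	fmt.Println(strings.Join(unpackSample(), "\n"))
}
```

Because the ENOTSUP branch matches with `errors.Is`, a wrapped errno is suppressed the same way as a bare one, and any other error (for example ENOSPC) is still returned to the caller.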

Successfully merging this pull request may close these issues.

Minimize xattr warnings from umoci