fedora-bootc-meeting
<@jbrooks:matrix.org>
15:00:34
!startmeeting fedora_bootc_meeting
<@meetbot:fedora.im>
15:00:36
Meeting started at 2025-02-11 15:00:34 UTC
<@meetbot:fedora.im>
15:00:36
The Meeting name is 'fedora_bootc_meeting'
<@dustymabe:matrix.org>
15:00:46
!hi
<@jbrooks:matrix.org>
15:00:46
!topic roll call
<@zodbot:fedora.im>
15:00:47
Dusty Mabe (dustymabe) - he / him / his
<@rsturla:fedora.im>
15:00:57
!hi
<@zodbot:fedora.im>
15:00:59
None (rsturla)
<@walters:fedora.im>
15:01:05
!hi
<@zodbot:fedora.im>
15:01:06
Colin Walters (walters)
<@jbrooks:matrix.org>
15:01:08
!hi jasonbrooks
<@zodbot:fedora.im>
15:01:10
Jason Brooks (jasonbrooks) - he / him / his
<@hricky:fedora.im>
15:01:29
!hi
<@zodbot:fedora.im>
15:01:30
Hristo Marinov (hricky) - he / him / his
<@jmarrero:matrix.org>
15:01:33
!hi
<@jlebon:fedora.im>
15:01:34
!hi
<@zodbot:fedora.im>
15:01:36
None (jlebon)
<@zodbot:fedora.im>
15:01:37
Joseph Marrero (jmarrero)
<@bbaude:matrix.org>
15:01:53
!hi
<@zodbot:fedora.im>
15:01:55
No Fedora Accounts users have the @bbaude:matrix.org Matrix Account defined
<@jbrooks:matrix.org>
15:02:14
How's everyone doing today?
<@siosm:matrix.org>
15:02:20
!hi
<@zodbot:fedora.im>
15:02:21
Timothée Ravier (siosm) - he / him / his
<@jbtrystram:matrix.org>
15:02:35
!hi
<@dustymabe:matrix.org>
15:02:36
Good good. Hope you are Jason Brooks
<@zodbot:fedora.im>
15:02:37
Jean-Baptiste Trystram (jbtrystram) - he / him / his
<@walters:fedora.im>
15:04:04
this the first chat meeting right? Previously we were using https://etherpad.opensuse.org/p/bootc-initiative-meetings
<@jbrooks:matrix.org>
15:04:24
We had one other chat meeting: https://meetbot.fedoraproject.org/meeting-1_matrix_fedoraproject-org/2025-01-28/fedora-bootc-initiative.2025-01-28-15.00.log.html
<@jbrooks:matrix.org>
15:04:36
two weeks ago
<@walters:fedora.im>
15:05:06
Ah OK cool.
<@walters:fedora.im>
15:05:21
I think we can get started? Is the first topic https://github.com/containers/buildah/issues/5952 ?
<@jbrooks:matrix.org>
15:05:33
Right
<@walters:fedora.im>
15:05:40
!topic https://github.com/containers/buildah/issues/5952
<@walters:fedora.im>
15:06:36
TL;DR previously buildah made it possible to write a Dockerfile that generated [chunked](https://github.com/ostreedev/ostree-rs-ext/issues/69) images, it got dropped in a security update, we are debating re-adding it
<@walters:fedora.im>
15:07:08
I guess from my PoV I'd say in the end we needed to support doing this outside of Dockerfile anyways too, so that just accelerated our plans for that
<@dustymabe:matrix.org>
15:07:46
I had originally asked to bring everyone together to discuss this before https://github.com/containers/buildah/pull/5975 existed to resolve the issue
<@jlebon:fedora.im>
15:08:44
glad to see there's a PR to re-add (a version of) it
<@walters:fedora.im>
15:09:32
I guess one question for the wider group is around the ergonomics of "rechunking post build" (as is doc'd here https://coreos.github.io/rpm-ostree/experimental-build-chunked-oci/ ) vs "rechunking in one podman build step"; they have quite different tradeoffs
<@rsturla:fedora.im>
15:11:07
What are the primary tradeoffs for each? On first glance, they appeared mostly the same, except for how the commands are invoked
<@rsturla:fedora.im>
15:11:07
Personally, I like the idea of doing this "rechunking" as part of the regular build. It allows users to use their existing application OCI image pipelines as-is, without needing to alter their workflows.
<@rsturla:fedora.im>
15:11:07
<@dustymabe:matrix.org>
15:12:27
> "rechunking in one podman build step"
<@dustymabe:matrix.org>
15:12:27
<@dustymabe:matrix.org>
15:12:27
I think this makes it quite attractive for new people to the process being able to try it out and also operationalize it.
<@siosm:matrix.org>
15:12:28
AFAIK: The in-Containerfile-build one requires podman/buildah to be the builder, the out-of-Containerfile-build one requires rpm-ostree on the host
<@siosm:matrix.org>
15:13:09
(I think we'll need both depending on the use cases)
<@dustymabe:matrix.org>
15:13:10
Colin Walters: could you summarize the "they have quite different tradeoffs" part?
<@walters:fedora.im>
15:13:33
It is possible to run it from a container too actually, I will try to make this clear. But yeah this problem exposes a lot of operational/cognitive complexity because especially in the "on the host" path you need to think about `-v /var/lib/containers:/var/lib/containers` etc
<@walters:fedora.im>
15:13:54
In our current CI flow I just installed rpm-ostree inside the quay.io/buildah:stable image...
<@walters:fedora.im>
15:14:53
But it may push us to more formally create a derived image...actually a minor annoyance here is we don't ship buildah in coreos/bootc (but we do ship podman) but the buildah image doesn't ship podman of course, so we need to have this podman/buildah abstraction
<@walters:fedora.im>
15:15:49
(tangentially related to that, longer term the only way to make this operation even remotely efficient would be to drive c/storage at a pretty low level to ensure we're e.g. reflinking instead of copying file content etc.)
<@dustymabe:matrix.org>
15:16:39
> "on the host" path you need to think about -v /var/lib/containers:/var/lib/containers etc
I'm not the biggest fan of this option. Especially when we've already seen it work without something like this.
<@walters:fedora.im>
15:16:51
dustymabe: I think the summary is that if buildah/podman support this you *can* just do this as part of `podman build` and it seamlessly slots into any tools that wrap that (of which there are like, a lot)
<@dustymabe:matrix.org>
15:17:38
I'm interested in podman folks opinions here.. since you were all nice enough to join us here 👋
<@mheon:matrix.org>
15:18:38
nalind would be the best to comment here
<@nalind:matrix.org>
15:21:31
well i don't think we'll be able to turn support for [FROM things that aren't just image names] off any time soon, but the additional logic that we're going to have to add to try to avoid toc/tou symlink attacks in that content will involve a space tradeoff as we copy that content to a place where it can't be changed out from under us by a concurrently-running bad actor
<@nalind:matrix.org>
15:22:08
but yeah, i don't recommend the "mount /var/lib/containers from the host's /var/lib/containers" pattern
<@walters:fedora.im>
15:24:08
for `FROM oci:` I think we'd generally always be safe against concurrent mutation?
<@nalind:matrix.org>
15:24:52
we have to pass that location through a few API layers to the image library, which we depend on elsewhere to follow symlinks when it's reading the contents of the layout
<@nalind:matrix.org>
15:25:01
but here, we kind of want to not
<@jlebon:fedora.im>
15:25:24
nalind: if i look at the tests added in https://github.com/containers/buildah/pull/5975/files, i see e.g. `FROM oci-archive:archive2.tar` which is quite similar to what we had. do you expect that to change before the PR merges?
<@walters:fedora.im>
15:26:07
In https://docs.rs/ocidir/latest/ocidir/ we use cap-std to constrain everything to the oci subdirectory
<@nalind:matrix.org>
15:26:10
no, i don't expect to break that. that test is there because i expect it to pass when it's marked as ready for review/merge
<@walters:fedora.im>
15:26:59
(cap-std here == openat2(, RESOLVE_BENEATH))
<@walters:fedora.im>
15:28:05
anyways overall I'd summarize this as: that PR will continue, but we'll also just invest in rechunking outside of Containerfile for now and mainly aim to "productize" that more
<@nalind:matrix.org>
15:28:49
in that other context, i actually do depend on the not-beneath behavior
<@walters:fedora.im>
15:29:50
ok, we can probably debate those details in that PR I guess
<@walters:fedora.im>
15:30:21
I don't have more on this topic
<@jbrooks:matrix.org>
15:30:38
Anything to follow up on this in future meetings?
<@jbrooks:matrix.org>
15:31:38
Also, this meeting is 30 min, and we're at time, I don't know if having it via chat now increases anyone's length wishes
<@dustymabe:matrix.org>
15:32:12
for the fcos meeting we have it set to an hour
<@dustymabe:matrix.org>
15:32:21
for matrix meetings
<@jlebon:fedora.im>
15:32:26
I think one thing to emphasize is that most people will not need to rechunk or worry about this. For those that do want to, I think having access to both workflows (within podman build, and outside) is valuable
<@dustymabe:matrix.org>
15:32:28
if we run out of topics we close it out
<@dustymabe:matrix.org>
15:32:50
Thank you container folks for coming!
<@dustymabe:matrix.org>
15:33:06
nalind++ Matt Heon++ Brent Baude++
<@zodbot:fedora.im>
15:33:07
No Fedora Accounts users have the @nalind:matrix.org Matrix Account defined
<@dustymabe:matrix.org>
15:33:09
did I miss anyone?
<@jbrooks:matrix.org>
15:34:10
OK, let's close this one off, and I'll ask in https://matrix.to/#/#bootc:fedoraproject.org for topics for next week
<@jbrooks:matrix.org>
15:34:36
!endmeeting