Extend v1 EROFS to OCI and booting#297
Conversation
|
I think it is important to get this in and I'll start reviewing more carefully it on monday. Which PR is the latest though? Should i just ignore #225? Also, I'm not 100% sure about defaulting to v1, because the xattr think in v2 is likely to improve perfomance in significant ways. |
|
Thanks Alex! This one is an extension of #225 - I think that one should go first. |
cgwalters
force-pushed
the
composefs-c-compat-oci-and-booting
branch
2 times, most recently
from
a1e48b7 to
c87fe17
Compare
The adapt-composefs-rs-api branch still has the old get_cmdline_composefs import which was renamed in PR composefs#297. Point CI at the updated bootc branch (pushed separately to avoid disturbing the existing branch's CI), which carries the necessary adaptations: - OCI image ref API changes (image_ref_v1/v2) - V1 karg format string updates - Dual V1+V2 EROFS image generation TODO: revert to main once bootc-dev/bootc merges these adaptations. Assisted-by: OpenCode (Claude Sonnet 4.6) Signed-off-by: Colin Walters <walters@verbum.org>
cgwalters
force-pushed
the
composefs-c-compat-oci-and-booting
branch
from
c87fe17 to
7c55c75
Compare
| /// | ||
| /// Returns an error if a matching karg is found but the hex digest cannot be parsed | ||
| /// for the given `ObjectID` type. | ||
| pub fn from_cmdline(cmdline: &str) -> Result<Option<Self>> { |
There was a problem hiding this comment.
TODO: unify with bootc karg parsing
jeckersb
left a comment
jeckersb
left a comment
There was a problem hiding this comment.
Didn't review thoroughly but an AI-assisted review was mostly pointing out issues in the kargs parsing which I had already raised in a live call yesterday and we have a plan to remedy over in #180 so I'm not too worried about that for now.
|
Investigating the bootc revdep CI failure here. |
cgwalters
force-pushed
the
composefs-c-compat-oci-and-booting
branch
3 times, most recently
from
953ac7b to
d5470ef
Compare
|
OK! This one is finally passing the bootc revdep, should be good to go |
Migrate OCI crate callers to the new RepositoryConfig API and add dual-format (V1+V2) EROFS image generation during OCI pull. The V1 kernel cmdline karg uses a new self-describing format: composefs.digest=v1-sha256-12:<hex> composefs.digest=v1-sha512-12:<hex> The value encodes the EROFS format version, hash algorithm, and block size before the digest, mirroring how meta.json uses fsverity-sha256-12. The stable key name composefs.digest works naturally with ConditionKernelCommandLine= and allows multiple entries on the same cmdline for different algorithm/format combinations. The initramfs (composefs-setup-root) parses all composefs kargs from the kernel cmdline in order, then tries to mount each image in sequence — the first image that actually exists in the repository wins. mount_composefs_image_if_exists() maps ImageNotFound to Ok(None), letting the mount loop skip missing images without swallowing real errors (verity mismatch, permissions, etc.). The legacy composefs=<hex> karg continues to work for V2 EROFS. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
cgwalters
force-pushed
the
composefs-c-compat-oci-and-booting
branch
from
d5470ef to
23ca9c0
Compare
|
OK one more tweak...I noticed the composers-boot logic wasn't handling multiple |
|
@giuseppe this repo is configured so that pushes to a PR invalidate previous approvals (we're conservative) |
|
I worry about the kernel command line length with this. The docs say:
And, in the automotive space we've definitely had issues with such limits. For example, android boot is limited to 511 bytes of commandline. We do currently when producing such images use "bootconfig" to move options into the kernel binary itself, which would fix this. However, it may make sense, to ensure (while we have the chance) that the commandline is not unnecessary long, by e.g. using (or at least optionally supporting) a base64 encoded digest intead of a hex one. |
Yeah, good point. I think what we could do is add support for looking up the digest from e.g. It'd be relatively straightforward to change It'd be a good idea to land support for this soon, then we can more reasonably cut over late.
Hmm...that's a thing we could also do when generating a UKI too right? Do options injected that way show up in |
|
@cgwalters Yes, these options work like normal in e.g. /proc/cmdline. The only weakness is that some commandline options are read very early by the kernel before the boot config data has been read. What we do is extract a subset of options (https://gitlab.com/CentOS/automotive/src/aboot-deploy/-/blob/main/aboot-update.c?ref_type=heads#L126) and extract only these as the main commandline, and then we dump the rest in a file, and use In the end, it uses this: https://docs.kernel.org/admin-guide/bootconfig.html |
|
Hmm, actually I'm not sure they will be in /proc/cmdline, there seems to be a /proc/bootconfig thing instead... |
4 participants
Builds on #225
In a nutshell: I want to do a cutover to generating V1 EROFS (i.e. bit-for-bit compatible with the original https://github.com/composefs/composefs ). The rationale here is basically we want to be able to replace that project entirely in a compatible way and we need to support RHEL9 and our current EROFS ("v2") isn't compatible because we were implicitly relying on https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9ed50b8231e37b1ae863f5dec8153b98d9f389b4
Handling EROFS versions
In an OCI image splitstream, we can now generate and reference either or both versions. For new repositories, we default to v1. Apart from UKIs, we don't care about the binary checksum of the EROFS, so it's totally fine to just change what we do there. One can use composefs to fetch OCI images and mount them as before, and the fact the EROFS is different is largely invisible.
Sealed UKIs
However, we do care for sealed UKIs that have a checksum of the EROFS. A
composefs=karg signals that V2 EROFS is used. A newcomposefs.digest=karg signals that V1 EROFS is used.Conveniently, I'm also using this transition to get rid of the annoying kernel warning because presence of a
.signals it's for userspace, as is the case here.