FreeBSD support #330

Closed
cyphar opened this issue Jun 23, 2020 · 14 comments
@cyphar
Member

cyphar commented Jun 23, 2020

Now that umoci is supported on MacOS, we should probably also have it build on FreeBSD. The main issue is that Travis-CI doesn't support FreeBSD. So we might have to use some other CI which does...

@cyphar cyphar added this to the 0.5.0 milestone Jun 23, 2020
@mateuszkwiatkowski
Contributor

mateuszkwiatkowski commented Jan 20, 2021

I had to fix two files in order to build on FreeBSD:

# github.com/opencontainers/umoci/pkg/fseval
pkg/fseval/fseval_default.go:108:43: cannot use int(dev) (type int) as type uint64 in argument to unix.Mknod
# github.com/opencontainers/umoci/pkg/unpriv
pkg/unpriv/unpriv.go:454:44: cannot use int(dev) (type int) as type uint64 in argument to unix.Mknod

@mateuszkwiatkowski
Contributor

After that I get this runtime error:

# umoci unpack --image image bundle
   ⨯ create runtime bundle: unpack rootfs: unpack layer: unpack entry: usr/bin/ping: apply hdr metadata: restore xattr metadata: bundle/rootfs/usr/bin/ping: attribute not found

@mateuszkwiatkowski
Contributor

Extracting images without SELinux works fine! I was able to create a FreeBSD Jail from an alpine image:

monster-1 /jails # skopeo --override-os linux copy docker://alpine:latest oci:alpine:latest
Getting image source signatures
Copying blob 596ba82af5aa done
Copying config 685c3b45fa done
Writing manifest to image destination
Storing signatures
monster-1 /jails # umoci unpack --image alpine bundle
monster-1 /jails # jail -c name=alpine host.hostname=alpine ip4.addr=192.168.0.254 path=/jails/bundle/rootfs command=/bin/uname -a
Linux alpine 3.17.0 FreeBSD 13.0-ALPHA1 #19 main-c256122-g4bbfe4bf08d: Wed Jan 20 01 x86_64 Linux

Note: skopeo needs patching to work on FreeBSD. See PRs linked to this issue: containers/skopeo#1163

@cyphar
Member Author

cyphar commented Jan 20, 2021

The attribute error is almost certainly for the cap_net_raw fscap xattr -- not sure there's an obvious fix aside from using a container image that doesn't use that xattr (making it setuid seems like it's a bit too dangerous to do automatically).

@mateuszkwiatkowski
Contributor

> The attribute error is almost certainly for the cap_net_raw fscap xattr -- not sure there's an obvious fix aside from using a container image that doesn't use that xattr (making it setuid seems like it's a bit too dangerous to do automatically).

How is this handled on macOS? Is it possible to ignore xattrs when the OS doesn’t support them?

@cyphar
Member Author

cyphar commented Jan 20, 2021

To be honest I'm not sure it works under macOS either (unless macOS is missing the setxattr(2) syscalls entirely)? I don't have a macOS machine and our integration tests don't yet run under macOS...

We will need to switch CI systems soon (Travis is no longer usable for FOSS projects) so we will need to revisit the macOS testing as well...

@mateuszkwiatkowski
Contributor

For CI you can try https://cirrus-ci.org/. I think it supports all major platforms.

@cyphar
Member Author

cyphar commented Jan 21, 2021

> Is it possible to ignore xattrs when the OS doesn’t support them?

The issue is that FreeBSD does support xattrs, just not the particular one we have. Then again, ignoring -EOPNOTSUPP or whatever FreeBSD returns is /probably/ fine (I added code to Docker a while ago to do the same thing).
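
An added example, not part of the thread and not umoci's or Docker's code: a Go sketch of the approach discussed above, skipping xattrs the platform reports as unsupported while still failing on any other error. `setXattrFunc`, `restoreXattrs` and `fakeSet` are hypothetical names, and treating `ENOTSUP`/`EOPNOTSUPP` as the signal is an assumption, since the thread does not say which errno FreeBSD returns.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"syscall"
)

// setXattrFunc is a hypothetical stand-in for the platform's lsetxattr wrapper.
type setXattrFunc func(path, name string, value []byte) error

// isUnsupported reports whether err says the xattr cannot be stored here.
// Assumption: the platform signals this with ENOTSUP or EOPNOTSUPP.
func isUnsupported(err error) bool {
	return errors.Is(err, syscall.ENOTSUP) || errors.Is(err, syscall.EOPNOTSUPP)
}

// restoreXattrs applies every xattr to path. Unsupported ones are skipped and
// returned for logging (never replaced by setuid); other errors abort.
func restoreXattrs(set setXattrFunc, path string, xattrs map[string][]byte) ([]string, error) {
	names := make([]string, 0, len(xattrs))
	for name := range xattrs {
		names = append(names, name)
	}
	sort.Strings(names)
	var skipped []string
	for _, name := range names {
		if err := set(path, name, xattrs[name]); isUnsupported(err) {
			skipped = append(skipped, name)
		} else if err != nil {
			return skipped, fmt.Errorf("restore xattr %q on %s: %w", name, path, err)
		}
	}
	return skipped, nil
}

// fakeErrs is constructed sample behaviour for the demo setter below.
var fakeErrs = map[string]error{"security.capability": syscall.ENOTSUP, "user.denied": syscall.EPERM}

func fakeSet(_, name string, _ []byte) error { return fakeErrs[name] }

func main() {
	x := map[string][]byte{"security.capability": {0x01}, "user.note": []byte("x")}
	fmt.Println(restoreXattrs(fakeSet, "bundle/rootfs/usr/bin/ping", x))
}
```

Skipping `security.capability` leaves the unpacked binary with fewer privileges than the image intended, so the list of skipped names is worth surfacing to the user.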

@mateuszkwiatkowski
Contributor

> > Is it possible to ignore xattrs when the OS doesn’t support them?
>
> The issue is that FreeBSD does support xattrs, just not the particular one we have. Then again, ignoring -EOPNOTSUPP or whatever FreeBSD returns is /probably/ fine (I added code to Docker a while ago to do the same thing).

That’s what I meant. :-) We should be able to extract CentOS and Fedora images too.

@cyphar
Member Author

cyphar commented Jan 22, 2021

Alright, I'll cook up a quick patch for this on Monday. Can you send a patch with the fixes for the files you needed to build on FreeBSD?

@mateuszkwiatkowski
Contributor

mateuszkwiatkowski commented Jan 29, 2021

@cyphar Below is a quick fix I made in order to unblock the build on FreeBSD. Most probably it'll break the build on other systems, so it requires more work. I can try to do this next week; however, I'm not a Go expert and I'm not sure how to proceed. :-)

diff --git a/Makefile b/Makefile
index b6c9e90..65d08be 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@
 # limitations under the License.

 # Use bash, so that we can do process substitution.
-SHELL = /bin/bash
+SHELL := $(shell which bash)
 # Go tools.
 GO ?= go
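
Review bot: On the new `SHELL := $(shell which bash)` line, nothing checks that `which bash` found anything; if bash is not on PATH the variable expands to an empty string and the failure only shows up later, in whichever recipe relies on the process substitution the comment above mentions. Consider failing early when the lookup comes back empty (for example with `$(error bash not found)`), and update the comment to say the interpreter is now resolved from PATH rather than fixed at /bin/bash.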
diff --git a/pkg/fseval/fseval_default.go b/pkg/fseval/fseval_default.go
index 1cb03f5..d339a77 100644
--- a/pkg/fseval/fseval_default.go
+++ b/pkg/fseval/fseval_default.go
@@ -105,7 +105,7 @@ func (fs osFsEval) RemoveAll(path string) error {

 // Mknod is equivalent to unix.Mknod.
 func (fs osFsEval) Mknod(path string, mode os.FileMode, dev uint64) error {
-       return unix.Mknod(path, uint32(mode), int(dev))
+       return unix.Mknod(path, uint32(mode), uint64(dev))
 }

 // MkdirAll is equivalent to os.MkdirAll.
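
Review bot: In `osFsEval.Mknod`, `dev` is already declared `uint64` in the signature, so `uint64(dev)` is a no-op conversion; pass `dev` directly. The removed line used `int(dev)`, so this change as written stops compiling wherever `unix.Mknod` takes an `int`; the conversion belongs in a per-OS build file rather than in this shared one.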
diff --git a/pkg/unpriv/unpriv.go b/pkg/unpriv/unpriv.go
index 45614f0..e69bc0f 100644
--- a/pkg/unpriv/unpriv.go
+++ b/pkg/unpriv/unpriv.go
@@ -451,7 +451,7 @@ func MkdirAll(path string, perm os.FileMode) error {
 // required access bits to modify or resolve the path.
 func Mknod(path string, mode os.FileMode, dev uint64) error {
        return errors.Wrap(Wrap(path, func(path string) error {
-               return unix.Mknod(path, uint32(mode), int(dev))
+               return unix.Mknod(path, uint32(mode), uint64(dev))
        }), "unpriv.mknod")
 }
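
Review bot: The `unix.Mknod` call inside `unpriv.Mknod` repeats the same conversion change made in pkg/fseval, so the platform-specific type of `dev` now has to be kept right in two places. Suggest one small helper that takes `dev uint64` and performs the conversion, used by both call sites, so that only the helper varies per OS.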

@cyphar
Member Author

cyphar commented Jan 29, 2021

That's okay, I can work with that change. We'll need to make a new OS-specific build file for that.

mateuszkwiatkowski added a commit to runhyve/umoci that referenced this issue Feb 2, 2021
@mateuszkwiatkowski
Contributor

Hi @cyphar,

I went ahead and created a PR for you. Please review it or take it over, whatever works best for you.
I also created a FreeBSD port of umoci which should expose this project to more FreeBSD users. I'll send it for review once we have FreeBSD support merged.

mateuszkwiatkowski added a commit to runhyve/umoci that referenced this issue Feb 4, 2021
Ref opencontainers#330

Signed-off-by: Mateusz Kwiatkowski <[email protected]>
@cyphar
Member Author

cyphar commented Apr 20, 2021

Closing this since we now have FreeBSD support, and #364 tracks the issue with unpacking images.

@cyphar cyphar closed this as completed Apr 20, 2021