Skip to content

Add tar xattr support#707

Open
bozaro wants to merge 1 commit intobazelbuild:mainfrom
bozaro:tar-xattr-support
Open

Add tar xattr support#707
bozaro wants to merge 1 commit intobazelbuild:mainfrom
bozaro:tar-xattr-support

Conversation

@bozaro
Copy link

@bozaro bozaro commented Jun 5, 2023

Motivation

I need tool to set "max locked memory" ulimit for mongos inside Kubernetes environment.
This tool need etcap cap_sys_resource+ep xattr on file.

This PR allows set xattr on files inside .tar artchives.

Example

Allow set xattr inside tar archives, for example:

pkg_tar(
    name = "tool-layer",
    extension = "tar",
    files = {
        ":ulimit-wrapper": "/usr/local/bin/ulimit-wrapper",
    },
    # setcap cap_sys_resource+ep ulimit-wrapper && getfattr -d -e hex -m - ulimit-wrapper
    xattr = [
        "security.capability=0x0100000200000001000000000000000000000000",
    ],
)

@bozaro bozaro force-pushed the tar-xattr-support branch 2 times, most recently from ba6e562 to 027f82d Compare June 5, 2023 11:59
@bozaro bozaro force-pushed the tar-xattr-support branch from 027f82d to 416e3e8 Compare June 5, 2023 12:29
@bozaro bozaro marked this pull request as ready for review June 5, 2023 12:31
@bozaro bozaro requested review from aiuto and nacl as code owners June 5, 2023 12:31
@aiuto
Copy link
Collaborator

aiuto commented Jun 5, 2023

Can you start a bug about this so we can get the requirements right first.
It looks like you are setting xattr on each file. If that is the need, then we should raise this to the level of other attributes, like owner and perms, so we can apply it to each file distinctly.

@bozaro
Copy link
Author

bozaro commented Jun 5, 2023

I want to make something like Dockerfile:

FROM ubuntu:22.04
...
COPY app /usr/local/bin/app
RUN setcap cap_sys_resource+ep /usr/local/bin/app

In BUILD.bazel I got rules like:

load("@rules_pkg//:pkg.bzl", "pkg_tar")
load("@io_bazel_rules_docker//container:container.bzl", "container_image")

...

pkg_tar(
    name = "app-tar",
    extension = "tar",
    files = {
        ":app": "/usr/local/bin/app",
    },
    xattr = [
        "security.capability=0x0100000200000001000000000000000000000000",
    ],
)

container_image(
    name = "app-image",
    ...
    tars = [
        ":app-tar",
    ],
)

In this example xattr I set xattr to all one file, but in this PR also supported xattrs attribute like:

    xattrs = {
    	"usr/local/bin/app": [
    	    "security.capability=0x0100000200000001000000000000000000000000",
        ]
    },

@aiuto
Copy link
Collaborator

aiuto commented Aug 9, 2023

Can you think about how this should be in pkg_files. Adding it only to pkg_tar is sort of a dead end.
We want tools that describe what you want independently of the final package type.

@aiuto aiuto mentioned this pull request Sep 19, 2023
Merged
fruechel-canva
fruechel-canva reviewed Mar 15, 2024
View reviewed changes
pkg/private/tar/build_tar.py
key = item[:idx]
raw = item[idx+1:]
if raw.startswith("0x"):
xattrs[key] = bytes.fromhex(raw[2:]).decode('latin-1')
Copy link

@fruechel-canva fruechel-canva Mar 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You probably want to use .decode('utf-8', "surrogateescape") here as certain xattrs will be re-encoded incorrectly otherwise. On re-encoding the tarfile module uses surrogateescape to restore any values that don't cleanly decode to UTF-8.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aiuto aiuto Awaiting requested review from aiuto aiuto is a code owner

@nacl nacl Awaiting requested review from nacl

1 more reviewer

@fruechel-canva fruechel-canva fruechel-canva left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bozaro @aiuto @fruechel-canva