image-rs: Handle gzip whiteouts correctly

[squarti]

This PR readds whiteout handling on platforms that support xattr

Fixes: #604

[Xynnn007]

I noticed that there are some duplicated logic between convert_whiteout and unpack after line 139. Could we do some refactoring upon this commit to avoid this?

[squarti]

Yes, I will refactor it

[squarti]

@Xynnn007 I pushed some changes. Is that what you have in mind?

[bpradipt]

@squarti @Xynnn007 are you aware of any tools that helps to inspect a container image to figure out if it contains gzip whiteouts?
Or any sample image that can be used for testing this PR?

[squarti]

@squarti @Xynnn007 are you aware of any tools that helps to inspect a container image to figure out if it contains gzip whiteouts? Or any sample image that can be used for testing this PR?

I am not aware of any tool. I used this image ghcr.io/actions/actions-runner:latest to test it

[Xynnn007]

Thanks for the refactoring! Two last comments and other parts looks perfect to me

[Xynnn007]

Let's move this

use anyhow::anyhow;

directly inside convert_whiteout

[Xynnn007]

Probably we could use a shared convert_whiteout funciton. With cfg-if to firstly judge the platform and return Ok(true) if needed. Thus we do not need two convert_whiteout versions.

[mythi]

@squarti @Xynnn007 are you aware of any tools that helps to inspect a container image to figure out if it contains gzip whiteouts? Or any sample image that can be used for testing this PR?

I am not aware of any tool. I used this image ghcr.io/actions/actions-runner:latest to test it

FWIW, I've built images with whiteouts using the distroless tooling in the past. In case it's useful..

[Xynnn007]

One last thing. Sorry I did not make it clear

[Xynnn007]

We can try to return ASAP to avoid big {..} block

if !cfg!(target_os = "linux") && !cfg!(target_os = "freebsd") && !cfg!(target_os = "macos") {
    return Ok(true)
}

... other logic

[Xynnn007]

good. A rebase is needed

[Xynnn007]

Do we need also to set_file_times() here?

[squarti]

Good question. Looking into the golang base implementation, set_file_times is not done.

The purpose of the whiteout file is to hide the original file. Even if we update the file times, it is not going to be visible in the file system.

[fitzthum]

Nice. A few comments. I guess this is mainly being ported from the Go code, but I'd like to understand a little better what's happening.

[fitzthum]

I guess you might have inherited some of this code, but the logic here seems a bit odd to me. convert_whiteout doesn't necessarily convert a whiteout. It checks if we are pointing to a whiteout file and then converts it if needed. This results in a slightly clunky Result<bool> being returned.

What about making two functions. One called is_whiteout which returns Result<bool> and one called convert_whiteout which just returns a Result<()>

This seem like a bit of messing around but I think it will make this nicer.

[fitzthum]

I'm a little confused by this part. Is this a trick to get rid of a file from a lower layer at the same location as the whiteout? It might be good to put a comment here (and maybe also a higher-level one with some reference to a spec) since this is a somewhat unusual operation. Why not just delete the file at that path or am I totally off here?

[fitzthum]

This mknod thing is still a bit mysterious to me, but I guess we can live with it.

[squarti]

mknod creates a character device with 0/0 device number which hides the file in the lower layer. The lower layer cannot be changed since it is read only.

[Xynnn007]

I am not sure we use nix here, s.t. https://docs.rs/nix/0.29.0/nix/sys/stat/fn.mknod.html If we can, we will get code w/o unsafe parts

[squarti]

I am not sure this is what you are after.

[fitzthum]

Thanks @squarti

Let's keep an eye on image unpacking when we next bump guest-components just in case.