* [meta-virtualization][PATCH] image-oci: don't preserve ownership in directories/files/host layer copies
@ 2026-05-02 21:01 tim.orling
2026-05-11 20:16 ` Bruce Ashfield
0 siblings, 1 reply; 2+ messages in thread
From: tim.orling @ 2026-05-02 21:01 UTC (permalink / raw)
To: meta-virtualization; +Cc: Tim Orling
From: Tim Orling <tim.orling@konsulko.com>

The multi-layer 'directories', 'files', and 'host' branches in IMAGE_CMD:oci
copy delta content into the OCI bundle rootfs with 'cp -a'. 'cp -a' implies
'--preserve=all', which calls lchown() on the destination to copy ownership
from the source. When a directories/files layer copies a symbolic link whose
target does not exist at build time (for example, the '/dev/stdout' and
'/dev/stderr' log forwarding symlinks used by the official nginx Docker
image), lchown() can return EINVAL under pseudo and 'cp' aborts with:

    cp: failed to preserve ownership for .../var/log/nginx/access.log: Invalid argument

failing the whole do_image_oci task.

The single-layer rootfs copy already handles this correctly:

    cp -r -a --no-preserve=ownership ${IMAGE_ROOTFS}/* $image_bundle_name/rootfs

and the multi-layer 'packages' branch uses 'rsync -a --no-owner --no-group'
for the same reason. Bring the three remaining cp -a sites in line by adding
'--no-preserve=ownership'. Ownership inside an OCI image is set by umoci
based on the image config and source ownership has no meaning for symlinks
to runtime device nodes anyway, so dropping preservation is the correct
behaviour.

Reproduce: declare a directories: layer that copies a path containing a
symlink to '/dev/stdout' or '/dev/stderr' (e.g. a postprocess that creates
/var/log/nginx/{access,error}.log -> /dev/{stdout,stderr} to mirror the
upstream nginx Docker image).

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
classes/image-oci-umoci.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/classes/image-oci-umoci.inc b/classes/image-oci-umoci.inc
index bad6c5d0..a033d73a 100644
--- a/classes/image-oci-umoci.inc
+++ b/classes/image-oci-umoci.inc
@@ -611,7 +611,7 @@ IMAGE_CMD:oci() {
oci_dst_file="$image_bundle_name/rootfs$oci_rel_path"
if [ ! -e "$oci_dst_file" ]; then
mkdir -p "$(dirname "$oci_dst_file")"
- cp -a "$oci_src_file" "$oci_dst_file"
+ cp -a --no-preserve=ownership "$oci_src_file" "$oci_dst_file"
oci_delta_copied=$(expr $oci_delta_copied + 1)
else
oci_delta_skipped=$(expr $oci_delta_skipped + 1)
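Review bot: The guard in this hunk, `if [ ! -e "$oci_dst_file" ]`, follows symbolic links, so for the case this patch targets (a link to '/dev/stdout' or another absolute path) the test is evaluated against the build host's filesystem rather than the bundle rootfs. A link that is already present in the bundle but does not resolve on the host is reported as missing, cp is run on it again, and it is counted in oci_delta_copied instead of oci_delta_skipped. Consider `[ ! -e "$oci_dst_file" ] && [ ! -L "$oci_dst_file" ]` so that an existing link is skipped whatever it points to.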
@@ -638,7 +638,7 @@ IMAGE_CMD:oci() {
oci_dst_file="$image_bundle_name/rootfs$oci_file"
if [ ! -e "$oci_dst_file" ]; then
mkdir -p "$(dirname "$oci_dst_file")"
- cp -a "${IMAGE_ROOTFS}$oci_file" "$oci_dst_file"
+ cp -a --no-preserve=ownership "${IMAGE_ROOTFS}$oci_file" "$oci_dst_file"
bbnote "OCI: Added file $oci_file"
else
bbnote "OCI: Skipped file $oci_file (already in bundle)"
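Review bot: The reason for '--no-preserve=ownership' is recorded only in the commit message; at the `cp -a --no-preserve=ownership "${IMAGE_ROOTFS}$oci_file" "$oci_dst_file"` line nothing tells a later reader why ownership is dropped, and the same option string is now spelled out at three call sites in IMAGE_CMD:oci. A one-line comment here (lchown() on such symlinks fails under pseudo, ownership comes from the image config), or a single shell variable holding the cp options that all copy sites share, would keep the sites from drifting apart again.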
@@ -657,7 +657,7 @@ IMAGE_CMD:oci() {
oci_host_dst="${oci_host_pair##*:}"
if [ -e "$oci_host_src" ]; then
mkdir -p "$image_bundle_name/rootfs$(dirname $oci_host_dst)"
- cp -a "$oci_host_src" "$image_bundle_name/rootfs$oci_host_dst"
+ cp -a --no-preserve=ownership "$oci_host_src" "$image_bundle_name/rootfs$oci_host_dst"
bbnote "OCI: Added from host: $oci_host_src -> $oci_host_dst"
else
bbfatal "OCI: Host path not found: $oci_host_src"
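Review bot: In the host branch, 'cp -a' with only ownership excluded still preserves the mode bits and timestamps of "$oci_host_src", and this source is a path on the build host ("Added from host"), so permissions and mtimes from the build machine end up in the image layer. If that is intended, a comment saying so would help; otherwise narrow what is preserved, for example with '--no-preserve=ownership,timestamps'. Separately, `$(dirname $oci_host_dst)` in the mkdir line is unquoted and will split on whitespace in the destination path; `$(dirname "$oci_host_dst")` matches the quoting used in the other two hunks.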
--
2.47.3
* Re: [meta-virtualization][PATCH] image-oci: don't preserve ownership in directories/files/host layer copies
From: Bruce Ashfield @ 2026-05-11 20:16 UTC (permalink / raw)
To: tim.orling; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization][PATCH] image-oci: don't preserve ownership in directories/files/host layer copies
on 02/05/2026 Tim Orling via lists.yoctoproject.org wrote:
> From: Tim Orling <tim.orling@konsulko.com>
>
> The multi-layer 'directories', 'files', and 'host' branches in IMAGE_CMD:oci
> copy delta content into the OCI bundle rootfs with 'cp -a'. 'cp -a' implies
> '--preserve=all', which calls lchown() on the destination to copy ownership
> from the source. When a directories/files layer copies a symbolic link whose
> target does not exist at build time (for example, the '/dev/stdout' and
> '/dev/stderr' log forwarding symlinks used by the official nginx Docker
> image), lchown() can return EINVAL under pseudo and 'cp' aborts with:
>
> cp: failed to preserve ownership for .../var/log/nginx/access.log: Invalid argument
>
> failing the whole do_image_oci task.
>
> The single-layer rootfs copy already handles this correctly:
>
> cp -r -a --no-preserve=ownership ${IMAGE_ROOTFS}/* $image_bundle_name/rootfs
>
> and the multi-layer 'packages' branch uses 'rsync -a --no-owner --no-group'
> for the same reason. Bring the three remaining cp -a sites in line by adding
> '--no-preserve=ownership'. Ownership inside an OCI image is set by umoci
> based on the image config and source ownership has no meaning for symlinks
> to runtime device nodes anyway, so dropping preservation is the correct
> behaviour.
>
> Reproduce: declare a directories: layer that copies a path containing a
> symlink to '/dev/stdout' or '/dev/stderr' (e.g. a postprocess that creates
> /var/log/nginx/{access,error}.log -> /dev/{stdout,stderr} to mirror the
> upstream nginx Docker image).
>
> Signed-off-by: Tim Orling <tim.orling@konsulko.com>
> ---
> classes/image-oci-umoci.inc | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/classes/image-oci-umoci.inc b/classes/image-oci-umoci.inc
> index bad6c5d0..a033d73a 100644
> --- a/classes/image-oci-umoci.inc
> +++ b/classes/image-oci-umoci.inc
> @@ -611,7 +611,7 @@ IMAGE_CMD:oci() {
> oci_dst_file="$image_bundle_name/rootfs$oci_rel_path"
> if [ ! -e "$oci_dst_file" ]; then
> mkdir -p "$(dirname "$oci_dst_file")"
> - cp -a "$oci_src_file" "$oci_dst_file"
> + cp -a --no-preserve=ownership "$oci_src_file" "$oci_dst_file"
> oci_delta_copied=$(expr $oci_delta_copied + 1)
> else
> oci_delta_skipped=$(expr $oci_delta_skipped + 1)
> @@ -638,7 +638,7 @@ IMAGE_CMD:oci() {
> oci_dst_file="$image_bundle_name/rootfs$oci_file"
> if [ ! -e "$oci_dst_file" ]; then
> mkdir -p "$(dirname "$oci_dst_file")"
> - cp -a "${IMAGE_ROOTFS}$oci_file" "$oci_dst_file"
> + cp -a --no-preserve=ownership "${IMAGE_ROOTFS}$oci_file" "$oci_dst_file"
> bbnote "OCI: Added file $oci_file"
> else
> bbnote "OCI: Skipped file $oci_file (already in bundle)"
> @@ -657,7 +657,7 @@ IMAGE_CMD:oci() {
> oci_host_dst="${oci_host_pair##*:}"
> if [ -e "$oci_host_src" ]; then
> mkdir -p "$image_bundle_name/rootfs$(dirname $oci_host_dst)"
> - cp -a "$oci_host_src" "$image_bundle_name/rootfs$oci_host_dst"
> + cp -a --no-preserve=ownership "$oci_host_src" "$image_bundle_name/rootfs$oci_host_dst"
> bbnote "OCI: Added from host: $oci_host_src -> $oci_host_dst"
> else
> bbfatal "OCI: Host path not found: $oci_host_src"
> --
> 2.47.3