fix: handle opaque whiteouts before layer extraction #95
hiroTamada wants to merge 3 commits into main from
Opaque whiteouts (.wh..wh..opq) mean "replace this directory entirely with this layer's contents." The previous approach processed them after extraction, which deleted the current layer's own files (e.g. /bin/sh) along with the lower layer files.

Now: pre-scan each layer's tar for opaque whiteouts, clear those directories before extraction, then extract. Regular whiteouts are still processed after extraction.

This fixes /bin/sh not found errors on images with layers that replace directories like /bin/.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The previous sync command was insufficient to flush writes through the virtio-blk layer. This caused the host to read stale/incomplete data from the source volume, resulting in LZ4 decompression errors when booting the erofs rootfs.

Now: fsync the erofs file and directory entry, then unmount the source volume entirely before reporting the result. This guarantees all writes have reached the host-side block device file.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| for _, e := range entries { | ||
| os.RemoveAll(filepath.Join(opaqueDir, e.Name())) | ||
| } | ||
| } |
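Review bot: the return value of os.RemoveAll(filepath.Join(opaqueDir, e.Name())) inside the loop is discarded, so a failed removal leaves lower-layer files in a directory this layer marked opaque while extraction carries on as if it had been cleared. Check the error and fail the layer (or at least log the path that could not be removed) instead of ignoring it.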
Path traversal in pre-scan enables directory clearing outside exportDir
Low Severity
The pre-scan processes raw tar -tf output entries without sanitizing path traversal sequences. filepath.Join(exportDir, filepath.Dir(entry)) with an entry containing ../ resolves outside exportDir — e.g. a crafted entry like ../../../etc/.wh..wh..opq resolves opaqueDir to /etc, causing os.RemoveAll on every entry in that directory. Notably, tar -tf shows raw archive paths (including ../) while tar -xf strips them by default, creating an asymmetry where the pre-scan clears directories that extraction would never actually touch.
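One way to close the gap the Bugbot comment describes, as an added example that is not code from this PR or repository: resolve each listed opaque-whiteout entry against exportDir, refuse anything that lands outside it, and only then clear the directory, checking every removal error. The function name clearOpaqueDirs, the temp-directory layout and the entry names are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// clearOpaqueDirs takes entry names as listed by `tar -tf` and empties every
// directory under exportDir that carries an opaque whiteout (.wh..wh..opq).
// Names that resolve outside exportDir go to rejected and are never touched.
// The check is lexical only: symlinks already under exportDir are not resolved.
func clearOpaqueDirs(exportDir string, entries []string) (rejected []string, err error) {
	for _, entry := range entries {
		if filepath.Base(entry) != ".wh..wh..opq" {
			continue
		}
		dir := filepath.Join(exportDir, filepath.Dir(entry))
		rel, relErr := filepath.Rel(exportDir, dir)
		if relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			rejected = append(rejected, entry)
			continue
		}
		children, readErr := os.ReadDir(dir)
		if os.IsNotExist(readErr) {
			continue // no lower layer created this directory
		}
		if readErr != nil {
			return rejected, readErr
		}
		for _, c := range children {
			if rmErr := os.RemoveAll(filepath.Join(dir, c.Name())); rmErr != nil {
				return rejected, rmErr
			}
		}
	}
	return rejected, nil
}

func main() {
	root, _ := os.MkdirTemp("", "layer-demo") // constructed sample layout
	defer os.RemoveAll(root)
	export := filepath.Join(root, "export")
	os.MkdirAll(filepath.Join(export, "bin"), 0o755)
	os.WriteFile(filepath.Join(export, "bin", "sh"), nil, 0o755)
	rejected, err := clearOpaqueDirs(export, []string{"bin/.wh..wh..opq", "../outside/.wh..wh..opq"})
	fmt.Println(rejected, err)
}
```

A rejected entry is better treated as a reason to fail the whole layer than as something to skip silently, since a well-formed image has no reason to contain one.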
The idempotent create test only expected "pending" or "ready" but the second call can also return "pulling" or "converting" depending on timing. Add all valid intermediate statuses to fix the flaky test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>


Summary
- /bin/sh: no such file or directory crash on images with layers that replace directories (e.g. Python base images)
- Opaque whiteouts (.wh..wh..opq) must clear directories before extraction, not after — otherwise the current layer's own files get deleted along with lower layer files

Test plan
- /bin/sh exists in booted VM

🤖 Generated with Claude Code
Note
Medium Risk
Changes core layer-unpack semantics and disk flush behavior inside the builder VM; mistakes could yield incorrect rootfs contents or flaky image readiness, though scope is limited to the in-VM erofs fast-path.

Overview
Fixes in-VM erofs creation for images that rely on OCI opaque whiteouts by pre-scanning each layer tarball for .wh..wh..opq, clearing affected directories before extracting the layer, and then applying regular .wh.* deletions post-extract.

Hardens the final erofs writeout by replacing the previous sync-only flush with fsync on the output file + source directory and an umount-based flush fallback, and relaxes TestCreateImage_Idempotent to accept additional in-progress statuses (pulling, converting).

Written by Cursor Bugbot for commit 9d43543.