@ningmingxiao
Contributor

@ningmingxiao ningmingxiao commented Oct 26, 2025

If containerd runs on a new host, supported must be false

func NewLabeledStore(root string, ls LabelStore) (content.Store, error) {
	supported, _ := fsverity.IsSupported(root)

	s := &store{
		root:               root,
		ls:                 ls,
		integritySupported: supported,
		locks:              map[string]*lock{},
	}

because rootPath (io.containerd.content.v1.content) doesn't exist.

func IsSupported(rootPath string) (bool, error) {
	minKernelVersion := kernelversion.KernelVersion{Kernel: 5, Major: 4}
	s, err := kernelversion.GreaterEqualThan(minKernelVersion)
	if err != nil {
		return s, err
	}

	integrityDir, err := os.MkdirTemp(rootPath, ".fsverity-check-*")
	if err != nil {
		return false, err
	}

I find the io.containerd.content.v1.content dir is only created when pulling images.

@AkihiroSuda @mxpv @fuweid

@github-project-automation github-project-automation bot moved this to Needs Triage in Pull Request Review Oct 26, 2025
@dosubot dosubot bot added the kind/bug label Oct 26, 2025
@ningmingxiao ningmingxiao changed the title bugfix:make sure content dir exist bugfix:make sure content dir exist to fix integritySupported always false. Oct 27, 2025
@ningmingxiao ningmingxiao changed the title bugfix:make sure content dir exist to fix integritySupported always false. bugfix:make sure content dir exist to fix integritySupported always false Oct 27, 2025
@fuweid fuweid changed the title bugfix:make sure content dir exist to fix integritySupported always false content: ensure root directory exists before checking fs-verity support Oct 28, 2025
@fuweid
Member

fuweid commented Oct 28, 2025

This is the git commit message. Feel free to use this in your commit

Currently, fs-verity support detection fails on fresh containerd
installations because the content store root directory
(io.containerd.content.v1.content) doesn't exist yet. This directory
is only created when pulling images, causing checker to
always be false on new hosts.

The IsSupported() function attempts to create a temporary directory
within rootPath to test fs-verity support, but fails when rootPath
doesn't exist, returning an error that is silently ignored.

Fix this by ensuring the root directory exists before performing
the fs-verity support check in NewLabeledStore().
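
The failure mode described in this thread, reduced to a stand-alone Go program (an added example, not code from the containerd repository or from this PR). `probeDir`, `detectBefore` and `detectAfter` are hypothetical names, the fs-verity test itself is left out, and the scratch path and the 0o755 mode are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// probeDir stands in for the first step of IsSupported() quoted in the thread:
// create a scratch directory under root. The fs-verity test itself is omitted.
func probeDir(root string) (bool, error) {
	dir, err := os.MkdirTemp(root, ".fsverity-check-*")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	return true, nil
}

// detectBefore mirrors the pre-fix call site: the error is discarded, so a
// missing root is indistinguishable from "filesystem lacks fs-verity".
func detectBefore(root string) bool {
	supported, _ := probeDir(root)
	return supported
}

// detectAfter creates root first and hands any probe error back to the caller.
func detectAfter(root string) (bool, error) {
	if err := os.MkdirAll(root, 0o755); err != nil { // mode assumed; thread cites 755
		return false, fmt.Errorf("create content root %q: %w", root, err)
	}
	return probeDir(root)
}

func main() {
	base, err := os.MkdirTemp("", "content-demo-*") // constructed scratch location
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "io.containerd.content.v1.content")
	_, perr := probeDir(root)
	fmt.Println("before fix, supported:", detectBefore(root))
	fmt.Println("hidden error is ENOENT:", errors.Is(perr, fs.ErrNotExist))
	ok, err := detectAfter(root)
	fmt.Println("after fix, probe reachable:", ok, err)
}
```

Because the discarded error turns a missing directory into "integrity unsupported", the store would run without fs-verity on a fresh host with no signal to the operator; returning or logging the error makes that state visible.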

@ningmingxiao
Contributor Author

done thanks @fuweid

@ningmingxiao ningmingxiao force-pushed the fix_content_dir branch 3 times, most recently from 7f49254 to f49a85e Compare October 28, 2025 05:59
@ningmingxiao
Contributor Author

ningmingxiao commented Oct 29, 2025

@estesp @AkihiroSuda can this PR be merged? It's easy to review.

@ningmingxiao
Contributor Author

ningmingxiao commented Oct 29, 2025

ping @dmcgowan @mxpv @akhilerm can you take a look? Thanks

@ningmingxiao
Contributor Author

Can you help review this PR? It's easy to review. @samuelkarp

@ningmingxiao
Contributor Author

ping @dmcgowan @mikebrow @mxpv can this PR be merged?

Member

@mikebrow mikebrow left a comment

see questions and a nit on the warning msg

Member

@mikebrow mikebrow left a comment

LGTM

@github-project-automation github-project-automation bot moved this from Needs Triage to Review In Progress in Pull Request Review Dec 3, 2025
@ningmingxiao
Contributor Author

ningmingxiao commented Dec 18, 2025

done thanks @AkihiroSuda

@ningmingxiao
Contributor Author

/retest

@k8s-ci-robot

@ningmingxiao: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

@ningmingxiao ningmingxiao force-pushed the fix_content_dir branch 2 times, most recently from faf577e to 57f8fc9 Compare December 24, 2025 15:22
@ningmingxiao
Contributor Author

ningmingxiao commented Dec 24, 2025

Can you merge this PR? I can create another PR to change its mode to 0700, because the permission issue is unrelated to this PR.
@AkihiroSuda @mikebrow @dmcgowan

@ningmingxiao
Contributor Author

Can this PR be merged too? The file io.containerd.content.v1.content or permission default is 755. If it's not safe enough, I can create another PR to change it to 0700. ping @fuweid

Currently, fs-verity support detection fails on fresh containerd
installations because the content store root directory
(io.containerd.content.v1.content) doesn't exist yet. This directory
is only created when pulling images, causing checker to
always be false on new hosts.

The IsSupported() function attempts to create a temporary directory
within rootPath to test fs-verity support, but fails when rootPath
doesn't exist, returning an error that is silently ignored.

Fix this by ensuring the root directory exists before performing
the fs-verity support check in NewLabeledStore().

Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
@fuweid fuweid added this pull request to the merge queue Jan 13, 2026
Merged via the queue into containerd:main with commit f0e04e5 Jan 13, 2026
52 checks passed
@github-project-automation github-project-automation bot moved this from Review In Progress to Done in Pull Request Review Jan 13, 2026
@ningmingxiao ningmingxiao deleted the fix_content_dir branch January 14, 2026 01:22