lints: Add nonempty-run-tmp warning for runtime-only directories #1912
Conversation
Code Review
This pull request introduces a new lint, nonempty-run-tmp, which warns if the /run or /tmp directories contain any files in the container image. These directories are mounted as tmpfs at runtime and should be empty in the base image to avoid issues, particularly with composefs. The implementation of the lint in Rust is robust, correctly handling mount points to avoid false positives from runtime-injected content. The associated changes in the Dockerfile and Dockerfile.cfsuki are excellent, adopting the modern RUN --mount=type=tmpfs pattern to prevent build artifacts from leaking into these directories. The changes are clean, correct, and improve the quality and correctness of the built container images. The addition of tests for the new lint is also appreciated.
e1a4679 to 1a801d9
jeckersb
left a comment
LGTM
I guess moving the linting to the end to allow the bind mounts to release in the sealed case isn't working:

Hm if I run Whereas locally I have
114703e to 835aa92
This should be fixed now, had to avoid the global

Now: 😭
835aa92 to 23ee55a
Hmm yes I wasn't reproducing that locally; I think it may indeed be a difference in the podman networking setup. I tried enforcing a tmpfs for

No you were right it is a podman version difference, my agent research turned up containers/buildah#6233 which looks like the likely fix.

Good job agent! 🤖
Disabling automerge for this until we do a point release |
When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image.

Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer.

Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released.

Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
Add a lint that warns when /run or /tmp contain any content. These directories are tmpfs at runtime and should be empty in container images.

Common causes of content in these directories include:

- podman/buildah's RUN --mount leaving directory stubs
- Build tools leaving temporary files

This is particularly important for bootc with composefs because content in these directories can cause digest mismatches between build-time (mounted filesystem) and install-time (OCI tar layers) views, leading to sealed boot failures.

The lint uses the walk API with noxdev() to automatically skip mount points, and filters out content injected by container runtimes (.containerenv, secrets, packages).

Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
Add a helper function that returns WalkConfiguration with noxdev() enabled by default. This ensures consistent behavior across all filesystem walks in the linting code.

The doc comment clarifies that noxdev skips directory mount points (to avoid descending into bind mounts, tmpfs, etc.) but non-directory mount points like bind-mounted regular files will still be visited.

Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
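The following is an added, stand-alone Rust example of the kind of check the three commit messages above (and the Code Review summary) describe; it is not bootc's lint code or its walk API. It walks /run and /tmp beneath a root, refuses to descend into any directory whose st_dev differs from the starting directory (the noxdev() behaviour: directory mount points are skipped, a bind-mounted regular file on another device is still reported), and ignores a few top-level names that podman/buildah inject during a RUN step. The function names, the CLI shape and the exact runtime-injected filter list are assumptions made for this example.

```rust
//! Added example, not bootc's own lint implementation: a stand-alone check in
//! the spirit of the nonempty-run-tmp lint described in the commit messages
//! above. Function names, the filter list and the CLI shape are assumptions.
use std::fs;
use std::io;
use std::os::unix::fs::MetadataExt;
use std::path::{Path, PathBuf};

/// Directories that are tmpfs at runtime and must be empty in the image.
pub const RUNTIME_ONLY_DIRS: &[&str] = &["run", "tmp"];

/// Top-level names injected by podman/buildah while a RUN step executes.
/// They are not committed to the layer, so they must not trigger a warning.
/// (Assumed list for this example; match it to the runtime you build with.)
pub const RUNTIME_INJECTED: &[&str] = &[".containerenv", "secrets", "packages"];

/// Recursively collect entries below `dir`. A directory whose st_dev differs
/// from `dev` is a mount point and is skipped without being recorded; a
/// non-directory on another device (a bind-mounted file) is still recorded,
/// matching the noxdev() semantics described above. `skip` is applied only
/// at this level, which lets the caller ignore runtime-injected names.
fn walk_noxdev(dir: &Path, dev: u64, skip: &[&str], out: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let name = entry.file_name();
        if skip.iter().any(|s| name.to_str() == Some(*s)) {
            continue;
        }
        let path = entry.path();
        // symlink_metadata(): never follow a symlink out of the tree.
        let meta = fs::symlink_metadata(&path)?;
        if meta.is_dir() {
            if meta.dev() != dev {
                continue; // directory mount point (bind mount, tmpfs, ...)
            }
            out.push(path.clone());
            walk_noxdev(&path, dev, &[], out)?;
        } else {
            out.push(path);
        }
    }
    Ok(())
}

/// Return every path (relative to `root`, sorted) that makes /run or /tmp
/// non-empty. An empty Vec means the tree passes the check. Empty directory
/// stubs count as content, since they are committed into the layer.
pub fn nonempty_runtime_dirs(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut found = Vec::new();
    for name in RUNTIME_ONLY_DIRS {
        let dir = root.join(name);
        let meta = match fs::symlink_metadata(&dir) {
            Ok(m) if m.is_dir() => m,
            _ => continue, // a missing /run or /tmp is not this check's concern
        };
        walk_noxdev(&dir, meta.dev(), RUNTIME_INJECTED, &mut found)?;
    }
    let mut rel: Vec<PathBuf> = found
        .iter()
        .map(|p| p.strip_prefix(root).unwrap_or(p.as_path()).to_path_buf())
        .collect();
    rel.sort();
    Ok(rel)
}

fn main() -> io::Result<()> {
    // Usage: nonempty-run-tmp [ROOT]   (defaults to the running root filesystem)
    let root = std::env::args().nth(1).unwrap_or_else(|| "/".to_string());
    let found = nonempty_runtime_dirs(Path::new(&root))?;
    if found.is_empty() {
        println!("ok: /run and /tmp are empty");
    }
    for p in &found {
        println!("warning: nonempty-run-tmp: /{}", p.display());
    }
    Ok(())
}
```

Two practical caveats follow from the thread above. First, run a check like this in its own RUN step, after any RUN that used `--mount`, because while a bind mount is active the mount point is hidden by the device comparison and only becomes a visible empty stub once the mount is released. Second, the device comparison only protects against descending into directory mount points; a file bind-mounted directly into /run still shows up, which is why the runtime-injected name filter exists.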
23ee55a to 84c4be0