Skip to content

container: Add export --format=tar command#1969

Draft
cgwalters wants to merge 1 commit intomainfrom
tar-export-work
Draft

container: Add export --format=tar command#1969
cgwalters wants to merge 1 commit intomainfrom
tar-export-work

Conversation

@cgwalters
Copy link
Collaborator

@cgwalters cgwalters commented Feb 2, 2026
edited
Loading

This adds bootc container export which is designed for compatibility
with the Anaconda "liveimg" verb:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/automatically_installing_rhel/kickstart-commands-and-options-reference_rhel-installer#liveimg_kickstart-commands-for-installation-program-configuration-and-flow-control

Fixes #1957

Assisted-by: OpenCode (Sonnet 4.5)
Signed-off-by: Colin Walters walters@verbum.org

@bootc-bot bootc-bot bot requested a review from jeckersb February 2, 2026 15:42
gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 2, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new bootc container export --format=tar command, a significant feature for creating bootable tar archives from container filesystems. However, the implementation has critical security issues related to symlink handling and metadata preservation. Specifically, the use of symlink-following metadata calls and ambient directory handles could lead to information disclosure of host files if a malicious container image is exported. Additionally, directory metadata is not correctly preserved, resulting in incorrect permissions in the exported archive. Beyond these security concerns, there are also suggestions to improve performance by avoiding unnecessary memory allocations when adding SELinux attributes in container_export.rs and to refactor duplicated code in the kernel relocation logic for better maintainability.

@github-actions github-actions bot added the area/documentation Updates to the documentation label Feb 2, 2026
@cgwalters
container: Add export --format=tar command
46b0bac 
Some people want to use container build tools, but for compatibility
with older systems export a tar format of the OS state e.g.
Anaconda liveimg expects this.

Basically this is only *slightly* more than just `tar cf`; we need
to handle SELinux labeling and move the kernel.

Ref: #1957

Assisted-by: OpenCode (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeckersb jeckersb Awaiting requested review from jeckersb

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area/documentation Updates to the documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add bootc container export --format=tar

1 participant

@cgwalters