Support for readonly-executables in ex rebuild?

[samhclark]

Hey hey, I'm new to all this so I felt like this was more of a discussion than an issue.

When I'm building an rpm-ostree container image, and I'm using the ex rebuild command with this origin file

cliwrap: true
readonly-executables: true
packages:
  # ... omitted for brevity
override-remove:
  # ... omitted for brevity

Then I get an error like this:

error: the following base fields are not supported:
{
  "basearch": "x86_64",
  "readonly-executables": true
}

I think I found the spot where there's a short allowlist of what treefile features are supported in containers.

rpm-ostree/rust/src/treefile.rs

Line 1548 in 9fe53a1

// neuter everything we *do* support

Does anyone know if the lack of readonly-executables is a fundamental limitation of the container flow? I guess I don't need this feature, but I was hoping to enable it since it seems to be recommended in the treefile docs? https://coreos.github.io/rpm-ostree/treefile/

[jlebon]

It's not clear currently if the ex rebuild and treefile dropins flow will see investments in the future. I think having a declarative way to do a layered container build is still highly desirable, and rpm-ostree treefiles may be that. But currently there's an incredible amount of mindshare around more traditional Containerfile flows and so polishing that UX where possible is where a lot of work is going into. So e.g. the equivalent of that option would be something like RUN find -type f -executable -exec chmod a-w {} \+ (not tested, but you get the idea). I could also imagine helpers like this being folded into a toolbox too as proposed elsewhere.

[samhclark]

Ah, okay, that makes sense. I was using ex rebuild in a container anyway, so it was easy enough to do the add/remove with a bespoke JSON file, jq, and xargs to construct a rpm-ostree override remove --install=foo bar command.

This command worked just fine from the Containerfile for the record. Didn't need to escape the +. Spent time working my way to that from chattr and xargs. Writing that down here to maybe save others some time (doing it on all of /usr caused me to run out of disk space in GitHub Actions. YMMV)

RUN find /usr/bin -type f -executable -exec chmod a-w {} +

I liked the idea of not needing to do JSON stuff or my own RUN commands. Using something built-in seemed nice, but it wasn't hard to change and that if ex rebuild has an uncertain future, I wanna stick to the well worn path.

Thanks for the answer!