Exclude adding the self filestore whiteout to rootfs upper layer TAR archive.

Fixes #12056

PiperOrigin-RevId: 798050567

Author: ayushr2

pkg/fsutil/fsutil.go

@@ -18,6 +18,9 @@ package fsutil
 
 import "golang.org/x/sys/unix"
 
+// SelfFilestorePrefix is the prefix of the self filestore file name.
+const SelfFilestorePrefix = ".gvisor.filestore."
+
 // DirentHandler is a function that handles a dirent.
 type DirentHandler func(ino uint64, off int64, ftype uint8, name string, reclen uint16)
 

pkg/sentry/fsimpl/tmpfs/BUILD

@@ -106,6 +106,7 @@ go_library(
         "//pkg/errors/linuxerr",
         "//pkg/fd",
         "//pkg/fspath",
+        "//pkg/fsutil",
         "//pkg/hostarch",
         "//pkg/log",
         "//pkg/refs",

pkg/sentry/fsimpl/tmpfs/device_file.go

@@ -16,9 +16,11 @@ package tmpfs
 
 import (
 	"fmt"
+	"strings"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/atomicbitops"
+	"gvisor.dev/gvisor/pkg/fsutil"
 	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 	"gvisor.dev/gvisor/pkg/sentry/vfs"
 )
@@ -31,6 +33,18 @@ type deviceFile struct {
 	minor uint32
 }
 
+// Precondition: fs.mu must be locked for at least reading.
+func (d *dentry) isSelfFilestoreWhiteout() bool {
+	if !strings.HasPrefix(d.name, fsutil.SelfFilestorePrefix) {
+		return false
+	}
+	dev, ok := d.inode.impl.(*deviceFile)
+	if !ok {
+		return false
+	}
+	return d.inode.fs.ovlWhiteout == dev
+}
+
 func isOvlWhiteoutDev(mode linux.FileMode, major, minor uint32) bool {
 	return mode.FileType() == linux.S_IFCHR &&
 		mode.Permissions() == linux.WHITEOUT_MODE &&

pkg/sentry/fsimpl/tmpfs/tar.go

@@ -88,6 +88,11 @@ func (d *dentry) writeToTar(ctx context.Context, tw *tar.Writer, baseDir string,
 
 // createTarHeader creates a tar header for the given dentry.
 func (d *dentry) createTarHeader(path string, inoToPath map[uint64]string) (*tar.Header, error) {
+	if d.isSelfFilestoreWhiteout() {
+		// Skip the self filestore whiteout.
+		return nil, nil
+	}
+
 	header := &tar.Header{
 		Name:    path,
 		Mode:    int64(d.inode.mode.Load() & ^uint32(linux.S_IFMT)),

runsc/boot/BUILD

@@ -47,6 +47,7 @@ go_library(
         "//pkg/fd",
         "//pkg/flipcall",
         "//pkg/fspath",
+        "//pkg/fsutil",
         "//pkg/gomaxprocs",
         "//pkg/hostos",
         "//pkg/log",

runsc/boot/vfs.go

@@ -34,6 +34,7 @@ import (
 	"gvisor.dev/gvisor/pkg/errors/linuxerr"
 	"gvisor.dev/gvisor/pkg/fd"
 	"gvisor.dev/gvisor/pkg/fspath"
+	"gvisor.dev/gvisor/pkg/fsutil"
 	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/sentry/devices/memdev"
 	"gvisor.dev/gvisor/pkg/sentry/devices/nvproxy"
@@ -70,9 +71,6 @@ const (
 	Nonefs = "none"
 )
 
-// SelfFilestorePrefix is the prefix of the self filestore file name.
-const SelfFilestorePrefix = ".gvisor.filestore."
-
 // SelfFilestorePath returns the path at which the self filestore file is
 // stored for a given mount.
 func SelfFilestorePath(mountSrc, sandboxID string) string {
@@ -84,7 +82,7 @@ func SelfFilestorePath(mountSrc, sandboxID string) string {
 }
 
 func selfFilestoreName(sandboxID string) string {
-	return SelfFilestorePrefix + sandboxID
+	return fsutil.SelfFilestorePrefix + sandboxID
 }
 
 // tmpfs has some extra supported options that we must pass through.

test/e2e/BUILD

@@ -44,9 +44,9 @@ go_test(
     ],
     visibility = ["//:sandbox"],
     deps = [
+        "//pkg/fsutil",
         "//pkg/test/dockerutil",
         "//pkg/test/testutil",
-        "//runsc/boot",
         "@com_github_docker_docker//api/types/mount:go_default_library",
         "@org_golang_x_sys//unix:go_default_library",
     ],

test/e2e/integration_runtime_test.go

@@ -36,9 +36,9 @@ import (
 
 	"github.com/docker/docker/api/types/mount"
 	"golang.org/x/sys/unix"
+	"gvisor.dev/gvisor/pkg/fsutil"
 	"gvisor.dev/gvisor/pkg/test/dockerutil"
 	"gvisor.dev/gvisor/pkg/test/testutil"
-	"gvisor.dev/gvisor/runsc/boot"
 )
 
 const (
@@ -237,10 +237,10 @@ func TestOverlayRootfsWhiteout(t *testing.T) {
 	opts := dockerutil.RunOpts{
 		Image: "basic/ubuntu",
 	}
-	if got, err := d.Run(ctx, opts, "bash", "-c", fmt.Sprintf("ls -al / | grep %q || true", boot.SelfFilestorePrefix)); err != nil {
+	if got, err := d.Run(ctx, opts, "bash", "-c", fmt.Sprintf("ls -al / | grep %q || true", fsutil.SelfFilestorePrefix)); err != nil {
 		t.Fatalf("docker run failed: %s, %v", got, err)
 	} else if got != "" {
-		t.Errorf("root directory contains a file/directory whose name contains %q: output = %q", boot.SelfFilestorePrefix, got)
+		t.Errorf("root directory contains a file/directory whose name contains %q: output = %q", fsutil.SelfFilestorePrefix, got)
 	}
 }