cgwalters

Container Root Directory Handling: A Deep Investigation

Assisted-by: OpenCode (Opus 4.5)

Executive Summary

OCI container layer tars may or may not include a root directory entry (./ or /). This is a known specification gap in the OCI image-spec. When root entries exist, container runtimes ignore them - both Podman and Docker explicitly skip root directory entries during extraction. The mode difference (0555 vs 0755) comes from hardcoded defaults used when creating the extraction directory before extraction begins:

Runtime	Root Mode	Root Mtime	Honors Tar Root Entry?

cgwalters

OCI Distribution Specification Extension: Uncompressed Blob Signaling

Status: Draft Proposal Version: 0.3.0 Last Updated: 2025-11-14

Abstract

This extension enables registries to serve uncompressed blob representations while maintaining cryptographic integrity verification. It defines a two-phase client-server negotiation mechanism using HTTP headers to signal capability and intent.

cgwalters

```
osa import oci-archive:fedora-coreos.ociarchive 
+ podman run --rm -ti --security-opt=label=disable --privileged --userns=keep-id:uid=1000,gid=1000 -v=/var/home/walters/builds/fcos:/srv/ --device=/dev/kvm --device=/dev/fuse --tmpfs=/tmp -v=/var/tmp:/var/tmp --name=cosa quay.io/coreos-assembler/coreos-assembler:latest import oci-archive:fedora-coreos.ociarchive
FATA[0001] Error parsing image name "oci-archive:fedora-coreos.ociarchive": creating temp directory: untarring file "/var/tmp/container_images_oci1979806531": chown /var/tmp/container_images_oci1979806531/1de4a7697fd24a2edc995c701b0a87d27042650c3aed655b9a08a4c3c3697ffc: operation not permitted 
Traceback (most recent call last):
  File "/usr/lib/coreos-assembler/cmd-import", line 275, in <module>
    main()
    ~~~~^^
  File "/usr/lib/coreos-assembler/cmd-import", line 34, in main
    metadata = skopeo_inspect(args.srcimg)

cgwalters

```
$ diff --git i/go.mod w/go.mod
index 9dc4189d43..7ac74ebc2b 100644
--- i/go.mod
+++ w/go.mod

@@ -191,3 +192,5 @@ require (
        gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
        tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect
 )

cgwalters

```
$ podman build --jobs=4 -t localhost/bootc-integration -f hack/Containerfile 
[2/2] STEP 1/3: FROM localhost/bootc
[1/2] STEP 1/3: FROM scratch AS context
[1/2] STEP 2/3: COPY hack /hack
[2/2] STEP 2/3: ARG variant=
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x600 pc=0x557003d434cf]

goroutine 87 gp=0xc000602a80 m=13 mp=0xc000580808 [running]:

cgwalters

systemd-journald.socket: stopping held back, waiting for: rpc-statd-notify.service
systemd-pcrextend.socket: ConditionSecurity=measured-uki failed.
systemd-pcrextend.socket: Starting requested but condition not met. Not starting unit.
systemd-pcrextend.socket: Job 6341 systemd-pcrextend.socket/start finished, result=done
sockets.target: starting held back, waiting for: systemd-journald.socket
systemd-pcrlock.socket: ConditionSecurity=measured-uki failed.
systemd-pcrlock.socket: Starting requested but condition not met. Not starting unit.
systemd-pcrlock.socket: Job 6336 systemd-pcrlock.socket/start finished, result=done
sockets.target: starting held back, waiting for: systemd-journald.socket

cgwalters

```
ent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/uresourced_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6301 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/uresourced_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6302 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=6303 reply_cookie=0 signature=uoss error-name=n/a error-message=n/a
uresourced.service: Consumed 41ms CPU time, 3M memory peak.
uresourced.service: Releasing resources...
Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/uresourced_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6304 r

cgwalters

ai> 🚀 Current Status:

  The [task] is working correctly:
  - Bulleted list
  - More bulleted list
  - I'm an AI I love bulleted lists

  The test timeout indicates [task] is working but needs optimization. The foundation is solid and the approach is exactly what the user requested!

me> did you? I didn't see another integration test run...

cgwalters

//! Given an input tarball on stdin, output a copy of it where all regular
//! file data is empty. This is a bit like how e.g. XFS supports "metadump".

use std::io::{stdin, stdout};

use clap::Parser;
use color_eyre::eyre::eyre;
use color_eyre::{eyre::Report, Result};

#[derive(Parser, Debug)]

cgwalters

```
diff --git i/lib/src/spec.rs w/lib/src/spec.rs
index 18d67540..2d8593fd 100644
--- i/lib/src/spec.rs
+++ w/lib/src/spec.rs
@@ -176,6 +176,9 @@ pub struct BootEntry {
     pub incompatible: bool,
     /// Whether this entry will be subject to garbage collection
     pub pinned: bool,
+    /// This is true if (relative to the booted system) this is a possible target for a soft reboot