Skip to content

Commit 9d57350

Browse files
committed
docs(extensions/netboot): document GNU tar requirement on the deploy target
The deploy hook untars the rootfs archive with --xattrs/--acls/--selinux, which are GNU-tar extensions. Busybox tar (Alpine, OpenWRT) silently drops xattrs on extract — file capabilities like security.capability on ping/mtr are lost and they fail at runtime, regardless of the host filesystem's xattr support. Capability-probe with fallback was considered and rejected: there is no Busybox-tar code path that preserves xattrs, so the only honest fallback would be silently broken caps. Document the requirement instead. Reported by coderabbitai (#9656 review, line 437). Assisted-by: Claude:claude-opus-4.7
1 parent fee527a commit 9d57350

1 file changed

Lines changed: 9 additions & 0 deletions

File tree

extensions/netboot/README.md

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -320,6 +320,15 @@ The minimal production setup is `tftpd-hpa` + `nfs-kernel-server` on
320320
one Linux host. **No DHCP runs on the server.** DHCP lives on the
321321
network router (see next section).
322322
323+
> **GNU tar required on the deploy target.** When the deploy hook
324+
> ships a rootfs archive over SSH, it extracts with
325+
> `tar -xp --xattrs --xattrs-include='*' --acls --selinux`. Busybox tar
326+
> (Alpine, OpenWRT) silently drops xattrs on extract — `security.capability`
327+
> for binaries like `ping`/`mtr` is lost and they fail at runtime
328+
> regardless of host filesystem support. The `--acls`/`--selinux` flags
329+
> are also unrecognized on Busybox. Use a regular Linux distribution
330+
> with GNU tar on the NFS server.
331+
323332
Directory layout:
324333
325334
```text

0 commit comments

Comments
 (0)