pub fn read_container_root<ObjectID: FsVerityHashValue>(
    dirfd: impl AsFd,
    path: &Path,
    repo: Option<&Repository<ObjectID>>,
) -> Result<FileSystem<ObjectID>>

Load a container root filesystem from the given path.
This is a convenience wrapper around read_filesystem_filtered that also
applies OCI container transformations via FileSystem::transform_for_oci.
Equivalent to calling:

let mut fs = read_filesystem_filtered(dirfd, path, repo, is_allowed_container_xattr)?;
fs.transform_for_oci()?;

This is the recommended way to read a container filesystem because:
- OCI container runtimes don’t preserve root directory metadata from layer tars
- Host xattrs (especially security.selinux) can leak into mounted filesystems
- /run should be empty (it’s a tmpfs at runtime)
- Podman/buildah’s RUN --mount can leave directory stubs

By filtering xattrs and applying OCI transformations, we ensure consistent and reproducible composefs digests between build-time and install-time.
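
The effect described above can be seen in a toy model. This is an added example, not composefs code: `Meta`, `Tree`, `allowed_xattr`, `normalize`, `digest`, `entry` and `sample` are hypothetical names, the allowlist and the pinned root metadata are assumptions, and the digest is a std hasher standing in for the real composefs digest.

```rust
use std::collections::{hash_map::DefaultHasher, BTreeMap};
use std::hash::{Hash, Hasher};

#[derive(Clone, Hash)]
struct Meta { mode: u32, mtime: i64, xattrs: BTreeMap<String, String> }
type Tree = BTreeMap<String, Meta>; // path -> metadata; toy stand-in for FileSystem

// Hypothetical allowlist; the real is_allowed_container_xattr policy may differ.
fn allowed_xattr(name: &str) -> bool {
    name == "security.capability" || name.starts_with("user.")
}

// Stand-in digest over all metadata (not fs-verity, not cryptographic).
fn digest(tree: &Tree) -> u64 {
    let mut h = DefaultHasher::new();
    tree.hash(&mut h);
    h.finish()
}

// Simplified model of "filter xattrs, then apply OCI transformations".
fn normalize(tree: &Tree) -> Tree {
    let mut out = Tree::new();
    for (path, meta) in tree {
        if path.starts_with("/run/") { continue; } // /run is a tmpfs at runtime
        let mut meta = meta.clone();
        meta.xattrs.retain(|name, _| allowed_xattr(name)); // drop leaked host xattrs
        if path.as_str() == "/" { meta.mode = 0o755; meta.mtime = 0; } // assumption: pin root metadata
        out.insert(path.clone(), meta);
    }
    out
}
fn entry(mtime: i64, xattrs: &[(&str, &str)]) -> Meta {
    Meta { mode: 0o755, mtime, xattrs: xattrs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect() }
}
// Constructed sample: one image as seen at build time and as mounted on a host.
fn sample(mounted: bool) -> Tree {
    let mut t = Tree::new();
    t.insert("/".into(), entry(if mounted { 1_700_000_999 } else { 1_700_000_000 }, &[]));
    t.insert("/run".into(), entry(1_700_000_000, &[]));
    t.insert("/usr/bin/ping".into(), entry(1_700_000_000, &[("security.capability", "cap_net_raw")]));
    if mounted {
        t.insert("/run/secrets".into(), entry(1_700_000_999, &[])); // stub left by RUN --mount
        t.get_mut("/usr/bin/ping").unwrap().xattrs.insert("security.selinux".into(), "system_u:object_r:container_file_t:s0".into());
    }
    t
}
fn main() {
    println!("raw match: {}", digest(&sample(false)) == digest(&sample(true)));
    println!("normalized match: {}", digest(&normalize(&sample(false))) == digest(&normalize(&sample(true))));
}
```

The raw trees hash differently because of the leaked SELinux label, the `/run` stub and the root mtime; after normalization both views hash the same, while the file capability xattr is kept.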