Hello,
I recently encountered an issue and from investigating it i realised that for some reason the file permissions that i list in my .tcattr for files that go into /etc/ folder doesn’t apply on the final system.
My changes directory file structure:
changes_device_metrics_iso/
└── usr
├── etc
│ ├── fluent-bit
│ │ ├── custom-parsers.conf
│ │ ├── fluent-bit.conf
│ │ └── fluent-bit.d
│ │ └── custom-invendor-containers.conf
│ └── .tcattr
└── lib
├── systemd
│ └── system
│ └── fluent-bit.service
└── .tcattr
usr/etc/.tcattr file:
# file: fluent-bit/fluent-bit.conf
# owner: 0
# group: 0
user::rwx
group::r-x
other::r-x
# file: fluent-bit/fluent-bit.d/custom-invendor-containers.conf
# owner: 0
# group: 0
user::rw-
group::r--
other::r--
# file: fluent-bit/custom-parsers.conf
# owner: 0
# group: 0
user::rw-
group::r--
other::r--
tcbuild.yaml (relevant section):
customization:
device-tree:
include-dirs:
- linux/arch/arm64/boot/dts/ti/
- linux/include/
custom: linux/arch/arm64/boot/dts/ti/k3-am625-verdin-wifi-mallow.dts
overlays:
clear: true
add:
- device-tree-overlays/verdin-am62_pin_names_overlay.dts
- device-tree-overlays/invendor_verdin-am62_overlay.dts
filesystem:
- changes_password_iso/
- changes_device_metrics_iso/
build command:
source .conf/tcb-env-setup.sh -s $SCRIPTDIR/storage -t 3.15
torizoncore-builder build --file $TCBUILD_FILE
On the freshly built system:
root@verdin-am62-15645559:/var/rootdirs/home/torizon# uname -a
Linux verdin-am62-15645559 6.6.138-7.6.1 #1-Torizon SMP PREEMPT Fri May 8 07:27:41 UTC 2026 aarch64 GNU/Linux
root@verdin-am62-15645559:/var/rootdirs/home/torizon# tdx-info
Software summary
------------------------------------------------------------
Bootloader: U-Boot
Kernel version: 6.6.138-7.6.1 #1-Torizon SMP PREEMPT Fri May 8 07:27:41 UTC 2026
Kernel command line: root=LABEL=otaroot rootfstype=ext4 quiet logo.nologo vt.global_cursor_default=0 plymouth.ignore-serial-consoles splash fbcon=map:3 ostree=/ostree/boot.1/torizon/924a112d873d82de6dd7eb68769c91104084f6470f9112bfda5bbc372066b893/0 firmware_class.path=/etc/btfw/
Distro name: NAME="Torizon OS"
Distro version: VERSION_ID=7.6.1-build.38
Distro variant: VARIANT="Docker"
Hostname: verdin-am62-15645559
------------------------------------------------------------
Hardware info
------------------------------------------------------------
HW model: Toradex Verdin AM62 WB on Mallow Board
Toradex version: 0075 V1.2A
Serial number: 15645559
Processor arch: aarch64
------------------------------------------------------------
root@verdin-am62-15645559:/var/rootdirs/home/torizon# stat /etc/fluent-bit/fluent-bit.conf
File: /etc/fluent-bit/fluent-bit.conf
Size: 2827 Blocks: 8 IO Block: 4096 regular file
Device: 179,1 Inode: 141039 Links: 1
Access: (0770/-rwxrwx---) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-03-09 12:35:21.892000000 +0000
Modify: 2026-06-25 12:43:55.158819060 +0000
Change: 2018-03-09 12:35:21.892000000 +0000
Birth: 2018-03-09 12:35:21.892000000 +0000
root@verdin-am62-15645559:/var/rootdirs/home/torizon# stat /etc/fluent-bit/fluent-bit.d/custom-invendor-containers.conf
File: /etc/fluent-bit/fluent-bit.d/custom-invendor-containers.conf
Size: 4511 Blocks: 16 IO Block: 4096 regular file
Device: 179,1 Inode: 141038 Links: 1
Access: (0660/-rw-rw----) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-03-09 12:35:21.888000000 +0000
Modify: 2026-06-25 12:43:55.159083223 +0000
Change: 2018-03-09 12:35:21.888000000 +0000
Birth: 2018-03-09 12:35:21.888000000 +0000
root@verdin-am62-15645559:/var/rootdirs/home/torizon# stat /etc/fluent-bit/custom-parsers.conf
File: /etc/fluent-bit/custom-parsers.conf
Size: 91 Blocks: 8 IO Block: 4096 regular file
Device: 179,1 Inode: 141040 Links: 1
Access: (0660/-rw-rw----) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-03-09 12:35:21.892000000 +0000
Modify: 2026-06-25 12:43:55.158627776 +0000
Change: 2018-03-09 12:35:21.892000000 +0000
Birth: 2018-03-09 12:35:21.892000000 +0000
It seems like the file permissions set in my .tcattr are not surviving the ostree merge (file is set to default permissions used by ostree):
sudo ostree --repo=storage/ostree-archive ls cabinet-fw-update /usr/etc/fluent-bit/fluent-bit.conf
-00770 0 0 2827 /usr/etc/fluent-bit/fluent-bit.conf
But I can’t figure out why… My .tcattr has the same structure as one generated by isolate command (and same permissions). My changes_password_iso/ directory also has some modifications to the /etc/ folder, could they be clashing somehow?
Currently this is not really an issue for the fluent-bit files, but this becomes a problem when i try to add auto-provisioning-overrides.sh to /etc/sota for example, as default permissions set by the ostree don’t pass the auto-provisioning service permission check…