diff --git a/0040-bootc-unlock-only-if-usr-is-read-only.patch b/0040-bootc-unlock-only-if-usr-is-read-only.patch
new file mode 100644
index 0000000..85092bc
--- /dev/null
+++ b/0040-bootc-unlock-only-if-usr-is-read-only.patch
@@ -0,0 +1,57 @@
+From c1c66613c04a476a3b85582ae5214a3f9301d485 Mon Sep 17 00:00:00 2001
+From: Evan Goode
+Date: Mon, 1 Dec 2025 13:40:26 -0500
+Subject: [PATCH 1/2] bootc: unlock only if /usr is read-only
+
+DNF should only run `ostree admin unlock --transient` if `/usr` is
+actually read-only. `/usr` may be writable via OSTree's `root.transient =
+true` even if the `ostree admin status` is not transient.
+
+Resolves: https://redhat.atlassian.net/browse/RHEL-145780
+---
+ dnf/cli/cli.py | 4 +++-
+ dnf/util.py | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
+index d4bf811c1..07cc62cb1 100644
+--- a/dnf/cli/cli.py
++++ b/dnf/cli/cli.py
+@@ -225,6 +225,7 @@ class BaseCli(dnf.Base):
+ # Handle bootc transactions. `--transient` must be specified if
+ # /usr is not already writeable.
+ bootc_system = None
++ bootc_system_needs_unlock = False
+ if is_bootc_transaction:
+ if self.conf.persistence == "persist":
+ logger.info(_("Persistent transactions aren't supported on bootc systems."))
+@@ -246,6 +247,7 @@ class BaseCli(dnf.Base):
+ logger.info(_("A transient overlay will be created on /usr that will be discarded on reboot. "
+ "Keep in mind that changes to /etc and /var will still persist, and packages "
+ "commonly modify these directories."))
++ bootc_system_needs_unlock = True
+ self._persistence = libdnf.transaction.TransactionPersistence_TRANSIENT
+
+ # Check whether the transaction modifies usr_drift_protected_paths
+@@ -276,7 +278,7 @@ class BaseCli(dnf.Base):
+ if self.conf.assumeno or not self.output.userconfirm():
+ raise CliError(_("Operation aborted."))
+
+- if bootc_system:
++ if bootc_system and bootc_system_needs_unlock:
+ bootc_system.make_writable()
+ else:
+ logger.info(_('Nothing to do.'))
+diff --git a/dnf/util.py b/dnf/util.py
+index eb987bb8a..e058bc187 100644
+--- a/dnf/util.py
++++ b/dnf/util.py
+@@ -749,4 +749,4 @@ class _BootcSystem:
+ # read-only. Set up a mount namespace for DNF.
+ self._set_up_mountns()
+
+- assert os.access(self.usr, os.W_OK)
++ assert self.is_writable()
+--
+2.53.0
+
diff --git a/0041-bootc-Call-make_writable-when-DeploymentUnlockedStat.patch b/0041-bootc-Call-make_writable-when-DeploymentUnlockedStat.patch
new file mode 100644
index 0000000..cc6c512
--- /dev/null
+++ b/0041-bootc-Call-make_writable-when-DeploymentUnlockedStat.patch
@@ -0,0 +1,37 @@
+From 0b6ed2e107d1fe8744f45a771729cb0290413d67 Mon Sep 17 00:00:00 2001
+From: Evan Goode
+Date: Fri, 20 Mar 2026 16:28:14 -0400
+Subject: [PATCH 2/2] bootc: Call make_writable when
+ DeploymentUnlockedState.TRANSIENT
+
+Fixes a bug in 1afe4328334f27b45b5c4599b6f1e8ac69d465e4.
+bootc_system.make_writable should still be called even when the system
+is already in DeploymentUnlockedState.TRANSIENT, since the DNF mount
+namespace needs to be set up either way.
+---
+ dnf/cli/cli.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
+index 07cc62cb1..17cf9165e 100644
+--- a/dnf/cli/cli.py
++++ b/dnf/cli/cli.py
+@@ -235,6 +235,7 @@ class BaseCli(dnf.Base):
+ bootc_system = dnf.util._BootcSystem()
+
+ if not bootc_system.is_writable():
++ bootc_system_needs_unlock = True
+ if self.conf.persistence == "auto":
+ logger.info(_("This bootc system is configured to be read-only. Pass --transient to "
+ "perform this transaction in a transient overlay which will reset when "
+@@ -247,7 +248,6 @@ class BaseCli(dnf.Base):
+ logger.info(_("A transient overlay will be created on /usr that will be discarded on reboot. "
+ "Keep in mind that changes to /etc and /var will still persist, and packages "
+ "commonly modify these directories."))
+- bootc_system_needs_unlock = True
+ self._persistence = libdnf.transaction.TransactionPersistence_TRANSIENT
+
+ # Check whether the transaction modifies usr_drift_protected_paths
+--
+2.53.0
+
diff --git a/dnf.spec b/dnf.spec
index 94bf358..33334a2 100644
--- a/dnf.spec
+++ b/dnf.spec
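Review bot: The post-condition at the end of the `dnf/util.py` change is still an `assert` (`assert self.is_writable()`), which Python removes under `-O` or `PYTHONOPTIMIZE`, so the only check that /usr actually became writable can silently disappear. This path runs as root just before an RPM transaction, so a failed unlock or mount-namespace setup should stop the run with an explicit error rather than depend on interpreter flags. I would replace it with `if not self.is_writable(): raise dnf.exceptions.Error("Failed to make /usr writable.")`. The exception type is an assumption, so use whatever this class already raises on failure. The enclosing method starts outside the hunk, so the earlier failure handling is not visible here.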
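Review bot: After this patch `bootc_system_needs_unlock` is set as soon as `is_writable()` returns false, so the name no longer matches its meaning: it now gates every `make_writable()` call, including the case where, per the commit message, only the DNF mount namespace has to be set up. A comment above the assignment would keep a later reader from moving it back into the transient branch, for example `# /usr is read-only here: make_writable() must run later, either to unlock or only to enter DNF's mount namespace`. Renaming the flag to something like `bootc_system_needs_make_writable` would be an alternative. The two-patch series also adds no regression test for the already-TRANSIENT deployment that the first patch broke, which would be worth adding upstream. The surrounding method extends beyond the hunk on both sides.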
@@ -72,7 +72,7 @@ It supports RPMs, modules and comps groups & environments. Name: dnf Version: 4.20.0 -Release: 21%{?dist}.alma.1 +Release: 22%{?dist}.alma.1 Summary: %{pkg_summary} # For a breakdown of the licensing, see PACKAGE-LICENSING License: GPL-2.0-or-later AND GPL-1.0-only @@ -117,6 +117,8 @@ Patch36: 0036-automatic-Fix-detecting-releasever_minor.patch Patch37: 0037-automatic-Expand-email_to-in-command_email-emitter-t.patch Patch38: 0038-rpmkeys-Ignore-untrusted-signatures-if-there-is-trus.patch Patch39: 0039-autoremove-warn-and-skip-dangling-protected-dependen.patch +Patch40: 0040-bootc-unlock-only-if-usr-is-read-only.patch +Patch41: 0041-bootc-Call-make_writable-when-DeploymentUnlockedStat.patch # AlmaLinux Patch Patch1001: 0001-Add-link-to-AlmaLinux-bugtracker.patch @@ -482,10 +484,13 @@ popd # bootc subpackage does not include any files %changelog -* Tue Feb 17 2026 Eduard Abdullin - 4.20.0-21.alma.1 +* Fri Mar 27 2026 Eduard Abdullin - 4.20.0-22.alma.1 - Add x86_64_v2 to _BASEARCH_MAP - Add link to AlmaLinux bugtracker +* Wed Mar 25 2026 Evan Goode - 4.20.0-22 +- bootc: unlock only if /usr is read-only (RHEL-145780) + * Mon Feb 16 2026 Ales Matej - 4.20.0-21 - autoremove: when a dangling protected dependency is found produce a warning and skip it (RHEL-128445)