rpms/dnf
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Implement usr_drift_protected_paths, mark transient in history

Browse Source 
Resolves: RHEL-84512

Resolves: RHEL-84499
This commit is contained in:
Evan Goode 2025-06-26 19:33:13 +00:00
parent e4d584e6f1
commit f063ff11aa
9 changed files with 435 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
0049-bootc-tmt-testing.patch Normal file
View File

@ -0,0 +1,37 @@
From 72264e6ad00f90e7e261657f79dee7bae3ceb7e0 Mon Sep 17 00:00:00 2001
From: Evan Goode <mail@evangoo.de>
Date: Thu, 10 Apr 2025 20:18:44 +0000
Subject: [PATCH 1/8] bootc tmt testing
---
.packit.yaml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 .packit.yaml
diff --git a/.packit.yaml b/.packit.yaml
new file mode 100644
index 000000000..0738de205
--- /dev/null
+++ b/.packit.yaml
@@ -0,0 +1,18 @@
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+specfile_path: dnf.spec
+
+jobs:
+ - job: copr_build
+ trigger: pull_request
+ targets:
+ - centos-stream-9-x86_64
+ - job: tests
+ trigger: pull_request
+ identifier: "dnf-tests"
+ targets:
+ - centos-stream-9-x86_64
+ fmf_url: https://github.com/evan-goode/ci-dnf-stack.git
+ fmf_ref: evan-goode/bootc
+ tmt_plan: "^/plans/integration/bootc-behave-dnf$"
--
2.49.0

117
0050-persistence-store-persist-transient-in-history-DB.patch Normal file
View File

@ -0,0 +1,117 @@
From 5f91b890799559d0a8fa5861ff8f5e2a16db1dbf Mon Sep 17 00:00:00 2001
From: Evan Goode <mail@evangoo.de>
Date: Thu, 15 May 2025 20:48:58 +0000
Subject: [PATCH 2/8] persistence: store persist/transient in history DB
For all transactions, store whether the transaction was persistent or
transient in the history DB. Requires libdnf 0.75.0.
Moves some of the bootc logic to the `configure` phase.
For https://github.com/rpm-software-management/dnf/issues/2196.
---
dnf.spec | 2 +-
dnf/base.py | 6 ++++--
dnf/cli/cli.py | 3 +++
dnf/db/history.py | 8 +++++++-
4 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/dnf.spec b/dnf.spec
index 28fac9a09..4abc0084b 100644
--- a/dnf.spec
+++ b/dnf.spec
@@ -2,7 +2,7 @@
%define __cmake_in_source_build 1
# default dependencies
-%global hawkey_version 0.74.0
+%global hawkey_version 0.75.0
%global libcomps_version 0.1.8
%global libmodulemd_version 2.9.3
%global rpm_version 4.14.0
diff --git a/dnf/base.py b/dnf/base.py
index 168207b5f..d0ce6364c 100644
--- a/dnf/base.py
+++ b/dnf/base.py
@@ -118,6 +118,7 @@ class Base(object):
self._update_security_options = {}
self._allow_erasing = False
self._repo_set_imported_gpg_keys = set()
+ self._persistence = libdnf.transaction.TransactionPersistence_UNKNOWN
self.output = None
def __enter__(self):
@@ -964,7 +965,7 @@ class Base(object):
else:
rpmdb_version = old.end_rpmdb_version
- self.history.beg(rpmdb_version, [], [], cmdline)
+ self.history.beg(rpmdb_version, [], [], cmdline=cmdline, persistence=self._persistence)
self.history.end(rpmdb_version)
self._plugins.run_pre_transaction()
self._plugins.run_transaction()
@@ -1115,7 +1116,8 @@ class Base(object):
cmdline = ' '.join(self.cmds)
comment = self.conf.comment if self.conf.comment else ""
- tid = self.history.beg(rpmdbv, using_pkgs, [], cmdline, comment)
+ tid = self.history.beg(rpmdbv, using_pkgs, [], cmdline=cmdline,
+ comment=comment, persistence=self._persistence)
if self.conf.reset_nice:
onice = os.nice(0)
diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
index 23170a82b..99ed1f282 100644
--- a/dnf/cli/cli.py
+++ b/dnf/cli/cli.py
@@ -244,11 +244,14 @@ class BaseCli(dnf.Base):
logger.info(_("A transient overlay will be created on /usr that will be discarded on reboot. "
"Keep in mind that changes to /etc and /var will still persist, and packages "
"commonly modify these directories."))
+ self._persistence = libdnf.transaction.TransactionPersistence_TRANSIENT
else:
# Not a bootc transaction.
if self.conf.persistence == "transient":
raise CliError(_("Transient transactions are only supported on bootc systems."))
+ self._persistence = libdnf.transaction.TransactionPersistence_PERSIST
+
if self._promptWanted():
if self.conf.assumeno or not self.output.userconfirm():
raise CliError(_("Operation aborted."))
diff --git a/dnf/db/history.py b/dnf/db/history.py
index bf9020ad0..2cde9cbc8 100644
--- a/dnf/db/history.py
+++ b/dnf/db/history.py
@@ -222,6 +222,10 @@ class TransactionWrapper(object):
def comment(self):
return self._trans.getComment()
+ @property
+ def persistence(self):
+ return self._trans.getPersistence()
+
def tids(self):
return [self._trans.getId()]
@@ -418,7 +422,8 @@ class SwdbInterface(object):
# return result
# TODO: rename to begin_transaction?
- def beg(self, rpmdb_version, using_pkgs, tsis, cmdline=None, comment=""):
+ def beg(self, rpmdb_version, using_pkgs, tsis, cmdline=None, comment="",
+ persistence=libdnf.transaction.TransactionPersistence_UNKNOWN):
try:
self.swdb.initTransaction()
except:
@@ -431,6 +436,7 @@ class SwdbInterface(object):
int(misc.getloginuid()),
comment)
self.swdb.setReleasever(self.releasever)
+ self.swdb.setPersistence(persistence)
self._tid = tid
return tid
--
2.49.0

31
0051-Print-persist-or-transient-in-history-info.patch Normal file
View File

@ -0,0 +1,31 @@
From 5f7fcae28541368d80fab9c9224c7974726a6b10 Mon Sep 17 00:00:00 2001
From: Evan Goode <mail@evangoo.de>
Date: Fri, 16 May 2025 20:38:56 +0000
Subject: [PATCH 3/8] Print "persist" or "transient" in history info
---
dnf/cli/output.py | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/dnf/cli/output.py b/dnf/cli/output.py
index 7f1d62c5a..6c97c7dc9 100644
--- a/dnf/cli/output.py
+++ b/dnf/cli/output.py
@@ -1772,6 +1772,14 @@ Transaction Summary
else:
print(_("Command Line :"), old.cmdline)
+ if old.persistence == libdnf.transaction.TransactionPersistence_PERSIST:
+ persistence_str = "Persist"
+ elif old.persistence == libdnf.transaction.TransactionPersistence_TRANSIENT:
+ persistence_str = "Transient"
+ else:
+ persistence_str = "Unknown"
+ print(_("Persistence :"), persistence_str)
+
if old.comment is not None:
if isinstance(old.comment, (list, tuple)):
for comment in old.comment:
--
2.49.0

58
0052-history-persistence-for-MergedTransaction.patch Normal file
View File

@ -0,0 +1,58 @@
From ceaf4718a6c7435050f5bfb451077683baf01600 Mon Sep 17 00:00:00 2001
From: Evan Goode <mail@evangoo.de>
Date: Mon, 19 May 2025 22:36:50 +0000
Subject: [PATCH 4/8] history: persistence for MergedTransaction
---
dnf/cli/output.py | 18 ++++++++++++------
dnf/db/history.py | 4 ++++
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/dnf/cli/output.py b/dnf/cli/output.py
index 6c97c7dc9..820ab88fa 100644
--- a/dnf/cli/output.py
+++ b/dnf/cli/output.py
@@ -1772,13 +1772,19 @@ Transaction Summary
else:
print(_("Command Line :"), old.cmdline)
- if old.persistence == libdnf.transaction.TransactionPersistence_PERSIST:
- persistence_str = "Persist"
- elif old.persistence == libdnf.transaction.TransactionPersistence_TRANSIENT:
- persistence_str = "Transient"
+ def print_persistence(persistence):
+ if old.persistence == libdnf.transaction.TransactionPersistence_PERSIST:
+ persistence_str = "Persist"
+ elif old.persistence == libdnf.transaction.TransactionPersistence_TRANSIENT:
+ persistence_str = "Transient"
+ else:
+ persistence_str = "Unknown"
+ print(_("Persistence :"), persistence_str)
+ if isinstance(old.persistence, (list, tuple)):
+ for persistence in old.persistence:
+ print_persistence(persistence)
else:
- persistence_str = "Unknown"
- print(_("Persistence :"), persistence_str)
+ print_persistence(old.persistence)
if old.comment is not None:
if isinstance(old.comment, (list, tuple)):
diff --git a/dnf/db/history.py b/dnf/db/history.py
index 2cde9cbc8..a2c1a8882 100644
--- a/dnf/db/history.py
+++ b/dnf/db/history.py
@@ -269,6 +269,10 @@ class MergedTransactionWrapper(TransactionWrapper):
def cmdline(self):
return self._trans.listCmdlines()
+ @property
+ def persistence(self):
+ return self._trans.listPersistences()
+
@property
def releasever(self):
return self._trans.listReleasevers()
--
2.49.0

52
0053-bootc-Check-whether-protected-paths-will-be-modified.patch Normal file
View File

@ -0,0 +1,52 @@
From abce1aabea6a28ef1d49a6530c521f9a48eedebb Mon Sep 17 00:00:00 2001
From: Evan Goode <mail@evangoo.de>
Date: Wed, 28 May 2025 20:46:56 +0000
Subject: [PATCH 5/8] bootc: Check whether protected paths will be modified
For https://github.com/rpm-software-management/dnf/issues/2199.
Requires libdnf 0.75.0 with the new `usr_drift_protected_paths` option.
---
dnf/cli/cli.py | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
index 99ed1f282..74cf418c4 100644
--- a/dnf/cli/cli.py
+++ b/dnf/cli/cli.py
@@ -29,6 +29,7 @@ try:
from collections.abc import Sequence
except ImportError:
from collections import Sequence
+from collections import defaultdict
import datetime
import logging
import operator
@@ -245,6 +246,24 @@ class BaseCli(dnf.Base):
"Keep in mind that changes to /etc and /var will still persist, and packages "
"commonly modify these directories."))
self._persistence = libdnf.transaction.TransactionPersistence_TRANSIENT
+
+ # Check whether the transaction modifies usr_drift_protected_paths
+ transaction_protected_paths = defaultdict(list)
+ for pkg in trans:
+ for pkg_file_path in sorted(pkg.files):
+ for protected_path in self.conf.usr_drift_protected_paths:
+ if pkg_file_path.startswith("%s/" % protected_path) or pkg_file_path == protected_path:
+ transaction_protected_paths[pkg.nevra].append(pkg_file_path)
+ if transaction_protected_paths:
+ logger.info(_('This operation would modify the following paths, possibly introducing '
+ 'inconsistencies when the transient overlay on /usr is discarded. See the '
+ 'usr_drift_protected_paths configuration option for more information.'))
+ for nevra, protected_paths in transaction_protected_paths.items():
+ logger.info(nevra)
+ for protected_path in protected_paths:
+ logger.info(" %s" % protected_path)
+ raise CliError(_("Operation aborted."))
+
else:
# Not a bootc transaction.
if self.conf.persistence == "transient":
--
2.49.0

57
0054-spec-package-etc-dnf-usr_drift_protected_paths.d.patch Normal file
View File

@ -0,0 +1,57 @@
From 1a47a316ef937f5f04e5f82e64c5aef1db45c717 Mon Sep 17 00:00:00 2001
From: Evan Goode <mail@evangoo.de>
Date: Tue, 3 Jun 2025 22:43:46 +0000
Subject: [PATCH 6/8] spec: package /etc/dnf/usr_drift_protected_paths.d
---
dnf.spec | 1 +
dnf/cli/cli.py | 2 +-
etc/dnf/CMakeLists.txt | 1 +
etc/dnf/usr-drift-protected-paths.d/CMakeLists.txt | 1 +
4 files changed, 4 insertions(+), 1 deletion(-)
create mode 100644 etc/dnf/usr-drift-protected-paths.d/CMakeLists.txt
diff --git a/dnf.spec b/dnf.spec
index 4abc0084b..da5d5fd28 100644
--- a/dnf.spec
+++ b/dnf.spec
@@ -301,6 +301,7 @@ popd
%dir %{confdir}/modules.defaults.d
%dir %{pluginconfpath}
%dir %{confdir}/protected.d
+%dir %{confdir}/usr-drift-protected-paths.d
%dir %{confdir}/vars
%dir %{confdir}/aliases.d
%exclude %{confdir}/aliases.d/zypper.conf
diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
index 74cf418c4..5602a07b1 100644
--- a/dnf/cli/cli.py
+++ b/dnf/cli/cli.py
@@ -262,7 +262,7 @@ class BaseCli(dnf.Base):
logger.info(nevra)
for protected_path in protected_paths:
logger.info(" %s" % protected_path)
- raise CliError(_("Operation aborted."))
+ raise CliError(_("Operation aborted. Pass --setopt=usr_drift_protected_paths= to disable this check and proceed anyway."))
else:
# Not a bootc transaction.
diff --git a/etc/dnf/CMakeLists.txt b/etc/dnf/CMakeLists.txt
index 6f0eec94e..7a60186d7 100644
--- a/etc/dnf/CMakeLists.txt
+++ b/etc/dnf/CMakeLists.txt
@@ -1,3 +1,4 @@
INSTALL (FILES "dnf-strict.conf" "dnf.conf" "automatic.conf" DESTINATION ${SYSCONFDIR}/dnf)
ADD_SUBDIRECTORY (aliases.d)
ADD_SUBDIRECTORY (protected.d)
+ADD_SUBDIRECTORY (usr-drift-protected-paths.d)
diff --git a/etc/dnf/usr-drift-protected-paths.d/CMakeLists.txt b/etc/dnf/usr-drift-protected-paths.d/CMakeLists.txt
new file mode 100644
index 000000000..206b1b281
--- /dev/null
+++ b/etc/dnf/usr-drift-protected-paths.d/CMakeLists.txt
@@ -0,0 +1 @@
+INSTALL(DIRECTORY DESTINATION ${SYSCONFDIR}/dnf/usr-drift-protected-paths.d)
--
2.49.0

35
0055-Support-globs-in-usr_drift_protected_paths.patch Normal file
View File

@ -0,0 +1,35 @@
From 26a9f2163c0d3828f474537687ead4e100f5911a Mon Sep 17 00:00:00 2001
From: Evan Goode <mail@evangoo.de>
Date: Fri, 6 Jun 2025 21:24:20 +0000
Subject: [PATCH 7/8] Support globs in usr_drift_protected_paths
---
dnf/cli/cli.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
index 5602a07b1..c41f31ed6 100644
--- a/dnf/cli/cli.py
+++ b/dnf/cli/cli.py
@@ -31,6 +31,7 @@ except ImportError:
from collections import Sequence
from collections import defaultdict
import datetime
+from fnmatch import fnmatch
import logging
import operator
import os
@@ -251,8 +252,8 @@ class BaseCli(dnf.Base):
transaction_protected_paths = defaultdict(list)
for pkg in trans:
for pkg_file_path in sorted(pkg.files):
- for protected_path in self.conf.usr_drift_protected_paths:
- if pkg_file_path.startswith("%s/" % protected_path) or pkg_file_path == protected_path:
+ for protected_pattern in self.conf.usr_drift_protected_paths:
+ if fnmatch(pkg_file_path, protected_pattern):
transaction_protected_paths[pkg.nevra].append(pkg_file_path)
if transaction_protected_paths:
logger.info(_('This operation would modify the following paths, possibly introducing '
--
2.49.0

32
0056-doc-Document-usr_drift_protected_paths.patch Normal file
View File

@ -0,0 +1,32 @@
From cb765957d546f7d28aef270885418afea4906b89 Mon Sep 17 00:00:00 2001
From: Evan Goode <mail@evangoo.de>
Date: Fri, 6 Jun 2025 22:31:27 +0000
Subject: [PATCH 8/8] doc: Document `usr_drift_protected_paths`
---
doc/conf_ref.rst | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/doc/conf_ref.rst b/doc/conf_ref.rst
index a34e355b6..7ff286fee 100644
--- a/doc/conf_ref.rst
+++ b/doc/conf_ref.rst
@@ -549,6 +549,15 @@ configuration file by your distribution to override the DNF defaults.
Set this to False to disable the automatic running of ``group upgrade`` when running the ``upgrade`` command. Default is ``True`` (perform the operation).
+.. _usr_drift_protected_paths-label:
+
+``usr_drift_protected_paths``
+ :ref:`list <list-label>`
+
+ List of paths that are likely to cause problems when their contents drift with respect to ``/usr``, e.g. ``/etc/pam.d/*``. If a transient transaction would modify these paths, DNF aborts the operation and prints an error. Supports globs. Defaults to ``glob:/etc/dnf/usr-drift-protected-paths.d/*.conf``. So a list of paths can be protected by creating a ``.conf`` file in ``/etc/dnf/usr-drift-protected-paths.d/`` containing one path (or glob pattern) per line.
+
+ When using ``persistence=transient`` on bootc systems, a transient overlay is created on ``/usr``, and any changes DNF makes to ``/usr`` will be discarded on reboot. However, other paths such as ``/etc`` and ``/var`` are (often) not backed by a transient overlay, so changes to them will persist across reboots. Usually, this "filesystem drift" is fine, but it can cause problems in certain situations. For example, a configuration file in ``/etc`` that's shared by multiple packages might reference a ``.so`` file under ``/usr/lib64`` that no longer exists.
+
.. _varsdir_options-label:
``varsdir``
--
2.49.0

19
dnf.spec
View File

@ -2,7 +2,7 @@
%define __cmake_in_source_build 1
# default dependencies
%global hawkey_version 0.74.0
%global hawkey_version 0.75.0
%global libcomps_version 0.1.8
%global libmodulemd_version 2.9.3
%global rpm_version 4.14.0
@ -22,7 +22,7 @@
%endif
%if 0%{?rhel} == 9
%global hawkey_version 0.69.0-13
%global hawkey_version 0.69.0-15
%endif
# override dependencies for fedora 26
@ -73,7 +73,7 @@ It supports RPMs, modules and comps groups & environments.
Name: dnf
Version: 4.14.0
Release: 29%{?dist}
Release: 30%{?dist}
Summary: %{pkg_summary}
# For a breakdown of the licensing, see PACKAGE-LICENSING
License: GPLv2+
@ -127,6 +127,14 @@ Patch45: 0045-package-remote_location-takes-basedir-into-account.patch
Patch46: 0046-Usage-help-don-t-mark-mandatory-option-parameters-as.patch
Patch47: 0047-Fix-typo-from-previous-commit-left-over.patch
Patch48: 0048-disableexcludes-and-disableexcludepkgs-values-are-no.patch
Patch49: 0049-bootc-tmt-testing.patch
Patch50: 0050-persistence-store-persist-transient-in-history-DB.patch
Patch51: 0051-Print-persist-or-transient-in-history-info.patch
Patch52: 0052-history-persistence-for-MergedTransaction.patch
Patch53: 0053-bootc-Check-whether-protected-paths-will-be-modified.patch
Patch54: 0054-spec-package-etc-dnf-usr_drift_protected_paths.d.patch
Patch55: 0055-Support-globs-in-usr_drift_protected_paths.patch
Patch56: 0056-doc-Document-usr_drift_protected_paths.patch
BuildArch: noarch
BuildRequires: cmake
@ -353,6 +361,7 @@ popd
%dir %{confdir}/modules.defaults.d
%dir %{pluginconfpath}
%dir %{confdir}/protected.d
%dir %{confdir}/usr-drift-protected-paths.d
%dir %{confdir}/vars
%dir %{confdir}/aliases.d
%exclude %{confdir}/aliases.d/zypper.conf
@ -432,6 +441,10 @@ popd
# bootc subpackage does not include any files
%changelog
* Thu Jun 26 2025 Evan Goode <egoode@redhat.com> - 4.14.0-30
- Mark transient transactions in DNF history (RHEL-84512)
- Warn/disallow changes outside /usr, /etc with --transient (RHEL-84499)
* Fri May 02 2025 Ales Matej <amatej@redhat.com> - 4.14.0-27
- man page: don't mark mandatory option parameters as optional (RHEL-63958)