Compare commits
No commits in common. "c9" and "c8" have entirely different histories.
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/libostree-2024.7.tar.xz
|
SOURCES/libostree-2022.2.tar.xz
|
||||||
|
@ -1 +1 @@
|
|||||||
7d1cb267442682402152ed4bb5379853e666f06b SOURCES/libostree-2024.7.tar.xz
|
9f1cc3796da8b7892a8ef930a5086d4ff42c475f SOURCES/libostree-2022.2.tar.xz
|
||||||
|
@ -0,0 +1,374 @@
|
|||||||
|
From a6d45dc165e48e2a463880ebb90f34c2b9d3c4ce Mon Sep 17 00:00:00 2001
|
||||||
|
From: Colin Walters <walters@verbum.org>
|
||||||
|
Date: Fri, 22 Apr 2022 18:46:28 -0400
|
||||||
|
Subject: [PATCH 1/6] Add an `ostree-boot-complete.service` to propagate
|
||||||
|
staging failures
|
||||||
|
|
||||||
|
Quite a while ago we added staged deployments, which solved
|
||||||
|
a bunch of issues around the `/etc` merge. However...a persistent
|
||||||
|
problem since then is that any failures in that process that
|
||||||
|
happened in the *previous* boot are not very visible.
|
||||||
|
|
||||||
|
We ship custom code in `rpm-ostree status` to query the previous
|
||||||
|
journal. But that has a few problems - one is that on systems
|
||||||
|
that have been up a while, that failure message may even get
|
||||||
|
rotated out. And second, some systems may not even have a persistent
|
||||||
|
journal at all.
|
||||||
|
|
||||||
|
A general thing we do in e.g. Fedora CoreOS testing is to check
|
||||||
|
for systemd unit failures. We do that both in our automated tests,
|
||||||
|
and we even ship code that displays them on ssh logins. And beyond
|
||||||
|
that obviously a lot of other projects do the same; it's easy via
|
||||||
|
`systemctl --failed`.
|
||||||
|
|
||||||
|
So to make failures more visible, change our `ostree-finalize-staged.service`
|
||||||
|
to have an internal wrapper around the process that "catches" any
|
||||||
|
errors, and copies the error message into a file in `/boot/ostree`.
|
||||||
|
|
||||||
|
Then, a new `ostree-boot-complete.service` looks for this file on
|
||||||
|
startup and re-emits the error message, and fails.
|
||||||
|
|
||||||
|
It also deletes the file. The rationale is to avoid *continually*
|
||||||
|
warning. For example we need to handle the case when an upgrade
|
||||||
|
process creates a new staged deployment. Now, we could change the
|
||||||
|
ostree core code to delete the warning file when that happens instead,
|
||||||
|
but this is trying to be a conservative change.
|
||||||
|
|
||||||
|
This should make failures here much more visible as is.
|
||||||
|
---
|
||||||
|
Makefile-boot.am | 2 +
|
||||||
|
Makefile-ostree.am | 1 +
|
||||||
|
src/boot/ostree-boot-complete.service | 33 +++++++++++
|
||||||
|
src/libostree/ostree-cmdprivate.c | 1 +
|
||||||
|
src/libostree/ostree-cmdprivate.h | 1 +
|
||||||
|
src/libostree/ostree-impl-system-generator.c | 2 +
|
||||||
|
src/libostree/ostree-sysroot-deploy.c | 62 ++++++++++++++++++--
|
||||||
|
src/libostree/ostree-sysroot-private.h | 7 +++
|
||||||
|
src/libostree/ostree-sysroot.c | 2 +
|
||||||
|
src/ostree/ot-admin-builtin-boot-complete.c | 58 ++++++++++++++++++
|
||||||
|
src/ostree/ot-admin-builtins.h | 1 +
|
||||||
|
src/ostree/ot-builtin-admin.c | 3 +
|
||||||
|
tests/kolainst/destructive/staged-deploy.sh | 12 ++++
|
||||||
|
13 files changed, 181 insertions(+), 4 deletions(-)
|
||||||
|
create mode 100644 src/boot/ostree-boot-complete.service
|
||||||
|
create mode 100644 src/ostree/ot-admin-builtin-boot-complete.c
|
||||||
|
|
||||||
|
diff --git a/Makefile-boot.am b/Makefile-boot.am
|
||||||
|
index ec10a0d6..e42e5180 100644
|
||||||
|
--- a/Makefile-boot.am
|
||||||
|
+++ b/Makefile-boot.am
|
||||||
|
@@ -38,6 +38,7 @@ endif
|
||||||
|
if BUILDOPT_SYSTEMD
|
||||||
|
systemdsystemunit_DATA = src/boot/ostree-prepare-root.service \
|
||||||
|
src/boot/ostree-remount.service \
|
||||||
|
+ src/boot/ostree-boot-complete.service \
|
||||||
|
src/boot/ostree-finalize-staged.service \
|
||||||
|
src/boot/ostree-finalize-staged.path \
|
||||||
|
$(NULL)
|
||||||
|
@@ -64,6 +65,7 @@ endif
|
||||||
|
EXTRA_DIST += src/boot/dracut/module-setup.sh \
|
||||||
|
src/boot/dracut/ostree.conf \
|
||||||
|
src/boot/mkinitcpio \
|
||||||
|
+ src/boot/ostree-boot-complete.service \
|
||||||
|
src/boot/ostree-prepare-root.service \
|
||||||
|
src/boot/ostree-finalize-staged.path \
|
||||||
|
src/boot/ostree-remount.service \
|
||||||
|
diff --git a/Makefile-ostree.am b/Makefile-ostree.am
|
||||||
|
index 82af1681..0fe2c5f8 100644
|
||||||
|
--- a/Makefile-ostree.am
|
||||||
|
+++ b/Makefile-ostree.am
|
||||||
|
@@ -70,6 +70,7 @@ ostree_SOURCES += \
|
||||||
|
src/ostree/ot-admin-builtin-diff.c \
|
||||||
|
src/ostree/ot-admin-builtin-deploy.c \
|
||||||
|
src/ostree/ot-admin-builtin-finalize-staged.c \
|
||||||
|
+ src/ostree/ot-admin-builtin-boot-complete.c \
|
||||||
|
src/ostree/ot-admin-builtin-undeploy.c \
|
||||||
|
src/ostree/ot-admin-builtin-instutil.c \
|
||||||
|
src/ostree/ot-admin-builtin-cleanup.c \
|
||||||
|
diff --git a/src/boot/ostree-boot-complete.service b/src/boot/ostree-boot-complete.service
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..5c09fdc9
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/boot/ostree-boot-complete.service
|
||||||
|
@@ -0,0 +1,33 @@
|
||||||
|
+# Copyright (C) 2022 Red Hat, Inc.
|
||||||
|
+#
|
||||||
|
+# This library is free software; you can redistribute it and/or
|
||||||
|
+# modify it under the terms of the GNU Lesser General Public
|
||||||
|
+# License as published by the Free Software Foundation; either
|
||||||
|
+# version 2 of the License, or (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This library is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+# Lesser General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU Lesser General Public
|
||||||
|
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
+
|
||||||
|
+[Unit]
|
||||||
|
+Description=OSTree Complete Boot
|
||||||
|
+Documentation=man:ostree(1)
|
||||||
|
+# For now, this is the only condition on which we start, but it's
|
||||||
|
+# marked as a triggering condition in case in the future we want
|
||||||
|
+# to do something else.
|
||||||
|
+ConditionPathExists=|/boot/ostree/finalize-failure.stamp
|
||||||
|
+RequiresMountsFor=/boot
|
||||||
|
+# Ensure that we propagate the failure into the current boot before
|
||||||
|
+# any further finalization attempts.
|
||||||
|
+Before=ostree-finalize-staged.service
|
||||||
|
+
|
||||||
|
+[Service]
|
||||||
|
+Type=oneshot
|
||||||
|
+# To write to /boot while keeping it read-only
|
||||||
|
+MountFlags=slave
|
||||||
|
+RemainAfterExit=yes
|
||||||
|
+ExecStart=/usr/bin/ostree admin boot-complete
|
||||||
|
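Review bot: The stamp path in `ConditionPathExists=|/boot/ostree/finalize-failure.stamp` is a second hard-coded copy of `_OSTREE_FINALIZE_STAGED_FAILURE_PATH` ("ostree/finalize-failure.stamp", relative to /boot) from ostree-sysroot-private.h, and nothing ties the two together. If one is renamed, the unit silently stops triggering and the failure goes unreported again. Add a comment on both sides naming the other location. The comment above `MountFlags=slave` should also say that the write in question is the removal of the stamp file, since that is the only modification this unit makes.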
diff --git a/src/libostree/ostree-cmdprivate.c b/src/libostree/ostree-cmdprivate.c
|
||||||
|
index c9a6e2e1..f6c114f4 100644
|
||||||
|
--- a/src/libostree/ostree-cmdprivate.c
|
||||||
|
+++ b/src/libostree/ostree-cmdprivate.c
|
||||||
|
@@ -51,6 +51,7 @@ ostree_cmd__private__ (void)
|
||||||
|
_ostree_repo_static_delta_delete,
|
||||||
|
_ostree_repo_verify_bindings,
|
||||||
|
_ostree_sysroot_finalize_staged,
|
||||||
|
+ _ostree_sysroot_boot_complete,
|
||||||
|
};
|
||||||
|
|
||||||
|
return &table;
|
||||||
|
diff --git a/src/libostree/ostree-cmdprivate.h b/src/libostree/ostree-cmdprivate.h
|
||||||
|
index 46452ebd..17f943c8 100644
|
||||||
|
--- a/src/libostree/ostree-cmdprivate.h
|
||||||
|
+++ b/src/libostree/ostree-cmdprivate.h
|
||||||
|
@@ -33,6 +33,7 @@ typedef struct {
|
||||||
|
gboolean (* ostree_static_delta_delete) (OstreeRepo *repo, const char *delta_id, GCancellable *cancellable, GError **error);
|
||||||
|
gboolean (* ostree_repo_verify_bindings) (const char *collection_id, const char *ref_name, GVariant *commit, GError **error);
|
||||||
|
gboolean (* ostree_finalize_staged) (OstreeSysroot *sysroot, GCancellable *cancellable, GError **error);
|
||||||
|
+ gboolean (* ostree_boot_complete) (OstreeSysroot *sysroot, GCancellable *cancellable, GError **error);
|
||||||
|
} OstreeCmdPrivateVTable;
|
||||||
|
|
||||||
|
/* Note this not really "public", we just export the symbol, but not the header */
|
||||||
|
diff --git a/src/libostree/ostree-impl-system-generator.c b/src/libostree/ostree-impl-system-generator.c
|
||||||
|
index 769f0cbd..92d71605 100644
|
||||||
|
--- a/src/libostree/ostree-impl-system-generator.c
|
||||||
|
+++ b/src/libostree/ostree-impl-system-generator.c
|
||||||
|
@@ -134,6 +134,8 @@ require_internal_units (const char *normal_dir,
|
||||||
|
return FALSE;
|
||||||
|
if (symlinkat (SYSTEM_DATA_UNIT_PATH "/ostree-finalize-staged.path", normal_dir_dfd, "multi-user.target.wants/ostree-finalize-staged.path") < 0)
|
||||||
|
return glnx_throw_errno_prefix (error, "symlinkat");
|
||||||
|
+ if (symlinkat (SYSTEM_DATA_UNIT_PATH "/ostree-boot-complete.service", normal_dir_dfd, "multi-user.target.wants/ostree-boot-complete.service") < 0)
|
||||||
|
+ return glnx_throw_errno_prefix (error, "symlinkat");
|
||||||
|
|
||||||
|
return TRUE;
|
||||||
|
#else
|
||||||
|
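Review bot: The added `symlinkat` call reports failure with the same bare "symlinkat" prefix as the call just above it, so an error from the generator does not say which unit could not be linked. Suggest putting the unit name in the prefix for both calls, for example "symlinkat ostree-boot-complete.service".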
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
index b7cc232f..fc5916d8 100644
|
||||||
|
--- a/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
+++ b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
@@ -3255,10 +3255,10 @@ ostree_sysroot_stage_tree_with_options (OstreeSysroot *self,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Invoked at shutdown time by ostree-finalize-staged.service */
|
||||||
|
-gboolean
|
||||||
|
-_ostree_sysroot_finalize_staged (OstreeSysroot *self,
|
||||||
|
- GCancellable *cancellable,
|
||||||
|
- GError **error)
|
||||||
|
+static gboolean
|
||||||
|
+_ostree_sysroot_finalize_staged_inner (OstreeSysroot *self,
|
||||||
|
+ GCancellable *cancellable,
|
||||||
|
+ GError **error)
|
||||||
|
{
|
||||||
|
/* It's totally fine if there's no staged deployment; perhaps down the line
|
||||||
|
* though we could teach the ostree cmdline to tell systemd to activate the
|
||||||
|
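Review bot: The context comment "Invoked at shutdown time by ostree-finalize-staged.service" is left sitting above the now-static `_ostree_sysroot_finalize_staged_inner`, and the next hunk adds the identical comment above the new public wrapper. The inner function is no longer the entry point, so its comment should say that it does the actual finalization and is called only by the wrapper, which records any error to the stamp file.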
@@ -3355,9 +3355,63 @@ _ostree_sysroot_finalize_staged (OstreeSysroot *self,
|
||||||
|
if (!ostree_sysroot_prepare_cleanup (self, cancellable, error))
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
+ // Cleanup will have closed some FDs, re-ensure writability
|
||||||
|
+ if (!_ostree_sysroot_ensure_writable (self, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Invoked at shutdown time by ostree-finalize-staged.service */
|
||||||
|
+gboolean
|
||||||
|
+_ostree_sysroot_finalize_staged (OstreeSysroot *self,
|
||||||
|
+ GCancellable *cancellable,
|
||||||
|
+ GError **error)
|
||||||
|
+{
|
||||||
|
+ g_autoptr(GError) finalization_error = NULL;
|
||||||
|
+ if (!_ostree_sysroot_ensure_boot_fd (self, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ if (!_ostree_sysroot_finalize_staged_inner (self, cancellable, &finalization_error))
|
||||||
|
+ {
|
||||||
|
+ g_autoptr(GError) writing_error = NULL;
|
||||||
|
+ g_assert_cmpint (self->boot_fd, !=, -1);
|
||||||
|
+ if (!glnx_file_replace_contents_at (self->boot_fd, _OSTREE_FINALIZE_STAGED_FAILURE_PATH,
|
||||||
|
+ (guint8*)finalization_error->message, -1,
|
||||||
|
+ 0, cancellable, &writing_error))
|
||||||
|
+ {
|
||||||
|
+ // We somehow failed to write the failure message...that's not great. Maybe ENOSPC on /boot.
|
||||||
|
+ g_printerr ("Failed to write %s: %s\n", _OSTREE_FINALIZE_STAGED_FAILURE_PATH, writing_error->message);
|
||||||
|
+ }
|
||||||
|
+ g_propagate_error (error, g_steal_pointer (&finalization_error));
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+ return TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* Invoked at bootup time by ostree-boot-complete.service */
|
||||||
|
+gboolean
|
||||||
|
+_ostree_sysroot_boot_complete (OstreeSysroot *self,
|
||||||
|
+ GCancellable *cancellable,
|
||||||
|
+ GError **error)
|
||||||
|
+{
|
||||||
|
+ if (!_ostree_sysroot_ensure_boot_fd (self, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
+ glnx_autofd int failure_fd = -1;
|
||||||
|
+ if (!ot_openat_ignore_enoent (self->boot_fd, _OSTREE_FINALIZE_STAGED_FAILURE_PATH, &failure_fd, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ // If we didn't find a failure log, then there's nothing to do right now.
|
||||||
|
+ // (Actually this unit shouldn't even be invoked, but we may do more in the future)
|
||||||
|
+ if (failure_fd == -1)
|
||||||
|
+ return TRUE;
|
||||||
|
+ g_autofree char *failure_data = glnx_fd_readall_utf8 (failure_fd, NULL, cancellable, error);
|
||||||
|
+ if (failure_data == NULL)
|
||||||
|
+ return glnx_prefix_error (error, "Reading from %s", _OSTREE_FINALIZE_STAGED_FAILURE_PATH);
|
||||||
|
+ // Remove the file; we don't want to continually error out.
|
||||||
|
+ (void) unlinkat (self->boot_fd, _OSTREE_FINALIZE_STAGED_FAILURE_PATH, 0);
|
||||||
|
+ return glnx_throw (error, "ostree-finalize-staged.service failed on previous boot: %s", failure_data);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* ostree_sysroot_deployment_set_kargs:
|
||||||
|
* @self: Sysroot
|
||||||
|
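Review bot: In `_ostree_sysroot_boot_complete` the stamp is unlinked only after `glnx_fd_readall_utf8` succeeds. The writer stores `finalization_error->message` as raw bytes, so if the read or its UTF-8 validation fails, the function returns through `glnx_prefix_error` with the file still in place. The unit will then fail the same way on every boot, which is what the "we don't want to continually error out" comment is trying to avoid. Suggest unlinking before returning the read error. The `(void) unlinkat (...)` result is also discarded; if removal fails the same stale failure is reported on each boot, so that case deserves at least a `g_printerr`. Separately, in `_ostree_sysroot_finalize_staged` a failure of `_ostree_sysroot_ensure_boot_fd` now returns before finalization is attempted and leaves no stamp, so that path is still invisible on the next boot.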
diff --git a/src/libostree/ostree-sysroot-private.h b/src/libostree/ostree-sysroot-private.h
|
||||||
|
index cb34eeb3..a49a406c 100644
|
||||||
|
--- a/src/libostree/ostree-sysroot-private.h
|
||||||
|
+++ b/src/libostree/ostree-sysroot-private.h
|
||||||
|
@@ -96,6 +96,9 @@ struct OstreeSysroot {
|
||||||
|
#define _OSTREE_SYSROOT_BOOT_INITRAMFS_OVERLAYS "ostree/initramfs-overlays"
|
||||||
|
#define _OSTREE_SYSROOT_INITRAMFS_OVERLAYS "boot/" _OSTREE_SYSROOT_BOOT_INITRAMFS_OVERLAYS
|
||||||
|
|
||||||
|
+// Relative to /boot, consumed by ostree-boot-complete.service
|
||||||
|
+#define _OSTREE_FINALIZE_STAGED_FAILURE_PATH "ostree/finalize-failure.stamp"
|
||||||
|
+
|
||||||
|
gboolean
|
||||||
|
_ostree_sysroot_ensure_writable (OstreeSysroot *self,
|
||||||
|
GError **error);
|
||||||
|
@@ -142,6 +145,10 @@ gboolean
|
||||||
|
_ostree_sysroot_finalize_staged (OstreeSysroot *self,
|
||||||
|
GCancellable *cancellable,
|
||||||
|
GError **error);
|
||||||
|
+gboolean
|
||||||
|
+_ostree_sysroot_boot_complete (OstreeSysroot *self,
|
||||||
|
+ GCancellable *cancellable,
|
||||||
|
+ GError **error);
|
||||||
|
|
||||||
|
OstreeDeployment *
|
||||||
|
_ostree_sysroot_deserialize_deployment_from_variant (GVariant *v,
|
||||||
|
diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c
|
||||||
|
index 266a2975..f083f950 100644
|
||||||
|
--- a/src/libostree/ostree-sysroot.c
|
||||||
|
+++ b/src/libostree/ostree-sysroot.c
|
||||||
|
@@ -356,6 +356,8 @@ _ostree_sysroot_ensure_writable (OstreeSysroot *self,
|
||||||
|
ostree_sysroot_unload (self);
|
||||||
|
if (!ensure_sysroot_fd (self, error))
|
||||||
|
return FALSE;
|
||||||
|
+ if (!_ostree_sysroot_ensure_boot_fd (self, error))
|
||||||
|
+ return FALSE;
|
||||||
|
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
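Review bot: Adding `_ostree_sysroot_ensure_boot_fd` to `_ostree_sysroot_ensure_writable` means every caller of that function now fails when the boot fd cannot be obtained, not only the finalize path that needs it for the stamp file. The two added lines carry no comment; please state why the boot fd has to be re-established here (the deploy hunk mentions that cleanup closes some FDs) so the wider failure mode is a documented decision.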
diff --git a/src/ostree/ot-admin-builtin-boot-complete.c b/src/ostree/ot-admin-builtin-boot-complete.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..6e1052f5
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/ostree/ot-admin-builtin-boot-complete.c
|
||||||
|
@@ -0,0 +1,58 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (C) 2022 Red Hat, Inc.
|
||||||
|
+ *
|
||||||
|
+ * SPDX-License-Identifier: LGPL-2.0+
|
||||||
|
+ *
|
||||||
|
+ * This library is free software; you can redistribute it and/or
|
||||||
|
+ * modify it under the terms of the GNU Lesser General Public
|
||||||
|
+ * License as published by the Free Software Foundation; either
|
||||||
|
+ * version 2 of the License, or (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * This library is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+ * Lesser General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU Lesser General Public
|
||||||
|
+ * License along with this library. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include "config.h"
|
||||||
|
+
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+
|
||||||
|
+#include "ot-main.h"
|
||||||
|
+#include "ot-admin-builtins.h"
|
||||||
|
+#include "ot-admin-functions.h"
|
||||||
|
+#include "ostree.h"
|
||||||
|
+#include "otutil.h"
|
||||||
|
+
|
||||||
|
+#include "ostree-cmdprivate.h"
|
||||||
|
+
|
||||||
|
+static GOptionEntry options[] = {
|
||||||
|
+ { NULL }
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+gboolean
|
||||||
|
+ot_admin_builtin_boot_complete (int argc, char **argv, OstreeCommandInvocation *invocation, GCancellable *cancellable, GError **error)
|
||||||
|
+{
|
||||||
|
+ /* Just a sanity check; we shouldn't be called outside of the service though.
|
||||||
|
+ */
|
||||||
|
+ struct stat stbuf;
|
||||||
|
+ if (fstatat (AT_FDCWD, OSTREE_PATH_BOOTED, &stbuf, 0) < 0)
|
||||||
|
+ return TRUE;
|
||||||
|
+ // We must have been invoked via systemd which should have set up a mount namespace.
|
||||||
|
+ g_assert (getenv ("INVOCATION_ID"));
|
||||||
|
+
|
||||||
|
+ g_autoptr(GOptionContext) context = g_option_context_new ("");
|
||||||
|
+ g_autoptr(OstreeSysroot) sysroot = NULL;
|
||||||
|
+ if (!ostree_admin_option_context_parse (context, options, &argc, &argv,
|
||||||
|
+ OSTREE_ADMIN_BUILTIN_FLAG_SUPERUSER,
|
||||||
|
+ invocation, &sysroot, cancellable, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
+ if (!ostree_cmd__private__()->ostree_boot_complete (sysroot, cancellable, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
+ return TRUE;
|
||||||
|
+}
|
||||||
|
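Review bot: `g_assert (getenv ("INVOCATION_ID"));` aborts the process when the command is started outside systemd. The subcommand is registered as hidden, but it can still be typed at a shell, and an abort (with a possible core dump) is a poor result for that. Suggest returning an error with `glnx_throw (error, ...)` instead. Note also that `INVOCATION_ID` only shows that systemd started the process; it does not show that the `MountFlags=slave` namespace from the unit is in effect, so the comment above the assert overstates what is being checked.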
diff --git a/src/ostree/ot-admin-builtins.h b/src/ostree/ot-admin-builtins.h
|
||||||
|
index d32b617e..8d9451be 100644
|
||||||
|
--- a/src/ostree/ot-admin-builtins.h
|
||||||
|
+++ b/src/ostree/ot-admin-builtins.h
|
||||||
|
@@ -39,6 +39,7 @@ BUILTINPROTO(deploy);
|
||||||
|
BUILTINPROTO(cleanup);
|
||||||
|
BUILTINPROTO(pin);
|
||||||
|
BUILTINPROTO(finalize_staged);
|
||||||
|
+BUILTINPROTO(boot_complete);
|
||||||
|
BUILTINPROTO(unlock);
|
||||||
|
BUILTINPROTO(status);
|
||||||
|
BUILTINPROTO(set_origin);
|
||||||
|
diff --git a/src/ostree/ot-builtin-admin.c b/src/ostree/ot-builtin-admin.c
|
||||||
|
index e0d2a60c..af09a614 100644
|
||||||
|
--- a/src/ostree/ot-builtin-admin.c
|
||||||
|
+++ b/src/ostree/ot-builtin-admin.c
|
||||||
|
@@ -43,6 +43,9 @@ static OstreeCommand admin_subcommands[] = {
|
||||||
|
{ "finalize-staged", OSTREE_BUILTIN_FLAG_NO_REPO | OSTREE_BUILTIN_FLAG_HIDDEN,
|
||||||
|
ot_admin_builtin_finalize_staged,
|
||||||
|
"Internal command to run at shutdown time" },
|
||||||
|
+ { "boot-complete", OSTREE_BUILTIN_FLAG_NO_REPO | OSTREE_BUILTIN_FLAG_HIDDEN,
|
||||||
|
+ ot_admin_builtin_boot_complete,
|
||||||
|
+ "Internal command to run at boot after an update was applied" },
|
||||||
|
{ "init-fs", OSTREE_BUILTIN_FLAG_NO_REPO,
|
||||||
|
ot_admin_builtin_init_fs,
|
||||||
|
"Initialize a root filesystem" },
|
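Review bot: The help string "Internal command to run at boot after an update was applied" does not match what the command does. Per the rest of the patch it re-emits a finalization failure recorded on the previous boot, which is the case where the update was not applied. Suggest wording along the lines of "Internal command to run at boot to report a failed finalization from the previous boot".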
515
SOURCES/0001-Support-overlayfs-whiteouts-on-checkout.patch
Normal file
@ -0,0 +1,515 @@
|
|||||||
|
From 0085494e350c72599fc5c0e00422885d80b3c660 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Miguel Angel Ajo <majopela@redhat.com>
|
||||||
|
Date: Mon, 19 Sep 2022 17:15:24 +0200
|
||||||
|
Subject: [PATCH] Support overlayfs whiteouts on checkout
|
||||||
|
|
||||||
|
Introduces an intermediate format for overlayfs storage, where
|
||||||
|
.wh-ostree. prefixed files will be converted into char 0:0
|
||||||
|
whiteout devices used by overlayfs to mark deletions across layers.
|
||||||
|
|
||||||
|
The CI scripts now uses a volume for the scratch directories
|
||||||
|
previously in /var/tmp otherwise we cannot create whiteout
|
||||||
|
devices into an overlayfs mounted filesystem.
|
||||||
|
|
||||||
|
Related-Issue: #2712
|
||||||
|
(cherry picked from commit e234b630f85b97e48ecf45d5aaba9b1aa64e6b54)
|
||||||
|
---
|
||||||
|
.github/workflows/tests.yml | 8 +-
|
||||||
|
Makefile-tests.am | 1 +
|
||||||
|
bash/ostree | 1 +
|
||||||
|
man/ostree-checkout.xml | 11 ++
|
||||||
|
src/libostree/ostree-repo-checkout.c | 129 ++++++++++++++++++++-
|
||||||
|
src/libostree/ostree-repo.h | 5 +-
|
||||||
|
src/libostree/ostree-sysroot-deploy.c | 2 +-
|
||||||
|
src/ostree/ot-builtin-checkout.c | 7 +-
|
||||||
|
tests/archive-test.sh | 7 +-
|
||||||
|
tests/basic-test.sh | 29 ++++-
|
||||||
|
tests/kolainst/data-shared/libtest-core.sh | 7 ++
|
||||||
|
tests/libtest.sh | 52 ++++++++-
|
||||||
|
tests/test-admin-deploy-whiteouts.sh | 42 +++++++
|
||||||
|
13 files changed, 292 insertions(+), 9 deletions(-)
|
||||||
|
create mode 100755 tests/test-admin-deploy-whiteouts.sh
|
||||||
|
|
||||||
|
--- a/Makefile-tests.am
|
||||||
|
+++ b/Makefile-tests.am
|
||||||
|
@@ -107,6 +107,7 @@ _installed_or_uninstalled_test_scripts = \
|
||||||
|
tests/test-admin-deploy-nomerge.sh \
|
||||||
|
tests/test-admin-deploy-none.sh \
|
||||||
|
tests/test-admin-deploy-bootid-gc.sh \
|
||||||
|
+ tests/test-admin-deploy-whiteouts.sh \
|
||||||
|
tests/test-osupdate-dtb.sh \
|
||||||
|
tests/test-admin-instutil-set-kargs.sh \
|
||||||
|
tests/test-admin-upgrade-not-backwards.sh \
|
||||||
|
diff --git a/bash/ostree b/bash/ostree
|
||||||
|
index 46363315..6f3b86ea 100644
|
||||||
|
--- a/bash/ostree
|
||||||
|
+++ b/bash/ostree
|
||||||
|
@@ -249,6 +249,7 @@ _ostree_checkout() {
|
||||||
|
--union-identical
|
||||||
|
--user-mode -U
|
||||||
|
--whiteouts
|
||||||
|
+ --process-passthrough-whiteouts
|
||||||
|
"
|
||||||
|
|
||||||
|
local options_with_args="
|
||||||
|
diff --git a/man/ostree-checkout.xml b/man/ostree-checkout.xml
|
||||||
|
index 4ed53a91..8f7d4f9b 100644
|
||||||
|
--- a/man/ostree-checkout.xml
|
||||||
|
+++ b/man/ostree-checkout.xml
|
||||||
|
@@ -114,6 +114,17 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
+ <varlistentry>
|
||||||
|
+ <term><option>--process-passthrough-whiteouts</option></term>
|
||||||
|
+
|
||||||
|
+ <listitem><para>
|
||||||
|
+ Enable overlayfs whiteout extraction into 0:0 character devices.
|
||||||
|
+ Overlayfs whiteouts are encoded inside ostree as <literal>.ostree-wh.filename</literal>
|
||||||
|
+ and extracted as 0:0 character devices. This is useful to carry
|
||||||
|
+ container storage embedded into ostree.
|
||||||
|
+ </para></listitem>
|
||||||
|
+ </varlistentry>
|
||||||
|
+
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>--allow-noent</option></term>
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-repo-checkout.c b/src/libostree/ostree-repo-checkout.c
|
||||||
|
index 663292a9..7c7d0cc7 100644
|
||||||
|
--- a/src/libostree/ostree-repo-checkout.c
|
||||||
|
+++ b/src/libostree/ostree-repo-checkout.c
|
||||||
|
@@ -35,6 +35,8 @@
|
||||||
|
#define WHITEOUT_PREFIX ".wh."
|
||||||
|
#define OPAQUE_WHITEOUT_NAME ".wh..wh..opq"
|
||||||
|
|
||||||
|
+#define OVERLAYFS_WHITEOUT_PREFIX ".ostree-wh."
|
||||||
|
+
|
||||||
|
/* Per-checkout call state/caching */
|
||||||
|
typedef struct {
|
||||||
|
GString *path_buf; /* buffer for real path if filtering enabled */
|
||||||
|
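Review bot: `OVERLAYFS_WHITEOUT_PREFIX` is defined as ".ostree-wh.", which agrees with the man page hunk, but the commit message describes the files as ".wh-ostree." prefixed. One of the two is wrong, and the commit message is what people will search for later. The define also sits next to `WHITEOUT_PREFIX` (".wh.") without a comment; a line explaining that this prefix is passed through as a 0:0 character device rather than processed as a Docker-style deletion would keep the two from being confused.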
@@ -582,6 +584,117 @@ checkout_file_hardlink (OstreeRepo *self,
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static gboolean
|
||||||
|
+_checkout_overlayfs_whiteout_at_no_overwrite (OstreeRepoCheckoutAtOptions *options,
|
||||||
|
+ int destination_dfd,
|
||||||
|
+ const char *destination_name,
|
||||||
|
+ GFileInfo *file_info,
|
||||||
|
+ GVariant *xattrs,
|
||||||
|
+ gboolean *found_exant_file,
|
||||||
|
+ GCancellable *cancellable,
|
||||||
|
+ GError **error)
|
||||||
|
+{
|
||||||
|
+ if (found_exant_file != NULL)
|
||||||
|
+ *found_exant_file = FALSE;
|
||||||
|
+ guint32 file_mode = g_file_info_get_attribute_uint32 (file_info, "unix::mode");
|
||||||
|
+ if (mknodat(destination_dfd, destination_name, (file_mode & ~S_IFMT) | S_IFCHR, (dev_t)0) < 0)
|
||||||
|
+ {
|
||||||
|
+ if (errno == EEXIST && found_exant_file != NULL)
|
||||||
|
+ {
|
||||||
|
+ *found_exant_file = TRUE;
|
||||||
|
+ return TRUE;
|
||||||
|
+ }
|
||||||
|
+ return glnx_throw_errno_prefix (error, "Creating whiteout char device");
|
||||||
|
+ }
|
||||||
|
+ if (options->mode != OSTREE_REPO_CHECKOUT_MODE_USER)
|
||||||
|
+ {
|
||||||
|
+ if (xattrs != NULL &&
|
||||||
|
+ !glnx_dfd_name_set_all_xattrs(destination_dfd, destination_name, xattrs,
|
||||||
|
+ cancellable, error))
|
||||||
|
+ return glnx_throw_errno_prefix (error, "Setting xattrs for whiteout char device");
|
||||||
|
+
|
||||||
|
+ if (TEMP_FAILURE_RETRY(fchownat(destination_dfd, destination_name,
|
||||||
|
+ g_file_info_get_attribute_uint32 (file_info, "unix::uid"),
|
||||||
|
+ g_file_info_get_attribute_uint32 (file_info, "unix::gid"),
|
||||||
|
+ AT_SYMLINK_NOFOLLOW) < 0))
|
||||||
|
+ return glnx_throw_errno_prefix (error, "fchownat");
|
||||||
|
+ if (TEMP_FAILURE_RETRY (fchmodat (destination_dfd, destination_name, file_mode & ~S_IFMT, 0)) < 0)
|
||||||
|
+ return glnx_throw_errno_prefix (error, "fchmodat %s to 0%o", destination_name, file_mode & ~S_IFMT);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static gboolean
|
||||||
|
+_checkout_overlayfs_whiteout_at (OstreeRepo *repo,
|
||||||
|
+ OstreeRepoCheckoutAtOptions *options,
|
||||||
|
+ int destination_dfd,
|
||||||
|
+ const char *destination_name,
|
||||||
|
+ GFileInfo *file_info,
|
||||||
|
+ GVariant *xattrs,
|
||||||
|
+ GCancellable *cancellable,
|
||||||
|
+ GError **error)
|
||||||
|
+{
|
||||||
|
+ gboolean found_exant_file = FALSE;
|
||||||
|
+ if (!_checkout_overlayfs_whiteout_at_no_overwrite(options, destination_dfd, destination_name,
|
||||||
|
+ file_info, xattrs,&found_exant_file,
|
||||||
|
+ cancellable, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
+ if (!found_exant_file)
|
||||||
|
+ return TRUE;
|
||||||
|
+
|
||||||
|
+ guint32 uid = g_file_info_get_attribute_uint32 (file_info, "unix::uid");
|
||||||
|
+ guint32 gid = g_file_info_get_attribute_uint32 (file_info, "unix::gid");
|
||||||
|
+ guint32 file_mode = g_file_info_get_attribute_uint32 (file_info, "unix::mode");
|
||||||
|
+
|
||||||
|
+ struct stat dest_stbuf;
|
||||||
|
+
|
||||||
|
+ switch(options->overwrite_mode)
|
||||||
|
+ {
|
||||||
|
+ case OSTREE_REPO_CHECKOUT_OVERWRITE_NONE:
|
||||||
|
+ return FALSE;
|
||||||
|
+ case OSTREE_REPO_CHECKOUT_OVERWRITE_UNION_FILES:
|
||||||
|
+ if (!ot_ensure_unlinked_at (destination_dfd, destination_name, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ return _checkout_overlayfs_whiteout_at_no_overwrite(options, destination_dfd, destination_name,
|
||||||
|
+ file_info, xattrs, NULL, cancellable, error);
|
||||||
|
+ case OSTREE_REPO_CHECKOUT_OVERWRITE_ADD_FILES:
|
||||||
|
+ return TRUE;
|
||||||
|
+
|
||||||
|
+ case OSTREE_REPO_CHECKOUT_OVERWRITE_UNION_IDENTICAL:
|
||||||
|
+ if (!glnx_fstatat(destination_dfd, destination_name, &dest_stbuf, AT_SYMLINK_NOFOLLOW,
|
||||||
|
+ error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ if (!(repo->disable_xattrs || repo->mode == OSTREE_REPO_MODE_BARE_USER_ONLY))
|
||||||
|
+ {
|
||||||
|
+ g_autoptr(GVariant) fs_xattrs;
|
||||||
|
+ if (!glnx_dfd_name_get_all_xattrs (destination_dfd, destination_name,
|
||||||
|
+ &fs_xattrs, cancellable, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ if (!g_variant_equal(fs_xattrs, xattrs))
|
||||||
|
+ return glnx_throw(error, "existing destination file %s xattrs don't match",
|
||||||
|
+ destination_name);
|
||||||
|
+ }
|
||||||
|
+ if (options->mode != OSTREE_REPO_CHECKOUT_MODE_USER)
|
||||||
|
+ {
|
||||||
|
+ if (gid != dest_stbuf.st_gid)
|
||||||
|
+ return glnx_throw(error, "existing destination file %s does not match gid %d",
|
||||||
|
+ destination_name, gid);
|
||||||
|
+
|
||||||
|
+ if (uid != dest_stbuf.st_uid)
|
||||||
|
+ return glnx_throw(error, "existing destination file %s does not match uid %d",
|
||||||
|
+ destination_name, gid);
|
||||||
|
+
|
||||||
|
+ if ((file_mode & ALLPERMS) != (dest_stbuf.st_mode & ALLPERMS))
|
||||||
|
+ return glnx_throw(error, "existing destination file %s does not match mode %o",
|
||||||
|
+ destination_name, file_mode);
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ return TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static gboolean
|
||||||
|
checkout_one_file_at (OstreeRepo *repo,
|
||||||
|
OstreeRepoCheckoutAtOptions *options,
|
||||||
|
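Review bot: In `_checkout_overlayfs_whiteout_at`, the `OSTREE_REPO_CHECKOUT_OVERWRITE_NONE` case does `return FALSE;` without setting `error`, so the caller gets a failure with no GError; it should throw an "already exists" style error for `destination_name`. In the `UNION_IDENTICAL` case, `g_autoptr(GVariant) fs_xattrs;` is declared without `= NULL`, so if `glnx_dfd_name_get_all_xattrs` fails before assigning it, the cleanup unrefs an uninitialized pointer. The uid mismatch message passes `gid` instead of `uid` as its argument. In `_checkout_overlayfs_whiteout_at_no_overwrite`, `glnx_dfd_name_set_all_xattrs` already sets `error` on failure, and calling `glnx_throw_errno_prefix` on top of it sets the error a second time. Minor: `found_exant_file` should be spelled `found_extant_file`.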
@@ -603,7 +716,8 @@ checkout_one_file_at (OstreeRepo *repo,
|
||||||
|
|
||||||
|
/* FIXME - avoid the GFileInfo here */
|
||||||
|
g_autoptr(GFileInfo) source_info = NULL;
|
||||||
|
- if (!ostree_repo_load_file (repo, checksum, NULL, &source_info, NULL,
|
||||||
|
+ g_autoptr(GVariant) source_xattrs = NULL;
|
||||||
|
+ if (!ostree_repo_load_file (repo, checksum, NULL, &source_info, &source_xattrs,
|
||||||
|
cancellable, error))
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
@@ -623,6 +737,7 @@ checkout_one_file_at (OstreeRepo *repo,
|
||||||
|
const gboolean is_unreadable = (!is_symlink && (source_mode & S_IRUSR) == 0);
|
||||||
|
const gboolean is_whiteout = (!is_symlink && options->process_whiteouts &&
|
||||||
|
g_str_has_prefix (destination_name, WHITEOUT_PREFIX));
|
||||||
|
+ const gboolean is_overlayfs_whiteout = (!is_symlink && g_str_has_prefix (destination_name, OVERLAYFS_WHITEOUT_PREFIX));
|
||||||
|
const gboolean is_reg_zerosized = (!is_symlink && g_file_info_get_size (source_info) == 0);
|
||||||
|
const gboolean override_user_unreadable = (options->mode == OSTREE_REPO_CHECKOUT_MODE_USER && is_unreadable);
|
||||||
|
|
||||||
|
@@ -643,6 +758,18 @@ checkout_one_file_at (OstreeRepo *repo,
|
||||||
|
|
||||||
|
need_copy = FALSE;
|
||||||
|
}
|
||||||
|
+ else if (is_overlayfs_whiteout && options->process_passthrough_whiteouts)
|
||||||
|
+ {
|
||||||
|
+ const char *name = destination_name + (sizeof (OVERLAYFS_WHITEOUT_PREFIX) - 1);
|
||||||
|
+
|
||||||
|
+ if (!name[0])
|
||||||
|
+ return glnx_throw (error, "Invalid empty overlayfs whiteout '%s'", name);
|
||||||
|
+
|
||||||
|
+ g_assert (name[0] != '/'); /* Sanity */
|
||||||
|
+
|
||||||
|
+ return _checkout_overlayfs_whiteout_at(repo, options, destination_dfd, name,
|
||||||
|
+ source_info, source_xattrs, cancellable, error);
|
||||||
|
+ }
|
||||||
|
else if (is_reg_zerosized || override_user_unreadable)
|
||||||
|
{
|
||||||
|
/* In https://github.com/ostreedev/ostree/commit/673cacd633f9d6b653cdea530657d3e780a41bbd we
|
||||||
|
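Review bot: The empty-name check throws "Invalid empty overlayfs whiteout '%s'" with `name` as the argument, which is by definition the empty string at that point, so the message never identifies the offending entry; pass `destination_name` instead. The following `g_assert (name[0] != '/')` is evaluated on a file name that comes from repository content, so a malformed commit would abort the process rather than fail the checkout. Suggest returning an error there as well.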
diff --git a/src/libostree/ostree-repo.h b/src/libostree/ostree-repo.h
|
||||||
|
index 98571170..b3d7f986 100644
|
||||||
|
--- a/src/libostree/ostree-repo.h
|
||||||
|
+++ b/src/libostree/ostree-repo.h
|
||||||
|
@@ -989,8 +989,9 @@ typedef struct {
|
||||||
|
gboolean force_copy; /* Since: 2017.6 */
|
||||||
|
gboolean bareuseronly_dirs; /* Since: 2017.7 */
|
||||||
|
gboolean force_copy_zerosized; /* Since: 2018.9 */
|
||||||
|
- gboolean unused_bools[4];
|
||||||
|
- /* 4 byte hole on 64 bit */
|
||||||
|
+ gboolean process_passthrough_whiteouts;
|
||||||
|
+ gboolean unused_bools[3];
|
||||||
|
+ /* 3 byte hole on 64 bit */
|
||||||
|
|
||||||
|
const char *subpath;
|
||||||
|
|
||||||
|
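Review bot: The comment change from "4 byte hole" to "3 byte hole" looks like it tracks the array length rather than the layout. One named `gboolean` plus `unused_bools[3]` occupies the same space as `unused_bools[4]` did, and `gboolean` is int-sized, so the hole before `subpath` is unchanged and the comment should keep saying 4 bytes. The new `process_passthrough_whiteouts` field is also the only one in this group without a `/* Since: ... */` annotation; please add one so API users can tell when it became available.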
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
index 404f336f..5c98103b 100644
|
||||||
|
--- a/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
+++ b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
@@ -641,7 +641,7 @@ checkout_deployment_tree (OstreeSysroot *sysroot,
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
/* Generate hardlink farm, then opendir it */
|
||||||
|
- OstreeRepoCheckoutAtOptions checkout_opts = { 0, };
|
||||||
|
+ OstreeRepoCheckoutAtOptions checkout_opts = { .process_passthrough_whiteouts = TRUE };
|
||||||
|
if (!ostree_repo_checkout_at (repo, &checkout_opts, osdeploy_dfd,
|
||||||
|
checkout_target_name, csum,
|
||||||
|
cancellable, error))
|
||||||
|
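Review bot: `.process_passthrough_whiteouts = TRUE` is now set for every deployment checkout with no way for a caller to opt out, and the commit content alone decides whether device nodes get created in the deployment root. The test library in this same patch notes that char 0:0 devices cannot be created inside containers mounted via overlayfs, so a deploy in such an environment would now fail where it previously succeeded. Document that behaviour change here, and make sure the failure path reports which entry could not be created.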
diff --git a/src/ostree/ot-builtin-checkout.c b/src/ostree/ot-builtin-checkout.c
|
||||||
|
index d69c8b0b..bfa43885 100644
|
||||||
|
--- a/src/ostree/ot-builtin-checkout.c
|
||||||
|
+++ b/src/ostree/ot-builtin-checkout.c
|
||||||
|
@@ -37,6 +37,7 @@ static gboolean opt_union;
|
||||||
|
static gboolean opt_union_add;
|
||||||
|
static gboolean opt_union_identical;
|
||||||
|
static gboolean opt_whiteouts;
|
||||||
|
+static gboolean opt_process_passthrough_whiteouts;
|
||||||
|
static gboolean opt_from_stdin;
|
||||||
|
static char *opt_from_file;
|
||||||
|
static gboolean opt_disable_fsync;
|
||||||
|
@@ -77,6 +78,7 @@ static GOptionEntry options[] = {
|
||||||
|
{ "union-add", 0, 0, G_OPTION_ARG_NONE, &opt_union_add, "Keep existing files/directories, only add new", NULL },
|
||||||
|
{ "union-identical", 0, 0, G_OPTION_ARG_NONE, &opt_union_identical, "When layering checkouts, error out if a file would be replaced with a different version, but add new files and directories", NULL },
|
||||||
|
{ "whiteouts", 0, 0, G_OPTION_ARG_NONE, &opt_whiteouts, "Process 'whiteout' (Docker style) entries", NULL },
|
||||||
|
+ { "process-passthrough-whiteouts", 0, 0, G_OPTION_ARG_NONE, &opt_process_passthrough_whiteouts, "Enable overlayfs whiteout extraction into char 0:0 devices", NULL },
|
||||||
|
{ "allow-noent", 0, 0, G_OPTION_ARG_NONE, &opt_allow_noent, "Do nothing if specified path does not exist", NULL },
|
||||||
|
{ "from-stdin", 0, 0, G_OPTION_ARG_NONE, &opt_from_stdin, "Process many checkouts from standard input", NULL },
|
||||||
|
{ "from-file", 0, 0, G_OPTION_ARG_STRING, &opt_from_file, "Process many checkouts from input file", "FILE" },
|
||||||
|
@@ -129,7 +131,8 @@ process_one_checkout (OstreeRepo *repo,
|
||||||
|
if (opt_disable_cache || opt_whiteouts || opt_require_hardlinks ||
|
||||||
|
opt_union_add || opt_force_copy || opt_force_copy_zerosized ||
|
||||||
|
opt_bareuseronly_dirs || opt_union_identical ||
|
||||||
|
- opt_skiplist_file || opt_selinux_policy || opt_selinux_prefix)
|
||||||
|
+ opt_skiplist_file || opt_selinux_policy || opt_selinux_prefix ||
|
||||||
|
+ opt_process_passthrough_whiteouts)
|
||||||
|
{
|
||||||
|
OstreeRepoCheckoutAtOptions checkout_options = { 0, };
|
||||||
|
|
||||||
|
@@ -162,6 +165,8 @@ process_one_checkout (OstreeRepo *repo,
|
||||||
|
}
|
||||||
|
if (opt_whiteouts)
|
||||||
|
checkout_options.process_whiteouts = TRUE;
|
||||||
|
+ if (opt_process_passthrough_whiteouts)
|
||||||
|
+ checkout_options.process_passthrough_whiteouts = TRUE;
|
||||||
|
if (subpath)
|
||||||
|
checkout_options.subpath = subpath;
|
||||||
|
|
||||||
|
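Review bot: nothing here says what happens when `opt_whiteouts` and `opt_process_passthrough_whiteouts` are both given; both flags are simply copied into `checkout_options`. Either reject the combination with a usage error or document which one takes precedence, since the two options treat whiteout entries in different ways.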
diff --git a/tests/archive-test.sh b/tests/archive-test.sh
|
||||||
|
index b6d84979..6b45790e 100644
|
||||||
|
--- a/tests/archive-test.sh
|
||||||
|
+++ b/tests/archive-test.sh
|
||||||
|
@@ -71,6 +71,11 @@ mkdir -p test-overlays
|
||||||
|
date > test-overlays/overlaid-file
|
||||||
|
$OSTREE commit ${COMMIT_ARGS} -b test-base --base test2 --owner-uid 42 --owner-gid 42 test-overlays/
|
||||||
|
$OSTREE ls -R test-base > ls.txt
|
||||||
|
-assert_streq "$(wc -l < ls.txt)" 14
|
||||||
|
+if can_create_whiteout_devices; then
|
||||||
|
+ assert_streq "$(wc -l < ls.txt)" 17
|
||||||
|
+else
|
||||||
|
+ assert_streq "$(wc -l < ls.txt)" 14
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
assert_streq "$(grep '42.*42' ls.txt | wc -l)" 2
|
||||||
|
echo "ok commit overlay base"
|
||||||
|
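Review bot: the expected line count is chosen by calling `can_create_whiteout_devices` again, but the fixture in `setup_test_repository` decides whether to create the `whiteouts/` directory from `OSTREE_NO_WHITEOUTS`. If the two ever disagree (for example the variable is already set in the environment) the count is off by three for no real reason. Test the same variable the fixture used, and add a comment explaining that 17 is 14 plus the directory and its two marker files.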
diff --git a/tests/basic-test.sh b/tests/basic-test.sh
|
||||||
|
index 04506c3d..0878e6f6 100644
|
||||||
|
--- a/tests/basic-test.sh
|
||||||
|
+++ b/tests/basic-test.sh
|
||||||
|
@@ -19,7 +19,7 @@
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
-echo "1..$((87 + ${extra_basic_tests:-0}))"
|
||||||
|
+echo "1..$((89 + ${extra_basic_tests:-0}))"
|
||||||
|
|
||||||
|
CHECKOUT_U_ARG=""
|
||||||
|
CHECKOUT_H_ARGS="-H"
|
||||||
|
@@ -1187,3 +1187,30 @@ if test "$(id -u)" != "0"; then
|
||||||
|
else
|
||||||
|
echo "ok # SKIP not run when root"
|
||||||
|
fi
|
||||||
|
+
|
||||||
|
+if ! skip_one_without_whiteouts_devices; then
|
||||||
|
+ cd ${test_tmpdir}
|
||||||
|
+ rm checkout-test2 -rf
|
||||||
|
+ $OSTREE checkout test2 checkout-test2
|
||||||
|
+
|
||||||
|
+ assert_not_has_file checkout-test2/whiteouts/whiteout
|
||||||
|
+ assert_not_has_file checkout-test2/whiteouts/whiteout2
|
||||||
|
+ assert_has_file checkout-test2/whiteouts/.ostree-wh.whiteout
|
||||||
|
+ assert_has_file checkout-test2/whiteouts/.ostree-wh.whiteout2
|
||||||
|
+
|
||||||
|
+ echo "ok checkout: no whiteout passthrough by default"
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if ! skip_one_without_whiteouts_devices; then
|
||||||
|
+ cd ${test_tmpdir}
|
||||||
|
+ rm checkout-test2 -rf
|
||||||
|
+ $OSTREE checkout --process-passthrough-whiteouts test2 checkout-test2
|
||||||
|
+
|
||||||
|
+ assert_not_has_file checkout-test2/whiteouts/.ostree-wh.whiteout
|
||||||
|
+ assert_not_has_file checkout-test2/whiteouts/.ostree-wh.whiteout2
|
||||||
|
+
|
||||||
|
+ assert_is_whiteout_device checkout-test2/whiteouts/whiteout
|
||||||
|
+ assert_is_whiteout_device checkout-test2/whiteouts/whiteout2
|
||||||
|
+
|
||||||
|
+ echo "ok checkout: whiteout with overlayfs passthrough processing"
|
||||||
|
+fi
|
||||||
|
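Review bot: the passthrough block checks that `whiteout2` becomes a whiteout device but never checks its mode, although the fixture sets `chmod 755` on `.ostree-wh.whiteout2` specifically; add an `assert_file_has_mode` so mode preservation is covered for plain checkouts and not only for deployments. Style: quote `${test_tmpdir}` in `cd ${test_tmpdir}`, and write `rm -rf checkout-test2` with the options before the operand.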
diff --git a/tests/libtest.sh b/tests/libtest.sh
|
||||||
|
index 686f08dc..5830f210 100755
|
||||||
|
--- a/tests/libtest.sh
|
||||||
|
+++ b/tests/libtest.sh
|
||||||
|
@@ -148,6 +148,20 @@ if ! have_selinux_relabel; then
|
||||||
|
fi
|
||||||
|
echo done
|
||||||
|
|
||||||
|
+# whiteout char 0:0 devices can be created as regular users, but
|
||||||
|
+# cannot be created inside containers mounted via overlayfs
|
||||||
|
+can_create_whiteout_devices() {
|
||||||
|
+ mknod -m 000 ${test_tmpdir}/.test-whiteout c 0 0 || return 1
|
||||||
|
+ rm -f ${test_tmpdir}/.test-whiteout
|
||||||
|
+ return 0
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+echo -n checking for overlayfs whiteouts...
|
||||||
|
+if ! can_create_whiteout_devices; then
|
||||||
|
+ export OSTREE_NO_WHITEOUTS=1
|
||||||
|
+fi
|
||||||
|
+echo done
|
||||||
|
+
|
||||||
|
if test -n "${OT_TESTS_DEBUG:-}"; then
|
||||||
|
set -x
|
||||||
|
fi
|
||||||
|
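Review bot: `can_create_whiteout_devices` uses a fixed probe path and only removes it after a successful `mknod`, so a stale `.test-whiteout` left by an interrupted run makes `mknod` fail with "File exists" and the suite silently concludes that whiteouts are unsupported. Remove the probe file before calling `mknod` as well, quote `${test_tmpdir}`, and redirect the expected failure message to `/dev/null` so the "checking for overlayfs whiteouts..." line is not interleaved with an error.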
@@ -245,6 +259,15 @@ setup_test_repository () {
|
||||||
|
ln -s nonexistent baz/alink
|
||||||
|
mkdir baz/another/
|
||||||
|
echo x > baz/another/y
|
||||||
|
+
|
||||||
|
+ # if we are running inside a container we cannot test
|
||||||
|
+ # the overlayfs whiteout marker passthrough
|
||||||
|
+ if ! test -n "${OSTREE_NO_WHITEOUTS:-}"; then
|
||||||
|
+ mkdir whiteouts
|
||||||
|
+ touch whiteouts/.ostree-wh.whiteout
|
||||||
|
+ touch whiteouts/.ostree-wh.whiteout2
|
||||||
|
+ chmod 755 whiteouts/.ostree-wh.whiteout2
|
||||||
|
+ fi
|
||||||
|
umask "${oldumask}"
|
||||||
|
|
||||||
|
cd ${test_tmpdir}/files
|
||||||
|
@@ -406,7 +429,7 @@ setup_os_repository () {
|
||||||
|
mkdir osdata
|
||||||
|
cd osdata
|
||||||
|
kver=3.6.0
|
||||||
|
- mkdir -p usr/bin ${bootdir} usr/lib/modules/${kver} usr/share usr/etc
|
||||||
|
+ mkdir -p usr/bin ${bootdir} usr/lib/modules/${kver} usr/share usr/etc usr/container/layers/abcd
|
||||||
|
kernel_path=${bootdir}/vmlinuz
|
||||||
|
initramfs_path=${bootdir}/initramfs.img
|
||||||
|
# the HMAC file is only in /usr/lib/modules
|
||||||
|
@@ -449,6 +472,17 @@ EOF
|
||||||
|
mkdir -p usr/etc/testdirectory
|
||||||
|
echo "a default daemon file" > usr/etc/testdirectory/test
|
||||||
|
|
||||||
|
+ # if we are running inside a container we cannot test
|
||||||
|
+ # the overlayfs whiteout marker passthrough
|
||||||
|
+ if ! test -n "${OSTREE_NO_WHITEOUTS:-}"; then
|
||||||
|
+ # overlayfs whiteout passhthrough marker files
|
||||||
|
+ touch usr/container/layers/abcd/.ostree-wh.whiteout
|
||||||
|
+ chmod 400 usr/container/layers/abcd/.ostree-wh.whiteout
|
||||||
|
+
|
||||||
|
+ touch usr/container/layers/abcd/.ostree-wh.whiteout2
|
||||||
|
+ chmod 777 usr/container/layers/abcd/.ostree-wh.whiteout2
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
${CMD_PREFIX} ostree --repo=${test_tmpdir}/testos-repo commit ${bootable_flag} --add-metadata-string version=1.0.9 -b testos/buildmain/x86_64-runtime -s "Build"
|
||||||
|
|
||||||
|
# Ensure these commits have distinct second timestamps
|
||||||
|
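Review bot: typo in the added comment, "passhthrough" should be "passthrough". The guard `if ! test -n "${OSTREE_NO_WHITEOUTS:-}"` is easier to read as `if test -z "${OSTREE_NO_WHITEOUTS:-}"`, here and in the identical guard in `setup_test_repository`. A one-line comment on why the two markers get modes 400 and 777 would also help, since the deploy test depends on those exact values.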
@@ -588,6 +622,22 @@ skip_without_user_xattrs () {
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
+# Usage: if ! skip_one_without_whiteouts_devices; then ... more tests ...; fi
|
||||||
|
+skip_one_without_whiteouts_devices() {
|
||||||
|
+ if ! can_create_whiteout_devices; then
|
||||||
|
+ echo "ok # SKIP - this test requires whiteout device support (test outside containers)"
|
||||||
|
+ return 0
|
||||||
|
+ else
|
||||||
|
+ return 1
|
||||||
|
+ fi
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+skip_without_whiteouts_devices () {
|
||||||
|
+ if ! can_create_whiteout_devices; then
|
||||||
|
+ skip "this test requires whiteout device support (test outside containers)"
|
||||||
|
+ fi
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
_have_systemd_and_libmount=''
|
||||||
|
have_systemd_and_libmount() {
|
||||||
|
if test "${_have_systemd_and_libmount}" = ''; then
|
||||||
|
diff --git a/tests/test-admin-deploy-whiteouts.sh b/tests/test-admin-deploy-whiteouts.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 00000000..66421949
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/test-admin-deploy-whiteouts.sh
|
||||||
|
@@ -0,0 +1,42 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+#
|
||||||
|
+# Copyright (C) 2022 Red Hat, Inc.
|
||||||
|
+#
|
||||||
|
+# SPDX-License-Identifier: LGPL-2.0+
|
||||||
|
+#
|
||||||
|
+# This library is free software; you can redistribute it and/or
|
||||||
|
+# modify it under the terms of the GNU Lesser General Public
|
||||||
|
+# License as published by the Free Software Foundation; either
|
||||||
|
+# version 2 of the License, or (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This library is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+# Lesser General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU Lesser General Public
|
||||||
|
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
+
|
||||||
|
+set -euox pipefail
|
||||||
|
+
|
||||||
|
+. $(dirname $0)/libtest.sh
|
||||||
|
+
|
||||||
|
+skip_without_whiteouts_devices
|
||||||
|
+
|
||||||
|
+# Exports OSTREE_SYSROOT so --sysroot not needed.
|
||||||
|
+setup_os_repository "archive" "syslinux"
|
||||||
|
+${CMD_PREFIX} ostree --repo=sysroot/ostree/repo pull-local --remote=testos testos-repo testos/buildmain/x86_64-runtime
|
||||||
|
+
|
||||||
|
+echo "1..3"
|
||||||
|
+${CMD_PREFIX} ostree admin deploy --os=testos --karg=root=LABEL=foo --karg=testkarg=1 testos:testos/buildmain/x86_64-runtime
|
||||||
|
+origdeployment=$(${CMD_PREFIX} ostree admin --sysroot=sysroot --print-current-dir)
|
||||||
|
+
|
||||||
|
+assert_is_whiteout_device "${origdeployment}"/usr/container/layers/abcd/whiteout
|
||||||
|
+echo "ok whiteout deployment"
|
||||||
|
+
|
||||||
|
+assert_not_has_file "${origdeployment}"/usr/container/layers/abcd/.ostree-wh.whiteout
|
||||||
|
+echo "ok .ostree-wh.whiteout not created"
|
||||||
|
+
|
||||||
|
+assert_file_has_mode "${origdeployment}"/usr/container/layers/abcd/whiteout 400
|
||||||
|
+assert_file_has_mode "${origdeployment}"/usr/container/layers/abcd/whiteout2 777
|
||||||
|
+echo "ok whiteout permissions are preserved"
|
||||||
|
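Review bot: the test asserts that `whiteout` is a whiteout device and that `.ostree-wh.whiteout` is gone, but does neither for the second marker; `whiteout2` is only checked for its mode, which would also pass if it had been checked out as a regular file. Add `assert_is_whiteout_device` and `assert_not_has_file` for the `whiteout2` pair. Style: quote the command substitution in `. $(dirname $0)/libtest.sh`.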
--
|
||||||
|
2.37.3
|
||||||
|
|
@ -1,52 +0,0 @@
|
|||||||
From 6756841a7d04c3cc651a1ce7de35c55c754578d3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Colin Walters <walters@verbum.org>
|
|
||||||
Date: Mon, 29 Jul 2024 15:17:10 -0400
|
|
||||||
Subject: [PATCH 1/1] repo: NUL terminate readlinkat result
|
|
||||||
|
|
||||||
Coverity was correctly complaining about this.
|
|
||||||
|
|
||||||
Signed-off-by: Colin Walters <walters@verbum.org>
|
|
||||||
---
|
|
||||||
src/libostree/ostree-repo-commit.c | 11 ++++++++---
|
|
||||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
|
|
||||||
index 4d12d5ec..db83ebf2 100644
|
|
||||||
--- a/src/libostree/ostree-repo-commit.c
|
|
||||||
+++ b/src/libostree/ostree-repo-commit.c
|
|
||||||
@@ -794,7 +794,7 @@ _try_clone_from_payload_link (OstreeRepo *self, OstreeRepo *dest_repo, const cha
|
|
||||||
glnx_autofd int fdf = -1;
|
|
||||||
char loose_path_buf[_OSTREE_LOOSE_PATH_MAX];
|
|
||||||
char loose_path_target_buf[_OSTREE_LOOSE_PATH_MAX];
|
|
||||||
- char target_buf[_OSTREE_LOOSE_PATH_MAX + _OSTREE_PAYLOAD_LINK_PREFIX_LEN];
|
|
||||||
+ char target_buf[_OSTREE_LOOSE_PATH_MAX + _OSTREE_PAYLOAD_LINK_PREFIX_LEN + 1];
|
|
||||||
char target_checksum[OSTREE_SHA256_STRING_LEN + 1];
|
|
||||||
int dfd = dfd_searches[i];
|
|
||||||
ssize_t size;
|
|
||||||
@@ -804,16 +804,21 @@ _try_clone_from_payload_link (OstreeRepo *self, OstreeRepo *dest_repo, const cha
|
|
||||||
_ostree_loose_path (loose_path_buf, payload_checksum, OSTREE_OBJECT_TYPE_PAYLOAD_LINK,
|
|
||||||
self->mode);
|
|
||||||
|
|
||||||
- size = TEMP_FAILURE_RETRY (readlinkat (dfd, loose_path_buf, target_buf, sizeof (target_buf)));
|
|
||||||
+ size = TEMP_FAILURE_RETRY (
|
|
||||||
+ readlinkat (dfd, loose_path_buf, target_buf, sizeof (target_buf) - 1));
|
|
||||||
if (size < 0)
|
|
||||||
{
|
|
||||||
if (errno == ENOENT)
|
|
||||||
continue;
|
|
||||||
return glnx_throw_errno_prefix (error, "readlinkat");
|
|
||||||
}
|
|
||||||
+ target_buf[size] = '\0';
|
|
||||||
|
|
||||||
+ const size_t expected_len = OSTREE_SHA256_STRING_LEN + _OSTREE_PAYLOAD_LINK_PREFIX_LEN;
|
|
||||||
if (size < OSTREE_SHA256_STRING_LEN + _OSTREE_PAYLOAD_LINK_PREFIX_LEN)
|
|
||||||
- return glnx_throw (error, "invalid data size for %s", loose_path_buf);
|
|
||||||
+ return glnx_throw (error, "invalid data size for %s; expected=%llu found=%llu",
|
|
||||||
+ loose_path_buf, (unsigned long long)expected_len,
|
|
||||||
+ (unsigned long long)size);
|
|
||||||
|
|
||||||
snprintf (target_checksum, size, "%.2s%.62s", target_buf + _OSTREE_PAYLOAD_LINK_PREFIX_LEN,
|
|
||||||
target_buf + _OSTREE_PAYLOAD_LINK_PREFIX_LEN + 3);
|
|
||||||
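Review bot: `expected_len` is introduced but the comparison on the next line still spells out `OSTREE_SHA256_STRING_LEN + _OSTREE_PAYLOAD_LINK_PREFIX_LEN`, so the value is used only in the error message; compare against `expected_len` so the check and the message cannot drift apart. Since `readlinkat` is now given `sizeof (target_buf) - 1`, a return value equal to that limit means the target may have been truncated and should be rejected explicitly. The unchanged `snprintf (target_checksum, size, ...)` below also bounds the write by the link length and not by `sizeof (target_checksum)`; worth fixing while this code is being touched.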
--
|
|
||||||
2.45.2
|
|
||||||
|
|
@ -0,0 +1,40 @@
|
|||||||
|
From e5b45f861a4d5738679f37d46ebca6e171bb3212 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Colin Walters <walters@verbum.org>
|
||||||
|
Date: Mon, 4 Apr 2022 10:25:35 -0400
|
||||||
|
Subject: [PATCH 2/6] libarchive: Handle `archive_entry_symlink()` returning
|
||||||
|
NULL
|
||||||
|
|
||||||
|
The `archive_entry_symlink()` API can definitely return `NULL`,
|
||||||
|
reading through the libarchive sources.
|
||||||
|
|
||||||
|
I hit this in the wild when using old ostree-ext to try to unpack
|
||||||
|
a chunked archive.
|
||||||
|
|
||||||
|
I didn't try to characterize this more, and sorry no unit test right
|
||||||
|
now.
|
||||||
|
---
|
||||||
|
src/libostree/ostree-repo-libarchive.c | 8 ++++++--
|
||||||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-repo-libarchive.c b/src/libostree/ostree-repo-libarchive.c
|
||||||
|
index 679aa44d..631c6d4b 100644
|
||||||
|
--- a/src/libostree/ostree-repo-libarchive.c
|
||||||
|
+++ b/src/libostree/ostree-repo-libarchive.c
|
||||||
|
@@ -146,8 +146,12 @@ file_info_from_archive_entry (struct archive_entry *entry)
|
||||||
|
|
||||||
|
g_autoptr(GFileInfo) info = _ostree_stbuf_to_gfileinfo (&stbuf);
|
||||||
|
if (S_ISLNK (stbuf.st_mode))
|
||||||
|
- g_file_info_set_attribute_byte_string (info, "standard::symlink-target",
|
||||||
|
- archive_entry_symlink (entry));
|
||||||
|
+ {
|
||||||
|
+ const char *target = archive_entry_symlink (entry);
|
||||||
|
+ if (target != NULL)
|
||||||
|
+ g_file_info_set_attribute_byte_string (info, "standard::symlink-target",
|
||||||
|
+ target);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
return g_steal_pointer (&info);
|
||||||
|
}
|
||||||
|
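Review bot: when `archive_entry_symlink (entry)` returns NULL the function now returns a `GFileInfo` that is still typed as a symlink but carries no `standard::symlink-target`, so the NULL is only moved to whichever caller reads that attribute next. Please either confirm that every consumer tolerates a target-less symlink or have the importer reject such an entry with a clear error. The commit message says there is no unit test; a minimal archive that reproduces the NULL return would keep this from regressing.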
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,82 @@
|
|||||||
|
From 4a997ae08605ebe6ca02d9f422082f954e667a6c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Sat, 30 Apr 2022 12:20:11 +0100
|
||||||
|
Subject: [PATCH 3/6] repo: Factor out _ostree_repo_auto_transaction_new()
|
||||||
|
|
||||||
|
This will allow the direct allocation in
|
||||||
|
ostree_repo_prepare_transaction() to be replaced with a call to this
|
||||||
|
function, avoiding breaking encapsulation.
|
||||||
|
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
(cherry picked from commit 540e60c3e3ace66dd4e6cf825488fc918260a642)
|
||||||
|
---
|
||||||
|
src/libostree/ostree-repo-private.h | 4 ++++
|
||||||
|
src/libostree/ostree-repo.c | 32 ++++++++++++++++++++++++-----
|
||||||
|
2 files changed, 31 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-repo-private.h b/src/libostree/ostree-repo-private.h
|
||||||
|
index 988c2179..96253e77 100644
|
||||||
|
--- a/src/libostree/ostree-repo-private.h
|
||||||
|
+++ b/src/libostree/ostree-repo-private.h
|
||||||
|
@@ -554,4 +554,8 @@ GType _ostree_repo_auto_transaction_get_type (void);
|
||||||
|
|
||||||
|
G_DEFINE_AUTOPTR_CLEANUP_FUNC (OstreeRepoAutoTransaction, _ostree_repo_auto_transaction_unref);
|
||||||
|
|
||||||
|
+/* Internal function to break a circular dependency:
|
||||||
|
+ * should not be made into public API, even if the rest is */
|
||||||
|
+OstreeRepoAutoTransaction *_ostree_repo_auto_transaction_new (OstreeRepo *repo);
|
||||||
|
+
|
||||||
|
G_END_DECLS
|
||||||
|
diff --git a/src/libostree/ostree-repo.c b/src/libostree/ostree-repo.c
|
||||||
|
index a27591b3..f6bffd60 100644
|
||||||
|
--- a/src/libostree/ostree-repo.c
|
||||||
|
+++ b/src/libostree/ostree-repo.c
|
||||||
|
@@ -709,6 +709,32 @@ ostree_repo_auto_lock_cleanup (OstreeRepoAutoLock *auto_lock)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+/**
|
||||||
|
+ * _ostree_repo_auto_transaction_new:
|
||||||
|
+ * @repo: (not nullable): an #OsreeRepo object
|
||||||
|
+ * @cancellable: Cancellable
|
||||||
|
+ * @error: a #GError
|
||||||
|
+ *
|
||||||
|
+ * Return a guard for a transaction in @repo.
|
||||||
|
+ *
|
||||||
|
+ * Do not call this function outside the OstreeRepo transaction implementation.
|
||||||
|
+ * Use _ostree_repo_auto_transaction_start() instead.
|
||||||
|
+ *
|
||||||
|
+ * Returns: (transfer full): an #OstreeRepoAutoTransaction guard on success,
|
||||||
|
+ * %NULL otherwise.
|
||||||
|
+ */
|
||||||
|
+OstreeRepoAutoTransaction *
|
||||||
|
+_ostree_repo_auto_transaction_new (OstreeRepo *repo)
|
||||||
|
+{
|
||||||
|
+ g_assert (repo != NULL);
|
||||||
|
+
|
||||||
|
+ OstreeRepoAutoTransaction *txn = g_malloc(sizeof(OstreeRepoAutoTransaction));
|
||||||
|
+ txn->atomic_refcount = 1;
|
||||||
|
+ txn->repo = g_object_ref (repo);
|
||||||
|
+
|
||||||
|
+ return g_steal_pointer (&txn);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* _ostree_repo_auto_transaction_start:
|
||||||
|
* @repo: (not nullable): an #OsreeRepo object
|
||||||
|
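Review bot: the doc comment for `_ostree_repo_auto_transaction_new` does not match the function. It documents `@cancellable` and `@error`, which are not parameters, and says it returns `%NULL` on failure although the body cannot fail (`g_malloc` aborts on allocation failure). It also carries over the `#OsreeRepo` typo for `#OstreeRepo`. In the body, `g_steal_pointer (&txn)` on a plain local adds nothing; `return txn;` is enough.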
@@ -730,11 +756,7 @@ _ostree_repo_auto_transaction_start (OstreeRepo *repo,
|
||||||
|
if (!ostree_repo_prepare_transaction (repo, NULL, cancellable, error))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
- OstreeRepoAutoTransaction *txn = g_malloc(sizeof(OstreeRepoAutoTransaction));
|
||||||
|
- txn->atomic_refcount = 1;
|
||||||
|
- txn->repo = g_object_ref (repo);
|
||||||
|
-
|
||||||
|
- return g_steal_pointer (&txn);
|
||||||
|
+ return _ostree_repo_auto_transaction_new (repo);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,39 @@
|
|||||||
|
From 51c7960bea081446ad217e9725408ce5cb531157 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon McVittie <smcv@collabora.com>
|
||||||
|
Date: Sat, 30 Apr 2022 12:53:42 +0100
|
||||||
|
Subject: [PATCH 4/6] repo: Correctly initialize refcount of temporary
|
||||||
|
transaction
|
||||||
|
|
||||||
|
Previously, the reference count was left uninitialized as a result of
|
||||||
|
bypassing the constructor, and the intended abort-on-error usually
|
||||||
|
wouldn't have happened.
|
||||||
|
|
||||||
|
Fixes: 8a9737a "repo/private: move OstreeRepoAutoTransaction to a boxed type"
|
||||||
|
Resolves: https://github.com/ostreedev/ostree/issues/2592
|
||||||
|
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||||
|
(cherry picked from commit 71304e854cdb344adb8b1ae7866929fbdde6c327)
|
||||||
|
---
|
||||||
|
src/libostree/ostree-repo-commit.c | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
|
||||||
|
index 5b16be5b..dba98c32 100644
|
||||||
|
--- a/src/libostree/ostree-repo-commit.c
|
||||||
|
+++ b/src/libostree/ostree-repo-commit.c
|
||||||
|
@@ -1688,10 +1688,10 @@ ostree_repo_prepare_transaction (OstreeRepo *self,
|
||||||
|
g_debug ("Preparing transaction in repository %p", self);
|
||||||
|
|
||||||
|
/* Set up to abort the transaction if we return early from this function.
|
||||||
|
- * This needs to be manually built here due to a circular dependency. */
|
||||||
|
- g_autoptr(OstreeRepoAutoTransaction) txn = g_malloc(sizeof(OstreeRepoAutoTransaction));
|
||||||
|
+ * We can't call _ostree_repo_auto_transaction_start() here, because that
|
||||||
|
+ * would be a circular dependency; use the lower-level version instead. */
|
||||||
|
+ g_autoptr(OstreeRepoAutoTransaction) txn = _ostree_repo_auto_transaction_new (self);
|
||||||
|
g_assert (txn != NULL);
|
||||||
|
- txn->repo = self;
|
||||||
|
|
||||||
|
memset (&self->txn.stats, 0, sizeof (OstreeRepoTransactionStats));
|
||||||
|
|
||||||
|
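Review bot: besides initializing the refcount, this changes ownership: the old code stored `self` in `txn->repo` without taking a reference, while `_ostree_repo_auto_transaction_new (self)` calls `g_object_ref (repo)`. That is the safer behaviour, but the commit message only mentions the refcount, so please state the extra reference there. The retained `g_assert (txn != NULL)` is now redundant, since the constructor never returns NULL.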
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,172 @@
|
|||||||
|
From 62e62bcfd8a1770b906faed083d11e451a50f566 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||||
|
Date: Wed, 9 Mar 2022 15:27:11 +0100
|
||||||
|
Subject: [PATCH 5/6] deploy: Try to rebuild policy in new deployment if needed
|
||||||
|
|
||||||
|
Whenever the user has SELinux enabled and has any local
|
||||||
|
modules/modifications installed, it is necessary to rebuild the policy
|
||||||
|
in the final deployment, otherwise ostree will leave the binary policy
|
||||||
|
files unchanged from last deployment as it detects difference against
|
||||||
|
the base content (in rpm-ostree case this is the RPM content).
|
||||||
|
|
||||||
|
To avoid the situation where the policy binaries go stale once any local
|
||||||
|
customization of the policy is made, try to rebuild the policy as part
|
||||||
|
of sysroot_finalize_deployment(). Use the special
|
||||||
|
--rebuild-if-modules-changed switch, which detects if the input module
|
||||||
|
files have changed relative to last time the policy was built and skips
|
||||||
|
the most time-consuming part of the rebuild process if modules are
|
||||||
|
unchanged (thus making this a relatively cheap operation if the user
|
||||||
|
hasn't made any modifications to the shipped policy).
|
||||||
|
|
||||||
|
As suggested by Jonathan Lebon, this uses bubblewrap (via
|
||||||
|
g_spawn_sync()) to perform the rebuild inside the deployment's
|
||||||
|
filesystem tree, which also means that ostree will have a runtime
|
||||||
|
dependency on bubblewrap.
|
||||||
|
|
||||||
|
Partially addresses: https://github.com/coreos/fedora-coreos-tracker/issues/701
|
||||||
|
|
||||||
|
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||||
|
(cherry picked from commit edb4f3893474736156c654aa43bdbf3784991811)
|
||||||
|
---
|
||||||
|
ci/gh-install.sh | 1 +
|
||||||
|
src/libostree/ostree-sysroot-deploy.c | 117 ++++++++++++++++++++++++++
|
||||||
|
2 files changed, 118 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
index fc5916d8..a44721d8 100644
|
||||||
|
--- a/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
+++ b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
@@ -2830,6 +2830,118 @@ get_var_dfd (OstreeSysroot *self,
|
||||||
|
return glnx_opendirat (base_dfd, base_path, TRUE, ret_fd, error);
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef HAVE_SELINUX
|
||||||
|
+static void
|
||||||
|
+child_setup_fchdir (gpointer data)
|
||||||
|
+{
|
||||||
|
+ int fd = (int) (uintptr_t) data;
|
||||||
|
+ int rc __attribute__((unused));
|
||||||
|
+
|
||||||
|
+ rc = fchdir (fd);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Derived from rpm-ostree's rust/src/bwrap.rs
|
||||||
|
+ */
|
||||||
|
+static gboolean
|
||||||
|
+run_in_deployment (int deployment_dfd,
|
||||||
|
+ const gchar * const *child_argv,
|
||||||
|
+ gsize child_argc,
|
||||||
|
+ gint *exit_status,
|
||||||
|
+ gchar **stdout,
|
||||||
|
+ GError **error)
|
||||||
|
+{
|
||||||
|
+ static const gchar * const COMMON_ARGV[] = {
|
||||||
|
+ "/usr/bin/bwrap",
|
||||||
|
+ "--dev", "/dev", "--proc", "/proc", "--dir", "/run", "--dir", "/tmp",
|
||||||
|
+ "--chdir", "/",
|
||||||
|
+ "--die-with-parent",
|
||||||
|
+ "--unshare-pid",
|
||||||
|
+ "--unshare-uts",
|
||||||
|
+ "--unshare-ipc",
|
||||||
|
+ "--unshare-cgroup-try",
|
||||||
|
+ "--ro-bind", "/sys/block", "/sys/block",
|
||||||
|
+ "--ro-bind", "/sys/bus", "/sys/bus",
|
||||||
|
+ "--ro-bind", "/sys/class", "/sys/class",
|
||||||
|
+ "--ro-bind", "/sys/dev", "/sys/dev",
|
||||||
|
+ "--ro-bind", "/sys/devices", "/sys/devices",
|
||||||
|
+ "--bind", "usr", "/usr",
|
||||||
|
+ "--bind", "etc", "/etc",
|
||||||
|
+ "--bind", "var", "/var",
|
||||||
|
+ "--symlink", "/usr/lib", "/lib",
|
||||||
|
+ "--symlink", "/usr/lib32", "/lib32",
|
||||||
|
+ "--symlink", "/usr/lib64", "/lib64",
|
||||||
|
+ "--symlink", "/usr/bin", "/bin",
|
||||||
|
+ "--symlink", "/usr/sbin", "/sbin",
|
||||||
|
+ };
|
||||||
|
+ static const gsize COMMON_ARGC = sizeof (COMMON_ARGV) / sizeof (*COMMON_ARGV);
|
||||||
|
+
|
||||||
|
+ gsize i;
|
||||||
|
+ GPtrArray *args = g_ptr_array_sized_new (COMMON_ARGC + child_argc + 1);
|
||||||
|
+ g_autofree gchar **args_raw = NULL;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < COMMON_ARGC; i++)
|
||||||
|
+ g_ptr_array_add (args, (gchar *) COMMON_ARGV[i]);
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < child_argc; i++)
|
||||||
|
+ g_ptr_array_add (args, (gchar *) child_argv[i]);
|
||||||
|
+
|
||||||
|
+ g_ptr_array_add (args, NULL);
|
||||||
|
+
|
||||||
|
+ args_raw = (gchar **) g_ptr_array_free (args, FALSE);
|
||||||
|
+
|
||||||
|
+ return g_spawn_sync (NULL, args_raw, NULL, 0, &child_setup_fchdir,
|
||||||
|
+ (gpointer) (uintptr_t) deployment_dfd,
|
||||||
|
+ stdout, NULL, exit_status, error);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Run semodule to check if the module content changed after merging /etc
|
||||||
|
+ * and rebuild the policy if needed.
|
||||||
|
+ */
|
||||||
|
+static gboolean
|
||||||
|
+sysroot_finalize_selinux_policy (int deployment_dfd, GError **error)
|
||||||
|
+{
|
||||||
|
+ struct stat stbuf;
|
||||||
|
+ gint exit_status;
|
||||||
|
+ g_autofree gchar *stdout = NULL;
|
||||||
|
+
|
||||||
|
+ if (!glnx_fstatat_allow_noent (deployment_dfd, "etc/selinux/config", &stbuf,
|
||||||
|
+ AT_SYMLINK_NOFOLLOW, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
+ /* Skip the SELinux policy refresh if /etc/selinux/config doesn't exist. */
|
||||||
|
+ if (errno != 0)
|
||||||
|
+ return TRUE;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Skip the SELinux policy refresh if the --rebuild-if-modules-changed
|
||||||
|
+ * flag is not supported by semodule.
|
||||||
|
+ */
|
||||||
|
+ static const gchar * const SEMODULE_HELP_ARGV[] = {
|
||||||
|
+ "semodule", "--help"
|
||||||
|
+ };
|
||||||
|
+ static const gsize SEMODULE_HELP_ARGC = sizeof (SEMODULE_HELP_ARGV) / sizeof (*SEMODULE_HELP_ARGV);
|
||||||
|
+ if (!run_in_deployment (deployment_dfd, SEMODULE_HELP_ARGV,
|
||||||
|
+ SEMODULE_HELP_ARGC, &exit_status, &stdout, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ if (!g_spawn_check_exit_status (exit_status, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ if (!strstr(stdout, "--rebuild-if-modules-changed"))
|
||||||
|
+ return TRUE;
|
||||||
|
+
|
||||||
|
+ static const gchar * const SEMODULE_REBUILD_ARGV[] = {
|
||||||
|
+ "semodule", "-N", "--rebuild-if-modules-changed"
|
||||||
|
+ };
|
||||||
|
+ static const gsize SEMODULE_REBUILD_ARGC = sizeof (SEMODULE_REBUILD_ARGV) / sizeof (*SEMODULE_REBUILD_ARGV);
|
||||||
|
+
|
||||||
|
+ if (!run_in_deployment (deployment_dfd, SEMODULE_REBUILD_ARGV,
|
||||||
|
+ SEMODULE_REBUILD_ARGC, &exit_status, NULL, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ return g_spawn_check_exit_status (exit_status, error);
|
||||||
|
+}
|
||||||
|
+#endif /* HAVE_SELINUX */
|
||||||
|
+
|
||||||
|
static gboolean
|
||||||
|
sysroot_finalize_deployment (OstreeSysroot *self,
|
||||||
|
OstreeDeployment *deployment,
|
||||||
|
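Review bot: `child_setup_fchdir` discards the result of `fchdir (fd)`. The bwrap arguments bind the relative paths `usr`, `etc` and `var`, so if the `fchdir` fails they resolve against whatever directory the parent was in and `semodule` would run against the wrong tree. Exit the child on failure (`if (fchdir (fd) < 0) _exit (1);`) so that `g_spawn_sync` reports an error instead. Separately, naming the parameter and the local variable `stdout` shadows the stdio identifier and can break on C libraries where `stdout` is a macro; something like `child_stdout` avoids that.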
@@ -2866,6 +2978,11 @@ sysroot_finalize_deployment (OstreeSysroot *self,
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef HAVE_SELINUX
|
||||||
|
+ if (!sysroot_finalize_selinux_policy(deployment_dfd, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+#endif /* HAVE_SELINUX */
|
||||||
|
+
|
||||||
|
const char *osdeploypath = glnx_strjoina ("ostree/deploy/", ostree_deployment_get_osname (deployment));
|
||||||
|
glnx_autofd int os_deploy_dfd = -1;
|
||||||
|
if (!glnx_opendirat (self->sysroot_fd, osdeploypath, TRUE, &os_deploy_dfd, error))
|
||||||
|
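Review bot: any failure in `sysroot_finalize_selinux_policy` now fails the whole deployment finalization, and that includes the case where `/usr/bin/bwrap` (hard-coded in `run_in_deployment`) is simply not installed on a system that has `etc/selinux/config`. Decide whether a missing helper or a failed policy rebuild should really block the deployment, or be logged and skipped; if it must be fatal, prefix the error so the cause is obvious. Style: add the space before the parenthesis in `sysroot_finalize_selinux_policy(deployment_dfd, error)` to match the surrounding code.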
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,35 @@
|
|||||||
|
From dd194eca7272afa457541abb2d8c25f90c4f478a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Colin Walters <walters@verbum.org>
|
||||||
|
Date: Mon, 28 Mar 2022 17:46:59 -0400
|
||||||
|
Subject: [PATCH 6/6] deploy: Be a bit more verbose about SELinux bits
|
||||||
|
|
||||||
|
Let's log when we don't find the expected CLI argument which
|
||||||
|
will help debug things.
|
||||||
|
|
||||||
|
(cherry picked from commit c58a4fe661d9d3bf2c515aa5605b1e094c0a62ca)
|
||||||
|
---
|
||||||
|
src/libostree/ostree-sysroot-deploy.c | 7 +++++--
|
||||||
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
index a44721d8..404f336f 100644
|
||||||
|
--- a/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
+++ b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
@@ -2926,9 +2926,12 @@ sysroot_finalize_selinux_policy (int deployment_dfd, GError **error)
|
||||||
|
SEMODULE_HELP_ARGC, &exit_status, &stdout, error))
|
||||||
|
return FALSE;
|
||||||
|
if (!g_spawn_check_exit_status (exit_status, error))
|
||||||
|
- return FALSE;
|
||||||
|
+ return glnx_prefix_error (error, "failed to run semodule");
|
||||||
|
if (!strstr(stdout, "--rebuild-if-modules-changed"))
|
||||||
|
- return TRUE;
|
||||||
|
+ {
|
||||||
|
+ ot_journal_print (LOG_INFO, "semodule does not have --rebuild-if-modules-changed");
|
||||||
|
+ return TRUE;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
static const gchar * const SEMODULE_REBUILD_ARGV[] = {
|
||||||
|
"semodule", "-N", "--rebuild-if-modules-changed"
|
||||||
|
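Review bot: the "failed to run semodule" prefix is added only for the `--help` probe; the later `--rebuild-if-modules-changed` invocation still returns the bare `g_spawn_check_exit_status` error, which is the failure an administrator is more likely to hit. Prefix that one too, ideally with wording that distinguishes the probe from the rebuild. Style: `strstr(stdout, ...)` is missing the space before the parenthesis.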
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,298 @@
|
|||||||
|
From 00697be199c08242e54c02e4557e20834030aaf3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nikita Dubrovskii <nikita@linux.ibm.com>
|
||||||
|
Date: Mon, 4 Apr 2022 16:09:50 +0200
|
||||||
|
Subject: [PATCH 1/5] s390x: generate sd-boot at its own partition
|
||||||
|
|
||||||
|
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/libostree/ostree-bootloader-zipl.c | 36 ++++++++++++++++++++++----
|
||||||
|
src/libostree/s390x-se-luks-gencpio | 4 +--
|
||||||
|
2 files changed, 33 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
index 02c10826c3..fe024d8046 100644
|
||||||
|
--- a/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
+++ b/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
@@ -21,12 +21,17 @@
|
||||||
|
#include "ostree-bootloader-zipl.h"
|
||||||
|
#include "ostree-deployment-private.h"
|
||||||
|
#include "otutil.h"
|
||||||
|
+#include <sys/mount.h>
|
||||||
|
+#include <sys/stat.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
-#define SECURE_EXECUTION_BOOT_IMAGE "/boot/sd-boot"
|
||||||
|
+#define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
|
||||||
|
+#define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
|
||||||
|
+#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
|
||||||
|
#define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/"
|
||||||
|
#define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
|
||||||
|
#define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"
|
||||||
|
+#define SECURE_EXECUTION_LUKS_BOOT_KEY "/etc/luks/boot"
|
||||||
|
#define SECURE_EXECUTION_LUKS_CONFIG "/etc/crypttab"
|
||||||
|
#define SECURE_EXECUTION_RAMDISK_TOOL PKGLIBEXECDIR "/s390x-se-luks-gencpio"
|
||||||
|
|
||||||
|
@@ -67,6 +72,25 @@ _ostree_bootloader_zipl_get_name (OstreeBootloader *bootloader)
|
||||||
|
return "zipl";
|
||||||
|
}
|
||||||
|
|
||||||
|
+static gboolean
|
||||||
|
+_ostree_secure_execution_mount(GError **error)
|
||||||
|
+{
|
||||||
|
+ const char *device = realpath (SECURE_EXECUTION_PARTITION, NULL);
|
||||||
|
+ if (device == NULL)
|
||||||
|
+ return glnx_throw_errno_prefix(error, "s390x SE: resolving %s", SECURE_EXECUTION_PARTITION);
|
||||||
|
+ if (mount (device, SECURE_EXECUTION_MOUNTPOINT, "ext4", 0, NULL) < 0)
|
||||||
|
+ return glnx_throw_errno_prefix (error, "s390x SE: Mounting %s", device);
|
||||||
|
+ return TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static gboolean
|
||||||
|
+_ostree_secure_execution_umount(GError **error)
|
||||||
|
+{
|
||||||
|
+ if (umount (SECURE_EXECUTION_MOUNTPOINT) < 0)
|
||||||
|
+ return glnx_throw_errno_prefix (error, "s390x SE: Unmounting %s", SECURE_EXECUTION_MOUNTPOINT);
|
||||||
|
+ return TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static gboolean
|
||||||
|
_ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
|
||||||
|
int bootversion,
|
||||||
|
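Review bot: in `_ostree_secure_execution_mount`, the string returned by `realpath (SECURE_EXECUTION_PARTITION, NULL)` is heap-allocated, stored in a `const char *`, and never freed, so it leaks on both the success path and the mount-failure path. Hold it in an owned pointer and release it before returning. The `mount ()` call also passes `0` as flags; since this partition only has to hold the boot image, consider `MS_NOSUID | MS_NODEV | MS_NOEXEC`. Nothing visible here creates or checks `SECURE_EXECUTION_MOUNTPOINT` before mounting on it, which deserves either a check or a comment saying who provides the directory.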
@@ -152,8 +176,8 @@ _ostree_secure_execution_get_bls_config (OstreeBootloaderZipl *self,
|
||||||
|
static gboolean
|
||||||
|
_ostree_secure_execution_luks_key_exists (void)
|
||||||
|
{
|
||||||
|
- return (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 &&
|
||||||
|
- access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0);
|
||||||
|
+ return (access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0 &&
|
||||||
|
+ (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 || access(SECURE_EXECUTION_LUKS_BOOT_KEY, F_OK) == 0));
|
||||||
|
}
|
||||||
|
|
||||||
|
static gboolean
|
||||||
|
@@ -250,7 +274,7 @@ static gboolean
|
||||||
|
_ostree_secure_execution_call_zipl (GError **error)
|
||||||
|
{
|
||||||
|
int status = 0;
|
||||||
|
- const char *const zipl_argv[] = {"zipl", "-V", "-t", "/boot", "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
|
||||||
|
+ const char *const zipl_argv[] = {"zipl", "-V", "-t", SECURE_EXECUTION_MOUNTPOINT, "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
|
||||||
|
if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH,
|
||||||
|
NULL, NULL, NULL, NULL, &status, error))
|
||||||
|
return glnx_prefix_error(error, "s390x SE: spawning zipl");
|
||||||
|
@@ -274,9 +298,11 @@ _ostree_secure_execution_enable (OstreeBootloaderZipl *self,
|
||||||
|
g_autofree gchar* options = NULL;
|
||||||
|
|
||||||
|
gboolean rc =
|
||||||
|
+ _ostree_secure_execution_mount (error) &&
|
||||||
|
_ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) &&
|
||||||
|
_ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) &&
|
||||||
|
- _ostree_secure_execution_call_zipl (error);
|
||||||
|
+ _ostree_secure_execution_call_zipl (error) &&
|
||||||
|
+ _ostree_secure_execution_umount (error);
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
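Review bot: the `&&` chain in `_ostree_secure_execution_enable` only reaches `_ostree_secure_execution_umount (error)` when every earlier step succeeded, so a failure in `get_bls_config`, `generate_sdboot` or `call_zipl` returns with `/sysroot/se` still mounted. The next attempt would then mount on top of a busy mountpoint. Run the unmount unconditionally once the mount has succeeded, and keep the first error rather than letting an unmount failure overwrite it.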
diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
|
||||||
|
index f0ad24eb32..7d62258a31 100755
|
||||||
|
--- a/src/libostree/s390x-se-luks-gencpio
|
||||||
|
+++ b/src/libostree/s390x-se-luks-gencpio
|
||||||
|
@@ -12,11 +12,11 @@ gzip -cd ${old_initrd} | cpio -imd --quiet
|
||||||
|
|
||||||
|
# Adding LUKS root key and crypttab config
|
||||||
|
mkdir -p etc/luks
|
||||||
|
-cp -f /etc/luks/root etc/luks/
|
||||||
|
+cp -f /etc/luks/* etc/luks/
|
||||||
|
cp -f /etc/crypttab etc/
|
||||||
|
|
||||||
|
# Creating new initramdisk image
|
||||||
|
-find . | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
|
||||||
|
+find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
rm -rf ${workdir}
|
||||||
|
|
||||||
|
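Review bot: `cp -f /etc/luks/* etc/luks/` now copies every file under `/etc/luks` into the generated initrd, not only the keys that `/etc/crypttab` references, and the comment above it still reads "Adding LUKS root key". Either copy the named keys (`root`, `boot`) explicitly or update the comment to say that the whole directory is embedded on purpose. With `set -euo pipefail` in effect, the glob also aborts the script when the directory is empty; that is consistent with the C-side key check, but a clearer error would help.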
From 91e71022ebc2422f278c285e55f4c88d7f572eeb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nikita Dubrovskii <nikita@linux.ibm.com>
|
||||||
|
Date: Mon, 23 May 2022 17:28:54 +0200
|
||||||
|
Subject: [PATCH 2/5] s390x: ensure SecureExecution is enabled before sd-boot
|
||||||
|
generation
|
||||||
|
|
||||||
|
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/libostree/ostree-bootloader-zipl.c | 24 ++++++++++++++++++------
|
||||||
|
1 file changed, 18 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
index fe024d8046..348dfe036d 100644
|
||||||
|
--- a/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
+++ b/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
@@ -25,6 +25,7 @@
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
+#define SECURE_EXECUTION_SYSFS_FLAG "/sys/firmware/uv/prot_virt_guest"
|
||||||
|
#define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
|
||||||
|
#define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
|
||||||
|
#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
|
||||||
|
@@ -109,6 +110,14 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static gboolean _ostree_secure_execution_is_enabled (GCancellable *cancellable) {
|
||||||
|
+ gsize len = 0;
|
||||||
|
+ g_autofree char *data = glnx_file_get_contents_utf8_at (-1, SECURE_EXECUTION_SYSFS_FLAG, &len, cancellable, NULL);
|
||||||
|
+ if (!data)
|
||||||
|
+ return FALSE;
|
||||||
|
+ return strstr (data, "1") != NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static gboolean
|
||||||
|
_ostree_secure_execution_get_keys (GPtrArray **keys,
|
||||||
|
GCancellable *cancellable,
|
||||||
|
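Review bot: `_ostree_secure_execution_is_enabled` passes `NULL` as the error argument to `glnx_file_get_contents_utf8_at`, so any read failure on `SECURE_EXECUTION_SYSFS_FLAG` is reported as "not enabled" and the caller silently takes the non-SE path. Only a missing file should mean disabled; other errors should propagate. `len` is also assigned but never used.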
@@ -329,12 +338,15 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader,
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
/* Try with Secure Execution */
|
||||||
|
- g_autoptr(GPtrArray) keys = NULL;
|
||||||
|
- if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
|
||||||
|
- return FALSE;
|
||||||
|
- if (keys && keys->len)
|
||||||
|
- return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
|
||||||
|
-
|
||||||
|
+ if ( _ostree_secure_execution_is_enabled (cancellable) )
|
||||||
|
+ {
|
||||||
|
+ g_autoptr(GPtrArray) keys = NULL;
|
||||||
|
+ if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ if (!keys || keys->len == 0)
|
||||||
|
+ return glnx_throw (error, "s390x SE: no keys");
|
||||||
|
+ return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
|
||||||
|
+ }
|
||||||
|
/* Fallback to non-SE setup */
|
||||||
|
const char *const zipl_argv[] = {"zipl", NULL};
|
||||||
|
int estatus;
|
||||||
|
|
||||||
|
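Review bot: the new `glnx_throw (error, "s390x SE: no keys")` turns the old silent fallback into a hard failure, which is the right direction, but the message does not tell the admin where keys were expected. Include `SECURE_EXECUTION_HOSTKEY_PATH` in the message. Style: `if ( _ostree_secure_execution_is_enabled (cancellable) )` has stray spaces inside the parentheses compared with the surrounding code.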
From 2e2854239189044cc1ffd100959b7c7bfe92b0f9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nikita Dubrovskii <nikita@linux.ibm.com>
|
||||||
|
Date: Tue, 24 May 2022 19:30:35 +0200
|
||||||
|
Subject: [PATCH 3/5] s390x: fail on error during reading of SecureExecution
|
||||||
|
sysfs flag
|
||||||
|
|
||||||
|
---
|
||||||
|
src/libostree/ostree-bootloader-zipl.c | 24 ++++++++++++++++++------
|
||||||
|
1 file changed, 18 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
index 348dfe036d..87b9b67aec 100644
|
||||||
|
--- a/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
+++ b/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
@@ -110,12 +110,21 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static gboolean _ostree_secure_execution_is_enabled (GCancellable *cancellable) {
|
||||||
|
- gsize len = 0;
|
||||||
|
- g_autofree char *data = glnx_file_get_contents_utf8_at (-1, SECURE_EXECUTION_SYSFS_FLAG, &len, cancellable, NULL);
|
||||||
|
+static gboolean _ostree_secure_execution_is_enabled (gboolean *out_enabled,
|
||||||
|
+ GCancellable *cancellable,
|
||||||
|
+ GError **error)
|
||||||
|
+{
|
||||||
|
+ *out_enabled = FALSE;
|
||||||
|
+ glnx_autofd int fd = -1;
|
||||||
|
+ if (!ot_openat_ignore_enoent (AT_FDCWD, SECURE_EXECUTION_SYSFS_FLAG, &fd, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ if (fd == -1)
|
||||||
|
+ return TRUE; //ENOENT --> SecureExecution is disabled
|
||||||
|
+ g_autofree char *data = glnx_fd_readall_utf8 (fd, NULL, cancellable, error);
|
||||||
|
if (!data)
|
||||||
|
return FALSE;
|
||||||
|
- return strstr (data, "1") != NULL;
|
||||||
|
+ *out_enabled = strstr (data, "1") != NULL;
|
||||||
|
+ return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static gboolean
|
||||||
|
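Review bot: `*out_enabled = strstr (data, "1") != NULL;` accepts any content that merely contains the character 1, for example "10" or "-1", as enabled. Strip trailing whitespace and compare against "1" exactly so that an unexpected value is not treated as a positive. The `//ENOENT --> SecureExecution is disabled` comment would also read better in the block-comment style used elsewhere in this file.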
@@ -338,13 +347,16 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader,
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
/* Try with Secure Execution */
|
||||||
|
- if ( _ostree_secure_execution_is_enabled (cancellable) )
|
||||||
|
+ gboolean se_enabled = FALSE;
|
||||||
|
+ if ( !_ostree_secure_execution_is_enabled (&se_enabled, cancellable, error))
|
||||||
|
+ return FALSE;
|
||||||
|
+ if (se_enabled)
|
||||||
|
{
|
||||||
|
g_autoptr(GPtrArray) keys = NULL;
|
||||||
|
if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
|
||||||
|
return FALSE;
|
||||||
|
if (!keys || keys->len == 0)
|
||||||
|
- return glnx_throw (error, "s390x SE: no keys");
|
||||||
|
+ return glnx_throw (error, "s390x SE: no keys");
|
||||||
|
return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
|
||||||
|
}
|
||||||
|
/* Fallback to non-SE setup */
|
||||||
|
|
||||||
|
From 89ed46e8a9f584e2a6c1966fbf4c99f0fe51424e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nikita Dubrovskii <nikita@linux.ibm.com>
|
||||||
|
Date: Fri, 27 May 2022 09:13:18 +0200
|
||||||
|
Subject: [PATCH 4/5] s390x: do not unpack existing initrd, just append LUKS
|
||||||
|
keys to its copy
|
||||||
|
|
||||||
|
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/libostree/s390x-se-luks-gencpio | 12 ++++++------
|
||||||
|
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
|
||||||
|
index 7d62258a31..f444198a40 100755
|
||||||
|
--- a/src/libostree/s390x-se-luks-gencpio
|
||||||
|
+++ b/src/libostree/s390x-se-luks-gencpio
|
||||||
|
@@ -4,19 +4,19 @@ set -euo pipefail
|
||||||
|
|
||||||
|
old_initrd=$1
|
||||||
|
new_initrd=$2
|
||||||
|
+currdir=$PWD
|
||||||
|
|
||||||
|
-# Unpacking existing initramdisk
|
||||||
|
+# Copying existing initramdisk
|
||||||
|
+cp ${old_initrd} ${new_initrd}
|
||||||
|
+
|
||||||
|
+# Appending LUKS root keys and crypttab config to the end of initrd
|
||||||
|
workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
|
||||||
|
cd ${workdir}
|
||||||
|
-gzip -cd ${old_initrd} | cpio -imd --quiet
|
||||||
|
-
|
||||||
|
-# Adding LUKS root key and crypttab config
|
||||||
|
mkdir -p etc/luks
|
||||||
|
cp -f /etc/luks/* etc/luks/
|
||||||
|
cp -f /etc/crypttab etc/
|
||||||
|
-
|
||||||
|
-# Creating new initramdisk image
|
||||||
|
find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
+cd ${currdir}
|
||||||
|
rm -rf ${workdir}
|
||||||
|
|
||||||
|
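Review bot: cleanup is still a plain `rm -rf ${workdir}` on the last line, and the script runs under `set -euo pipefail`, so a failure in either `cp` or in the `find | cpio | gzip` pipeline exits before it and leaves copies of the `/etc/luks` keys in the `/tmp/se-initramfs-XXXXXX` directory. Register the cleanup right after `mktemp` with an EXIT trap instead. `${old_initrd}`, `${new_initrd}`, `${workdir}` and `${currdir}` are also expanded unquoted, which breaks on paths containing spaces.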
From 2c8d5b95c7f2fee90e73bdd9222e002c44e797b7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nikita Dubrovskii <nikita@linux.ibm.com>
|
||||||
|
Date: Thu, 23 Jun 2022 15:54:04 +0200
|
||||||
|
Subject: [PATCH 5/5] s390x: rename sd-boot to sdboot
|
||||||
|
|
||||||
|
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/libostree/ostree-bootloader-zipl.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
index 87b9b67aec..0ff350f942 100644
|
||||||
|
--- a/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
+++ b/src/libostree/ostree-bootloader-zipl.c
|
||||||
|
@@ -28,7 +28,7 @@
|
||||||
|
#define SECURE_EXECUTION_SYSFS_FLAG "/sys/firmware/uv/prot_virt_guest"
|
||||||
|
#define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
|
||||||
|
#define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
|
||||||
|
-#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
|
||||||
|
+#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sdboot"
|
||||||
|
#define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/"
|
||||||
|
#define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
|
||||||
|
#define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"
|
@ -0,0 +1,32 @@
|
|||||||
|
From 56820e54392efc5dd59032f8872aaf219190ad4f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Colin Walters <walters@verbum.org>
|
||||||
|
Date: Thu, 14 Jul 2022 14:42:19 -0400
|
||||||
|
Subject: [PATCH] sign/ed25519: Verify signatures are minimum length
|
||||||
|
|
||||||
|
The ed25519 signature verification code does not
|
||||||
|
check that the signature is a minimum/correct length.
|
||||||
|
As a result, if the signature is too short, libsodium will end up
|
||||||
|
reading a few bytes out of bounds.
|
||||||
|
|
||||||
|
Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
|
||||||
|
Co-authored-by: Demi Marie Obenour <demi@invisiblethingslab.com>
|
||||||
|
|
||||||
|
Closes: https://github.com/ostreedev/ostree/security/advisories/GHSA-gqf4-p3gv-g8vw
|
||||||
|
---
|
||||||
|
src/libostree/ostree-sign-ed25519.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-sign-ed25519.c b/src/libostree/ostree-sign-ed25519.c
|
||||||
|
index 809ffe8790..f271fd49e0 100644
|
||||||
|
--- a/src/libostree/ostree-sign-ed25519.c
|
||||||
|
+++ b/src/libostree/ostree-sign-ed25519.c
|
||||||
|
@@ -209,6 +209,9 @@ gboolean ostree_sign_ed25519_data_verify (OstreeSign *self,
|
||||||
|
g_autoptr (GVariant) child = g_variant_get_child_value (signatures, i);
|
||||||
|
g_autoptr (GBytes) signature = g_variant_get_data_as_bytes(child);
|
||||||
|
|
||||||
|
+ if (g_bytes_get_size (signature) != crypto_sign_BYTES)
|
||||||
|
+ return glnx_throw (error, "Invalid signature length of %" G_GSIZE_FORMAT " bytes, expected %" G_GSIZE_FORMAT, (gsize) g_bytes_get_size (signature), (gsize) crypto_sign_BYTES);
|
||||||
|
+
|
||||||
|
g_autofree char * hex = g_malloc0 (crypto_sign_PUBLICKEYBYTES*2 + 1);
|
||||||
|
|
||||||
|
g_debug("Read signature %d: %s", (gint)i, g_variant_print(child, TRUE));
|
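Review bot: the length check returns from `ostree_sign_ed25519_data_verify` as soon as one entry is not `crypto_sign_BYTES` long, and it sits inside the loop over `signatures` (index `i`), so a single malformed entry fails verification even when a later entry would have been valid. Failing closed is defensible, but say so in a comment, because it differs from skipping to the next signature. The subject says "minimum length" while the code tests `!=`; the exact-length check is the stricter and better one, so the subject could match it. The diffstat shows no test; a case with a truncated signature would pin this down.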
@ -0,0 +1,57 @@
|
|||||||
|
From 9053aaffab2ec02ed377a82389422cc4e77dff8a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Abylay Ospan <aospan@amazon.com>
|
||||||
|
Date: Tue, 6 Jun 2023 02:13:14 +0000
|
||||||
|
Subject: [PATCH 16/17] commit: fix ostree deployment on 64-bit inode fs
|
||||||
|
|
||||||
|
This commit addresses a bug that was causing ostree deployment
|
||||||
|
to become corrupted on the large fs, when any package was installed using
|
||||||
|
'rpm-ostree install'.
|
||||||
|
|
||||||
|
In such instances, multiple files were assigned the same inode. For
|
||||||
|
example, the '/home' directory and a regular file 'pkg-get' were
|
||||||
|
assigned the same inode (2147484070), making the deployment unusable.
|
||||||
|
|
||||||
|
A root cause analysis was performed, running the process under gdb,
|
||||||
|
which revealed a lossy conversion from guint64 to guint32, for example
|
||||||
|
6442451366 converted to 2147484070:
|
||||||
|
|
||||||
|
(gdb) p name
|
||||||
|
$10 = 0x7fe9224d2d70 "home"
|
||||||
|
|
||||||
|
(gdb) p inode
|
||||||
|
$73 = 6442451366
|
||||||
|
|
||||||
|
(gdb) s
|
||||||
|
device=66311, modifier=0x7fe914791840) at
|
||||||
|
src/libostree/ostree-repo-commit.c:1590
|
||||||
|
|
||||||
|
The conversion resulted in entirely independent files potentially
|
||||||
|
receiving the same inode.
|
||||||
|
|
||||||
|
The issue was discovered on PoC machine equipped with a large NVME
|
||||||
|
(3.4TB), but the bug can be easily reproduced using `cosa run -m 4000
|
||||||
|
--qemu-size +3TB', followed by installation of any package using
|
||||||
|
`rpm-ostree install`. The resulting deployment will be unusable due to
|
||||||
|
many files being "corrupted" by the aforementioned issue.
|
||||||
|
|
||||||
|
(cherry picked from commit de6fddc6adee09a93901243dc7074090828a1912)
|
||||||
|
---
|
||||||
|
src/libostree/ostree-repo-commit.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
|
||||||
|
index dba98c32..e224d1cb 100644
|
||||||
|
--- a/src/libostree/ostree-repo-commit.c
|
||||||
|
+++ b/src/libostree/ostree-repo-commit.c
|
||||||
|
@@ -1584,7 +1584,7 @@ static const char *
|
||||||
|
devino_cache_lookup (OstreeRepo *self,
|
||||||
|
OstreeRepoCommitModifier *modifier,
|
||||||
|
guint32 device,
|
||||||
|
- guint32 inode)
|
||||||
|
+ guint64 inode)
|
||||||
|
{
|
||||||
|
OstreeDevIno dev_ino_key;
|
||||||
|
OstreeDevIno *dev_ino_val;
|
||||||
|
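Review bot: only `inode` is widened to `guint64` in `devino_cache_lookup`; `device` stays `guint32` in the same signature. The commit message describes exactly this kind of lossy narrowing for inodes, so confirm that the `OstreeDevIno` key fields and every caller carry the full width for both values, and note the result in the commit message. A regression test with an inode above 2^32 would keep this from recurring.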
--
|
||||||
|
2.40.1
|
||||||
|
|
33
SOURCES/0017-Add-an-always-on-inode64-feature.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From 8b86c6c0b520f6856f9f8dba09c97114113d3244 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Colin Walters <walters@verbum.org>
|
||||||
|
Date: Thu, 20 Jul 2023 09:13:43 -0400
|
||||||
|
Subject: [PATCH 17/17] Add an always-on `inode64` feature
|
||||||
|
|
||||||
|
As I (and others) will be backporting the fix in
|
||||||
|
https://github.com/ostreedev/ostree/pull/2874/commits/de6fddc6adee09a93901243dc7074090828a1912
|
||||||
|
pretty far, I want a way for sysadmins and OS builders to
|
||||||
|
be able to reliably see when their version of ostree has this fix
|
||||||
|
(Because comparing version numbers isn't portable).
|
||||||
|
---
|
||||||
|
configure.ac | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 3bd735ed..b58d0a67 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -82,7 +82,10 @@ AM_COND_IF([BUILDOPT_TSAN],
|
||||||
|
LT_PREREQ([2.2.4])
|
||||||
|
LT_INIT([disable-static])
|
||||||
|
|
||||||
|
-OSTREE_FEATURES=""
|
||||||
|
+dnl We have an always-on feature now to signify the fix for
|
||||||
|
+dnl https://github.com/ostreedev/ostree/pull/2874/commits/de6fddc6adee09a93901243dc7074090828a1912
|
||||||
|
+dnl "commit: fix ostree deployment on 64-bit inode fs"
|
||||||
|
+OSTREE_FEATURES="inode64"
|
||||||
|
AC_SUBST([OSTREE_FEATURES])
|
||||||
|
|
||||||
|
GLIB_TESTS
|
||||||
|
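Review bot: the `dnl` comment above `OSTREE_FEATURES="inode64"` explains why the feature exists, but neither it nor the commit message says how a sysadmin or OS builder is meant to check for it, which is the stated purpose. Add one line naming the command or API that exposes the feature list, and mention that the string must stay stable since downstream tooling will match on it.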
--
|
||||||
|
2.40.1
|
||||||
|
|
@ -0,0 +1,27 @@
|
|||||||
|
From 3443baa6e63b36d169f57027d7e80df614592c8e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Joseph Marrero <jmarrero@redhat.com>
|
||||||
|
Date: Fri, 4 Aug 2023 16:09:20 -0400
|
||||||
|
Subject: [PATCH] Backport: 7f70614a1ac1950ebde3df0e26cc9ab1d72b2f1f
|
||||||
|
|
||||||
|
---
|
||||||
|
src/libostree/ostree-sysroot-deploy.c | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
index 2454a587..4d6d796e 100644
|
||||||
|
--- a/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
+++ b/src/libostree/ostree-sysroot-deploy.c
|
||||||
|
@@ -1613,9 +1613,8 @@ static void *
|
||||||
|
sync_in_thread (void *ptr)
|
||||||
|
{
|
||||||
|
SyncData *syncdata = ptr;
|
||||||
|
- // Ensure that the caller is blocked waiting
|
||||||
|
- g_mutex_lock (&syncdata->mutex);
|
||||||
|
sync ();
|
||||||
|
+ g_mutex_lock (&syncdata->mutex);
|
||||||
|
// Signal success
|
||||||
|
syncdata->success = true;
|
||||||
|
g_cond_broadcast (&syncdata->cond);
|
||||||
|
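Review bot: the commit message is only "Backport: 7f70614a1ac1950ebde3df0e26cc9ab1d72b2f1f", with no description of the problem, while the hunk moves `g_mutex_lock (&syncdata->mutex)` to after `sync ()` and drops the comment "Ensure that the caller is blocked waiting". Carry the upstream explanation into the message, and replace the removed comment with one saying why holding the mutex across `sync ()` was wrong and why taking it only around the `success` update and the broadcast is sufficient.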
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,81 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# Update an existing system to use a read only sysroot
|
|
||||||
# and https://bugzilla.redhat.com/show_bug.cgi?id=2060976
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
main() {
|
|
||||||
|
|
||||||
# Used to condition execution of this unit at the systemd level
|
|
||||||
local -r stamp_file="/var/lib/.ostree-readonly-sysroot"
|
|
||||||
|
|
||||||
if [[ -f "${stamp_file}" ]]; then
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
local -r ostree_sysroot_readonly="$(ostree config --repo=/sysroot/ostree/repo get "sysroot.readonly" &> /dev/null || echo "false")"
|
|
||||||
if [[ "${ostree_sysroot_readonly}" == "true" ]]; then
|
|
||||||
# Nothing to do
|
|
||||||
touch "${stamp_file}"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
local -r boot_entries="$(ls -A /boot/loader/entries/ | wc -l)"
|
|
||||||
|
|
||||||
# Ensure that we can read BLS entries to avoid touching systems where /boot
|
|
||||||
# is not mounted
|
|
||||||
if [[ "${boot_entries}" -eq 0 ]]; then
|
|
||||||
echo "No BLS entry found: Maybe /boot is not mounted?" 1>&2
|
|
||||||
echo "This is unexpected thus no migration will be performed" 1>&2
|
|
||||||
touch "${stamp_file}"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if any existing deployment is still missing the rw karg
|
|
||||||
local rw_kargs_found=0
|
|
||||||
local count=0
|
|
||||||
for f in "/boot/loader/entries/"*; do
|
|
||||||
count="$(grep -c "^options .* rw" "${f}" || true)"
|
|
||||||
if [[ "${count}" -ge 1 ]]; then
|
|
||||||
rw_kargs_found=$((rw_kargs_found + 1))
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
# Some deployments are still missing the rw karg. Let's try to update them
|
|
||||||
if [[ "${boot_entries}" -ne "${rw_kargs_found}" ]]; then
|
|
||||||
# work around https://github.com/ostreedev/ostree/issues/2734#issuecomment-2353739450
|
|
||||||
stateroot=$(ls /ostree/deploy | head -n1)
|
|
||||||
if ls /boot/loader/entries/ostree-*-$stateroot.conf &>/dev/null; then
|
|
||||||
echo "Enabling bootloader naming workaround" 1>&2
|
|
||||||
export OSTREE_SYSROOT_OPTS=bootloader-naming-1
|
|
||||||
fi
|
|
||||||
ostree admin kargs edit-in-place --append-if-missing=rw || \
|
|
||||||
echo "Failed to edit kargs in place with ostree" 1>&2
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Re-check if any existing deployment is still missing the rw karg
|
|
||||||
rw_kargs_found=0
|
|
||||||
count=0
|
|
||||||
for f in "/boot/loader/entries/"*; do
|
|
||||||
count="$(grep -c "^options .* rw" "${f}" || true)"
|
|
||||||
if [[ "${count}" -ge 1 ]]; then
|
|
||||||
rw_kargs_found=$((rw_kargs_found + 1))
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
unset count
|
|
||||||
|
|
||||||
# If all deployments are good, then we can set the sysroot.readonly option
|
|
||||||
# in the ostree repo config
|
|
||||||
if [[ "${boot_entries}" -eq "${rw_kargs_found}" ]]; then
|
|
||||||
echo "Setting up the sysroot.readonly option in the ostree repo config"
|
|
||||||
ostree config --repo=/sysroot/ostree/repo set "sysroot.readonly" "true"
|
|
||||||
touch "${stamp_file}"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# If anything else before failed, we will retry on next boot
|
|
||||||
echo "Will retry next boot" 1>&2
|
|
||||||
exit 0
|
|
||||||
}
|
|
||||||
|
|
||||||
main "${@}"
|
|
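Review bot: in the `ostree_sysroot_readonly` assignment, `&> /dev/null` sits inside the command substitution and discards stdout as well as stderr, so the variable is either empty or "false" and the `== "true"` early-exit branch cannot be reached. Redirect only stderr (`2> /dev/null`) if the intent is to read the configured value. `stateroot=$(ls /ostree/deploy | head -n1)` also parses `ls` output and silently picks the first entry when more than one stateroot exists.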
@ -1,15 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=Read-Only Sysroot Migration
|
|
||||||
Documentation=https://ostreedev.github.io/ostree
|
|
||||||
ConditionPathExists=!/var/lib/.ostree-readonly-sysroot
|
|
||||||
ConditionPathExists=/run/ostree-booted
|
|
||||||
RequiresMountsFor=/sysroot /boot
|
|
||||||
ConditionPathIsReadWrite=/sysroot
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=/usr/libexec/ostree-readonly-sysroot-migration
|
|
||||||
RemainAfterExit=yes
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
@ -1,4 +1,4 @@
|
|||||||
# We haven't yet "productized" the tests
|
# Don't ship tests on RHEL > 7.
|
||||||
%if 0%{?rhel} > 7
|
%if 0%{?rhel} > 7
|
||||||
%bcond_with tests
|
%bcond_with tests
|
||||||
%else
|
%else
|
||||||
@ -7,17 +7,29 @@
|
|||||||
|
|
||||||
Summary: Tool for managing bootable, immutable filesystem trees
|
Summary: Tool for managing bootable, immutable filesystem trees
|
||||||
Name: ostree
|
Name: ostree
|
||||||
Version: 2024.7
|
Version: 2022.2
|
||||||
Release: 3%{?dist}
|
Release: 8%{?dist}
|
||||||
Source0: https://github.com/ostreedev/%{name}/releases/download/v%{version}/libostree-%{version}.tar.xz
|
Source0: https://github.com/ostreedev/%{name}/releases/download/v%{version}/libostree-%{version}.tar.xz
|
||||||
Source1: ostree-readonly-sysroot-migration
|
|
||||||
Source2: ostree-readonly-sysroot-migration.service
|
|
||||||
|
|
||||||
Patch0: 0001-repo-NUL-terminate-readlinkat-result.patch
|
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: https://ostree.readthedocs.io/en/latest/
|
URL: https://ostree.readthedocs.io/en/latest/
|
||||||
|
|
||||||
|
# We now track the rhel8 branch upstream, these are the patches
|
||||||
|
# since the 2022.2 release.
|
||||||
|
Patch0: 0001-Add-an-ostree-boot-complete.service-to-propagate-sta.patch
|
||||||
|
Patch1: 0002-libarchive-Handle-archive_entry_symlink-returning-NU.patch
|
||||||
|
Patch2: 0003-repo-Factor-out-_ostree_repo_auto_transaction_new.patch
|
||||||
|
Patch3: 0004-repo-Correctly-initialize-refcount-of-temporary-tran.patch
|
||||||
|
Patch4: 0005-deploy-Try-to-rebuild-policy-in-new-deployment-if-ne.patch
|
||||||
|
Patch5: 0006-deploy-Be-a-bit-more-verbose-about-SELinux-bits.patch
|
||||||
|
Patch6: 0007-backport-GH2694-secure-execution-enablement-s390x.patch
|
||||||
|
Patch7: 0008-backport-GH2696-ed25519-verify-signatures-minimum-length.patch
|
||||||
|
Patch8: 0001-Support-overlayfs-whiteouts-on-checkout.patch
|
||||||
|
# The original intention was to sync to the rhel8 branch upstream; that appears not to have happened
|
||||||
|
# Patches for https://bugzilla.redhat.com/show_bug.cgi?id=2224102
|
||||||
|
Patch16: 0016-commit-fix-ostree-deployment-on-64-bit-inode-fs.patch
|
||||||
|
Patch17: 0017-Add-an-always-on-inode64-feature.patch
|
||||||
|
Patch18: 0018-Backport-7f70614a1ac1950ebde3df0e26cc9ab1d72b2f1f.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: git
|
BuildRequires: git
|
||||||
# We always run autogen.sh
|
# We always run autogen.sh
|
||||||
@ -28,7 +40,6 @@ BuildRequires: gtk-doc
|
|||||||
BuildRequires: pkgconfig(zlib)
|
BuildRequires: pkgconfig(zlib)
|
||||||
BuildRequires: pkgconfig(libcurl)
|
BuildRequires: pkgconfig(libcurl)
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: pkgconfig(composefs)
|
|
||||||
# The tests still require soup
|
# The tests still require soup
|
||||||
BuildRequires: pkgconfig(libsoup-2.4)
|
BuildRequires: pkgconfig(libsoup-2.4)
|
||||||
BuildRequires: libattr-devel
|
BuildRequires: libattr-devel
|
||||||
@ -51,7 +62,6 @@ Requires: dracut
|
|||||||
Requires: /usr/bin/gpgv2
|
Requires: /usr/bin/gpgv2
|
||||||
Requires: systemd-units
|
Requires: systemd-units
|
||||||
Requires: %{name}-libs%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
|
||||||
Requires: composefs
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
libostree is a shared library designed primarily for
|
libostree is a shared library designed primarily for
|
||||||
@ -100,27 +110,17 @@ the functionality of the installed %{name} package.
|
|||||||
%autosetup -Sgit -n libostree-%{version}
|
%autosetup -Sgit -n libostree-%{version}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# gobject introspection does not work with LTO. There is an effort to fix this
|
|
||||||
# in the appropriate project upstreams, so hopefully LTO can be enabled someday
|
|
||||||
# Disable LTO.
|
|
||||||
%define _lto_cflags %{nil}
|
|
||||||
|
|
||||||
env NOCONFIGURE=1 ./autogen.sh
|
env NOCONFIGURE=1 ./autogen.sh
|
||||||
%configure --disable-silent-rules \
|
%configure --disable-silent-rules \
|
||||||
--enable-gtk-doc \
|
--enable-gtk-doc \
|
||||||
--with-selinux \
|
--with-selinux \
|
||||||
--with-curl \
|
--with-curl \
|
||||||
--with-openssl \
|
--with-openssl \
|
||||||
--with-composefs \
|
|
||||||
%{?with_tests:--enable-installed-tests=exclusive} \
|
%{?with_tests:--enable-installed-tests=exclusive} \
|
||||||
--with-dracut=yesbutnoconf
|
--with-dracut=yesbutnoconf
|
||||||
%make_build
|
%make_build
|
||||||
|
|
||||||
%install
|
%install
|
||||||
install -m 644 -D %{SOURCE2} %{buildroot}/usr/lib/systemd/system/ostree-readonly-sysroot-migration.service
|
|
||||||
install -m 755 -D %{SOURCE1} %{buildroot}/usr/libexec/ostree-readonly-sysroot-migration
|
|
||||||
install -dm0755 %{buildroot}%{_unitdir}/multi-user.target.wants/
|
|
||||||
ln -sf ../ostree-readonly-sysroot-migration.service %{buildroot}%{_unitdir}/multi-user.target.wants/
|
|
||||||
%make_install INSTALL="install -p -c"
|
%make_install INSTALL="install -p -c"
|
||||||
find %{buildroot} -name '*.la' -delete
|
find %{buildroot} -name '*.la' -delete
|
||||||
|
|
||||||
@ -146,13 +146,11 @@ find %{buildroot} -name '*.la' -delete
|
|||||||
%{_prefix}/lib/systemd/system-generators/ostree-system-generator
|
%{_prefix}/lib/systemd/system-generators/ostree-system-generator
|
||||||
%exclude %{_sysconfdir}/grub.d/*ostree
|
%exclude %{_sysconfdir}/grub.d/*ostree
|
||||||
%exclude %{_libexecdir}/libostree/grub2*
|
%exclude %{_libexecdir}/libostree/grub2*
|
||||||
|
%exclude %{_libexecdir}/libostree/ostree-trivial-httpd
|
||||||
%{_prefix}/lib/tmpfiles.d/*
|
%{_prefix}/lib/tmpfiles.d/*
|
||||||
%{_prefix}/lib/ostree
|
%{_prefix}/lib/ostree
|
||||||
# Moved in git master
|
# Moved in git master
|
||||||
%{_libexecdir}/libostree/*
|
%{_libexecdir}/libostree/*
|
||||||
%{_prefix}/lib/systemd/system/ostree-readonly-sysroot-migration.service
|
|
||||||
%{_libexecdir}/ostree-readonly-sysroot-migration
|
|
||||||
%{_unitdir}/multi-user.target.wants/ostree-readonly-sysroot-migration.service
|
|
||||||
|
|
||||||
%files libs
|
%files libs
|
||||||
%{_sysconfdir}/ostree
|
%{_sysconfdir}/ostree
|
||||||
@ -178,246 +176,98 @@ find %{buildroot} -name '*.la' -delete
|
|||||||
%files tests
|
%files tests
|
||||||
%{_libexecdir}/installed-tests
|
%{_libexecdir}/installed-tests
|
||||||
%{_datadir}/installed-tests
|
%{_datadir}/installed-tests
|
||||||
|
%{_libexecdir}/libostree/ostree-trivial-httpd
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Sep 12 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.7-3
|
* Tue Aug 08 2023 Joseph Marrero <jmarrero@fedoraproject.org> - 2022.2-8
|
||||||
- Rebuild to pickup changes to ostree-readonly-sysroot-migration
|
- Backport for https://github.com/ostreedev/ostree/commit/7f70614a1ac1950ebde3df0e26cc9ab1d72b2f1f
|
||||||
Resolves: #RHEL-58437
|
- Resolves: rhbz#2229895
|
||||||
|
|
||||||
* Wed Aug 14 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.7-2
|
* Thu Jul 20 2023 Colin Walters <walters@verbum.org> - 2022.2-7
|
||||||
- Backport https://github.com/ostreedev/ostree/pull/3281
|
- Backport for https://bugzilla.redhat.com/show_bug.cgi?id=2224102
|
||||||
Resolves: #RHEL-50680
|
|
||||||
|
|
||||||
* Fri Jul 26 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.7-1
|
* Fri Oct 14 2022 Colin Walters <walters@verbum.org> - 2022.2-6
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2024.7
|
- Backport https://github.com/ostreedev/ostree/commit/0085494e350c72599fc5c0e00422885d80b3c660
|
||||||
Resolves: #RHEL-50680
|
- Resolves: rhbz#2134629
|
||||||
|
|
||||||
* Fri May 17 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.6-1
|
* Tue Aug 23 2022 Luca BRUNO <lucab@redhat.com> - 2022.2-5
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2024.6
|
- Backport enablement patches for Secure Execution on s390x
|
||||||
Resolves: #RHEL-35886
|
https://github.com/ostreedev/ostree/pull/2694
|
||||||
|
Resolves: rhbz#2120522
|
||||||
|
- Backport security fix to verify signatures are minimum length (advisory GHSA-gqf4-p3gv-g8vw)
|
||||||
|
https://github.com/ostreedev/ostree/pull/2696
|
||||||
|
Resolves: rhbz#2119444
|
||||||
|
|
||||||
* Thu Mar 14 2024 Colin Walters <walters@verbum.org> - 2024.5-2
|
* Wed May 04 2022 Colin Walters <walters@verbum.org> - 2022.2-4
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2024.5
|
- Backport patches from 2022.3, particularly SELinux
|
||||||
|
Resolves: rhbz#2057497
|
||||||
|
|
||||||
* Wed Feb 28 2024 Colin Walters <walters@verbum.org> - 2024.4-3
|
* Tue Apr 19 2022 Colin Walters <walters@verbum.org> - 2022.2-3
|
||||||
- Backport
|
- https://github.com/ostreedev/ostree/releases/tag/v2022.2
|
||||||
https://github.com/ostreedev/ostree/pull/3205/commits/e47b37096343efa3bea8295f3f44c4dc90cc04e2
|
Resolves: rhbz#2057497
|
||||||
|
|
||||||
* Fri Feb 23 2024 Colin Walters <walters@verbum.org> - 2024.4-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2024.4
|
|
||||||
|
|
||||||
* Wed Feb 14 2024 Colin Walters <walters@verbum.org> - 2024.3-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2024.3
|
|
||||||
Resolves: #RHEL-19419
|
|
||||||
|
|
||||||
* Thu Feb 08 2024 Colin Walters <walters@verbum.org> - 2024.2-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2024.2
|
|
||||||
|
|
||||||
* Sun Jan 21 2024 Colin Walters <walters@verbum.org> - 2024.1-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2024.1
|
|
||||||
Resolves: #RHEL-19419
|
|
||||||
|
|
||||||
* Wed Dec 13 2023 Joseph Marrero <jmarrero@fedoraproject.org> - 2023.8-3
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2023.8
|
|
||||||
Resolves: #RHEL-19419
|
|
||||||
|
|
||||||
* Wed Dec 06 2023 Colin Walters <walters@verbum.org> - 2023.8-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2023.8
|
|
||||||
Resolves: #RHEL-19419
|
|
||||||
|
|
||||||
* Fri Oct 20 2023 Colin Walters <walters@verbum.org> - 2023.7-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2023.7
|
|
||||||
Resolves: #RHEL-14381
|
|
||||||
|
|
||||||
* Fri Aug 25 2023 Joseph Marrero <jmarrero@fedoraproject.org> - 2023.6-1
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2023.6
|
|
||||||
Resolves: rhbz#2234351
|
|
||||||
|
|
||||||
* Fri Aug 4 2023 Joseph Marrero <jmarrero@fedoraproject.org> - 2023.5-1
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2023.5
|
|
||||||
backport: https://github.com/ostreedev/ostree/commit/7f70614a1ac1950ebde3df0e26cc9ab1d72b2f1f
|
|
||||||
Resolves: rhbz#2221997
|
|
||||||
|
|
||||||
* Wed Jun 28 2023 Joseph Marrero <jmarrero@fedoraproject.org> - 2023.4-2
|
|
||||||
- Add patch https://github.com/ostreedev/ostree/pull/2901
|
|
||||||
Resolves: rhbz#2216810
|
|
||||||
|
|
||||||
* Thu Jun 22 2023 Joseph Marrero <jmarrero@fedoraproject.org> - 2023.4-1
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2023.4
|
|
||||||
Resolves: rhbz#2216810
|
|
||||||
|
|
||||||
* Tue Jun 13 2023 Joseph Marrero <jmarrero@fedoraproject.org> - 2023.3-1
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2023.3
|
|
||||||
Resolves: rhbz#2211487
|
|
||||||
|
|
||||||
* Thu Mar 23 2023 Colin Walters <walters@verbum.org> - 2023.2-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2023.2
|
|
||||||
Resolves: rhbz#2172898
|
|
||||||
|
|
||||||
* Thu Feb 23 2023 Colin Walters <walters@verbum.org> - 2023.1-2
|
|
||||||
- Update to 2023.1
|
|
||||||
Resolves: rhbz#2172898
|
|
||||||
xref https://issues.redhat.com/browse/COS-2069
|
|
||||||
|
|
||||||
* Thu Feb 9 2023 Sayan Paul <saypaul@redhat.com> - 2022.6-3
|
|
||||||
- Resolves: rhbz#2167344
|
|
||||||
|
|
||||||
* Wed Dec 14 2022 Sayan Paul <saypaul@redhat.com> - 2022.6-2
|
|
||||||
- Resolves: rhbz#2060976
|
|
||||||
|
|
||||||
* Thu Oct 13 2022 Luca BRUNO <lucab@redhat.com> - 2022.6-1
|
|
||||||
- New upstream version
|
|
||||||
https://github.com/ostreedev/ostree/releases/tag/v2022.6
|
|
||||||
Resolves: rhbz#2134054
|
|
||||||
|
|
||||||
* Mon Aug 22 2022 Luca BRUNO <lucab@redhat.com> - 2022.5-1
|
|
||||||
- New upstream version
|
|
||||||
https://github.com/ostreedev/ostree/releases/tag/v2022.5
|
|
||||||
Resolves: rhbz#2119815
|
|
||||||
|
|
||||||
* Thu May 05 2022 Colin Walters <walters@verbum.org> - 2022.3-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2022.3
|
|
||||||
Resolves: rhbz#2081840
|
|
||||||
|
|
||||||
* Fri Apr 01 2022 Luca BRUNO <lucab@redhat.com> - 2022.2-1
|
|
||||||
- New upstream version
|
|
||||||
https://github.com/ostreedev/ostree/releases/tag/v2022.2
|
|
||||||
Resolves: rhbz#2070964
|
|
||||||
|
|
||||||
* Mon Jan 10 2022 Colin Walters <walters@verbum.org> - 2022.1-2
|
* Mon Jan 10 2022 Colin Walters <walters@verbum.org> - 2022.1-2
|
||||||
- Rebase to 2022.1
|
- Rebase to 2022.1
|
||||||
Resolves: rhbz#2039071
|
Resolves: rhbz#2032593
|
||||||
|
|
||||||
* Fri Nov 26 2021 Luca BRUNO <lucab@redhat.com> - 2021.6-1
|
* Wed Dec 15 2021 Colin Walters <walters@verbum.org> - 2021.6-2
|
||||||
- New upstream version
|
- Rebase to 2021.6
|
||||||
https://github.com/ostreedev/ostree/releases/tag/v2021.6
|
Resolves: rhbz#2032593
|
||||||
Resolves: rhbz#2026931
|
|
||||||
|
|
||||||
* Tue Oct 19 2021 Colin Walters <walters@verbum.org> - 2021.5-3
|
* Tue Nov 30 2021 Colin Walters <walters@verbum.org> - 2021.3-2
|
||||||
- Pointless rebuild to re-trigger gating etc
|
- Backport
|
||||||
|
https://github.com/ostreedev/ostree/pull/2453/commits/e6a560b40797324aa8b90e7100c6d50bff91f14d
|
||||||
|
Resolves: rhbz#2027788
|
||||||
|
|
||||||
* Wed Oct 06 2021 Colin Walters <walters@verbum.org> - 2021.5-2
|
* Tue Jul 20 2021 Luca BRUNO <lucab@redhat.com> - 2021.3-1
|
||||||
- https://github.com/coreos/ostree/releases/tag/v2021.5
|
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2021.3-3
|
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
|
||||||
Related: rhbz#1991688
|
|
||||||
|
|
||||||
* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 2021.3-2
|
|
||||||
- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
|
|
||||||
|
|
||||||
* Fri Jul 16 2021 Luca BRUNO <lucab@redhat.com> - 2021.3-1
|
|
||||||
- New upstream version
|
- New upstream version
|
||||||
https://github.com/ostreedev/ostree/releases/tag/v2021.3
|
https://github.com/ostreedev/ostree/releases/tag/v2021.3
|
||||||
Resolves: rhbz#1981859
|
Resolves: rhbz#1981865
|
||||||
|
|
||||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2021.2-2
|
|
||||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
|
||||||
Related: rhbz#1971065
|
|
||||||
|
|
||||||
* Fri May 14 2021 Luca BRUNO <lucab@redhat.com> - 2021.2-1
|
* Fri May 14 2021 Luca BRUNO <lucab@redhat.com> - 2021.2-1
|
||||||
- New upstream version 2021.2
|
- New upstream version 2021.2
|
||||||
https://github.com/ostreedev/ostree/releases/tag/v2021.2
|
https://github.com/ostreedev/ostree/releases/tag/v2021.2
|
||||||
|
|
||||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2020.8-3
|
* Tue Nov 3 15:04:48 UTC 2020 Colin Walters <walters@verbum.org> - 2020.7-1
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- Update to 2020.7
|
||||||
|
Resolves: #1894062
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.8-2
|
* Wed Sep 09 2020 Colin Walters <walters@verbum.org> - 2020.5-4
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- Backport patches for https://bugzilla.redhat.com/show_bug.cgi?id=1875567
|
||||||
|
|
||||||
* Wed Nov 18 08:42:24 UTC 2020 Luca BRUNO <lucab@lucabruno.net> - 2020.8-1
|
* Mon Aug 24 2020 Colin Walters <walters@verbum.org> - 2020.5-3
|
||||||
- New upstream version
|
- Backport
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2020.8
|
https://github.com/ostreedev/ostree/pull/2179/commits/06ed04a816141914adb9bd3e32392801fce5bc8e
|
||||||
|
Resolves: #1867601
|
||||||
* Fri Oct 30 2020 Jeff Law <law@redhat.com> - 2020.7-4
|
|
||||||
- Fix volatile issues exposed by gcc-11
|
|
||||||
|
|
||||||
* Thu Oct 15 2020 Jonathan Lebon <jonathan@jlebon.com> - 2020.7-3
|
|
||||||
- Backport https://github.com/ostreedev/ostree/pull/2219 for
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1888436
|
|
||||||
|
|
||||||
* Wed Oct 14 2020 Colin Walters <walters@verbum.org> - 2020.7-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2020.7
|
|
||||||
|
|
||||||
* Wed Oct 07 2020 Jonathan Lebon <jonathan@jlebon.com> - 2020.6-5
|
|
||||||
- Backport https://github.com/ostreedev/ostree/pull/2211 for
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1886149
|
|
||||||
|
|
||||||
* Thu Sep 24 2020 Colin Walters <walters@verbum.org> - 2020.6-4
|
|
||||||
- Backport https://github.com/ostreedev/ostree/pull/2202
|
|
||||||
|
|
||||||
* Fri Sep 18 2020 Jonathan Lebon <jonathan@jlebon.com> - 2020.6-3
|
|
||||||
- Revert support for devicetrees
|
|
||||||
https://github.com/ostreedev/ostree/issues/2154
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1880499
|
|
||||||
|
|
||||||
* Thu Sep 03 2020 Colin Walters <walters@verbum.org> - 2020.6-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2020.6
|
|
||||||
|
|
||||||
* Tue Aug 18 2020 Colin Walters <walters@verbum.org> - 2020.5-2
|
* Tue Aug 18 2020 Colin Walters <walters@verbum.org> - 2020.5-2
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2020.5
|
- Update to https://github.com/ostreedev/ostree/releases/tag/v2020.5
|
||||||
|
Specifically to fix readonly-sysroot for e.g. RHEL Edge and
|
||||||
|
older RHCOS versions
|
||||||
|
- Related: #1861507
|
||||||
|
|
||||||
* Sat Aug 01 2020 Colin Walters <walters@verbum.org> - 2020.4-4
|
* Tue Jul 28 2020 Colin Walters <walters@verbum.org> - 2020.4-1
|
||||||
- Backport patch for https://bugzilla.redhat.com/show_bug.cgi?id=1862568
|
|
||||||
|
|
||||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.4-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Jul 22 2020 Colin Walters <walters@verbum.org> - 2020.4-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2020.4
|
- https://github.com/ostreedev/ostree/releases/tag/v2020.4
|
||||||
|
- We plan to use per-object-fsync for etcd in OpenShift 4
|
||||||
|
- Resolves: #1861507
|
||||||
|
|
||||||
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 2020.3-6
|
* Thu May 21 2020 Colin Walters <walters@verbum.org> - 2020.3-3
|
||||||
- Disable LTO
|
- Backport https://github.com/ostreedev/ostree/pull/2108
|
||||||
|
|
||||||
* Thu Jun 18 2020 Jonathan Lebon <jonathan@jlebon.com> - 2020.3-5
|
* Fri May 15 2020 Colin Walters <walters@verbum.org> - 2020.3-2
|
||||||
- Backport patch to handle EOPNOTSUPP on NFS:
|
|
||||||
https://gitlab.gnome.org/GNOME/libglnx/-/merge_requests/18
|
|
||||||
|
|
||||||
* Thu May 21 2020 Jonathan Lebon <jonathan@jlebon.com> - 2020.3-4
|
|
||||||
- Backport patch to neuter sysroot.readonly for FCOS
|
|
||||||
https://github.com/coreos/fedora-coreos-tracker/issues/488
|
|
||||||
https://github.com/ostreedev/ostree/pull/2108
|
|
||||||
|
|
||||||
* Fri Apr 17 2020 Dusty Mabe <dusty@dustymabe.com> - 2020.3-3
|
|
||||||
- Backport patchset that should help us with concurrently pulling
|
|
||||||
https://github.com/ostreedev/ostree/pull/2077
|
|
||||||
|
|
||||||
* Sat Mar 14 2020 Colin Walters <walters@verbum.org> - 2020.3-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2020.3
|
- https://github.com/ostreedev/ostree/releases/tag/v2020.3
|
||||||
|
Resolves: #1836306
|
||||||
* Fri Feb 21 2020 Colin Walters <walters@verbum.org> - 2020.2-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2020.2
|
|
||||||
|
|
||||||
* Thu Feb 20 2020 Colin Walters <walters@verbum.org> - 2020.1-2
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2020.1
|
|
||||||
|
|
||||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2019.6-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Dec 10 2019 Colin Walters <walters@verbum.org> - 2019.6-2
|
* Tue Dec 10 2019 Colin Walters <walters@verbum.org> - 2019.6-2
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2019.6
|
- https://github.com/ostreedev/ostree/releases/tag/v2019.6
|
||||||
|
|
||||||
* Wed Oct 30 2019 Colin Walters <walters@verbum.org> - 2019.5-2
|
* Wed Oct 30 2019 Colin Walters <walters@verbum.org> - 2019.5-1
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2019.5
|
- https://github.com/ostreedev/ostree/releases/tag/v2019.5
|
||||||
|
|
||||||
* Thu Sep 26 2019 Jonathan Lebon <jonathan@jlebon.com> - 2019.4-2
|
* Mon Oct 14 2019 Colin Walters <walters@verbum.org> - 2019.4-3
|
||||||
- Revert ostree-grub2 patch to fix duplicate entries
|
|
||||||
https://github.com/ostreedev/ostree/pull/1929#issuecomment-539022174
|
|
||||||
|
|
||||||
* Thu Sep 26 2019 Jonathan Lebon <jonathan@jlebon.com> - 2019.4-2
|
|
||||||
- Backport patch to fix duplicate GRUB2 entries when using BLS
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1751272#c27
|
|
||||||
|
|
||||||
* Wed Sep 25 2019 Jonathan Lebon <jonathan@jlebon.com> - 2019.4-1
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2019.4
|
- https://github.com/ostreedev/ostree/releases/tag/v2019.4
|
||||||
|
|
||||||
* Thu Aug 22 2019 Colin Walters <walters@verbum.org> - 2019.3-3
|
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2019.3
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Apr 24 2019 Jonathan Lebon <jonathan@jlebon.com> - 2019.2-1
|
* Wed Apr 24 2019 Jonathan Lebon <jonathan@jlebon.com> - 2019.2-1
|
||||||
- https://github.com/ostreedev/ostree/releases/tag/v2019.2
|
- https://github.com/ostreedev/ostree/releases/tag/v2019.2
|
||||||
|
|
||||||
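Review bot: the `Resolves:` references in `%changelog` use several forms (`Resolves: #RHEL-58437` as a bare continuation line, `- Resolves: rhbz#2229895` as a list item, `Resolves: #1894062` with no tracker prefix), so grepping the changelog for tracker ids is unreliable; that matters for the 2022.2-5 entry, which carries the signature minimum-length security backport (advisory GHSA-gqf4-p3gv-g8vw). Pick one form for new entries. On the side whose newest entry is 2024.7-3 there are also two entries for `2019.4-2` dated Thu Sep 26 2019 with different text (the GRUB2 duplicate-entry backport and its revert); merge them into one entry so each release appears once.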
@ -800,7 +650,7 @@ find %{buildroot} -name '*.la' -delete
|
|||||||
- Move trusted.gpg.d to main runtime package, where it should be
|
- Move trusted.gpg.d to main runtime package, where it should be
|
||||||
|
|
||||||
* Fri Mar 07 2014 Colin Walters <walters@verbum.org> - 2014.2-2
|
* Fri Mar 07 2014 Colin Walters <walters@verbum.org> - 2014.2-2
|
||||||
- Depend on gpgv2
|
- Depend on gpgv2
|
||||||
- Resolves: #1073813
|
- Resolves: #1073813
|
||||||
|
|
||||||
* Sat Mar 01 2014 Colin Walters <walters@verbum.org> - 2014.2-1
|
* Sat Mar 01 2014 Colin Walters <walters@verbum.org> - 2014.2-1
|
||||||
|