keremet/rpm-ostree
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
01fbaa7ba4
rpm-ostree/tests/vmcheck/test-autoupdate-check.sh

282 lines
10 KiB
Bash
Raw Normal View History

Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
#!/bin/bash
#
# Copyright (C) 2018 Jonathan Lebon
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
set -euo pipefail
. ${commondir}/libtest.sh
. ${commondir}/libvm.sh
set -x
tests: Move ostree-update creation functions into libvm.sh So they can be reused outside of just the autoupdate test. Closes: #1336 Approved by: jlebon
2018-04-16 02:41:53 +03:00
# Prepare an OSTree repo with updates
tests: Move more update-generation bits to libvm.sh The autoupdate test had a lot of useful infrastructure. Prep for removing `tests/check/test-upgrade-rebase.sh`. Closes: #1339 Approved by: cgwalters
2018-04-17 15:05:19 +03:00
vm_ostreeupdate_prepare
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
# ok, we're done with prep, now let's rebase on the first revision and install a
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
# bunch of layered packages
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
vm_build_rpm layered-cake version 2.1 release 3
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
vm_build_rpm layered-enh
vm_build_rpm layered-sec-none
vm_build_rpm layered-sec-low
vm_build_rpm layered-sec-crit
daemon: Fix cached-update including no-op diffs The `cached-update` variant would mark a bunch of RPMs as upgraded even if they didn't actually change. The issue turned out to be we were doing the diff all wrong in the staged deployment case. I'm not sure what I was thinking in #1344, but essentially, we were marking all layered RPMs in the staged deployment as updates instead of only marking those layered RPMs which were actually changed EVR. We just simplify the approach here by directly doing a pkglist diff between the booted and staged deployments and consuming that. That's really all there is to it! Reduces the code quite a bit too. Closes: #1446 Closes: #1455 Approved by: cgwalters
2018-07-27 23:08:59 +03:00
vm_build_rpm layered-constant # this one we won't update
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
vm_rpmostree rebase vmcheckmote:vmcheck \
--install layered-cake \
--install layered-enh \
--install layered-sec-none \
--install layered-sec-low \
daemon: Fix cached-update including no-op diffs The `cached-update` variant would mark a bunch of RPMs as upgraded even if they didn't actually change. The issue turned out to be we were doing the diff all wrong in the staged deployment case. I'm not sure what I was thinking in #1344, but essentially, we were marking all layered RPMs in the staged deployment as updates instead of only marking those layered RPMs which were actually changed EVR. We just simplify the approach here by directly doing a pkglist diff between the booted and staged deployments and consuming that. That's really all there is to it! Reduces the code quite a bit too. Closes: #1446 Closes: #1455 Approved by: cgwalters
2018-07-27 23:08:59 +03:00
--install layered-sec-crit \
--install layered-constant
Hard require staging This removes the logic around supporting opting out of the staging feature. We don't want to support multiple configurations here, and at this point, staging should be considered stable. Closes: #1546 Approved by: cgwalters
2018-09-10 07:15:29 +03:00
vm_cmd systemctl is-active ostree-finalize-staged.service
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
vm_reboot
vm_rpmostree status -v
vm_assert_status_jq \
tests: Move more update-generation bits to libvm.sh The autoupdate test had a lot of useful infrastructure. Prep for removing `tests/check/test-upgrade-rebase.sh`. Closes: #1339 Approved by: cgwalters
2018-04-17 15:05:19 +03:00
'.deployments[0]["origin"] == "vmcheckmote:vmcheck"' \
'.deployments[0]["version"] == "v1"' \
daemon: Fix cached-update including no-op diffs The `cached-update` variant would mark a bunch of RPMs as upgraded even if they didn't actually change. The issue turned out to be we were doing the diff all wrong in the staged deployment case. I'm not sure what I was thinking in #1344, but essentially, we were marking all layered RPMs in the staged deployment as updates instead of only marking those layered RPMs which were actually changed EVR. We just simplify the approach here by directly doing a pkglist diff between the booted and staged deployments and consuming that. That's really all there is to it! Reduces the code quite a bit too. Closes: #1446 Closes: #1455 Approved by: cgwalters
2018-07-27 23:08:59 +03:00
'.deployments[0]["packages"]|length == 6' \
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
'.deployments[0]["packages"]|index("layered-cake") >= 0'
echo "ok prep"
# start it up again since we rebooted
vm_start_httpd ostree_server $REMOTE_OSTREE 8888
auto-updates: Cache `cached-update` GVariant to disk Rather than recalculating `cached-update` as part of transaction cleanups and RpmostreedOS internal reloads, write it directly to a file from `deploy_transaction_execute`. This gives two major benefits: 1. Auto-updates now has virtually zero impact to daemon startup time. 2. We get to directly use the `DnfSack` created during metadata refresh rather than reconstructing it later on. This greatly simplifies code. This makes use of new APIs in libdnf to skip filelists and load updateinfo metadata right from the start. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
vm_rpmostree cleanup -m
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
# make sure that off means off
Add "ex-stage" update policy, support for ostree staged deployments Following up to https://github.com/projectatomic/rpm-ostree/pull/1352 AKA 506910d9300120f57ce710206ddc6fc0f2c9a628 which added an experimental flag to globally enable deployment staging, let's add an `ex-stage` automatic update policy. I chose to create a new `test-autoupdate-stage.sh` and rename the previous one to `test-autoupdate-check.sh` in going with the previous theme of smaller test files; it's way faster to iterate on new tests when it's a new file. And adding staging at the top would have been weird. This was all quite straightforward, just plumbing through lots of layers. Closes: #1321 Approved by: jlebon
2018-03-29 16:24:53 +03:00
vm_change_update_policy off
status: Rework auto-update status display First, split it into its own section; it's important enough to merit it. Second, explicitly reference the systemd timer/service units. For example, a question I often have is "when is the next run" and of course you can get that rpm `systemctl status rpm-ostreed-automatic.timer` but you have to know that, and the reminder helps. (I briefly looked at implementing the `Trigger` line from `systemctl status` but it's not entirely trivial...tempting to just fork off a `systemctl status | grep `) Prep for unifying this text with the message we print when one does `rpm-ostree upgrade` when auto-updates are enabled. Closes: #1432 Approved by: jlebon
2018-06-28 17:54:52 +03:00
vm_rpmostree status | grep 'AutomaticUpdates: disabled'
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
vm_rpmostree upgrade --trigger-automatic-update-policy > out.txt
assert_file_has_content out.txt "Automatic updates are not enabled; exiting"
auto-updates: Cache `cached-update` GVariant to disk Rather than recalculating `cached-update` as part of transaction cleanups and RpmostreedOS internal reloads, write it directly to a file from `deploy_transaction_execute`. This gives two major benefits: 1. Auto-updates now has virtually zero impact to daemon startup time. 2. We get to directly use the `DnfSack` created during metadata refresh rather than reconstructing it later on. This greatly simplifies code. This makes use of new APIs in libdnf to skip filelists and load updateinfo metadata right from the start. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
# check we didn't download any metadata (skip starting dir)
vm_cmd find /var/cache/rpm-ostree | tail -n +2 > out.txt
if [ -s out.txt ]; then
cat out.txt && assert_not_reached "rpmmd downloaded!"
fi
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
echo "ok disabled"
vmcheck/autoupdate-check.sh: Fix --check/--preview tests Noticed this while looking at the logs for #1432. Because --check and --preview exit with rc=77 when there are no updates, we would actually stop early on in the test and marking it as SKIPPED. Fix this by making sure we explicitly check for the $rc we expected when using those switches. I also added a final grep pass to make it easy to inspect whether we skipped any tests. I was about to do this nicely in `multitest.py` instead, though it may not be of this world much longer, so meh... Closes: #1450 Approved by: cgwalters
2018-07-10 18:49:03 +03:00
# runs --check and --preview, verifies rc matches what we expect, and capturing
# output for a following assert_output
assert_check_preview_rc() {
local expected_rc=$1; shift
local rc=0
vm_rpmostree upgrade --check > out.txt || rc=$?
assert_streq $rc $expected_rc
vm_rpmostree upgrade --preview > out-verbose.txt || rc=$?
assert_streq $rc $expected_rc
}
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
# check that --check/--preview still works
vmcheck/autoupdate-check.sh: Fix --check/--preview tests Noticed this while looking at the logs for #1432. Because --check and --preview exit with rc=77 when there are no updates, we would actually stop early on in the test and marking it as SKIPPED. Fix this by making sure we explicitly check for the $rc we expected when using those switches. I also added a final grep pass to make it easy to inspect whether we skipped any tests. I was about to do this nicely in `multitest.py` instead, though it may not be of this world much longer, so meh... Closes: #1450 Approved by: cgwalters
2018-07-10 18:49:03 +03:00
assert_check_preview_rc 77
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
assert_file_has_content out.txt "No updates available."
vmcheck/autoupdate-check.sh: Fix --check/--preview tests Noticed this while looking at the logs for #1432. Because --check and --preview exit with rc=77 when there are no updates, we would actually stop early on in the test and marking it as SKIPPED. Fix this by making sure we explicitly check for the $rc we expected when using those switches. I also added a final grep pass to make it easy to inspect whether we skipped any tests. I was about to do this nicely in `multitest.py` instead, though it may not be of this world much longer, so meh... Closes: #1450 Approved by: cgwalters
2018-07-10 18:49:03 +03:00
assert_file_has_content out-verbose.txt "No updates available."
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
echo "ok --check/--preview no updates"
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
# ok, let's test out check
vmcheck/autoupdate-check: Fix minor typos Closes: #1450 Approved by: cgwalters
2018-07-10 18:50:51 +03:00
vm_change_update_policy check
status: Rework auto-update status display First, split it into its own section; it's important enough to merit it. Second, explicitly reference the systemd timer/service units. For example, a question I often have is "when is the next run" and of course you can get that rpm `systemctl status rpm-ostreed-automatic.timer` but you have to know that, and the reminder helps. (I briefly looked at implementing the `Trigger` line from `systemctl status` but it's not entirely trivial...tempting to just fork off a `systemctl status | grep `) Prep for unifying this text with the message we print when one does `rpm-ostree upgrade` when auto-updates are enabled. Closes: #1432 Approved by: jlebon
2018-06-28 17:54:52 +03:00
vm_rpmostree status | grep 'AutomaticUpdates: check'
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
# build an *older version* and check that we don't report an update
vm_build_rpm layered-cake version 2.1 release 2
daemon: Add an 'id' param to RegisterClient, log it This makes the logs a bit more useful, but the ultimate goal here is to write the originating client `id` to the cached update data, so users know that e.g. `gnome-software` triggered it. Closes: #1368 Approved by: jlebon
2018-05-16 00:37:51 +03:00
cursor=$(vm_get_journal_cursor)
vmcheck/autoupdate-check: Fix minor typos Closes: #1450 Approved by: cgwalters
2018-07-10 18:50:51 +03:00
vm_cmd systemctl start rpm-ostreed-automatic.service
daemon: Add an 'id' param to RegisterClient, log it This makes the logs a bit more useful, but the ultimate goal here is to write the originating client `id` to the cached update data, so users know that e.g. `gnome-software` triggered it. Closes: #1368 Approved by: jlebon
2018-05-16 00:37:51 +03:00
vm_wait_content_after_cursor $cursor 'Txn AutomaticUpdateTrigger.*successful'
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
vm_rpmostree status -v > out.txt
status: Rework auto-update status display First, split it into its own section; it's important enough to merit it. Second, explicitly reference the systemd timer/service units. For example, a question I often have is "when is the next run" and of course you can get that rpm `systemctl status rpm-ostreed-automatic.timer` but you have to know that, and the reminder helps. (I briefly looked at implementing the `Trigger` line from `systemctl status` but it's not entirely trivial...tempting to just fork off a `systemctl status | grep `) Prep for unifying this text with the message we print when one does `rpm-ostree upgrade` when auto-updates are enabled. Closes: #1432 Approved by: jlebon
2018-06-28 17:54:52 +03:00
assert_not_file_has_content out.txt "AvailableUpdate"
daemon: Add an 'id' param to RegisterClient, log it This makes the logs a bit more useful, but the ultimate goal here is to write the originating client `id` to the cached update data, so users know that e.g. `gnome-software` triggered it. Closes: #1368 Approved by: jlebon
2018-05-16 00:37:51 +03:00
# And check the unit name https://github.com/projectatomic/rpm-ostree/pull/1368
libvm: add vm_get_journal_after_cursor The cursor argument was getting munged up by SSH. Use a helper to make sure we always get quoting right. Closes: #1450 Approved by: cgwalters
2018-07-10 18:49:41 +03:00
vm_get_journal_after_cursor $cursor journal.txt
daemon: Add an 'id' param to RegisterClient, log it This makes the logs a bit more useful, but the ultimate goal here is to write the originating client `id` to the cached update data, so users know that e.g. `gnome-software` triggered it. Closes: #1368 Approved by: jlebon
2018-05-16 00:37:51 +03:00
assert_file_has_content journal.txt 'client(id:cli.*unit:rpm-ostreed-automatic.service'
rm -f journal.txt
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
# build a *newer version* and check that we report an update
vm_build_rpm layered-cake version 2.1 release 4
vm_rpmostree upgrade --trigger-automatic-update-policy
vm_rpmostree status > out.txt
status: Rework auto-update status display First, split it into its own section; it's important enough to merit it. Second, explicitly reference the systemd timer/service units. For example, a question I often have is "when is the next run" and of course you can get that rpm `systemctl status rpm-ostreed-automatic.timer` but you have to know that, and the reminder helps. (I briefly looked at implementing the `Trigger` line from `systemctl status` but it's not entirely trivial...tempting to just fork off a `systemctl status | grep `) Prep for unifying this text with the message we print when one does `rpm-ostree upgrade` when auto-updates are enabled. Closes: #1432 Approved by: jlebon
2018-06-28 17:54:52 +03:00
assert_file_has_content out.txt "AvailableUpdate"
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
assert_file_has_content out.txt "Diff: 1 upgraded"
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
assert_not_file_has_content out.txt "SecAdvisories"
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
vm_rpmostree status -v > out.txt
assert_file_has_content out.txt "Upgraded: layered-cake 2.1-3 -> 2.1-4"
# make sure we don't report ostree-based stuff somehow
status: Rework auto-update status display First, split it into its own section; it's important enough to merit it. Second, explicitly reference the systemd timer/service units. For example, a question I often have is "when is the next run" and of course you can get that rpm `systemctl status rpm-ostreed-automatic.timer` but you have to know that, and the reminder helps. (I briefly looked at implementing the `Trigger` line from `systemctl status` but it's not entirely trivial...tempting to just fork off a `systemctl status | grep `) Prep for unifying this text with the message we print when one does `rpm-ostree upgrade` when auto-updates are enabled. Closes: #1432 Approved by: jlebon
2018-06-28 17:54:52 +03:00
! grep -A999 'AvailableUpdate' out.txt | grep "Version"
! grep -A999 'AvailableUpdate' out.txt | grep "Timestamp"
! grep -A999 'AvailableUpdate' out.txt | grep "Commit"
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
echo "ok check mode layered only"
auto-updates: Cache `cached-update` GVariant to disk Rather than recalculating `cached-update` as part of transaction cleanups and RpmostreedOS internal reloads, write it directly to a file from `deploy_transaction_execute`. This gives two major benefits: 1. Auto-updates now has virtually zero impact to daemon startup time. 2. We get to directly use the `DnfSack` created during metadata refresh rather than reconstructing it later on. This greatly simplifies code. This makes use of new APIs in libdnf to skip filelists and load updateinfo metadata right from the start. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
# confirm no filelists were fetched
vm_cmd find /var/cache/rpm-ostree -iname '*filelists*' > out.txt
if [ -s out.txt ]; then
cat out.txt && assert_not_reached "Filelists were downloaded!"
fi
echo "ok no filelists"
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
# now add some advisory updates
vm_build_rpm layered-enh version 2.0 uinfo VMCHECK-ENH
vm_build_rpm layered-sec-none version 2.0 uinfo VMCHECK-SEC-NONE
vm_rpmostree upgrade --trigger-automatic-update-policy
vm_rpmostree status > out.txt
assert_file_has_content out.txt "SecAdvisories: 1 unknown severity"
vm_rpmostree status -v > out.txt
assert_file_has_content out.txt \
"SecAdvisories: VMCHECK-SEC-NONE Unknown layered-sec-none-2.0-1.x86_64"
assert_not_file_has_content out.txt "VMCHECK-ENH"
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
assert_output() {
assert_file_has_content out.txt \
"SecAdvisories: 1 unknown severity, 1 low, 1 critical"
assert_file_has_content out-verbose.txt \
"SecAdvisories: VMCHECK-SEC-NONE Unknown layered-sec-none-2.0-1.x86_64" \
" VMCHECK-SEC-LOW Low layered-sec-low-2.0-1.x86_64" \
Print CVEs fixed in available updates One question I often have when looking at the output of `status -a`: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 Diff: 67 upgraded, 1 removed, 16 added ``` is "How serious and relevant are these advisories to me? How soon should I reboot?". For the packages that I'm most familiar with, e.g. `kernel` and `git-core`, I usually look up the advisory and check why it was marked as a security update, mentioned CVEs, and how those affect me. The updateinfo metadata includes a wealth of information that could be useful here. In Fedora, CVEs treated by the security response team result in RHBZs, which end up attached to the advisories and thus make it into that metadata. This patch tries to reduce friction in answering some of those questions above by checking for those CVEs and printing a short description in the output of `status -a`. Example: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1637573 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes https://bugzilla.redhat.com/show_bug.cgi?id=1649017 CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c https://bugzilla.redhat.com/show_bug.cgi?id=1652656 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 CVE-2018-19486 git: Improper handling of PATH allows for commands to executed from current directory https://bugzilla.redhat.com/show_bug.cgi?id=1653143 Diff: 67 upgraded, 1 removed, 16 added ``` Including the CVE name and RHBZ link also makes it easier to look for more details if desired. Closes: #1695 Approved by: rfairley
2018-12-03 18:32:30 +03:00
" VMCHECK-SEC-CRIT Critical layered-sec-crit-2.0-1.x86_64" \
"CVE-43-21 vuln5" \
"http://example.com/vuln5" \
"CVE-87-65 CVE-21-09 vuln7" \
"http://example.com/vuln7"
app/status: Print diff/advisories with pending deployment Follow-up from #1344. In the case where a cached update is created from an `upgrade` operation (and soon, "stage" auto-update policy runs), we can just print the diff and advisory info together with the pending deployment. This makes the output look much more natural. Closes: #1350 Approved by: cgwalters
2018-05-04 17:20:19 +03:00
Print CVEs fixed in available updates One question I often have when looking at the output of `status -a`: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 Diff: 67 upgraded, 1 removed, 16 added ``` is "How serious and relevant are these advisories to me? How soon should I reboot?". For the packages that I'm most familiar with, e.g. `kernel` and `git-core`, I usually look up the advisory and check why it was marked as a security update, mentioned CVEs, and how those affect me. The updateinfo metadata includes a wealth of information that could be useful here. In Fedora, CVEs treated by the security response team result in RHBZs, which end up attached to the advisories and thus make it into that metadata. This patch tries to reduce friction in answering some of those questions above by checking for those CVEs and printing a short description in the output of `status -a`. Example: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1637573 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes https://bugzilla.redhat.com/show_bug.cgi?id=1649017 CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c https://bugzilla.redhat.com/show_bug.cgi?id=1652656 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 CVE-2018-19486 git: Improper handling of PATH allows for commands to executed from current directory https://bugzilla.redhat.com/show_bug.cgi?id=1653143 Diff: 67 upgraded, 1 removed, 16 added ``` Including the CVE name and RHBZ link also makes it easier to look for more details if desired. Closes: #1695 Approved by: rfairley
2018-12-03 18:32:30 +03:00
assert_not_file_has_content out-verbose.txt \
"layered-constant 1.0-1 -> 1.0-1" \
"vuln6" "JUNK" "vuln8"
daemon: Fix cached-update including no-op diffs The `cached-update` variant would mark a bunch of RPMs as upgraded even if they didn't actually change. The issue turned out to be we were doing the diff all wrong in the staged deployment case. I'm not sure what I was thinking in #1344, but essentially, we were marking all layered RPMs in the staged deployment as updates instead of only marking those layered RPMs which were actually changed EVR. We just simplify the approach here by directly doing a pkglist diff between the booted and staged deployments and consuming that. That's really all there is to it! Reduces the code quite a bit too. Closes: #1446 Closes: #1455 Approved by: cgwalters
2018-07-27 23:08:59 +03:00
app/status: Print diff/advisories with pending deployment Follow-up from #1344. In the case where a cached update is created from an `upgrade` operation (and soon, "stage" auto-update policy runs), we can just print the diff and advisory info together with the pending deployment. This makes the output look much more natural. Closes: #1350 Approved by: cgwalters
2018-05-04 17:20:19 +03:00
# make sure any future call doesn't forget to create fresh ones
rm -f out.txt out-verbose.txt
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
}
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
# now add all of them
vm_build_rpm layered-sec-low version 2.0 uinfo VMCHECK-SEC-LOW
vm_build_rpm layered-sec-crit version 2.0 uinfo VMCHECK-SEC-CRIT
Print CVEs fixed in available updates One question I often have when looking at the output of `status -a`: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 Diff: 67 upgraded, 1 removed, 16 added ``` is "How serious and relevant are these advisories to me? How soon should I reboot?". For the packages that I'm most familiar with, e.g. `kernel` and `git-core`, I usually look up the advisory and check why it was marked as a security update, mentioned CVEs, and how those affect me. The updateinfo metadata includes a wealth of information that could be useful here. In Fedora, CVEs treated by the security response team result in RHBZs, which end up attached to the advisories and thus make it into that metadata. This patch tries to reduce friction in answering some of those questions above by checking for those CVEs and printing a short description in the output of `status -a`. Example: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1637573 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes https://bugzilla.redhat.com/show_bug.cgi?id=1649017 CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c https://bugzilla.redhat.com/show_bug.cgi?id=1652656 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 CVE-2018-19486 git: Improper handling of PATH allows for commands to executed from current directory https://bugzilla.redhat.com/show_bug.cgi?id=1653143 Diff: 67 upgraded, 1 removed, 16 added ``` Including the CVE name and RHBZ link also makes it easier to look for more details if desired. Closes: #1695 Approved by: rfairley
2018-12-03 18:32:30 +03:00
vm_uinfo add-ref VMCHECK-SEC-CRIT 5 http://example.com/vuln5 "CVE-43-21 vuln5"
vm_uinfo add-ref VMCHECK-SEC-CRIT 6 http://example.com/vuln6 "CVE-43-21 vuln6"
vm_uinfo add-ref VMCHECK-SEC-CRIT 7 http://example.com/vuln7 "CVE-87-65 CVE-21-09 vuln7"
vm_uinfo add-ref VMCHECK-SEC-CRIT 8 http://example.com/vuln8 "CVE-12-JUNK CVE-JUNK vuln8"
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
vm_rpmostree upgrade --trigger-automatic-update-policy
vm_rpmostree status > out.txt
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
vm_rpmostree status -v > out-verbose.txt
assert_output
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
echo "ok check mode layered only with advisories"
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
# check we see the same output with --check/--preview
app/dbus: Always call Reload() after transaction Specifically in this case, this allows us to close a race condition during `upgrade --check` where the `CachedUpdate` property might not have been updated yet when we read it after finishing the transaction. Closes: #1311 Approved by: cgwalters
2018-03-23 22:40:36 +03:00
# clear out cache first to make sure they start from scratch
vm_rpmostree cleanup -m
vm_cmd systemctl stop rpm-ostreed
vmcheck/autoupdate-check.sh: Fix --check/--preview tests Noticed this while looking at the logs for #1432. Because --check and --preview exit with rc=77 when there are no updates, we would actually stop early on in the test and marking it as SKIPPED. Fix this by making sure we explicitly check for the $rc we expected when using those switches. I also added a final grep pass to make it easy to inspect whether we skipped any tests. I was about to do this nicely in `multitest.py` instead, though it may not be of this world much longer, so meh... Closes: #1450 Approved by: cgwalters
2018-07-10 18:49:03 +03:00
assert_check_preview_rc 0
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
assert_output
echo "ok --check/--preview layered pkgs check policy"
# check that --check/--preview still works even with policy off
Add "ex-stage" update policy, support for ostree staged deployments Following up to https://github.com/projectatomic/rpm-ostree/pull/1352 AKA 506910d9300120f57ce710206ddc6fc0f2c9a628 which added an experimental flag to globally enable deployment staging, let's add an `ex-stage` automatic update policy. I chose to create a new `test-autoupdate-stage.sh` and rename the previous one to `test-autoupdate-check.sh` in going with the previous theme of smaller test files; it's way faster to iterate on new tests when it's a new file. And adding staging at the top would have been weird. This was all quite straightforward, just plumbing through lots of layers. Closes: #1321 Approved by: jlebon
2018-03-29 16:24:53 +03:00
vm_change_update_policy off
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
vm_rpmostree cleanup -m
vm_cmd systemctl stop rpm-ostreed
status: Rework auto-update status display First, split it into its own section; it's important enough to merit it. Second, explicitly reference the systemd timer/service units. For example, a question I often have is "when is the next run" and of course you can get that rpm `systemctl status rpm-ostreed-automatic.timer` but you have to know that, and the reminder helps. (I briefly looked at implementing the `Trigger` line from `systemctl status` but it's not entirely trivial...tempting to just fork off a `systemctl status | grep `) Prep for unifying this text with the message we print when one does `rpm-ostree upgrade` when auto-updates are enabled. Closes: #1432 Approved by: jlebon
2018-06-28 17:54:52 +03:00
vm_rpmostree status | grep 'AutomaticUpdates: disabled'
vmcheck/autoupdate-check.sh: Fix --check/--preview tests Noticed this while looking at the logs for #1432. Because --check and --preview exit with rc=77 when there are no updates, we would actually stop early on in the test and marking it as SKIPPED. Fix this by making sure we explicitly check for the $rc we expected when using those switches. I also added a final grep pass to make it easy to inspect whether we skipped any tests. I was about to do this nicely in `multitest.py` instead, though it may not be of this world much longer, so meh... Closes: #1450 Approved by: cgwalters
2018-07-10 18:49:03 +03:00
assert_check_preview_rc 0
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
assert_output
echo "ok --check/--preview layered pkgs off policy"
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
# ok now let's add ostree updates in the picture
Add "ex-stage" update policy, support for ostree staged deployments Following up to https://github.com/projectatomic/rpm-ostree/pull/1352 AKA 506910d9300120f57ce710206ddc6fc0f2c9a628 which added an experimental flag to globally enable deployment staging, let's add an `ex-stage` automatic update policy. I chose to create a new `test-autoupdate-stage.sh` and rename the previous one to `test-autoupdate-check.sh` in going with the previous theme of smaller test files; it's way faster to iterate on new tests when it's a new file. And adding staging at the top would have been weird. This was all quite straightforward, just plumbing through lots of layers. Closes: #1321 Approved by: jlebon
2018-03-29 16:24:53 +03:00
vm_change_update_policy check
tests: Move ostree-update creation functions into libvm.sh So they can be reused outside of just the autoupdate test. Closes: #1336 Approved by: jlebon
2018-04-16 02:41:53 +03:00
vm_ostreeupdate_create v2
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
vm_rpmostree upgrade --trigger-automatic-update-policy
# make sure we only pulled down the commit metadata
if vm_cmd ostree checkout vmcheckmote:vmcheck --subpath /usr/share/rpm; then
assert_not_reached "Was able to checkout /usr/share/rpm?"
fi
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
assert_output2() {
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
vm_assert_status_jq \
'.["cached-update"]["origin"] == "vmcheckmote:vmcheck"' \
'.["cached-update"]["version"] == "v2"' \
'.["cached-update"]["ref-has-new-commit"] == true' \
'.["cached-update"]["gpg-enabled"] == false'
# we could assert more json here, though how it's presented to users is
# important, and implicitly tests the json
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
assert_file_has_content out.txt \
"SecAdvisories: 1 unknown severity, 1 low, 1 critical" \
'Diff: 10 upgraded, 1 downgraded, 1 removed, 1 added'
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
assert_file_has_content out-verbose.txt \
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
"VMCHECK-SEC-NONE Unknown base-pkg-sec-none-2.0-1.x86_64" \
"VMCHECK-SEC-NONE Unknown layered-sec-none-2.0-1.x86_64" \
"VMCHECK-SEC-LOW Low base-pkg-sec-low-2.0-1.x86_64" \
Print CVEs fixed in available updates One question I often have when looking at the output of `status -a`: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 Diff: 67 upgraded, 1 removed, 16 added ``` is "How serious and relevant are these advisories to me? How soon should I reboot?". For the packages that I'm most familiar with, e.g. `kernel` and `git-core`, I usually look up the advisory and check why it was marked as a security update, mentioned CVEs, and how those affect me. The updateinfo metadata includes a wealth of information that could be useful here. In Fedora, CVEs treated by the security response team result in RHBZs, which end up attached to the advisories and thus make it into that metadata. This patch tries to reduce friction in answering some of those questions above by checking for those CVEs and printing a short description in the output of `status -a`. Example: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1637573 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes https://bugzilla.redhat.com/show_bug.cgi?id=1649017 CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c https://bugzilla.redhat.com/show_bug.cgi?id=1652656 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 CVE-2018-19486 git: Improper handling of PATH allows for commands to executed from current directory https://bugzilla.redhat.com/show_bug.cgi?id=1653143 Diff: 67 upgraded, 1 removed, 16 added ``` Including the CVE name and RHBZ link also makes it easier to look for more details if desired. Closes: #1695 Approved by: rfairley
2018-12-03 18:32:30 +03:00
"CVE-12-34 vuln1" \
"http://example.com/vuln1" \
"CVE-56-78 CVE-90-12 vuln3" \
"http://example.com/vuln3" \
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
"VMCHECK-SEC-LOW Low layered-sec-low-2.0-1.x86_64" \
"VMCHECK-SEC-CRIT Critical base-pkg-sec-crit-2.0-1.x86_64" \
"VMCHECK-SEC-CRIT Critical layered-sec-crit-2.0-1.x86_64" \
Print CVEs fixed in available updates One question I often have when looking at the output of `status -a`: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 Diff: 67 upgraded, 1 removed, 16 added ``` is "How serious and relevant are these advisories to me? How soon should I reboot?". For the packages that I'm most familiar with, e.g. `kernel` and `git-core`, I usually look up the advisory and check why it was marked as a security update, mentioned CVEs, and how those affect me. The updateinfo metadata includes a wealth of information that could be useful here. In Fedora, CVEs treated by the security response team result in RHBZs, which end up attached to the advisories and thus make it into that metadata. This patch tries to reduce friction in answering some of those questions above by checking for those CVEs and printing a short description in the output of `status -a`. Example: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1637573 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes https://bugzilla.redhat.com/show_bug.cgi?id=1649017 CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c https://bugzilla.redhat.com/show_bug.cgi?id=1652656 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 CVE-2018-19486 git: Improper handling of PATH allows for commands to executed from current directory https://bugzilla.redhat.com/show_bug.cgi?id=1653143 Diff: 67 upgraded, 1 removed, 16 added ``` Including the CVE name and RHBZ link also makes it easier to look for more details if desired. Closes: #1695 Approved by: rfairley
2018-12-03 18:32:30 +03:00
"CVE-43-21 vuln5" \
"http://example.com/vuln5" \
"CVE-87-65 CVE-21-09 vuln7" \
"http://example.com/vuln7" \
Check and display pending security advisories Pick up security advisories when checking for pending updates and include them in the `cached-update` property. On the client-side, display them in the output of `status`. This was part of the original vision for how useful a smart `check` mode could be. It directly impacts how one manages their individual system (e.g. when to reboot), and paves the way for integration into higher-level apps that act at the cluster level. Closes: #1249 Approved by: cgwalters
2018-02-14 17:27:06 +03:00
'Upgraded: base-pkg-enh 1.0-1 -> 2.0-1' \
' base-pkg-foo 1.4-7 -> 1.4-8' \
'Downgraded: base-pkg-bar 1.0-1 -> 0.9-3' \
'Removed: base-pkg-baz-1.1-1.x86_64' \
'Added: base-pkg-boo-3.7-2.11.x86_64'
app/status: Print diff/advisories with pending deployment Follow-up from #1344. In the case where a cached update is created from an `upgrade` operation (and soon, "stage" auto-update policy runs), we can just print the diff and advisory info together with the pending deployment. This makes the output look much more natural. Closes: #1350 Approved by: cgwalters
2018-05-04 17:20:19 +03:00
Print CVEs fixed in available updates One question I often have when looking at the output of `status -a`: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 Diff: 67 upgraded, 1 removed, 16 added ``` is "How serious and relevant are these advisories to me? How soon should I reboot?". For the packages that I'm most familiar with, e.g. `kernel` and `git-core`, I usually look up the advisory and check why it was marked as a security update, mentioned CVEs, and how those affect me. The updateinfo metadata includes a wealth of information that could be useful here. In Fedora, CVEs treated by the security response team result in RHBZs, which end up attached to the advisories and thus make it into that metadata. This patch tries to reduce friction in answering some of those questions above by checking for those CVEs and printing a short description in the output of `status -a`. Example: ``` AvailableUpdate: Version: 29.20181202.0 (2018-12-02T08:37:50Z) Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3 GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4 SecAdvisories: FEDORA-2018-042156f164 Unknown net-snmp-libs-1:5.8-3.fc29.x86_64 CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1637573 FEDORA-2018-87ba0312c2 Moderate kernel-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-core-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-4.19.5-300.fc29.x86_64 FEDORA-2018-87ba0312c2 Moderate kernel-modules-extra-4.19.5-300.fc29.x86_64 CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes https://bugzilla.redhat.com/show_bug.cgi?id=1649017 CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c https://bugzilla.redhat.com/show_bug.cgi?id=1652656 FEDORA-2018-f467c36c2b Moderate git-core-2.19.2-1.fc29.x86_64 CVE-2018-19486 git: Improper handling of PATH allows for commands to executed from current directory https://bugzilla.redhat.com/show_bug.cgi?id=1653143 Diff: 67 upgraded, 1 removed, 16 added ``` Including the CVE name and RHBZ link also makes it easier to look for more details if desired. Closes: #1695 Approved by: rfairley
2018-12-03 18:32:30 +03:00
assert_not_file_has_content out-verbose.txt \
"layered-constant 1.0-1 -> 1.0-1" \
"vuln2" "JUNK" "vuln4" \
"vuln6" "JUNK" "vuln8" \
daemon: Fix cached-update including no-op diffs The `cached-update` variant would mark a bunch of RPMs as upgraded even if they didn't actually change. The issue turned out to be we were doing the diff all wrong in the staged deployment case. I'm not sure what I was thinking in #1344, but essentially, we were marking all layered RPMs in the staged deployment as updates instead of only marking those layered RPMs which were actually changed EVR. We just simplify the approach here by directly doing a pkglist diff between the booted and staged deployments and consuming that. That's really all there is to it! Reduces the code quite a bit too. Closes: #1446 Closes: #1455 Approved by: cgwalters
2018-07-27 23:08:59 +03:00
app/status: Print diff/advisories with pending deployment Follow-up from #1344. In the case where a cached update is created from an `upgrade` operation (and soon, "stage" auto-update policy runs), we can just print the diff and advisory info together with the pending deployment. This makes the output look much more natural. Closes: #1350 Approved by: cgwalters
2018-05-04 17:20:19 +03:00
# make sure any future call doesn't forget to create fresh ones
rm -f out.txt out-verbose.txt
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
}
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
vm_rpmostree status > out.txt
vm_rpmostree status -v > out-verbose.txt
assert_output2
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
echo "ok check mode ostree"
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
# check that we get similar output with --check/--preview
vmcheck/autoupdate-check.sh: Fix --check/--preview tests Noticed this while looking at the logs for #1432. Because --check and --preview exit with rc=77 when there are no updates, we would actually stop early on in the test and marking it as SKIPPED. Fix this by making sure we explicitly check for the $rc we expected when using those switches. I also added a final grep pass to make it easy to inspect whether we skipped any tests. I was about to do this nicely in `multitest.py` instead, though it may not be of this world much longer, so meh... Closes: #1450 Approved by: cgwalters
2018-07-10 18:49:03 +03:00
assert_check_preview_rc 0
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
assert_output2
echo "ok --check/--preview base pkgs check policy"
Add "ex-stage" update policy, support for ostree staged deployments Following up to https://github.com/projectatomic/rpm-ostree/pull/1352 AKA 506910d9300120f57ce710206ddc6fc0f2c9a628 which added an experimental flag to globally enable deployment staging, let's add an `ex-stage` automatic update policy. I chose to create a new `test-autoupdate-stage.sh` and rename the previous one to `test-autoupdate-check.sh` in going with the previous theme of smaller test files; it's way faster to iterate on new tests when it's a new file. And adding staging at the top would have been weird. This was all quite straightforward, just plumbing through lots of layers. Closes: #1321 Approved by: jlebon
2018-03-29 16:24:53 +03:00
vm_change_update_policy off
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
vm_rpmostree cleanup -m
vm_cmd systemctl stop rpm-ostreed
vmcheck/autoupdate-check.sh: Fix --check/--preview tests Noticed this while looking at the logs for #1432. Because --check and --preview exit with rc=77 when there are no updates, we would actually stop early on in the test and marking it as SKIPPED. Fix this by making sure we explicitly check for the $rc we expected when using those switches. I also added a final grep pass to make it easy to inspect whether we skipped any tests. I was about to do this nicely in `multitest.py` instead, though it may not be of this world much longer, so meh... Closes: #1450 Approved by: cgwalters
2018-07-10 18:49:03 +03:00
assert_check_preview_rc 0
tests/vmcheck: add coverage for --check and --preview We had no coverage for `--check` and `--preview`. Now that they use the more efficient auto-updates API, it should be fine to document/recommend to users. Let's add some coverage in the existing auto-updates tests to make sure we don't regress on them e.g. only working when auto-update "check" mode is on. Closes: #1268 Approved by: cgwalters
2018-03-05 21:08:38 +03:00
assert_output2
echo "ok --check/--preview base pkgs off policy"
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
assert_default_deployment_is_update() {
vm_assert_status_jq \
'.deployments[0]["origin"] == "vmcheckmote:vmcheck"' \
'.deployments[0]["version"] == "v2"' \
daemon: Fix cached-update including no-op diffs The `cached-update` variant would mark a bunch of RPMs as upgraded even if they didn't actually change. The issue turned out to be we were doing the diff all wrong in the staged deployment case. I'm not sure what I was thinking in #1344, but essentially, we were marking all layered RPMs in the staged deployment as updates instead of only marking those layered RPMs which were actually changed EVR. We just simplify the approach here by directly doing a pkglist diff between the booted and staged deployments and consuming that. That's really all there is to it! Reduces the code quite a bit too. Closes: #1446 Closes: #1455 Approved by: cgwalters
2018-07-27 23:08:59 +03:00
'.deployments[0]["packages"]|length == 6' \
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
'.deployments[0]["packages"]|index("layered-cake") >= 0'
vm_rpmostree db list $(vm_get_pending_csum) > list.txt
assert_file_has_content list.txt 'layered-cake-2.1-4.x86_64'
}
# now let's upgrade and check that it matches what we expect
daemon/upgrade: Write out new cached update Right now, cached updates generated during "check" policy runs are completely decoupled from upgrade operations. This can lead to the surprising situation where the "Available update" is *older* than a freshly deployed pending tree with `rpm-ostree upgrade`. We should just generate a cached update after upgrade operations. This is also prep for staged deployments, where we'll want to do this as well. Note that we write out the cached update here even if automatic updates are turned off since it's essentially free. I've been thinking about always displaying that information after an `rpm-ostree upgrade` in `status`. Though not sure if we should keep it in a separate "Available update" section, or somehow morph it as part of the pending deployment output. Closes: #1344 Approved by: cgwalters
2018-04-24 22:05:28 +03:00
# (but start from scratch to check that vanilla `upgrade` also builds the cache)
vm_rpmostree cleanup -m
vm_cmd systemctl stop rpm-ostreed
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
vm_rpmostree upgrade
app/status: Print diff/advisories with pending deployment Follow-up from #1344. In the case where a cached update is created from an `upgrade` operation (and soon, "stage" auto-update policy runs), we can just print the diff and advisory info together with the pending deployment. This makes the output look much more natural. Closes: #1350 Approved by: cgwalters
2018-05-04 17:20:19 +03:00
vm_rpmostree status > out.txt
vm_rpmostree status -v > out-verbose.txt
# we should have printed as part of the pending deployment
assert_not_file_has_content out.txt "Available update"
assert_not_file_has_content out-verbose.txt "Available update"
daemon/upgrade: Write out new cached update Right now, cached updates generated during "check" policy runs are completely decoupled from upgrade operations. This can lead to the surprising situation where the "Available update" is *older* than a freshly deployed pending tree with `rpm-ostree upgrade`. We should just generate a cached update after upgrade operations. This is also prep for staged deployments, where we'll want to do this as well. Note that we write out the cached update here even if automatic updates are turned off since it's essentially free. I've been thinking about always displaying that information after an `rpm-ostree upgrade` in `status`. Though not sure if we should keep it in a separate "Available update" section, or somehow morph it as part of the pending deployment output. Closes: #1344 Approved by: cgwalters
2018-04-24 22:05:28 +03:00
assert_output2
Initial support for automatic updates This patch introduces a new `AutomaticUpdatePolicy` configuration. This was a long time coming for rpm-ostree, given that its update model makes it extremely apt for such a feature. The config supports a `check` mode, which should be very useful to Atomic Workstation users, as well as a `reboot` mode, which could be used in its present form in simple single node Atomic Host situations. There is still a lot of work to be done, including integrating advisories, and supporting a `deploy` mode. This feature hopefully will be leveraged as well by higher-level projects like GNOME Software and Cockpit. Closes: #1147 Approved by: cgwalters
2017-12-15 20:01:46 +03:00
assert_default_deployment_is_update
echo "ok upgrade"
Reference in New Issue Copy Permalink