daemon: start with one commit only when resolving versions

During a deploy operation, we would fetch commit objects from the remote
to resolve the version string. If gpg-verify was turned on, we would
fail to pull them if some of the commits were not signed. This is
because we pulled them in batches. We partially address this by only
fetching the HEAD commit on the first pass. This allows `upgrade`
operations to work just as well as `deploy` operations.

Though there is still an issue if we have to traverse farther back than
when signed commits become unsigned (unless they happen to fall on a
batch boundary). We leave that unsolved for now, since that would likely
require a more complex solution and it's not clear whether it's a real
world issue (signers can just retroactively sign commits).

Copy the gpghome from ostree so that we can test GPG-related cases in
our suite.

Closes: #527

Closes: #557
Approved by: cgwalters
Jonathan Lebon 2016-12-22 12:39:28 -05:00 committed by Atomic Bot
parent e10c97007f
commit b68209b6d4
11 changed files with 134 additions and 14 deletions


@ -260,6 +260,10 @@ rpmostreed_repo_pull_ancestry (OstreeRepo *repo,
int depth, ii; int depth, ii;
gboolean ret = FALSE; gboolean ret = FALSE;
/* Only fetch the HEAD on the first pass. See also:
* https://github.com/projectatomic/rpm-ostree/pull/557 */
gboolean first_pass = TRUE;
g_return_val_if_fail (OSTREE_IS_REPO (repo), FALSE); g_return_val_if_fail (OSTREE_IS_REPO (repo), FALSE);
g_return_val_if_fail (refspec != NULL, FALSE); g_return_val_if_fail (refspec != NULL, FALSE);
@ -288,6 +292,7 @@ rpmostreed_repo_pull_ancestry (OstreeRepo *repo,
g_variant_new_strv ((const char * const *) refs_array, -1); g_variant_new_strv ((const char * const *) refs_array, -1);
g_variant_dict_init (&options, NULL); g_variant_dict_init (&options, NULL);
if (!first_pass)
g_variant_dict_insert (&options, "depth", "i", depth); g_variant_dict_insert (&options, "depth", "i", depth);
g_variant_dict_insert (&options, "flags", "i", flags); g_variant_dict_insert (&options, "flags", "i", flags);
g_variant_dict_insert_value (&options, "refs", refs_value); g_variant_dict_insert_value (&options, "refs", refs_value);
@ -307,7 +312,7 @@ rpmostreed_repo_pull_ancestry (OstreeRepo *repo,
if (visitor != NULL) if (visitor != NULL)
{ {
for (ii = 0; ii < depth && checksum != NULL; ii++) for (ii = 0; ii < (first_pass ? 1 : depth) && checksum != NULL; ii++)
{ {
g_autoptr(GVariant) commit = NULL; g_autoptr(GVariant) commit = NULL;
gboolean stop = FALSE; gboolean stop = FALSE;
@ -332,7 +337,10 @@ rpmostreed_repo_pull_ancestry (OstreeRepo *repo,
/* Pull the next batch of commits, twice as many. */ /* Pull the next batch of commits, twice as many. */
refs_array[0] = checksum; refs_array[0] = checksum;
if (!first_pass)
depth = depth * 2; depth = depth * 2;
first_pass = FALSE;
} }
ret = TRUE; ret = TRUE;
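Review bot: The comment added with `first_pass` explains the change only through a pull-request URL, so the verification reasoning is lost if that link ever moves. I would state it in place, for example `/* With gpg-verify on, a batch containing an unsigned commit fails the whole pull, so fetch only HEAD on the first pass; deeper batches can still fail on unsigned ancestors. */`. The existing comment `Pull the next batch of commits, twice as many.` is also no longer accurate right after the first pass, where `depth` is left unchanged; `/* Pull the next batch; depth doubles on every pass after the first. */` would match the new code. The body of rpmostreed_repo_pull_ancestry starts and ends outside these hunks, so the loop's exit conditions are not visible here.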


@ -23,7 +23,7 @@ set -e
ensure_dbus ensure_dbus
echo "1..13" echo "1..14"
setup_os_repository "archive-z2" "syslinux" setup_os_repository "archive-z2" "syslinux"
@ -33,9 +33,12 @@ echo "ok setup"
# --sysroot=sysroot to rpm-ostree commands as it will result # --sysroot=sysroot to rpm-ostree commands as it will result
# in a warning message. # in a warning message.
OSTREE="ostree --repo=sysroot/ostree/repo"
REMOTE_OSTREE="ostree --repo=testos-repo --gpg-homedir=${test_tmpdir}/gpghome"
# This initial deployment gets kicked off with some kernel arguments # This initial deployment gets kicked off with some kernel arguments
ostree --repo=sysroot/ostree/repo remote add --set=gpg-verify=false testos file://$(pwd)/testos-repo testos/buildmaster/x86_64-runtime $OSTREE remote add --set=gpg-verify=false testos file://$(pwd)/testos-repo testos/buildmaster/x86_64-runtime
ostree --repo=sysroot/ostree/repo pull testos:testos/buildmaster/x86_64-runtime $OSTREE pull testos:testos/buildmaster/x86_64-runtime
ostree admin --sysroot=sysroot deploy --karg=root=LABEL=MOO --karg=quiet --os=testos testos:testos/buildmaster/x86_64-runtime ostree admin --sysroot=sysroot deploy --karg=root=LABEL=MOO --karg=quiet --os=testos testos:testos/buildmaster/x86_64-runtime
rpm-ostree status | tee OUTPUT-status.txt rpm-ostree status | tee OUTPUT-status.txt
@ -53,7 +56,7 @@ fi
os_repository_new_commit os_repository_new_commit
rpm-ostree upgrade --os=testos rpm-ostree upgrade --os=testos
ostree --repo=sysroot/ostree/repo remote add --set=gpg-verify=false otheros file://$(pwd)/testos-repo testos/buildmaster/x86_64-runtime $OSTREE remote add --set=gpg-verify=false otheros file://$(pwd)/testos-repo testos/buildmaster/x86_64-runtime
rpm-ostree rebase --os=testos otheros: rpm-ostree rebase --os=testos otheros:
rpm-ostree status | tee OUTPUT-status.txt rpm-ostree status | tee OUTPUT-status.txt
@ -77,7 +80,7 @@ assert_file_has_content OUTPUT-status.txt '1\.0\.9'
echo "ok deploy older known version" echo "ok deploy older known version"
# Remember the current revision for later. # Remember the current revision for later.
revision=$(ostree rev-parse --repo=sysroot/ostree/repo otheros:testos/buildmaster/x86_64-runtime) revision=$($OSTREE rev-parse otheros:testos/buildmaster/x86_64-runtime)
# Jump forward to a locally known version. # Jump forward to a locally known version.
rpm-ostree deploy --os=testos 1.0.10 rpm-ostree deploy --os=testos 1.0.10
@ -102,7 +105,7 @@ echo "ok deploy older version by revision"
# Make a commit on a different branch and make sure that it doesn't let us # Make a commit on a different branch and make sure that it doesn't let us
# deploy it # deploy it
other_rev=$(ostree --repo=${test_tmpdir}/testos-repo commit -b other-branch --tree=ref=$revision) other_rev=$($REMOTE_OSTREE commit -b other-branch --tree=ref=$revision)
if rpm-ostree deploy --os=testos REVISION=$other_rev 2>OUTPUT-err; then if rpm-ostree deploy --os=testos REVISION=$other_rev 2>OUTPUT-err; then
assert_not_reached "Deploying an out-of-branch commit unexpectedly succeeded." assert_not_reached "Deploying an out-of-branch commit unexpectedly succeeded."
fi fi
@ -121,8 +124,8 @@ assert_file_has_content OUTPUT-status.txt $(date "+%Y%m%d\.2")
echo "ok rebase onto other branch at specific version" echo "ok rebase onto other branch at specific version"
branch=testos/buildmaster/x86_64-runtime branch=testos/buildmaster/x86_64-runtime
new_csum=$(ostree --repo=${test_tmpdir}/testos-repo commit -b $branch --tree=ref=$branch) new_csum=$($REMOTE_OSTREE commit -b $branch --tree=ref=$branch)
rpm-ostree rebase --os=testos otheros:testos/buildmaster/x86_64-runtime $new_csum rpm-ostree rebase --os=testos otheros:$branch $new_csum
rpm-ostree status | head --lines 5 | tee OUTPUT-status.txt rpm-ostree status | head --lines 5 | tee OUTPUT-status.txt
assert_file_has_content OUTPUT-status.txt otheros assert_file_has_content OUTPUT-status.txt otheros
assert_file_has_content OUTPUT-status.txt $new_csum assert_file_has_content OUTPUT-status.txt $new_csum
@ -134,6 +137,15 @@ fi
assert_file_has_content OUTPUT-err 'Checksum .* not found in .*' assert_file_has_content OUTPUT-err 'Checksum .* not found in .*'
echo "ok error on rebasing onto commit on other branch" echo "ok error on rebasing onto commit on other branch"
# Make sure that we can deploy from a remote which has gone from unsigned to
# signed commits.
$REMOTE_OSTREE commit -b $branch --tree=ref=$branch \
--gpg-sign=$TEST_GPG_KEYID --add-metadata-string version=gpg-signed
$OSTREE remote add secureos file://$(pwd)/testos-repo
rpm-ostree rebase --os=testos secureos:$branch gpg-signed
echo "ok deploy from remote with unsigned and signed commits"
# Ensure it returns an error when passing a wrong option. # Ensure it returns an error when passing a wrong option.
rpm-ostree --help | awk '/^$/ {in_commands=0} {if(in_commands==1){print $0}} /^Builtin Commands:/ {in_commands=1}' > commands rpm-ostree --help | awk '/^$/ {in_commands=0} {if(in_commands==1){print $0}} /^Builtin Commands:/ {in_commands=1}' > commands
while read command; do while read command; do
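Review bot: The new `secureos` case only checks that a signed commit deploys, so it would still pass if signature verification on that remote were silently disabled. The remote is added without `--set=gpg-verify=false`, so it presumably relies on the default of verifying, but nothing in the test asserts that. I would add a negative case right after the successful rebase, where an unsigned HEAD on the same branch is expected to be rejected. If later tests depend on the branch HEAD, the unsigned commit should be made at the very end of the script instead.

```shell
rpm-ostree rebase --os=testos secureos:$branch gpg-signed
# Negative case: an unsigned HEAD on the verifying remote must be rejected.
$REMOTE_OSTREE commit -b $branch --tree=ref=$branch
if rpm-ostree rebase --os=testos secureos:$branch 2>OUTPUT-err; then
  assert_not_reached "Rebasing onto an unsigned commit unexpectedly succeeded."
fi
echo "ok deploy from remote with unsigned and signed commits"
```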


@ -28,7 +28,7 @@ LIBTEST_SH=1
self="$(realpath $0)" self="$(realpath $0)"
if test -z "${SRCDIR:-}"; then if test -z "${SRCDIR:-}"; then
SRCDIR=$(dirname $0) SRCDIR=${topsrcdir}/tests
fi fi
_cleanup_tmpdir () { _cleanup_tmpdir () {
@ -62,8 +62,15 @@ export G_DEBUG=fatal-warnings
export OSTREE_SYSROOT_DEBUG=mutable-deployments export OSTREE_SYSROOT_DEBUG=mutable-deployments
export TEST_GPG_KEYID="472CDAFA" export TEST_GPG_KEYID="472CDAFA"
export TEST_GPG_KEYHOME=${SRCDIR}/gpghome
export OSTREE_GPG_HOME=${TEST_GPG_KEYHOME}/trusted # GPG when creating signatures demands a writable
# homedir in order to create lockfiles. Work around
# this by copying locally.
echo "Copying gpghome to ${test_tmpdir}"
cp -a "${SRCDIR}/gpghome" ${test_tmpdir}
chmod -R u+w "${test_tmpdir}"
export TEST_GPG_KEYHOME=${test_tmpdir}/gpghome
export OSTREE_GPG_HOME=${test_tmpdir}/gpghome/trusted
if test -n "${OT_TESTS_DEBUG:-}"; then if test -n "${OT_TESTS_DEBUG:-}"; then
set -x set -x
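Review bot: The new fallback `SRCDIR=${topsrcdir}/tests` silently becomes `/tests` when `topsrcdir` is unset, so the GPG home, including the signing keyring, would be copied from an absolute path outside the source tree if one exists there. `SRCDIR=${topsrcdir:?topsrcdir must be set}/tests` makes that case fail loudly instead. In the copy step, `${test_tmpdir}` is unquoted on the `cp` line and `chmod -R u+w "${test_tmpdir}"` touches the whole temporary directory; `chmod -R u+w "${test_tmpdir}/gpghome"` would limit the change to the copied keys.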


@ -3,6 +3,8 @@ set -euo pipefail
dn=$(cd $(dirname $0) && pwd) dn=$(cd $(dirname $0) && pwd)
export topsrcdir=$(cd $dn/.. && pwd)
LOG=${LOG:-compose.log} LOG=${LOG:-compose.log}
date > ${LOG} date > ${LOG}
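Review bot: `export topsrcdir=$(cd $dn/.. && pwd)` hides a failure of the command substitution, because the exit status of `export` replaces it and the `set -e` at the top of the script never sees it. An empty `topsrcdir` would then presumably flow into the test library's `SRCDIR` fallback. Splitting it into `topsrcdir=$(cd "$dn/.." && pwd)` followed by `export topsrcdir` keeps the failure visible and also quotes the path.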

30
tests/gpghome/key1.asc Normal file

@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=ZNNc
-----END PGP PUBLIC KEY BLOCK-----

30
tests/gpghome/key2.asc Normal file

@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=j9RC
-----END PGP PUBLIC KEY BLOCK-----

30
tests/gpghome/key3.asc Normal file

@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=Dq+d
-----END PGP PUBLIC KEY BLOCK-----

1
tests/gpghome/pubring.gpg Symbolic link

@ -0,0 +1 @@
trusted/pubring.gpg

BIN
tests/gpghome/secring.gpg Normal file

Binary file not shown.

BIN
tests/gpghome/trustdb.gpg Normal file

Binary file not shown.

Binary file not shown.