Commit Graph

250 Commits

Author SHA1 Message Date
Jonathan Lebon
fd64084b9b vmcheck: add basic test for local RPM installs
Closes: #657
Approved by: cgwalters
2017-03-10 18:35:11 +00:00
Jonathan Lebon
49cbdb739a status: always include the packages entries
Pull #646 introduced a subtle regression: we went from always including
a "packages" entry to only including it if there are packages present.
Albeit it's easy to guard against, though to be nice, let's make it
easier for consumers by always including it.

Reported-by: Micah Abbott <miabbott@redhat.com>

Closes: #670
Approved by: cgwalters
2017-03-10 14:54:45 +00:00
Colin Walters
66425c3161 core: Do GPG verification before importing
While reading a recent conversation about GPG checking at treecompose
time, I had a sudden thought - were we actually doing verification
client side?  Turned out, we aren't.  That happens as part of
`dnf_transaction_commit()` which we don't use.

That function verifies every package at one go, but for us I think it's better
to do it before "importing". We shouldn't have untrusted bits that we've
unpacked (they might have suid binaries, for one thing).

This is an embarassing problem, but it's worth emphasizing that everyone should
be retrieving repodata at a minimum over TLS, which sets a baseline. On RHEL, we
already do pinned TLS, and there are discussions about extending that elsewhere.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1422157

Closes: #656
Approved by: jlebon
2017-03-06 15:19:43 +00:00
Colin Walters
22048b25a7 scripts: Use tmpfs for /var/tmp, not the host's /tmp
We don't want to expose the host's `/tmp` since that means scripts could
potentially find things like the X11 socket or whatever.

To debug things better, add a quick bash script to run bwrap like the C code
does. Perhaps down the line we can add `rpm-ostree internals run-bwrap` or so.

Closes: #647
Approved by: jlebon
2017-02-28 23:37:15 +00:00
Jonathan Lebon
7fd474f8e1 vmcheck: adjust for new behaviour
Closes: #646
Approved by: cgwalters
2017-02-27 19:53:19 +00:00
Jonathan Lebon
a3ee87d67d vmcheck/test.sh: output reboot details to log
Clean up the output of vmcheck a bit by printing out ssh debug details
and rpm-ostree status output to the log file. This will help make it
easier to quickly see which tests failed (as well as helping satisfy my
OCD for a nice output).

Closes: #645
Approved by: cgwalters
2017-02-24 19:50:25 +00:00
Colin Walters
f573354324 ci: Hotfix ostree temporarily
For https://github.com/ostreedev/ostree/pull/705

Closes: #642
Approved by: jlebon
2017-02-23 20:03:06 +00:00
Jonathan Lebon
8eb746f533 test-initramfs.sh: fix for centos
Fetch the osname rather than hardcoding it.

Closes: #636
Approved by: cgwalters
2017-02-21 14:13:42 +00:00
Colin Walters
ddbaf19f1e importer: Error importing RPMs which install to /opt (outside of /usr)
See https://github.com/projectatomic/rpm-ostree/issues/233 - for RPMs which
place files in e.g. `/opt`, we have different behavior in the treecompose case
(silently drop it) versus package layering (does the wrong thing).

Since the unpacker right now is only used in the layering case, this just
ensures we'll get a consistent error there.

Closes: #624
Approved by: jlebon
2017-02-14 22:15:56 +00:00
Jonathan Lebon
8cf071127e unpacker: support root-owned /var & /run files
I'm not sure why we weren't doing this before, but we need to also
support files in /var and /run that are owned by root.

Related: RHBZ#1421781

Closes: #622
Approved by: cgwalters
2017-02-13 16:49:59 +00:00
Colin Walters
a66d27230d Add a cleanup command and DBus API
We sometimes talk about using `ostree admin undeploy`, but that
doesn't know about the pkgcache, and hence space there leaks
until the next rpm-ostree operation.

Just for this, we need to expose a cleanup command (and API).  But
we also need to support cleaning:

 - repomd
 - downloads (repo/tmp)

So let's start implementing that.

Closes: #614
Approved by: jlebon
2017-02-13 15:28:05 +00:00
Colin Walters
0a1289ae38 upgrader: Use "pending" deployment for origin by default
Until now, we always used the booted deployment, and would
garbage collect the "pending" deployment.  This is the
way OSTree was designed, but I think for rpm-ostree given
how mutable we are on the client side, there's a much stronger
argument for being more stateful too.

This is a relatively simple code change to split the "merge deployment"
concept into two.  There's now the "config merge deployment" and the
"origin merge deployment".

Basically, `rpm-ostree install foo; rpm-ostree install bar` will
now install both `foo` and `bar`.  But we will still use the booted
deployment for `/etc`.

Down the line, I think I'd like to drive into OSTree the concept of
a "staged" deployment, that has the hardlink checkout done, but doesn't
have the config merge.

But we don't need to change the OSTree core for this yet; we can
do it here in rpm-ostree, and this relatively simple code change
fixes many issues at once.

For example, `rpm-ostree upgrade && rpm-ostree install foo` now
does what you expect as well.

Obviously, we want to enable doing multiple things in *one* transaction,
and we're not far away, but I think this is also the right thing to do now.

I'm relatively confident it won't break anyone's workflow, as what
we did before wasn't generally that useful.  However, people will
need to learn to `ostree admin undeploy 0` if they *don't* want
this behavior.  (We need to have `rpm-ostree cleanup`).

Closes: https://github.com/projectatomic/rpm-ostree/issues/406

Closes: #611
Approved by: jlebon
2017-02-08 19:55:44 +00:00
Colin Walters
a52cb7d78e core: Add rpmostree.repo metadata to imported packages
I'm watching https://github.com/rpm-software-management/libdnf/pull/199 and I
really don't like it. We already have a place to put out-of-rpmdb metadata,
which is in the ostree commit for imported packages. No need to involve a
relational database for this (and further, one that would need to learn about
multiple ostrees).

We're not yet *using* this information in the UI, but we could; imagine
changing the `status` `Packages:` to show packages-per-repo or so.  We
could also expose an `rpm-ostree pkg-info foo`.

But for now, let's just start recording this.

Closes: #610
Approved by: jlebon
2017-02-08 17:52:16 +00:00
Jonathan Lebon
283b915ecf check: use jq for asserting json elements
Closes: #609
Approved by: cgwalters
2017-02-08 17:11:06 +00:00
Colin Walters
ace223acf8 Add pending-base-commit to status
One thing that's very confusing about OSTree is there are two layers -
deployments and the refs/commits. If one does an `rpm-ostree upgrade`, but then
e.g. `ostree admin undeploy 0`, you still have the new revision in the repo.

We don't do a good job of displaying this state, or helping people clean
it up.

Down the line, I also want to better support something like `rpm-ostree pull` to
cache updates explicitly *without* deploying.

This commit just adds a bit of information to the status display. We might want
to have better formatting, but I think this an OK start.

Closes: #595
Approved by: jlebon
2017-02-08 13:59:48 +00:00
Colin Walters
687567d3ee Merge daemon binary into main binary
The actual problem I am trying to fix with this is fallout from the
introduction of `/usr/libexec/rpm-ostreed`, which required a SELinux
policy change.  Specifically for CentOS, the base policy is rev'd
slowly.

My hope was that by merging the daemon code back into `/usr/bin/rpm-ostree`
which is labeled `install_exec_t`, starting via systemd would do
the right thing.  It turns out that doesn't happen.

Now later, I'm picking this patch back up because I want to do multprocessing in
the daemon (and in the core), and it makes sense to share code between them,
because multiprocessing will need to go through a re-exec path.

Another benefit is we avoid duplicated text (libglnx, internal helpers) between
the two binaries.

Closes: #292
Approved by: jlebon
2017-02-07 16:07:09 +00:00
Jonathan Lebon
566367ca3f upgrader: let ostree create the commit dir
When we checked out the base tree for package layering, we would create
the directory in which ostree did the checkout. This meant however that
ostree wouldn't apply xattrs on the root directory itself. This would
cause the directory to be mislabeled (as system_conf_t instead of
root_t), which in turn cause SELinux violations on reboot when systemd
tried to make the root mount shared.

This patch fixes this by first settling on a permanent directory in
which to do checkouts -- really, we'll never have multiple package
layering operations going on at the same time. Once we know that we have
a reserved path, we can safely let ostree create it for us with the
proper xattrs.

Resolves: RHBZ#1318547

Closes: #605
Approved by: cgwalters
2017-02-04 11:08:27 +00:00
Colin Walters
cac4522e5b Support "system/regenerate-initramfs=true" flag in origin
Currently we push for a model where the initramfs is
generated (in non-hostonly mode), and merely replicated.

However, to support a few unfortunate corner cases like dm-multipath which wants
to inject a config file into the initramfs, we need to support regenerating it
client side too.

Down the line, we'll need this to support overriding the kernel too.

This changes things in the core to add the concept of an "empty"
`RpmOstreeContext`. I initially tried skipping it, but that was too much
duplication. We still want all of the core ostree-related logic that lives in
that code too.

The treespec bits barfed if the spec didn't have a `tree/packages` key. It was
simplest to change that to allow it - and because that was the only case where
we errored out in parsing, I dropped the error handling.

There was another place in the upgrader that now needed to be fixed to handle
transitioning from just regenerating initramfs to not.

Closes: #574
Approved by: jlebon
2017-01-20 16:17:51 +00:00
Colin Walters
d277205c13 tests: Actually install the new binaries
I think since I landed a change to `--enable-new-name`, `/usr/bin/rpm-ostree`
became a symlink, and without the `-l` switch, rsync skips over them.

Hence, we have only been testing in vmcheck the old binaries, not new ones.
Oops.

Closes: #585
Approved by: jlebon
2017-01-19 18:55:15 +00:00
Colin Walters
59f34e8a03 tests: Disable ASAN leak checks
Right now we're far from leak free, and I want to use ASAN
as a sanity checker, not a leak checker.

Closes: #576
Approved by: jlebon
2017-01-18 16:52:46 +00:00
Colin Walters
c6f3c43295 tests: Brutally hack in copying in sanitizer shared libraries
Yes, there are better ways to do this, but there are also
better things to do...

Closes: #576
Approved by: jlebon
2017-01-18 16:52:46 +00:00
Colin Walters
4a511fa011 app: Check for root privileges where required early
Rather than sending a dbus message that gets denied, which
is ugly.

Closes: #565

Closes: #570
Approved by: jlebon
2017-01-13 19:46:24 +00:00
Colin Walters
533ff648a6 vmcheck: Note how many tests were skipped
I was initially confused as to the pattern matching, and this will make things a
bit clearer.

Closes: #560
Approved by: jlebon
2017-01-11 18:39:25 +00:00
Colin Walters
dee0807147 vmcheck: Scrape out the journal on failure
So we can debug things more easily.

Closes: #560
Approved by: jlebon
2017-01-11 18:39:25 +00:00
Colin Walters
d3bf60d373 tests: Add a pkg with rofiles violation that should fail
To ensure we don't accidentally allow mutations.

Closes: #560
Approved by: jlebon
2017-01-11 18:39:25 +00:00
Jonathan Lebon
9f8136e097 vmcheck: add test-layering-non-root-caps.sh
This new test exercises the new support for non-root file paths and
files with capabilities.

Closes: #561
Approved by: cgwalters
2017-01-08 21:05:06 +00:00
Jonathan Lebon
c5fa202378 sync.sh: tweak for container workflow
In the container build + vagrant test workflow, we have to run `make
vmsync` from the env in which autoconf was run, which is the container.

However, when using git worktrees (which is useful in this scenario to
avoid having to overwrite your local builds) and a CentOS build
container, the git inside is too old to understand worktrees, so let's
avoid invoking git in any of the test harness scripts.

Also make sure to restorecon after installing the new rpm-ostreed.

Closes: #555
Approved by: cgwalters
2016-12-21 20:00:43 +00:00
Jonathan Lebon
68acb1d2be compose-tests: add more tests
Add a few more tests to exercise some of the treefile options. We do
need to also expand test-basic.sh itself to sanity-check the structure
of a normal ostree compose. That's up next on the list.

Closes: #548
Approved by: cgwalters
2016-12-09 16:18:11 +00:00
Jonathan Lebon
a21c05ab10 vmcheck: disable default repos to speed it up
Closes: #543
Approved by: cgwalters
2016-12-07 21:47:58 +00:00
Jonathan Lebon
12c4b5b16f vmcheck: adapt for non-vagrant hosts
This is just the final bit required to make sure the vagrant and
non-vagrant paths can work happily together. It's mostly minor fixes,
though the most major change which also affects vagrant is that we now
sync to the root home dir, rather than ~vagrant.

Closes: #524
Approved by: cgwalters
2016-11-22 17:15:20 +00:00
Colin Walters
2f9d586bdc Redo vmcheck to abstract over ssh-config, drop all building
My development environment is now using "pet" docker containers.
I use VMs for testing things that require that (like rpm-ostree).

This patch builds on work from @jlebon in
https://github.com/projectatomic/rpm-ostree/pull/509
to rework `vmcheck` such that it can work on any `ssh-config`.  By
default we expect this to be Vagrant.

However, I go a lot farther and delete the `vmbuild` code that was
trying to do builds in a container on the target VM.  I think this is
still worth pursuing at some point, but for now I think it's
reasonable to assume that the rpm-ostree developer audience uses Linux
as their host workstation and hence has containers.

(There's another important point here in that for developing lower
 level things like rpm-ostree, there's a strong push to make the VM
 disposable and not a pet)

Closes: #516
Approved by: jlebon
2016-11-16 18:14:23 +00:00
Colin Walters
a5379a2520 tests: Test pinned package version
It should work for both layering and treecompose.

Closes: #518
Approved by: jlebon
2016-11-14 21:31:54 +00:00
Jonathan Lebon
accd2b9f6f vmcheck: add a test for RPM scripts
Thought it'd be fun to write a test for verifying proper handling of
scriptlets during package layering. There's obviously a lot more that
could go in here (patches welcome!), but it's a start.

Closes: #434
Approved by: cgwalters
2016-08-17 21:28:01 +00:00
Jonathan Lebon
194c2bf5cd libvm.sh: add vm_setup and vm_rsync
In preparation for being vagrant independent, let's factor out some
things directly into the libvm.

Closes: #394
Approved by: cgwalters
2016-07-15 19:14:19 +00:00
Jonathan Lebon
8942268ecb test.sh: write test result to log for easier grepping
Closes: #394
Approved by: cgwalters
2016-07-15 19:14:19 +00:00
Jonathan Lebon
ab6fe314aa vmcheck/test.sh: support external ssh-config
Closes: #394
Approved by: cgwalters
2016-07-15 19:14:19 +00:00
Jonathan Lebon
2da585023d vmcheck: remove test-basic.sh
This is a useless test for now since we should be able to test on a VM
even if there are updates available.

I initially had it just as an example of the vmcheck test harness,
without actually thinking too much into what it was testing. But we do
need a nice test-basic.sh that will give rpm-ostree a good general
workout.

Closes: #394
Approved by: cgwalters
2016-07-15 19:14:19 +00:00
Jonathan Lebon
f8907b6d53 vmcheck: add more pkg layering tests
- Rename test-layering.sh to test-layering-basic.sh and make it test
  both pkg-add and pkg-remove.
- Add test-layering-relayer.sh, which verifies that pkgs are properly
  relayered during the creation of new deployments (e.g. upgrades,
  rebases, deploys).
- Add test-layering-rpmdb.sh, which verifies that packages respect the
  rpm requirements before being overlayed.

Closes: #371
Approved by: cgwalters
2016-07-05 15:26:45 +00:00
Jonathan Lebon
ba05972bbb vmcheck/test.sh: make more silent and add some bling
Print out a better summary that sums up the passes, failures, and skips.
Silence the restoring step at the end of the testsuite by only echo'ing
to the log file. Finally, add some colouring because colours are
awesome.

Closes: #371
Approved by: cgwalters
2016-07-05 15:26:45 +00:00
Jonathan Lebon
7697702aaa vmcheck: strengthen test harness
We now make the test harness handle restoring the VM to the original
state. The wonderful thing about ostree here is that it's a perfect
shoo-in for this. We make a 'backup' of the current ref, and just have
to make sure that the VM is back on that ref after running each test.

This will allow us to write tests without worrying as much about
cleaning up in the event of an error.

Closes: #360
Approved by: cgwalters
2016-06-29 19:17:38 +00:00
Jonathan Lebon
d718b820ef Makefile-tests.am: more cleanups and add pkg bar
The new package bar will be used to test conflicting packages.

Closes: #360
Approved by: cgwalters
2016-06-29 19:17:38 +00:00
Jonathan Lebon
65f5678ecb vmcheck: add timeout option for vm_ssh_wait
Closes: #360
Approved by: cgwalters
2016-06-29 19:17:38 +00:00
Jonathan Lebon
812c431856 test-layering.sh: basic package layering test
This is a preliminary package layering test which simply installs the
foo package and verifies that it functions properly. A bunch of
primitives are added to libvm.sh to facilitate this and future tests.

Closes: #344
Approved by: cgwalters
2016-06-23 00:05:09 +00:00
Jonathan Lebon
c0924b8997 vmcheck: add a basic test harness
This is a very simple test harness inspired by the atomic one. It's a
simple bash script that sets up a permanent ssh connection to the host
and runs the test scripts. Also add a "demo" test-basic.sh test to make
sure that it works.

Closes: #344
Approved by: cgwalters
2016-06-23 00:05:09 +00:00
Jonathan Lebon
9587ab6597 vagrant: move helper files to vagrant/
These files are not only for vmcheck, but may be used as well for
setting up for development.

Closes: #344
Approved by: cgwalters
2016-06-23 00:05:09 +00:00
Jonathan Lebon
38c8040879 vmcheck: clean before building and adapt to new json
If the dir that was rsync'ed already contains build artifacts, we don't
want those contaminating our build process.

Closes: #336
Approved by: cgwalters
2016-06-20 19:57:37 +00:00
Jonathan Lebon
816194cd58 Makefile-tests: add toplevel vm* targets
The `make vmshell` target makes it even easier to immediately try out
your changes in a live running Atomic Host. It will automatically
provision the VM, sync your latest changes, build, install in a new
deployment onto which the VM is rebooted, and drop you in the shell.

Closes: #321
Approved by: cgwalters
2016-06-15 13:38:34 +00:00
Jonathan Lebon
be3a677125 vmcheck: create a new deployment instead
In order for vmcheck to be useful for testing, we need the machine to be
in a "clean" state. That is, sitting on a commit, ready for being
manipulated.

This is a small step towards this goal. Instead of overwriting the
files, we use rofiles-fuse to safely install and create a new
deployment.

Closes: #321
Approved by: cgwalters
2016-06-15 13:38:34 +00:00
Colin Walters
a3769a7219 vmcheck: Experiment with the name nxs
I find myself not liking the name rpm-ostree anymore; it's
descriptive, but unfortunately we compete with other projects with
easier and sexier names.

Also, people continually find the ostree and rpm-ostree layering
unclear.  It's *much* easier to say "nxs depends on ostree", even
though textually it's obvious "rpm-ostree depends on ostree".

Anyways, just an experiment for now.

Closes: #307
Approved by: giuseppe
2016-06-08 14:26:08 +00:00
Colin Walters
77eb3e2b5b tests: Introduce "vmcheck"
This is infrastructure that's oriented around Vagrant, we do builds
inside the target VM (actually inside a Docker container), but then
directly `make install DESTDIR=/host/`.

The goal here is to have a convenient workflow for:

  - dev -> hand testing
  - dev -> run destructive tests

Closes: #303
Approved by: jlebon
2016-06-07 18:39:46 +00:00