IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This allows non-root users access to the rpm-ostree daemon, which is
a pre-requirement for gnome-software rpm-ostree support.
Closes: #745Closes: #825
Approved by: cgwalters
In the error path when trying to remove a base package, we would try to
print a DnfPackage as char*, which of course didn't result in any
coherent output.
Closes: #833
Approved by: cgwalters
We shouldn't just check that the "targeted" dir exists, but rather that
the actual directory where the modules are stored exists. This fixes a
regression on RHEL in which the new selinux-policy-targeted lists some
%ghost files under /var/lib/selinux and as a result think that the
policy is in /var.
Closes: #831
Approved by: cgwalters
This is just a cosmetic patch that ensures we use the same names for the
same things everywhere to make it easier to follow along.
Closes: #829
Approved by: cgwalters
Minor prep for replace overrides.
Let rpmostree_sort_pkgs_strv work on an existing fd list rather than
creating its own, since it may be called multiple times on different
pkgs arrays.
Factor out the logic that calls to sort and inserts the values in the
final modifiers variant dict to prepare for being able to do this
operation multiple times.
Closes: #829
Approved by: cgwalters
Only add information to it re. installing/uninstall/local installs after
we check that the corresponding arrays are not `NULL`.
Closes: #826Closes: #827
Approved by: cgwalters
This is to assuage my pet peeve of bad grammar output. It's of course
English-centric, and would require some tweaking if/when we support
internalionalization systems like gettext. Though I don't think it
makes it more difficult to do so in the future.
Closes: #824
Approved by: cgwalters
Starting from v4.12, rpmteFI has been deprecated in favour of
rpmteFiles. Make use of it if we can, otherwise fall back to the older
API.
Closes: #824
Approved by: cgwalters
This is part of the saga of permissions and checkouts that
came about thinking about flatpak, but suid and world-writable dirs
are also an issue for us.
There's no reason to make suid binaries accessible temporarily
to users while we're computing a new root. Similarly, we don't
want anyone to actually *write* to our temporary `/tmp`. The
simple fix is to make an intermediate dir that's `0700`.
See: https://github.com/ostreedev/ostree/pull/909
See: https://github.com/flatpak/flatpak/pull/843Closes: #821
Approved by: jlebon
This is one more step towards making rpm-ostree more powerful in its
quest to be the ultimate *hybrid* image/package system. Package layering
allows us to add packages on top of the base package set received from
the content provider. However, we're not able to remove or replace
packages in the base set itself.
This patch introduces a new `override` command, which is for now nested
under the experimental `ex` command. The `override` command will allow
users to modify the base package set itself. The first implemented
subcommands are `remove` and `reset`.
A stub has been provided for the more useful `replace` subcommand,
though much of the needed logic for that operation are implemented in
this patch as part of the `remove` subcommand.
Part of: https://github.com/projectatomic/rpm-ostree/issues/485Closes: #797
Approved by: cgwalters
1. There's no point in passing a GCancellable in those cases. All the
manipulations should be short-lived.
2. Rename delete_packages to remove_packages, since "remove" is the
proper antonym of "add".
Closes: #819
Approved by: cgwalters
There's a lot that could be done to improve this; we're not setting a title for
`rollback` etc. But I think in practice right now the "deploy" path (which
includes upgrade/install) etc. is most important.
Re-synthesizing a human readable string here is definitely a bit fragile and
going to be a maintenance pain. One thing I debated is having the client send
its commandline as a string. But that would only work for `/usr/bin/rpm-ostree`,
not e.g. Cockpit.
Anyways for now, this is useful and we can always improve it later.
Closes: https://github.com/projectatomic/rpm-ostree/issues/454Closes: #814
Approved by: jlebon
There's a subtle but classic issue in this code: calling `continue`
really just continued the inner loop, whereas we meant continuing the
outer loop.
Fix this by making the prefix lookup check a proper predicate function.
Place that function somewhere public, because we'll make use of it in
base overrides as well.
Closes: #807
Approved by: cgwalters
At this point, there are many helper functions that really should just
be made upgrader-aware to make it easier to follow. For example, now
both find_missing_pkgs_in_rpmdb() and generate_treespec() are passed the
Upgrader object directly, allowing us to avoid having to thread through
multiple arguments everywhere. Another example is that the Upgrader now
carries the list of final packages that need to be overlaid rather than
passing it around.
We also rename the functions to better reflect what they actually do.
Closes: #804
Approved by: cgwalters
Since we now use a predictable directory for the rootfs checkout and
assembly operation, there's no need for a tmprootfs variable anymore.
Closes: #804
Approved by: cgwalters
It's less cumbersome to check for this in the origin. Factor it out
there so that it's easier to modify it in the future.
Closes: #804
Approved by: cgwalters
In all cases, we always do download_metadata() followed by prepare().
Let's just make life easier for callers by inlining this in prepare(),
much like what libdnf does. The function is still public in case some
use case calls for making them separate.
Closes: #805
Approved by: cgwalters
There's not much use in having RpmOstreeInstall be separate now that
it's completely private. Let's just make it part of the main context
object rather than making callers allocate space for it and pass it to
the various context methods.
We also rename `prepare_install` to `prepare` since it will (soon) do
more than just installs (and sometimes only pure uninstalls).
Closes: #805
Approved by: cgwalters
We had a lot of duplicate code that handled subcommand handling. Though
now that we have proper structs to represent commands and command
invocations, we can easily unify these.
Closes: #803
Approved by: cgwalters
Part of: https://github.com/projectatomic/rpm-ostree/issues/774
Basically, for `rpm-ostree status` to accurately help people
understand whether or not their system is up to date, we need
to be showing repository timestamps.
Ideally, we'd change the libdnf API to support what we're doing
here better. But, this works for now.
Closes: #791
Approved by: jlebon
This is prep for a rework of rpm-md downloads (visualizing state better + prep
for parallelization). libdnf defaults to a week which is just too long
(particularly for async security updates).
See also the linked https://github.com/rpm-software-management/libdnf/issues/291Closes: #791
Approved by: jlebon
And tweak the comment; I'm not blindly adding everything from
e.g. a Fedora compose here, since while in practice we omit them,
the ugliness serves as a reminder to fix the packages.
(For example, pam should use tmpfiles.d snippets for `/var/log/tallylog`,
or %ghost it)
Closes: #795
Approved by: jlebon
We need to add an `__attribute((used))` to the autocleanup variable in order to
pacify its set-but-unused, so make a macro to simplify callers. This is a bit
like systemd's `PRESERVE_ERRNO` cleanup.
Closes: #794
Approved by: jlebon
This way we only have one directory to `rm_rf` at cleanup time.
A next steps might be teaching libdnf to use this. Futher, we could
consider inheriting a tmpdir from the transaction.
Closes: #792
Approved by: jlebon
In various places we thread down the tmpdir dfd. But since its lifecycle is
bound to the context, we might as well pass the context itself. This just ends
up being cleaner, and is also prep for changing how we do the tmpdir.
Closes: #792
Approved by: jlebon
Allows us to convert the metadata download func to new code style, and is
generally in line with our cleanup-focused philosophy on code, life,
and the meaning of the universe.
Closes: #789
Approved by: jlebon
Splitting this out before I keep hacking on this file. Pretty
straightforward stuff. There is one legitimate use of the `goto out`
pattern left in which we clean up a tmpdir.
Closes: #788
Approved by: cgwalters
There are a few reasons to do this. First, systemd changed to refuse mounts on
symlinks, and hence if one *wants* "/tmp-on-tmpfs", one would need to write a
different `sysroot-tmp.mount` unit.
Second, the original rationale for having this symlink was that if you had
multiple ostree stateroots ("osnames"), it's nicer if they had the same `/tmp`
to avoid duplication. But in practice today that's already an issue due to
`/var/tmp`, and further the multiple-stateroot case is pretty unusual. And that
case is *further* broken by SELinux (if one wanted to have e.g. an Ubuntu and
Fedora) stateroots. So let's fully decouple this and make `/tmp` a plain
old directory by default, so systemd's `tmp.mount` can become useful.
Now, things get interesting for the case where someone wants a physical `/tmp`
that *does* persist across reboots. Right now, if one just did a `systemctl mask
tmp.mount` as we do in Fedora Atomic Host's cloud images, you'd get a semantic
where `/tmp` stays per-deployment, which is weird. Our recommendation for
that should likely be to set up a bind mount for `/tmp` → `/var/tmp`.
For now, this stays an option to ensure compatibility; if FAH Cloud images
want to stay with "physical /tmp", then we'd have to change the kickstart.
Closes: https://github.com/projectatomic/rpm-ostree/issues/669Closes: #778
Approved by: jlebon
This was a kind of last-minute bug introduced when I tweaked the
checkout to use `.` to avoid a `mkdir()` for files. But there were
multiple bugs with that; for files that are in subdirectories of `/etc`
we obviously need to get the right subdir and not use `/etc`.
Second, we need to handle the case where we're adding new subdirectories.
This change fixes `rpm-ostree install firewalld + rpm-ostree ex livefs`.
Closes: #783
Approved by: jlebon
This is a valid case when layering local RPMs. Otherwise (e.g. if
specific non-local packages are requested), give the nicer error rather
than letting libdnf throw something less useful.
Closes: #780Closes: #781
Approved by: cgwalters
This is part of: https://github.com/projectatomic/rpm-ostree/issues/774
Basically, it's very useful for debugging since one could get an out-of-date
mirror or the like.
Down the line we may more formally store this data in a permanently-persistent
way, but this is a simple extension of the journaling we do now.
Closes: #775
Approved by: jlebon
There are a few different use cases here. First, for layering new packages,
there's no good reason for us to force a reboot. Second, we want some support
for cherry-picking security updates and allowing admins to restart services. Finally,
at some point we should offer support for entirely replacing the running tree
if that's what the user wants.
Until now we've been very conservative, but there's a spectrum here. In
particular, this patch changes things so we push a rollback before we start
doing anything live. I think in practice, many use cases would be totally fine
with doing most changes live, and falling back to the rollback if something went
wrong.
This initial code drop *only* supports live layering of new packages. However,
a lot of the base infrastructure is laid for future work.
For now, this will be classified as an experimental feature, hence `ex livefs`.
Part of: https://github.com/projectatomic/rpm-ostree/issues/639Closes: #652
Approved by: jlebon
I noticed I had `/tmp/rpmostree-metadata*` directories, and there
were two cases where we created those dirs. Astonishingly,
*both* had bugs that prevented cleaning up.
Rename one of them so in the future it'll be clearer which is buggy (or both).
Closes: #772
Approved by: jlebon
Switch a couple of core functions to the new style in preparation for
some other work there. This doesn't tackle the larger assemble()
function.
Another function which escaped for now is one that uses a tmpdir. Makes
me wonder if we should add a "GlnxTmpDir" type thing which simplifies
the mkdtempat/opendirat pattern and has a shutil_rmrf cleanup.
Closes: #771
Approved by: cgwalters
Now that the unpacker actually tracks what the RPM checksum was at
import time, we can make use of that to determine whether we should
download the newer RPM, even if it has the same NEVRA.
Closes: #769
Approved by: cgwalters
In addition to the header checksum, we also want a checksum of the RPM
file itself. This will allow us to know right away whether an RPM with
the same NEVRA in the repos is actually the same one we already
imported.
Closes: #769
Approved by: cgwalters
The actual number of imported packages is not printed right now on the
terminal. But it's useful information to have, so stick it in the
journal.
Also make both the ENABLED_REPOS and ENABLED_REPOS_SOLVABLES
comma-separated lists. This essentially makes them valid YAML/JSON,
which is a nice property to have for e.g. test/shell interactions.
Closes: #769
Approved by: cgwalters
Before this commit, in the case where we have 3 deployments, the rollback code
would pick the merge/pending deployment. This is understandable since that logic
predates us potentially creating 3 deployments.
For livefs, I want rollback to actually go to the rollback, not the pending.
Add an API to find the pending/rollback, and put it in syscore, since we have
other similar functions to this there. (Perhaps in the future we'll figure out a
way to dedup the deployment walking/filtering logic a bit).
Port the two callers to it.
Closes: #767
Approved by: jlebon
I didn't realize we had this dbus method. It was added in the initial
drop of the DBus API, and AFAICS nothing uses it; it's not exposed
via the cmdline, and a quick `git grep` in Cockpit shows it's
not used there either.
It's tempting to delete it.
However, before we take that step, let's reimplement it in terms of the new,
shiny, more powerful "cleanup" txn.
The particular reason I'm doing this is I want to change how we handle
rollbacks.
Closes: #767
Approved by: jlebon
This is a follow-up to commit 77acf62. There, we added support for
rebasing from a local branch to another local branch. But in testing,
it's also really useful to be able to rebase from a remote-based refspec
to a local branch. We allow this here by slightly expanding the syntax
of allowed refspecs.
Now, we can use rpm-ostree all the time rather than fallback to `ostree
admin deploy`, which isn't pkg-aware.
Closes: #764
Approved by: cgwalters
This was argued on list a while ago: http://lists.rpm.org/pipermail/rpm-ecosystem/2016-August/000391.html
Basically, every use of `%pretrans` is a workaround for some in-place
upgrade problem. But we never do inplace updates, we always assemble
a new tree. Hence, there is no point for us to ever execute these.
Let's stop erroring out on them. If there does turn out to be some problem with
a particular package (e.g. the `openjdk-copy-configs` or whatever), we would
likely end up needing to fix that package's `%post`, not start executing its
`%pretrans`.
Closes: #763
Approved by: jlebon
An updated version of: https://github.com/projectatomic/rpm-ostree/pull/316
using the journal (and structured logging) instead.
I was just curious. And yeah, in some quick testing via deploying an old
FAH `25.67`, there are zero relabels.
We should likely have a test that actually forces a relabel...would require
custom SELinux policy build? Or hm, maybe we could override a file context.
Closes: #760
Approved by: jlebon
When appending the trailing bytes, we were passing (p - s), but p by
definition is always NULL at that point. Chaos ensues.
The really evil part about this is that the len is passed signed and
glib treats negative values to mean it should lookup the length itself,
so this worked *most of the time*. Though I'm guessing if the address at
s is large enough, (p - s) can wrap around and become positive again,
thus causing a massive allocation. Anyway, I didn't actually check this
(esp. since the report was for ARM), but the patch is clearly right.
I think this may be the cause for
https://bugzilla.redhat.com/show_bug.cgi?id=1381357.
Closes: #756
Approved by: cgwalters
I want to use this in livefs, where I'll end up doing some diff
computations on the server and am currently rendering text there.
It might also be a step towards using this in `db diff`.
Closes: #709
Approved by: jlebon
While nothing else besides cleanup right now would call this directly, the code
should live close to the other very similar function:
`rpmostree_syscore_add_deployment()`.
Closes: #709
Approved by: jlebon
This is prep for livefs. We need to tweak the logic from what
core libostree has in `ostree_sysroot_simple_write_deployment()`,
and while we could land improved logic there, I think it makes
sense to carry this here until we're confident enough in the logic
to make it ABI.
This does depend on a [new libostree API](https://github.com/ostreedev/ostree/pull/745)
that allows writing deployments without doing cleanup.
The `bump_mtime()` bit is also prep for livefs, carrying in this patch to avoid
splitting things too much.
Closes: #709
Approved by: jlebon
I was looking at livefs executing scripts, realized I may need to
do some refactoring here, and decided to do some style updates.
Also, we make use of the `g_autoptr()` for ostree types in a few
places.
Closes: #752
Approved by: jlebon
This function wasn't like the others. If an error happened during
directory iteration, we'd still return TRUE, but with an error set.
Noticed while I was going to do some code style porting.
Closes: #752
Approved by: jlebon
I typed `rpm-ostree status` in a container, and today we print:
`error: Could not connect: No such file or directory` which isn't
quite informative enough for me.
Closes: #751
Approved by: jlebon
I honestly didn't really dive into this, but it looks like
this is yet another "hack upgrades in the yum case", which we
should be able to ignore since we always do reassembly.
I at least tested `java -version` works with this.
This is a band-aid for the bigger issue of:
https://github.com/projectatomic/rpm-ostree/issues/749
(Doing this one since an AtomicWS user reported it)
Closes: #750
Approved by: jlebon
`Commit` is useful in cases where one wants to e.g. run `rpm-ostree db diff`.
`StateRoot` however is going to be in the vast majority of cases identical
across deployments.
Closes: #743
Approved by: jlebon
See: https://github.com/ostreedev/ostree/pull/794
I originally tried to do this ~a year ago in:
https://github.com/projectatomic/rpm-ostree/pull/295
But Micah pushed back at the time. I'd still like to do this
though, since I personally find `OSName` *more* confusing
than `StateRoot`.
One specific rationale I have for making this change is that
I rebased a home server from CentOSAH to FAH - and I feel
it's just saner to see `StateRoot: centos-atomic-host` instead
of `OSName: centos-atomic-host` underneath the fedora refspec.
Closes: #743
Approved by: jlebon
This is preparatory for future changes which will make use the newer sysroot
writing API. But in this change, we can drop all of our version ifdef'd code.
Closes: #740
Approved by: jlebon
In #728, we started querying enabled repos using get_n_solvables().
However, there are different kinds of enabled repos, and
`dnf_repo_get_enabled()` reflects that through the bitmask it returns:
- DNF_REPO_ENABLED_NONE: repo disabled
- DNF_REPO_ENABLED_PACKAGES: repo enabled for package installs
- DNF_REPO_ENABLED_METADATA: repo enabled for metadata
We were treating it as a boolean, though really, we should only print
data about repos with ENABLED_PACKAGES on, which are the actual repos
libdnf can fetch packages from. Repos with only ENABLED_METADATA on are
not fetched by default, and thus will cause SIGSEGV when trying to
get_n_solvables().
I ran into this while trying to debug #720 on F25 AH, which has this
repo by default:
[fedora-cisco-openh264]
name=Fedora $releasever openh264 (From Cisco) - $basearch
baseurl=https://codecs.fedoraproject.org/openh264/$releasever/$basearch/
enabled=0
enabled_metadata=1
Closes: #736
Approved by: cgwalters
I'm debugging a depsolve failure right now, and just like for
the treecompose case, it's useful to see the information about
enabled repositories. (We should actually maintain this
better in the daemon, but this is a start)
Closes: #728
Approved by: jlebon
The kver that rpmostree_find_kernel() returned would include the csum
that ostree tacks on. This would then cause dracut to fail to find the
modules for the given kver.
The issue is that rpmostree_find_kernel() can be called for both the
ostree checkout case (pkglayering) and the yumroot case (treecompose).
Rather than using a heuristic to determine whether there is a trailing
csum we should trim, we instead always fetch the kver from the dirname
in /usr/lib/modules, which will work in both cases and is stronger.
This also fixes a few cosmetic issues. Notably the final initramfs and
vmlinuz filenames in /usr/lib/ostree-boot would have *two* chekcsums
tacked on, rather than just one.
Closes: #722
Approved by: cgwalters
Otherwise dracut will just default to the running kernel, which will be
wrong if the pending deployment doesn't have the same kernel. Use --kver
rather than appending to be more explicit.
Closes: #722
Approved by: cgwalters
