Commit Graph

97 Commits

Author SHA1 Message Date
Jonathan Lebon
ba7a72995b treefile: Add new repo-packages field for pinning packages to repos
This addresses the server compose side of
https://github.com/coreos/rpm-ostree/issues/2584.

One tricky bit is handling overrides across included treefiles (or
really, even within a single treefile): as usual, higher-level treefiles
should override lowel-level ones. Rust makes it pretty nice to handle.

For now this just supports a `repo` field, but one could imagine e.g.
`repos` (which takes an array of repoids instead), or e.g.
`exclude-repos`.

The actual core implementation otherwise is pretty straightforward.

This should help a lot in RHCOS where we currently use many `exclude=`
directives in repo files to get it to do what we want.

This is also kind of a requirement for modularity support because as
soon as rpm-ostree becomes modules-aware, modular filtering logic will
break composes which assume rpm-ostree treats modular and non-modular
packages the same.
2021-04-30 09:13:18 -04:00
Timothée Ravier
19e40a8708 countme: Force disable Count Me logic in DNF
Make sure that we do not use the internal Count Me logic in DNF in
rpm-ostree as we have our own external implementation that is aware of
the different behavior regarding repo handling.

See also the discussions in:
  - https://github.com/rpm-software-management/libdnf/issues/1174
  - https://github.com/rpm-software-management/libdnf/issues/1068
  - https://github.com/coreos/rpm-ostree/pull/2671

Also remove the corresponding note in the docs which not needed anymore.
2021-04-16 16:01:43 -04:00
Benjamin Gilbert
2388be6dcb docs: fix "Edit this page on GitHub" links 2021-04-09 22:55:16 -04:00
Jonathan Lebon
7b2c2db3c9 docs: Add page about the daemon interface
To help new contributors trying to understand how it all fits together.
2021-03-30 16:09:22 -04:00
Jonathan Lebon
8e22075721 RELEASE: Add step to update libdnf's deps
In the latest release, we should've bumped librepo's requirement. It
doesn't use symbol versioning, so we don't automatically get this. At
release time at least, we should just peek at the spec we're baking in
and pick up from that.

Clearly the updated deps are in the buildroot if CI is green, so this
should mostly be a matter of bumping to versions which are already
shipped in Fedora.

See: https://github.com/rpm-software-management/libdnf/pull/1128
See: https://github.com/coreos/rpm-ostree/pull/2644
See: https://bugzilla.redhat.com/show_bug.cgi?id=1943773
2021-03-29 10:37:13 -04:00
Alexander Wellbrock
dd6beaa67d docs/compose: apply review; unify repo paths
In the sections "Granular.." and "Running rpm..." the usage of repo
paths was inconsistent.
2021-03-24 17:05:58 -04:00
Alexander Wellbrock
892097ee84 docs/compose: add section on the granular approach
This section goes into more detail how compose tree can be split up
using the other available commands.
2021-03-24 17:05:58 -04:00
Alexander Wellbrock
5ed0834144 docs/compose: add a introductory section
This section is meant to give a broad overview of this doc.

First introducing the tool in general. Then showing the distinction
between 'compose tree' and the granular approach. Finally transitioning
over to the next section.
2021-03-24 17:05:58 -04:00
Alexander Wellbrock
bf14072087 docs/compose: move container section to bottom
The container docs are nice to know but not the most important thing.
2021-03-24 17:05:58 -04:00
Timothée Ravier
f186840309 docs: Update instructions to disable countme
Focus on the timer disabling and add a note for the existing libdnf
issue until it is resolved:
https://github.com/rpm-software-management/libdnf/issues/1174
2021-03-22 14:08:23 -04:00
Colin Walters
4a29454ee6 docs: Add apply-live
Continuing the more docs momentum.
2021-03-11 21:32:54 +00:00
Colin Walters
927e02100f docs/architecture-core.md: New file
This is long overdue.  Some of this came up in recent
conversation.  Let's keep up some continual background
momentum on documentation, just like CI.

Co-authored-by: Jonathan Lebon <jonathan@jlebon.com>
2021-02-24 22:01:23 +01:00
Colin Walters
0544d1c92d ci: Drop tests/vmcheck/image.qcow2, use COSA_DIR/.cosa
Now that `cosa build-fast` writes to `.cosa`, teach our
test suite to pick that up by default.  We don't anymore
support non-CoreOS (i.e. non-Ignition) hosts for our test
suite, so making this more CoreOS specific is fine.

Then use the "standard" COSA_DIR as a way to find the target
cosa dir in the e2e CI.
2021-02-23 17:23:26 -05:00
Colin Walters
6cf0f87412 docs/HACKING.md: Various updates
In particular describe the cxx tools trap.
2021-02-23 12:40:27 -05:00
Colin Walters
04839e200f Misc doc tweaks/cleanups
- Link to osbuild blog
- Drop CentOS 7 stuff
- clarify goals a bit
2021-02-12 16:45:46 -05:00
Jonathan Lebon
317b920667 extensions: Add support for development extensions
In RHCOS, we ship kernel development-related packages as an extension.
Those aren't really extensions that are meant to be layered onto the
host.  They're meant to be used in a build environment somewhere to
compile kernel modules.

This makes it very different from "OS extensions" in at least two
drastic ways:
1. we don't want to do any depsolving (e.g. we don't want to pull in
   `gcc` or something)
2. some of those packages may be present in the base already, but we
   still want to redownload them

Hesitated putting this functionality in rpm-ostree, but I think in the
end it cuts from the benefit of moving this code to rpm-ostree if we
can't entirely get rid of the Python script it obsoletes. Plus, being
able to use the `match-base-evr` is still really useful for this use
case.

Let's add a new `kind` key to support this. The traditional extensions
are called "OS extensions" and these new extensions are called
"development extensions".

The latter is not yet part of the state checksum, so change detection
doesn't work there. I think that's fine for now though because the
primary use case is the kernel, and there we want to match the base
version. So if the kernel changes, the base would change too. (Though
there's the corner case of adding a new package to the list while at the
same version...)
2021-02-03 12:22:38 -05:00
Jonathan Lebon
271954a41c app: Add rpm-ostree compose extensions
This adds support for a new `rpm-ostree compose extensions` command`
which takes a treefile, a new extensions YAML file, and an OSTree repo
and ref. It performs a depsolve and downloads the extensions to a
provided output directory.

This is intended to replace cosa's `download-extensions`:
https://github.com/coreos/coreos-assembler/blob/master/src/download-extensions

The input YAML schema matches the one accepted by that script.

Some differences from the script:
- We have a guaranteed depsolve match and thus can avoid silly issues
  we've hit in RHCOS (like downloading the wrong `libprotobuf` for
  `usbguard` -- rhbz#1889694).
- We seamlessly re-use the same repos defined in the treefile, whereas
  the cosa script uses `reposdir=$dir` which doesn't have the same
  semantics (repo enablement is in that case purely based on the
  `enabled` flag in those repos, which may be different than what the
  rpm-ostree compose ran with).
- We perform more sanity-checks against the requested extensions, such
  as whether the extension is already in the base.
- We support no-change detection via a state SHA512 file for better
  integration in cosa and pipelines.
- We support a `match-base-evr` key, which forces the extension to have
  the same EVR as the one from a base package: this is helpful in the
  case of extensions which complement a base package, esp. those which
  may not have strong enough reldeps to enforce matching EVRs by
  depsolve alone (`kernel-headers` is an example of this).
- We don't try to organize the RPMs into separate directories by
  extension because IMO it's not at the right level. Instead, we should
  work towards higher-level metadata to represent extensions (see
  https://github.com/openshift/os/issues/409 which is related to this).

Closes: #2055
2021-01-23 17:12:09 +01:00
Kelvin Fan
9198e50c47 docs/HACKING: Update kola ext test instructions 2021-01-22 21:05:22 +01:00
Jonathan Lebon
ee34a2d57f docs/HACKING: drop reference to make vmcheck HOSTS=...
This is no longer supported.

Keep and rework the bit about `make vmsync`.

Also drop the bit about FAHC and CAHC.
2021-01-21 18:55:22 -05:00
Kelvin Fan
f8efa6808d HACKING: Update vmcheck instructions
Following c7a9c3b1dd,
it is no longer necessary to provision your own VM.
2021-01-21 17:16:47 -05:00
Timothée Ravier
6cfdb1f585 countme: Add DNF Count Me support
Add support for the DNF Count Me feature [1,2,3] as a standalone
rpm-ostree subcommand called weekly via a systemd timer.

[1] https://fedoraproject.org/wiki/Changes/DNF_Better_Counting
[2] https://dnf.readthedocs.io/en/latest/conf_ref.html?highlight=countme#options-for-both-main-and-repo
[3] https://github.com/rpm-software-management/ci-dnf-stack/blob/master/dnf-behave-tests/features/countme.feature
2021-01-13 14:53:50 -05:00
Colin Walters
6c66bf1072 Rename livefs → apply-live in more places
Keep up the renaming momentum by using the new name in more
places.

Prep for further work.
2021-01-12 03:15:49 -05:00
Jonathan Lebon
db775f43ec Default to sqlite rpmdb backend on f34
There won't be any support for writing to the bdb backend in f34, so
e.g. pkglayering won't work (and obviously even composes wouldn't work
once the buildroot moves to f34).

Instead of requiring the whole world to add an `rpmdb` key in their
manifests, let's just add a compile flag for it, and tweak the spec file
to use this flag on f34.
2020-12-21 19:01:48 -05:00
Prajna Sariputra
3412108ad0 docs: Update links to the OSTree documentation
Those got moved to GitHub from readthedocs.io, meaning links pointing
to specific pages return a 404, so this fixes that along with
skipping the redirect for the links that just point to the main page.
2020-11-17 14:14:23 +01:00
Timothée Ravier
d71a50796d docs: Import Release page 2020-10-01 12:01:25 -04:00
Timothée Ravier
9e43141994 docs: Import Hacking page 2020-10-01 12:01:25 -04:00
Timothée Ravier
5e17d6fc24 docs: Move and update Treefile page 2020-10-01 12:01:25 -04:00
Timothée Ravier
7383d074bd docs: Move and update Compose server page 2020-10-01 12:01:25 -04:00
Timothée Ravier
33c893bbd0 docs: Move and update Client administration page 2020-10-01 12:01:25 -04:00
Timothée Ravier
75708f9d77 docs: Move and update Background page 2020-10-01 12:01:25 -04:00
Timothée Ravier
86e41df561 docs: Update Repo Structure page 2020-10-01 12:01:25 -04:00
Timothée Ravier
dff488b8dd docs: Update Contributing page 2020-10-01 12:01:25 -04:00
Timothée Ravier
a3080a42bf docs: Unify and update README and Index page 2020-10-01 12:01:25 -04:00
Timothée Ravier
ad4f0272e3 docs: Add Jekyll and theme config 2020-10-01 12:01:25 -04:00
Colin Walters
456a3ec7c2 compose: Add rpmdb option, default to bdb
The design of https://fedoraproject.org/wiki/Changes/Sqlite_Rpmdb
is problematic for us for multiple reasons.  The first big reason
is that rpm-ostree is designed for "cross" builds and e.g. today
we use a Fedora-derived container to build RHEL CoreOS images.

However the default database lives inside the `rpm` package which
means that if we e.g. upgrade the coreos-assembler container to F33
it will suddenly try to use sqlite for RHCOS which is obviously broken.

Related to this, rebases from f32 to f33 w/layered packages
are broken: https://bugzilla.redhat.com/show_bug.cgi?id=1876194#c3

With this we can configure things to continue to use bdb for f33
for ostree-based systems, so that by enforcing an upgrade order
f32 → f33 [bdb] → f34 [sqlite] ... the intermediate f33 w/bdb
still understands sqlite and hence rebases will work.
2020-09-11 10:06:28 -04:00
Colin Walters
70462a9a05 compose: Add a "warn and sleep" if --unified-core is not provided
Start adding some pain if `--unified-core` isn't provided
to help flush out anyone relying on it.  (And I think today
pungi is not passing it, so e.g. Fedora IoT/Silverblue are impacted)

Prep for merging https://github.com/coreos/rpm-ostree/pull/1793

Co-authored-by: Jonathan Lebon <jonathan@jlebon.com>
2020-05-20 17:17:28 +02:00
Doug Hellmann
d160ed181c docs/background: Fix benefits and drawbacks formatting
The lists of pros and cons for each approach in the background section
of the manual use markdown formatting that is rendered as nested
lists. Separate the lists of benefits and drawbacks so that readers of
https://rpm-ostree.readthedocs.io/en/latest/manual/background/ and the
rendered markdown on github can understand which items are pros and
which are cons.

Signed-off-by: Doug Hellmann <dhellmann@redhat.com>
2020-05-15 12:58:17 -07:00
Colin Walters
1bd69619eb treefile: Add readonly-executables
Same motivation as
7392259332

I think we should encourage removing the writable bits from
executables.  This has happened to me:
https://thomask.sdf.org/blog/2019/11/09/take-care-editing-bash-scripts.html

And not having the writable bit may help prevent hardlink
corruption with OSTree in some cases.

We can't do this by default, but add a convenient treefile option
for it.

This starts out by just doing this for RPMs, but I'll add
a secondary pass which does it during postprocessing soon too.
2020-05-12 08:39:37 -07:00
Colin Walters
860e0f018a s/RPM-OSTree/rpm-ostree/
We are have been pretty inconsistent about this; I think while it's
true the project is called "OSTree", "RPM-OSTree" is just annoying
to type and looks weird.  `rpm-ostree` requires much less
"shift key gymnastics".

Also, the "proper name" style like RPM/OSTree is best when
something can be viewed more "abstractly" - there are multiple
RPM implementations (historically) and OSTree also is a *concept*
in addition to an implementation.

rpm-ostree though is much more of a "concrete" thing so it
makes more sense to use it as a "project name".
2020-05-07 21:55:50 +02:00
Jonathan Lebon
3ec5e2878d manifest: Add lockfile-repos field
In Fedora CoreOS, we have a "coreos-pool" repo from which all packages
in lockfiles are tagged for reproducible builds. This repo is shared
across all streams, including those on f31 and f32.

Thus, it makes no sense for composes to ever pick packages unconstrained
from the pool without being guided by a lockfile. Otherwise, one can
easily end up with e.g. f32 packages in an f31 compose.

Add a new `lockfile-repos` for this which is only used for fetching
lockfile packages and nothing else. For example, this will allow
`cosa fetch --update-lockfile` to Just Work as expected by only fetching
new packages from regular yum repos.
2020-04-19 09:17:17 -04:00
Colin Walters
e41a8ab26f Add support for wrapping binaries (rpm, dracut, grubby)
We need to be friendlier to people who are transitioning from
"traditional" yum managed systems.  This patchset starts to lay
out the groundwork for supporting "intercepting" binaries that
are in the tree.

For backwards compatibility, this feature is disabled by default,
to enable it, one can add `cliwrap: true` to the manifest.

To start with for example, we wrap `/usr/bin/rpm` and cause it
to drop privileges.  This way it can't corrupt anything; we're
not just relying on the read-only bind mount.  For example nothing
will accidentally get written to `/var/lib/rpm`.

Now a tricky thing with this one is we *do* want it to write if
we're in an unlocked state.

There are various other examples of binaries we want to intercept,
among them:

 - `grubby` -> `rpm-ostree kargs`
 - `dracut` -> `rpm-ostree initramfs`
 - `yum` -> well...we'll talk about that later
2020-04-15 16:22:57 +02:00
Colin Walters
5a0d3356ef treefile: Add exclude-packages
In FCOS we have a kola test that basically does `rpm -q python`.
It's...a bit silly to spawn a whole VM for this.  Ensuring that
some specific packages don't get included has come up in a few
cases.

I think FCOS/RHCOS at least will want to blacklist `dnf` for example.
And as noted above, FCOS could blacklist `python`.

One major benefit of doing this inside rpm-ostree is that one
gets the full "libsolv error message experience" when dependency
resolution fails, e.g. blacklisting `glibc` I get:

```
 Problem 79: conflicting requests
  - package coreos-installer-systemd-0.1.2-1.fc31.x86_64 requires coreos-installer = 0.1.2-1.fc31, but none of the providers can be installed
  - package coreos-installer-0.1.2-1.fc31.x86_64 requires rtld(GNU_HASH), but none of the providers can be installed
  - package glibc-2.30-10.fc31.x86_64 is filtered out by exclude filtering
  - package glibc-2.30-7.fc31.x86_64 is filtered out by exclude filtering
  - package glibc-2.30-8.fc31.x86_64 is filtered out by exclude filtering
  - package glibc-2.30-5.fc31.i686 is filtered out by exclude filtering
  - package glibc-2.30-5.fc31.x86_64 is filtered out by exclude filtering
  - package glibc-2.30-10.fc31.i686 is filtered out by exclude filtering
```
2020-02-05 21:02:06 +01:00
Colin Walters
e726d008fc compose: Add an automatic-version-suffix key
This allows replacing the `.` in automatic version increments
with whatever one wants (as long as it's a single ASCII character)
right now.

The specific motivation here is for at least RHEL CoreOS to use
`version-suffix: "-"` so that its versions can become valid
semantic versions.

Related: https://github.com/coreos/rpm-ostree/issues/1954
2019-12-13 17:11:16 +01:00
Colin Walters
80fd2e883b README.md: Add a "why" section, update background.md
Point at FCOS and not Project Atomic.  Add an inline "Why"
section since people will want to know that right away.

(An great thing about Github is the prevalence it gives to `README.md`;
 projects should use that as an "elevator pitch")

Drop outdated bits in `background.md`.

Closes: #1895
Approved by: jlebon
2019-09-04 20:09:13 +00:00
Colin Walters
7db30fec13
treefile: Support arch-include (#1886)
* treefile: Rework test helper

Have each test clearly hold its tempdir; this way we can have a simple
helper function rather than a struct with an unreferenced parameter.

Also use `utils::write_file`.

Prep for further test work.

* treefile: Add a basic test for includes

Prep for adding an arch include test.

* treefile: Support `arch-include`

A long time ago we added architecture-specific package lists
via e.g. `packages-ppc64le`.  Much more recently we added
support for having the `include` key be a list - multiple includes.

By combining these two and supporting architecture-conditional includes,
we've effectively added architecture-conditionals to *all* keys.

Notably we want this for Fedora CoreOS today which is using
`remove-from-packages` on `grub2-tools` which isn't present on
s390x.

* ci: Bump cosa build timeout

Looks like another OpenStack perf regression.
2019-08-21 15:25:08 -04:00
Colin Walters
00bd491fe2 treefile: Support multiple includes
I'm working on having Silverblue inherit from Fedora CoreOS.  But
conceptually it also inherits from (parts of) Workstation.
It is just easier if we support multiple inheritance, then I don't
need to think too hard about how to make it a single inheritance chain.

Closes: #1870
Approved by: jlebon
2019-07-18 22:40:59 +00:00
Jonathan Lebon
fc49fb0089 treefile: Add new add-commit-metadata key
Add support for a new `add-commit-metadata` key in the treefile so that
we can directly specify commit metadata we want to inject from there.

This will be useful in Fedora CoreOS, where we'll have separate
treefiles for each streams, each with stream-specific metadata values
required.

Closes: #1865
Approved by: cgwalters
2019-07-09 20:28:18 +00:00
Colin Walters
5f6578ef3c compose: Add ostree-layers and ostree-override-layers
The use case for `ostree-layers` is to support injecting non-RPM
content in a more flexible way than can be done with `add-files`,
and also without dropping all the way to split composes.

This starts with support on the `compose tree` side but down the
line I'd like to make it more convenient to do *client* side too.

For `ostree-override-layers` this is mainly a development thing
for tools like coreos-assembler.  Rather than building an RPM
we just `make install DESTDIR` then commit and add to
`ostree-override-layers`.

Closes: #1830
Approved by: jlebon
2019-06-07 17:42:32 +00:00
Colin Walters
adff1e98b6 compose: Add boot-location: modules
And this (for now at least) completes the epic journey of the
"where's the kernel"?  With this it's found solely in
`/usr/lib/modules/$kver`.

There are a few reasons to do this; most prominent is that
it avoids duplicating the content as the locations may have
different SELinux labels.

Closes: #1773
Approved by: jlebon
2019-03-08 22:49:40 +00:00
Colin Walters
f37426f1ad compose: Remove support for boot-location: both
I'd like to add a new `boot-location: modules`.  In prep
for that, let's remove the legacy `both` which drops into
`/boot`.

The libostree support for handling `/usr/lib/ostree-boot` has
existed for over 4 years:

```
commit 37a059925f6b96d30190b65bee6bdde0ae1c6915
Commit:     Colin Walters <walters@verbum.org>
CommitDate: Sun Nov 30 23:14:05 2014 -0500

    deploy: Ensure that we can deploy using only /usr/lib/ostree-boot

```

I think we assume now that no one is now making *new* treecomposes and needs
a newer rpm-ostree and that they expect people to be able to use as an
upgrade target from a libostree that predates that.

Closes: #1773
Approved by: jlebon
2019-03-08 22:49:40 +00:00