Commit Graph

45 Commits

Author SHA1 Message Date
Matthew Barnes
31cd8297e7 Merge pull request #77 from mbarnes/pull-progress
Use ostree_repo_pull_default_console_progress_changed()
2014-12-18 23:02:26 -05:00
Matthew Barnes
7b36814441 Use ostree_repo_pull_default_console_progress_changed()
Remove redundant function _rpmostree_pull_progress().

Bumped ostree requirement to 2014.13, but this isn't quite right because
we actually need (unreleased) 2014.14.  Post-release version bumps would
be useful here.
2014-12-18 21:37:22 -05:00
James Antill
855ab9ad01 compose: Add check-passwd/group JSON options, fails compose if uids/gids change
Verify uid/gid on files, directories and symlinks
Just output a msg when user/group is removed with no files

json-parsing: Add functions for strictly dealing with ints
passwd/json: Add simple scripts to convert passwd/group files to json data

docs: Check-passwd/groups and ignore-remove-users/groups JSON config. entries
2014-12-18 16:59:33 -05:00
Matthew Barnes
b8c26805d3 Split up rpmostree-builtin-db.c
As a followup to renaming the "rpm" command to "db", split the "db"
subcommands into separate source files in the style of "ostree admin"
and "rpm-ostree compose".

Also create rpmostree-rpm-util.[ch] as a place for common rpm-related
functions needed by the "db" subcommands.

No intentional functional changes here, just a bunch of copy-n-paste
and minor cleanup.
2014-12-01 20:03:12 -05:00
Matthew Barnes
8336e504e1 Rename "rpm" command to "db"
Eliminates some confusion between "rpm-ostree rpm" (or "atomic rpm")
commands versus actual "rpm" commands.

The "rpm" subcommand is retained as a hidden alias for the "db"
subcommand for backward-compatibility.  It is not listed in --help
output.

Fixes #22
2014-12-01 20:03:11 -05:00
Colin Walters
901917ff85 compose: Introduce a little 'libcontainer', use it for the post script
The current motivation for this is that

https://github.com/fedora-infra/fedmsg-atomic-composer

started using mock --new-chroot (which uses systemd-nspawn) to run
rpm-ostree, which in turn uses systemd-nspawn to run the post script.
Now systemd-nspawn is not really nestable (it wants to link up
journald, resolv.conf handling, etc).

First, dropping nspawn and going to raw containers fixes the nesting
problem.

Second, we don't need all the features of systemd-nspawn.  We are ok
with log messages going to stdout, and we don't use networking, so no
resolv.conf is needed.

Third, this sets a bit of a stage for more sandboxing internally when
run on real systems.  I already have a prototype branch which runs
librepo as an unprivileged user, that could be combined with this for
even stronger security.

Why not use systemd?  Well...I'm still debating that.  But the core
problem is systemd isn't a library in the C sense - to use its
sandboxing features we have to use unit files.  It's harder to have a
daemon that looks like a single service from a management perspective,
but uses sandboxing internally.
2014-11-21 13:16:49 -05:00
Colin Walters
cb5681a4f4 Delete rpmqa-sorted-and-clean
This is no longer needed now that we use hawkey for this.
2014-11-17 17:46:40 -05:00
Colin Walters
421fb94ab2 compose: Split out JSON helpers into separate file
In preparation for using some of them in the postprocessing code too.

Yeah, parsing JSON in C sucks =( Oh well.
2014-11-13 15:08:16 -05:00
Colin Walters
571fa8ddec Centralize cleanup function definitions
We might as well do what systemd does and have a big header which
defines all of them, to more conveniently share them for libraries
that don't include them (like hawkey/librepo, as well as things that
libgsystem doesn't yet cover).
2014-11-11 18:40:58 -05:00
Colin Walters
4c405bf62f compose: Protect the system during treecompose using container APIs
I was looking again at using hawkey/librepo, and realized just how
much I'd have to fight all of these libraries to avoid affecting
the running system.

What we really want to do with librepo/hawkey is run them effectively
unprivileged, and to hide the system's RPM database from them.  This
is a baby step towards that, by confining our existing yum.

- /usr, /etc, and /var/lib/rpm are mounted read-only
- yum is now run under CLONE_NEWPID, to avoid stray %post scripts
  affecting system processes
2014-11-10 12:13:44 -05:00
Colin Walters
4ecce5884d treecompose: Replace shell callout for package caching with builtin C
This is taking us closer to deeper integration in the treecompose side
with RPM instead of forking out to things.

It works except...we end up with the dreaded __db.001, .dbenv.lock
files =/ Best option would be to teach RPM how to open a database
really read-only.  Failing that, could use the immutable bit?
2014-11-03 16:42:16 -05:00
Colin Walters
0f16e2e252 Add --disable-compose-tooling build option
Some downstreams want the ability to separate the compose tooling from
the client, for e.g. support reasons.

This approach supports generating a tarball without the source for the
compose command, and requires specifying a config option to disable
it.
2014-09-16 21:45:30 -04:00
Anne LoVerso
00162a2eea upgrade: Download only /usr/share/rpm in check-diff
This improves on the check-diff option by only downloading the
/usr/share/rpm directory to do a package diff.  This prevents downloading
the whole deployment and the necessity to do a cleanup later.
2014-08-22 15:57:27 -04:00
James Antill
b7dbabe065 Add "rpm" command, for doing rpm/yum queries on commits.
It currently has the following sub-commands:

diff COMMIT COMMIT
 for rpmtree diff.
list [prefix...] COMMIT...
 for "yum list" like command.
version COMMIT...
 for "yum version" like command.

...bunch of FIXME's, UI output isn't great, needs docs.
 We also don't use the same code as the treediff on upgrade atm.
2014-07-11 02:01:41 -04:00
Anne LoVerso
489b2e301f status: New builtin for system administrators to see deployments
This allows administrators to configure between deployments and easily see which deployment
they are booted into as well as indicating which is chronologically most recent.  This makes
the process more user-friendly, rather than requiring the user to remember which deployment
checksum corresponds to the most recent upgrade.
2014-06-17 14:47:01 -04:00
Colin Walters
1613435f7d tree compose: Delete .dbenv.lock and __db.* files from /usr/share/rpm
Currently on an Atomic compose, I'm seeing abrtd trying to write to
/usr/share/rpm/.dbenv.lock, which is denied by policy because it's
usr_t.  There are multiple ways to address this, but there's no good
reason to leave the lock files and __db* files around.

rpm appears to operate correctly without them if calling process
merely gets EROFS.
2014-06-06 16:28:19 -04:00
Colin Walters
c8c54d5095 Delete repoquery-sorted script
This was used previously by the caching infrastructure, but is no
longer used.
2014-06-06 14:57:54 -04:00
Colin Walters
976c68542b Add a "rebase" builtin
This is exactly the code from "ostree admin switch", except it's
called "rebase" because in the future it will also carry along any
locally layered packages.
2014-05-29 18:00:11 -04:00
Colin Walters
7f7259ada0 build: Use ln -sf to help "sudo make install"
This way we don't error when installing over an existing install.
2014-05-26 15:41:58 -04:00
Colin Walters
7c71fbc077 Add new "compose" builtin, rename "treecompose" -> "compose tree"
And do the same for "sign".  This way we can have the compose server
utilities cleanly separated from what most people will see, which is
the client side tools.
2014-05-26 15:05:08 -04:00
Colin Walters
cc8e5ef97c build: Add --enable-usrbinatomic
The name "rpm-ostree" kind of sucks; see:
https://lists.projectatomic.io/projectatomic-archives/atomic/2014-April/msg00003.html

But we can't make a hard transition easily, so let's add a build-time
option to create an optional link for operating systems which want
this.
2014-05-21 08:21:36 -04:00
Colin Walters
18d0d989ae treecompose: Add initial caching
The way this works is still fairly naive in that we hash in two
inputs:

1) The treefile JSON
2) The result of rpm -qa

If both of those are a hit, we reuse the existing commit.
2014-05-16 04:29:17 -04:00
Colin Walters
18b2121c91 Remove internal postprocessing support
It was too hacky.  If we do this it should be a higher level language
like what Lorax has.
2014-05-14 13:59:40 -04:00
Colin Walters
0a88e292f2 Put hawkey stuff behind --enable-patched-hawkey-and-libsolv
Right now we depend on two patches.
2014-03-28 22:04:53 -04:00
Colin Walters
50bd970791 Print treepkgdiff on rollback too
Move it to an internal API.
2014-03-28 21:55:37 -04:00
Colin Walters
441313f9ef core: Add "rollback" builtin
This is a convenient command to go back to the previous tree.
2014-03-28 20:27:35 -04:00
Colin Walters
57f8bfb63f upgrade: Print out a summary of the package delta
This requires us to link to hawkey.
2014-03-28 17:34:08 -04:00
Colin Walters
c2b242f200 Add upgrade builtin
This is just the start of moving more functionality into rpm-ostree,
with the goal of more tightly binding the rpm and ostree worldviews.

For example, supporting package installation on top, showing the
package-level diff between trees, etc.
2014-03-24 18:11:21 -04:00
Colin Walters
1319e1616d Rename create -> treecompose
It's just a better name.  Also matches what we already did for the
autobuilder.
2014-03-22 15:20:23 -04:00
Colin Walters
05d348528e core: Move rpm-ostree-sign to "rpm-ostree sign"
2014-03-22 15:12:31 -04:00
Colin Walters
af49603d6f core: Use generic "builtin" infrastructure for command handling
I want to have more options than just "create".
2014-03-22 15:05:41 -04:00
Colin Walters
e989331788 core: Add rpm-ostree-sign
This uses rpm-sign which talks to a remote server for signing.
2014-03-14 22:18:17 -04:00
Colin Walters
7f3fa0d60b Add "composeui/"
The web page previously bounced out to the "fedora-atomic" component -
but we really want a bit of web UI that's shared between products.
Like how Koji is a generic frontend.

In particular, this now comes with a start of a generic "repoweb".
2014-03-05 13:16:22 -05:00
Colin Walters
5fc914c34c build: Update for move of relabeling helper to autobuilder code
2014-02-26 09:41:41 -05:00
Colin Walters
39a7c458ef Major update to SELinux handling
We use the new unified OSTree API (OstreeSePolicy) to perform
labeling, rather than having our own here.

Also create a new rpm-ostree-relabeling-helper that is run to label
any leftover files such as /etc/fstab that we create offline, and also
to relabel the entire disk.
2014-02-20 07:59:09 -05:00
Colin Walters
38b995b94e Use the now external libgsystem
https://git.gnome.org/browse/libgsystem/commit/?id=9363cfc28ede912e2f06d4ccb42a646bb8a4bd2e
2014-02-07 17:29:40 -05:00
Colin Walters
8543a6108d Support SELinux
This commit labels all of the files on the server side, if a policy is
installed.
2014-01-31 10:13:18 -05:00
Colin Walters
f07f054efb Add postprocessing infrastructure
We remove the root password from all images.  The core/docker tree
also gets docs and some kernel drivers removed.
2014-01-29 18:12:50 -05:00
Colin Walters
b4a04884e7 build: Remove now-unused build rules
2014-01-29 16:52:29 -05:00
Colin Walters
802cace05f Unify rpm-ostree into one binary
And start making an internal library.
2014-01-29 14:37:44 -05:00
Colin Walters
f8444e6638 Resolve dependencies before building
This allows us to skip the whole install process if the
RPMs haven't changed, which is a rather large win.

Part of this commit involves some code to attempt to talk to "yum
shell" for dependency resolution, in an attempt to avoid depsolving
twice, which just isn't really going to work, since "yum shell" isn't
an API as it turns out.

The only other real alternative is doing something PackageKit-like,
which is ~4000 lines of very nontrivial Python.
2014-01-26 17:07:09 -05:00
Colin Walters
05872052b1 Rewrite core utilities in C
There are two major reasons:
1) I want to do things like process SELinux labels here, and that
   type of thing is best done in C.
2) There are presently 3 languages in this code, and this takes us
   down to just two.
2014-01-25 09:19:18 -05:00
Colin Walters
7333091db4 Split out postprocess+commit to separate script
As this logic is of most interest to potential other consumers; it's
not entangled with yum for example.
2014-01-16 11:43:17 -05:00
Colin Walters
8ecc47ac87 Various fixes to finish import from pkgsys-ostree
2013-12-21 22:15:57 -05:00
Colin Walters
958dfa435e Initial import from pkgsys-ostree
2013-12-21 19:41:30 -05:00