OSTree was designed from the very beginning of its existence
to support SELinux well instead of being something wedged on.
rpm-ostree builds on that foundation. We don't want to have anything
to do with librpm's SELinux code. And with unified core,
we usually don't, but that `rpm-plugin-selinux` code does get loaded.
Disable it here. The main reason I'm submitting this patch
is to help an effort in coreos-assembler to use a "supermin" virtual
machine: https://github.com/coreos/coreos-assembler/pull/124
Closes: #1647
Approved by: jlebon
I originally was going to add the check here and error out to the user,
but `add-files` is handled all the way near the end of the compose,
which meant that users would have to wait through it all before getting
an error. Though the check is enforced at parsing time now, I think it's
still useful at postprocess time as well as a sanity check.
Closes: #1643
Approved by: cgwalters
While serde gives us type checking, it of course doesn't understand
semantics beyond that. One example is checking the compatibility of
`add-files` entries with the OSTree model. This is something we can do
upfront early on to avoid surprises for users.
Also tweak the docs to reflect this new check.
Related: #1642
Closes: #1643
Approved by: cgwalters
Add a note that only certain paths actually make sense in the
`add-files` directive and link to the OSTree docs. Let's also change the
examples given to more realistic and correct ones.
Closes: #1643
Approved by: cgwalters
I need to do some hunting for a "ffi helper" crate. I kind of
understand why these things aren't in the std library.
Anyways this is easy for now, prep for adding more types.
Closes: #1641
Approved by: jlebon
I was playing with https://crates.io/crates/indicatif
and this is prep for using it.
By using autocleanups here we ensure that the output state
ends even if we encounter an error. We previously had a few
explicit `failed` prints in cases where failure was more common
such as dependency resolution, but that was far from consistent.
Now we will always ensure a newline is printed even if an error
occurs, and we won't have to worry about missing calls to
`_task_done()` in the success case.
The downside of this is that we lose the `done` bit in the success
path...I thought about maybe taking a pointer to the error and
printing `done` or `failed` depending on whether it's non-`NULL`
but eh...the `done` is implied by us going on to the next line.
Also that issue will be fixed with the indicatif work.
Closes: #1640
Approved by: jlebon
Wrap RemovedBasePackages like other package lists in the status
command so it looks prettier.
fixup! app/status: line wrap RemovedBasePackages
fixup! app/status: line wrap RemovedBasePackages
fixup! app/status: line wrap RemovedBasePackages
Resolves: #1613
Closes: #1632
Approved by: jlebon
Add a `selinux` verb to treespec, and bind it from treefile. If
set, use it in the core to load an initial policy before import,
if we didn't already set a policy.
In practice right now this is only used from the compose path
since the SysrootUpgrader uses the policy from the merge deployment.
Unset the policy if rojig mode is enabled.
Now, non-SELinux use cases are required to set `selinux: false`
in the treespec. For `ex container` I just set it in our example
specs. Probably that should forcibly disable it in the
treespec but eh, it's experimental.
The other case I can think of is client-side layering; before
we would create a policy using the target root, but it
wasn't a *hard* requirement, i.e. we didn't error out if
`policy_get_name() == NULL`. Let's preserve that semantic by
hooking off of whether `_new_system()` was used.
Prep for sharing code with `compose rojig`.
Closes: #1630
Approved by: jlebon
This way when debugging if I want to preserve the state so I can
go there and rerun command under gdb for example, all I need
to do is set `env TEST_SKIP_CLEANUP=1` rather than also needing
to find a separate dir and also set `env RPMOSTREE_PRESERVE_TMPDIR=1`.
Closes: #1630
Approved by: jlebon
On the plus side, when submitting a patch to GitHub, no one knows
how long it took you to figure out...
Anyways so this reduces redundancy. I double-checked the list.
I was inspired to pick this back up after seeing a Rust code
snippet somewhere noting that macros defined inside a function
can capture variables, which simplifies this even more.
Closes: #1631
Approved by: jlebon
I swear I tested the previous PR here but it looks like they
did a new build recently whose release ends in `el7_5` which no
longer matches.
Since the Fedora spec doesn't have any scripts, let's go back
to using the gperf list.
Closes: #1623
Approved by: jlebon
In preparation for https://github.com/ostreedev/ostree/pull/1740, just
hard enable this path unit for now since centrally-maintained distro
presets still need to be updated.
Closes: #1617
Approved by: cgwalters
Make this function operate like all of the others, on the pair of
(treefile_rs, treefile). That way the "parsing" is co-located
with usage.
Prep for `compose rojig`.
Closes: #1618
Approved by: jlebon
Rename the function dealing with this, document it a bit,
and move all of the logic related to this inside there.
Prep for sharing more with `compose rojig`.
Closes: #1618
Approved by: jlebon
Supporting ancient systemd is painful, though given that it may end up
in RHCOS at least, it seems worth the effort.
Basically, the big changes here are:
- avoid using `_SYSTEMD_UNIT` since it might be missing in some entries
- also grep for the el7 version of the systemd msg when a service fails
- use `_TRANSPORT=stdout` for the error msg in case of ordering issues
Closes: #1601
Approved by: cgwalters
The `--frozen` stuff ends up being annoying when switching
branches. What we're really trying to protect against here
is the `sudo make install` problem, so let's test for that
more directly by verifying the uids.
(The previous code was also totally broken as it used `$` where
`$$` should have been in multiple places)
Closes: #1601
Approved by: cgwalters
Try to tease out a bit more info from the journal by looking at the
systemd message when the service transitions to the dead state or even
looking at the OSTree output itself.
Example outputs:
```
[root@f28-ros ~]# rpm-ostree status
State: idle
Warning: failed to finalize previous deployment
error: opendir(ostree/deploy/fedora-atomic/deploy/887c95887a3047a60372016a0d84536530755b60df3cca33c819f7606e220adf.0): No such file or directory
check `journalctl -b -1 -u ostree-finalize-staged.service`
AutomaticUpdates: disabled
...
```
```
[root@f28-ros ~]# rpm-ostree status
State: idle
Warning: failed to finalize previous deployment
ostree-finalize-staged.service: Failed with result 'timeout'.
check `journalctl -b -1 -u ostree-finalize-staged.service`
AutomaticUpdates: disabled
...
```
Closes: #1601
Approved by: cgwalters
Nuke systemd source files for the same reasons as libcurl (see #1554).
Also noticed that libz-sys was doing this, though it's not new to this
patch.
For reference, see: https://github.com/projectatomic/rpm-ostree/pull/1554
Closes: #1601
Approved by: cgwalters
Sample output:
```
$ rpm-ostree status
State: idle
Warning: failed to finalize previous deployment
check `journalctl -b -1 -u ostree-finalize-staged.service`
AutomaticUpdates: disabled
...
```
(Though open to tweaking it).
I also played with directly invoking `journalctl` for the user, but that
can get really spammy with e.g. `os-prober` output and such.
I wrote this in Rust using journal API wrappers because I also plan to
implement the `history` command in Rust and will also enhance that new
`journal` module there for that.
Requires: https://github.com/ostreedev/ostree/pull/1750
Requires: https://github.com/jmesmon/rust-systemd/pull/54
(Though I've pointed the manifest at my branch for now for CI).
Closes: #1567
Closes: #1601
Approved by: cgwalters
This is a bit of a selfish request, though I also really like
`ci/build.sh` for hacking in a throwaway environment. This patch allows
one to rerun `ci/build.sh` without erroring out on `testuser` already
existing.
Closes: #1621
Approved by: cgwalters
Move specific package mentions from the `.papr.yml` file to
`ci/installdeps.sh`. I find the latter script super useful for
bootstrapping a pet container for rpm-ostree development and this helps
with that.
Closes: #1621
Approved by: cgwalters
This is so obvious now, it's painful. We should fall back to the empty
string `""`, not `\0` which is of course semantically equivalent to
`NULL`. I think in practice we've never hit a `SIGSEGV` because librpm
itself has the same `?: ""` logic as well.
Closes: #1620
Approved by: cgwalters
At some point perhaps we'll define a sane format that unifies
treefile/treespec. This is not that day, but let's extract
the code that converts the two into a clean helper. Then the
compose context holds onto the treespec, and e.g. things like the
ref just point to its data.
Prep for sharing this code with rojig.
Closes: #1616
Approved by: jlebon
This bit moved to glibc-all-langpacks.posttrans at some point
in Fedora. The code is the same, use the same override. There
isn't a Fedora glibc-common.post.
So far we didn't really try `--unified-core` with RHEL7 content,
this fixes the last of the problems for me.
Closes: #1612
Approved by: jlebon
This gets me close to doing a build with `--unified-core`, but
now I'm tripping over a weird issue with the locale archive. I think
it's related to the lua override.
Closes: #1612
Approved by: jlebon
I missed this use before in the passwd code which was also parsing
the "filename" parameter. Teach this to use the fd that was opened
Rust side too.
It's really tempting to try oxidizing this whole file but...baby steps.
Closes: #1610
Approved by: jlebon
This is prep for running inside (unprivileged) Kube containers
as they exist today: https://github.com/projectatomic/rpm-ostree/issues/1329
Sadly FUSE today uses a suid binary that ends up wanting CAP_SYS_ADMIN.
I think there's some work on FUSE-in-containers but I'm not sure of
the current status.
What rofiles-fuse is doing here is protecting the hardlinked
repo imports. But if `--cachedir` isn't specified, that repository
gets thrown away anyways. So there's no real value to using FUSE
here.
Also since nothing is cached, disable the devino cache.
We also make use of --force-copy-zerosized that just landed
in libostree: https://github.com/ostreedev/ostree/pull/1752
Down the line ideally we gain the capability to detect if either
unprivileged overlayfs/FUSE are available. Then if `--cachedir`
is specified we can make things work.
Closes: #1591
Approved by: jlebon
This is basically overriding what happens with `bare-user` mode
OSTree repositories. I put a lot of thought into avoiding creating
suid files with that mode.
But today this creates a situation where if we don't have a devino
cache, the file will lose its suid bits.
In the end, since we're using the "inaccessible directory" pattern
anyways for rpm-ostree on the host, we don't need to really worry
about transient suid binaries. And similarly when we're run inside
an existing container, that's also fine.
Closes: #1591
Approved by: jlebon
Add a check to make sure we stay within the minimum version required to
build with DTS, which is updated frequently, but may still lag behind in
comparison to Fedora stable.
Closes: #1606
Approved by: cgwalters
PR: https://github.com/projectatomic/rpm-ostree/pull/1562
AKA commit: a7bbf5bc142d9dac5b1bfb86d0466944d38baa24
introduced two regressions. First one for `compose tree`. The intention is
the default there is to *always* immediately check for updated
rpm-md - a bit like `yum clean expire-cache`. However due
to bugs in the stack we end up downloading it again anyways, but
that's not the topic here.
When we made that change we basically stopped using `DnfContext`'s
`cache_age`, which is what `compose tree` was setting.
Introduce a new explicit API to do what we want for `compose tree`.
Secondly, we were mistakenly always caching on the client
side.
This also fixes an issue that `--cache-only` didn't work, it basically
just made `compose tree` use the default `metadata_expire`. Now we
really don't expire it.
Closes: #1587
Approved by: jlebon
This way the fds are always known to be at the start. For e.g.
`add-files` we need to both checksum them and then copy them
later.
Closes: #1600
Approved by: jlebon