Commit Graph

795 Commits

Author SHA1 Message Date
Andrey Sokolov
eb0fb5f1fc Remove libndf 2021-06-08 13:13:41 +03:00
Jonathan Lebon
00cd0878bf
Merge pull request #2854 from cgwalters/remove-peer-activation 2021-05-31 12:27:15 -04:00
Colin Walters
4eb55ea6a6 daemon: Remove even more session bus code
Supporting the session bus was a nice idea but we don't
have any tests for this anymore, and carrying it is
nontrivial overhead.  It used to only kind of work because
ostree ran well as non-root, but rpm-ostreed really requires
root nowadays.
2021-05-29 08:39:40 -04:00
Colin Walters
6d57532814 daemon: Remove support for session bus
We haven't actually tested this in a long time, it's just
cruft now.  Bigger picture we need to make it as ergonomic and
fast as possible to test in VMs.

(I think it likely would be worthwhile at some point having rpm-ostree run in a "stock
podman container" w/o systemd but that's a whole lot of work.)

Prep for some work on socket activation.
2021-05-25 13:22:46 -04:00
Colin Walters
7082822efa tree-wide: Remove (almost) all remaining rojig bits
The only part left that we will need to keep ~forever is
the treefile parsing `rojig:` because it's used by coreos-assembler.
But all we need is to propagate it into the JSON treefile.
2021-05-19 17:28:54 -04:00
Colin Walters
d40434db47 Add support for rpm-ostree deploy --ex-cliwrap=true
This is a better alternative to https://github.com/coreos/fedora-coreos-config/pull/830

Basically rather than trying to send this out to all FCOS users,
it's much saner to allow people to opt-in to it locally.

If we'd finished https://github.com/coreos/rpm-ostree/issues/2326
then this would be something as trivial as:
```
$ echo 'cliwrap: true' > /etc/rpm-ostree.d/cliwrap.yaml
$ rpm-ostree rebuild
```

Unfortunately that's not the world we live in, so a whole lot of
layers here need crossing to just propagate a boolean.  And it
interacts in a tricky way with our change detection code.

But, it works and will allow people to try this out.

Other fixed problems:

- Our `rpm --verify` wrapping was broken
- Dropping privileges clashed with the default directory being `/root`,
  so `chdir(/)` too
2021-05-19 14:42:18 -04:00
Colin Walters
562e03f7c1 Remove large chunks of rojig code
The inevitable followup to https://github.com/coreos/rpm-ostree/pull/2278
that I was too cowardly to do at the time.  But it's time to admit
the 2 months or so of work on this was wasted.  We have too much
tech debt and this is a large chunk of C/C++ code that touches everything
in the codebase in a nontrivial way.

Bigger picture, I'm going to work on
https://github.com/coreos/fedora-coreos-tracker/issues/828
which will strongly orient rpm-ostree towards the container world instead.
We'll still obviously keep the rpm package world around, but only
as a secondary layer.  What rojig was trying to do in putting "images"
inside an RPM was conflating layers.  It would have had a lot of
benefits probably if we'd truly pushed it over the edge into completion,
but that didn't happen.  Let's focus on containers instead.

There's still a lot more rojig code to delete but this first patch removes
the bulk of it.  Touching everything that references e.g. `RPMOSTREE_REFSPEC_TYPE_ROJIG`
etc. can come as a 3rd phase.
2021-05-18 17:31:36 -04:00
Jonathan Lebon
5d79fbf375
Merge pull request #2819 from jlebon/pr/skip-branch-validation
app/deploy: Add --skip-branch-check
2021-05-11 09:18:20 -04:00
Rafael G. Ruiz
6d6ebd324d kargs: Simplify conditional statements
Follow-up for PR #2776
Simplify multiple if statements into one if else statement

Signed-off-by: Rafael G. Ruiz <llerrak@hotmail.com>
2021-05-09 03:38:25 +02:00
Jonathan Lebon
7c1072f965 app/deploy: Add --skip-branch-check
In Fedora CoreOS, updates are driven by Zincati and we thus completely
trust the information it gives us. The branch validation rpm-ostree does
is thus not necessary. It's also harmful in the case where the node is
extremely out of date because it may not be able to GPG verify the
commit at the tip of the branch (because the GPG key isn't yet in the
tree).

See: https://github.com/coreos/fedora-coreos-tracker/issues/749
2021-05-07 17:45:09 -04:00
Jonathan Lebon
57250d11ab
Merge pull request #2813 from kelvinfan001/pr/detect-inactive-driver
app/clientlib: Don't error if updates driver inactive
2021-05-07 17:12:42 -04:00
Kelvin Fan
86cf6ad479 app/clientlib: Don't error if update driver "stopped"
If updates driver is registered but "stopped", ignore driver (i.e.
do not error out during deploy, rebase, upgrade).

We define "stopped" to mean the driver's `ActiveState` is not in
the following states: "active", "activating", "reloading", "failed".
2021-05-07 18:41:45 +00:00
Rafael G. Ruiz
6246b990a9 kargs: Add CLI switch --unchanged-exit-77
The new switch will raise an exit code 77 if kernel args are unchanged

Closes: #1802

Signed-off-by: Rafael G. Ruiz <llerrak@hotmail.com>
2021-05-05 23:19:52 +02:00
Jonathan Lebon
ba7a72995b treefile: Add new repo-packages field for pinning packages to repos
This addresses the server compose side of
https://github.com/coreos/rpm-ostree/issues/2584.

One tricky bit is handling overrides across included treefiles (or
really, even within a single treefile): as usual, higher-level treefiles
should override lower-level ones. Rust makes it pretty nice to handle.

For now this just supports a `repo` field, but one could imagine e.g.
`repos` (which takes an array of repoids instead), or e.g.
`exclude-repos`.

The actual core implementation otherwise is pretty straightforward.

This should help a lot in RHCOS where we currently use many `exclude=`
directives in repo files to get it to do what we want.

This is also kind of a requirement for modularity support because as
soon as rpm-ostree becomes modules-aware, modular filtering logic will
break composes which assume rpm-ostree treats modular and non-modular
packages the same.
2021-04-30 09:13:18 -04:00
Jonathan Lebon
c095b97bf3 libpriv: Bridge print_treepkg_diff_from_sysroot_path()
This will be necessary for Rust-based client commands to be able to do
the regular "post-deployment package diff".
2021-04-29 09:52:02 -04:00
Jonathan Lebon
d465eeac68 rust/main: Pass CLI args to command entrypoints
The only entrypoint so far doesn't use it (`countme`), but a future new
entrypoint will.

Also mention that the commands should add themselves to the array in
libmain.cxx if applicable so it shows up in `--help`.
2021-04-29 09:52:02 -04:00
Colin Walters
793d91d71b compose: Bump timeout for non-unified-core to 10s
The goal is to make this increasingly annoying until consumers port.
2021-04-28 15:32:57 -04:00
Jonathan Lebon
bb079a8f3c
Merge pull request #2713 from Razaloc/kargs1
kargs: add CLI switches --append-if-missing and --delete-if-present
2021-04-23 10:44:35 -04:00
Rafael G. Ruiz
edd13e35cd kargs: add CLI switches --append-if-missing and --delete-if-present
These new switches will allow users/drivers to more easily make idempotent changes to kernel arguments.

Closes: https://github.com/coreos/rpm-ostree/issues/2709

Signed-off-by: Rafael G. Ruiz <llerrak@hotmail.com>
2021-04-22 17:17:49 +02:00
Colin Walters
f2bc1d86ef core: Split off a method to set the treespec
Since in the future we'll operate on a treefile, move the callers
still using treespecs to an explicit API.  This is also clearer
because about half the callers were passing `NULL` for this anyways.
2021-04-19 19:59:06 -04:00
Jonathan Lebon
2ad8543b3e
Merge pull request #2758 from cgwalters/treefile-validate-repos
compose: Move repos/lockfile-repos validation to Rust
2021-04-19 11:43:21 -04:00
Colin Walters
324724da2c core: Remove cancellable/error from context creation APIs
A further cleanup, I noticed these functions never throw an
error, and we weren't consistently checking for one anyways.
2021-04-16 17:21:48 -04:00
Colin Walters
5845e3ab6a compose: Move repos/lockfile-repos validation to Rust
More prep for removing treespec.
2021-04-16 17:05:11 -04:00
Colin Walters
22a32a5757 core: Rename context_new_tree() to context_new_compose()
Makes the intention clearer.
2021-04-16 10:46:58 -04:00
Colin Walters
834328f963 Move ref parsing into core
We went through a lot of gyrations on this one.  It's only
relevant to server side composes, so having the core parse
the treefile for it directly just makes sense.
2021-04-14 18:24:42 -04:00
Colin Walters
53b4fc8c26 Read treefile directly for releasever
More draining of treespec to treefile.
2021-04-14 18:24:42 -04:00
Colin Walters
29b63cf270 compose: Remove unused helper functions
No longer needed.
2021-04-14 18:24:42 -04:00
Colin Walters
c792587645 Read treefile directly for selinux and recommends flags
Part of removing treespec in favor of treefile.
2021-04-14 18:24:42 -04:00
Colin Walters
69a79bc8e6 Read treefile directly for documentation flag
Part of removing treespec in favor of treefile.
2021-04-14 18:24:42 -04:00
Colin Walters
6321916436 compose: Pass treefile directly in rpmostree_context_new_tree()
Since the treefile is a requirement for server side composes,
pass the treefile directly there in the setup function.

Prep for dropping "treespec".
2021-04-14 18:24:42 -04:00
Luca Bruno
de7574f764
Merge pull request #2732 from cgwalters/postprocess-rs-more
Oxidize more of postprocess.cxx
2021-04-09 12:47:35 +00:00
Colin Walters
2407b9850f client: Provide more useful error if we're in a container
Let's make this more obvious - in particular today I ran
a command in the wrong terminal and the error made me pause
for a second.
2021-04-08 18:33:38 +00:00
Colin Walters
66c764fb38 Oxidize more of postprocess.cxx
Figuring out that we can't `fchmod()` on an `O_PATH` descriptor
took me a while =(

As part of that I discovered the `nix` crate grew a `Dir`
abstraction too.  But I think we still probably want to be using
https://docs.rs/cap-std/0.13.7/cap_std/fs/index.html
2021-04-08 16:33:47 +00:00
Colin Walters
46728cfd99 postprocess: Move more code into Rust
Previously we carefully ported functionality bit by bit here.
Now take the last step and move it all into Rust.

A reason I didn't do this in one go before is around the
incredibly twisted handling of the `/etc` vs `/usr/etc`.

I think longer term we should aim to basically have all
of our code keep it as `/etc` up until the very end.  For
now we just do a rename dance around some of the add/remove
files code.
2021-04-07 11:32:40 +00:00
Colin Walters
86f9612395 composeutil: Clarify which dev failed to create 2021-04-07 11:32:08 +00:00
Jonathan Lebon
4624c3bdf8 app/db: Add db diff --advisories
This will be used by at least coreos-assembler to store in `meta.json`
so it's easy to tell new advisories that appeared in a given build.
2021-04-06 17:04:51 -04:00
Jonathan Lebon
136a3ea7e9 app/db: Add db list --advisories
This makes it easy to see the advisories stored in commit metadata.
2021-04-06 17:04:51 -04:00
Jonathan Lebon
427fe683a8 compose: Bake advisory information into commit metadata
There are a lot of use cases for this, notably:
- This allows us to display advisories without fetching updateinfo
  metadata in the pure OSTree case.
- It allows pipelines to fetch and display this information to
  sanity-check builds.
- It makes it much easier to fix the "intermediate CVEs" issue described
  in https://github.com/coreos/rpm-ostree/issues/1696#issuecomment-443861107.

This patch just adds the advisory information to the commit metadata.
There's follow-up work to make the client-side of rpm-ostree use this
data.

Also, remove the newly added metadata from the output of `rpm-ostree
status --json` for the same reason we remove the rpmdb. A follow-up
patch will teach `rpm-ostree db list/diff` to output advisories.

Closes: #1696
2021-04-06 17:04:51 -04:00
Jonathan Lebon
b7a27e2328 app/clientlib: Support printing advisories without padding 2021-04-05 13:31:25 -04:00
Jonathan Lebon
4185178be7 app/clientlib: Make function for printing advisories public
We'll use this in a future patch.
2021-04-05 13:31:25 -04:00
Jonathan Lebon
6df0efb0c6 libpriv/util: Add g_variant_byteswap helpers
Will use these in a future patch.
2021-04-05 13:31:25 -04:00
Jonathan Lebon
be4fe77ebb
Merge pull request #2692 from cgwalters/bwrap-rs 2021-03-29 12:42:18 -04:00
Colin Walters
a07e331eb1 compose: Fix leak of Rust treefile object
I did at one point look at converting this stuff into a C++
object but that led in to a whole rathole around a C++ `GObject<>`
smart pointer like glibmm has.  But that would take over the code
and it's better to just port to Rust.
2021-03-29 14:51:47 +00:00
Colin Walters
fa81456cbf Rewrite bwrap code in Rust
I tried to do this incrementally but it snowballed.
2021-03-29 14:45:35 +00:00
Alexander Wellbrock
a1197d8d93 Fix ambiguous compose postprocess man entry
The resulting man-page entry was
'compose postprocess [OPTION…] postprocess ROOTFS [TREEFILE]'
2021-03-25 08:32:10 -04:00
Colin Walters
7ec7e3eb28 clientlib: Strip GDBus remote error before throwing exception
In general our error handling philosophy is "errors are strings".
Previously (before C++) we were relying on calling this API
to strip out the GDBus remote error message.

In the recent refactoring of clientlib to expose the txn APIs
to Rust via C++, we implicitly lost that because the C++
wrapper API throws an exception.

Add a copy of the remote error stripping here.  Eventually
it will likely make sense for it to *only* be here instead
of also in `main.cxx`, but one thing at a time.
2021-03-22 19:30:49 +00:00
Luca BRUNO
42d86d6895 libpriv/passwd: move pre-commit validation hooks to Rust
This moves the users/groups validation logic to Rust, taking care of
all the treefile check-passwd/check-groups knobs.
As all the passwd-handling logic has been ported to Rust, it also
drops the stale C source/headers/imports.
2021-03-22 09:02:01 -04:00
Luca Bruno
35c31205a6
Merge pull request #2664 from cgwalters/postprocess-rs-more
Various postprocess oxidation patches
2021-03-16 08:47:11 +00:00
Luca BRUNO
efb50f5cc1 passwd: minor cleanups
This contains a couple of minor code cleanups, left over from previous
reviews.
2021-03-15 15:32:44 -04:00
Colin Walters
3e856cb3be postprocess: Move treefile externals sanitycheck to Rust
This code really makes sense as a method on the treefile.

And when that's done, we no longer need to expose
`get_postprocess_script()` via cxx, so we can return a nicely
Rust native `Option<&mut File>`.
2021-03-15 13:18:57 +00:00