Commit Graph

9 Commits

Author SHA1 Message Date
Jonathan Lebon
fc49fb0089 treefile: Add new add-commit-metadata key
Add support for a new `add-commit-metadata` key in the treefile so that
we can directly specify commit metadata we want to inject from there.

This will be useful in Fedora CoreOS, where we'll have separate
treefiles for each streams, each with stream-specific metadata values
required.

Closes: #1865
Approved by: cgwalters
2019-07-09 20:28:18 +00:00
Jonathan Lebon
c035c2b574 compose: Add --no-parent option
There are cases where we do want all the things that specifying a ref
provides (e.g. change detection, version incrementing, SELinux labeling
optimizations, and of course writing the ref) but we *don't* want the
new commit to have a parent. Add a new `--no-parent` option to
accommodate this.

This will be used by coreos-assembler. See discussions at
https://github.com/coreos/coreos-assembler/issues/159.

Closes: #1829
Approved by: cgwalters
2019-05-09 02:10:27 +00:00
Jonathan Lebon
544d79fd3f compose: Fix EBADF in unified core mode without cachedir
If no cache dir is given in the workdir, we would alias the cache dir fd
to the workdir fd. But of course, this meant that we'd try to close the
same fd twice when freeing the compose context. Instead, let's just copy
the fd as is also done in the non-unified path.

Closes: #1697

Closes: #1698
Approved by: lucab
2018-12-06 13:44:19 +00:00
Colin Walters
50b255a8a9 Move varsubst code into Rust, use it in treefile parsing
External tools often want to parse the ref; for example coreos-assembler
currently does so.  Let's ensure `${basearch}` is expanded with
`--print-only` so they can parse that JSON to get the expanded version
reliably.

Implementation note: this is the first Rust code which exposes a
"GLib-like" C API, notably with GHashTable, so we're making more use
of the glib-rs bindings.

Closes: #1653

Closes: #1655
Approved by: jlebon
2018-11-02 20:36:28 +00:00
Colin Walters
5b8b37658f compose: Make --print-only happen earlier and be quiet
Don't print the version or other warnings; ensure we output clean JSON.

Prep for fixing https://github.com/coreos/fedora-coreos-config/pull/24
(This helps, but we still need to expand `${basearch}`)

Closes: #1648
Approved by: jlebon
2018-10-30 15:04:21 +00:00
Colin Walters
b3f6f25637 core,scripts: When no cachedir+unified-core, disable rofiles-fuse
This is prep for running inside (unprivileged) Kube containers
as they exist today: https://github.com/projectatomic/rpm-ostree/issues/1329

Sadly FUSE today uses a suid binary that ends up wanting CAP_SYS_ADMIN.
I think there's some work on FUSE-in-containers but I'm not sure of
the current status.

What rofiles-fuse here is doing here is protecting is the hardlinked
repo imports.  But if `--cachedir` isn't specified, that repository
gets thrown away anyways.  So there's no real value to using FUSE
here.

Also since nothing is cached, disable the devino cache.

We also make use of --force-copy-zerosized that just landed
in libostree: https://github.com/ostreedev/ostree/pull/1752

Down the line ideally we gain the capability to detect if either
unprivileged overlayfs/FUSE are available.  Then if `--cachedir`
is specified we can make things work.

Closes: #1591
Approved by: jlebon
2018-10-12 19:03:26 +00:00
Colin Walters
b9e3bfd7b3 importer: Don't generate var-tmpfiles.d for rpm itself
This caused `/var/lib/rpm` to be a directory in my Fedora CoreOS
builds.

Closes: #1532
Approved by: sinnykumari
2018-09-07 15:10:10 +00:00
Colin Walters
3c0da8864b compose: Do relabel before downloading in --ex-unified-core
We removed this in review, but I rediscovered why I added it.  We
fail the `g_assert (sepolicy_matches)` if we already had packages
done with the final label when we go to reuse the cache.

(Basically, if we use the cache multiple times it's hard to avoid
 relabeling all the time which is unfortunate...gets back a bit to
 a way to annotate pkgcache commits as supporting multiple policies)

Closes: #1109
Approved by: jlebon
2017-11-20 15:35:21 +00:00
Colin Walters
6bf4206223 compose: Add --ex-unified-core
The "--ex" prefix here means it's an experimental option. A tremendous change
here is that start to support non-uid 0, but there are various things to fix there;
the unpacker for example needs to learn to set imported objects fully based
on the rpmfi information (i.e. default to uid 0, since libarchive gives the
current uid by default).

And even when run as uid 0, there are some bugs, though I'm not sure
of any showstoppers yet.  For example, dracut's `dracut-install` calls
`cp --preserve=xattrs` which fails to copy the `user.ostreemeta` xattrs
from a checkout (it shouldn't be copying that anyways...)

Nevertheless, the infrastructure behind this really helps (is almost a hard
requirement for) the [jigdo effort](https://github.com/projectatomic/rpm-ostree/issues/1081).
Which is really only true due to SELinux - we need to import the packages,
then generate the final tree to get the final policy, then use that policy
to relabel all of the packages.

Closes: #940
Approved by: jlebon
2017-11-17 18:59:34 +00:00