Jonathan Lebon 677c083f24 libpriv: Rebuild policy during postprocessing
It's possible for some postprocessing scripts to affect the final
SELinux policy. This is the case for the new `/etc/default/useradd` edit
we now do (#1726), but it could've been the case beforehand too with
user scripts modifying e.g. booleans (though ideally all these
modifications would be part of RPMs).

Do a final `semodule -nB` during postprocessing so that the final policy
we commit is "up to date". Otherwise, users may only see changes take
effect if they layer packages that trigger a rebuild.

The motivation for this is specifically for `/etc/default/useradd`.
There is magic in `selinux-policy` that parses the file and generates
templated rules from the value of `HOME`.

For more info, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1669982
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14

Closes: #1754
Approved by: cgwalters
2019-02-14 17:24:09 +00:00
.github Fix GitHub issue template formatting 2018-03-14 21:54:16 +00:00
api-doc lib: Expose new API around basearch 2017-07-21 16:02:41 +00:00
bindgen Split cbindgen to separate build, support external version 2018-09-25 20:29:21 +00:00
buildutil buildutils: Add libglnx.m4 to .gitignore 2018-04-05 15:26:46 +00:00
ci ci: Verify rustfmt 2018-11-21 21:16:03 +00:00
design Initial renaming pass of "jigdo" to "rojig" 2018-02-26 15:32:50 +00:00
docs docs/treefile: Add some more details to mutate-os-release 2019-02-01 18:43:29 +00:00
experiments-and-demos/skopeo2ostree experiments-and-demos: New subdir with skopeo2ostree Dockerfile 2018-01-11 14:07:17 +00:00
libdnf@7ecb2f5ddc Update libdnf 2018-08-29 02:16:21 +00:00
libglnx@470af8763f Update libglnx 2018-07-17 18:35:38 +00:00
man man: Fix references to automatic timer and service 2018-11-01 15:26:06 +00:00
packaging packaging: Don't include checksums for libtool.m4 and configure 2019-01-15 19:20:36 +00:00
rust treefile: Fix octal mode for rojig spec too 2019-02-11 18:21:51 +00:00
scripts core/scripts: Support /var/lib/rpm-state 2018-03-28 18:37:17 +00:00
src libpriv: Rebuild policy during postprocessing 2019-02-14 17:24:09 +00:00
tests libpriv: Rebuild policy during postprocessing 2019-02-14 17:24:09 +00:00
vagrant Vagrantfile: specify full path to using_sshfs 2016-12-21 20:00:43 +00:00
.dir-locals.el .dir-locals.el: Global Emacs style settings 2017-01-12 16:09:16 +00:00
.editorconfig tree: add vimrc and editorconfig 2017-10-02 14:36:44 +00:00
.gitmodules .gitmodules: Update URL for libglnx 2018-05-29 14:22:46 +00:00
.papr.yml ci: Bump minimum Rust version to 1.29.2 2018-12-17 22:06:49 +00:00
.vimrc tree: add vimrc and editorconfig 2017-10-02 14:36:44 +00:00
autogen.sh build-sys: Fix use of libglnx configure bits 2017-12-15 16:32:39 +00:00
configure.ac app/rebase: Support local repo remotes 2019-02-05 18:03:02 +00:00
CONTRIBUTING.md docs: fix ostree and CONTRIBUTING.md links 2016-07-12 15:46:53 +00:00
COPYING COPYING: Update to latest LGPLv2+ 2014-03-10 16:40:16 -04:00
git.mk build: Use git.mk, make git status clean 2016-03-10 14:36:44 -05:00
HACKING.md hacking: make it easier to use a custom tree 2017-09-01 19:58:55 +00:00
LICENSE Add a LICENSE symlink 2016-04-28 13:09:22 +00:00
Makefile-daemon.am Add rpm-ostree-bootstatus.service 2018-12-03 15:38:50 +00:00
Makefile-decls.am packaging: Support vendoring the Rust sources 2018-06-06 15:52:48 +00:00
Makefile-extra.inc ci: Verify rustfmt 2018-11-21 21:16:03 +00:00
Makefile-lib-defines.am lib: Add version macros and version checking function 2017-07-21 20:35:26 +00:00
Makefile-lib.am compose+rust: Parse includes via Rust too 2018-10-04 13:17:47 +00:00
Makefile-libdnf.am build-sys: Propagate verbosity into libdnf 2018-08-27 19:04:10 +00:00
Makefile-libpriv.am build-sys: Mark libpriv symbols as private 2018-03-28 15:18:11 +00:00
Makefile-man.am man: Add rpm-ostreed-automatic page 2018-03-07 22:54:33 +00:00
Makefile-rpm-ostree.am ci: Verify rustfmt 2018-11-21 21:16:03 +00:00
Makefile-tests.am test: add unit test for passwd to sysuser conversion 2018-08-30 17:37:27 +00:00
Makefile.am ci: Verify rustfmt 2018-11-21 21:16:03 +00:00
mkdocs.yml docs: Start using mkdocs 2016-03-09 11:10:58 -05:00
README.md README.md: Fix youtube link 2018-04-14 15:24:54 +00:00
Vagrantfile Vagrantfile: specify full path to using_sshfs 2016-12-21 20:00:43 +00:00

rpm-ostree: A true hybrid image/package system

rpm-ostree combines libostree (an image system) with libdnf (a package system), bringing many of the benefits of both together.

                         +-----------------------------------------+
                         |                                         |
                         |       rpm-ostree (daemon + CLI)         |
                  +------>                                         <---------+
                  |      |     status, upgrade, rollback,          |         |
                  |      |     pkg layering, initramfs --enable    |         |
                  |      |                                         |         |
                  |      +-----------------------------------------+         |
                  |                                                          |
                  |                                                          |
                  |                                                          |
+-----------------|-------------------------+        +-----------------------|-----------------+
|                                           |        |                                         |
|         libostree (image system)          |        |            libdnf (pkg system)          |
|                                           |        |                                         |
|   C API, hardlink fs trees, system repo,  |        |    ties together libsolv (SAT solver)   |
|   commits, atomic bootloader swap         |        |    with librepo (RPM repo downloads)    |
|                                           |        |                                         |
+-------------------------------------------+        +-----------------------------------------+

For more information, see the online manual: Read The Docs (rpm-ostree)

Features:

  • Transactional, background image-based (versioned/checksummed) upgrades
  • OS rollback without affecting user data (/usr but not /etc, /var) via libostree
  • Client-side package layering (and overrides)
  • Easily make your own: rpm-ostree compose tree

Projects using rpm-ostree

Project Atomic is an umbrella project for delivering upstream container technologies, combined with a minimized, atomically upgradable host system, to Fedora, Red Hat Enterprise Linux, and CentOS.

rpm-ostree is the underlying technology for host updates. The headlining project is "Atomic Host", which is a server variant oriented towards running Linux containers using e.g. Kubernetes. However, there is now also a Workstation variant, showing the full generality of the rpm-ostree model.

Manual

For more information, see the online manual: Read The Docs (rpm-ostree)

Talks and media

A number of Project Atomic talks are available; see, for example, this post, which has a bigger collection that also includes talks on containers.

rpm-ostree specific talks: