keremet/rpm-ostree
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
1,807 Commits 1 Branch 0 Tags 12 MiB
C++ 58.8%
Rust 18.6%
Shell 13.6%
C 6.6%
M4 0.8%
Other 1.6%
90f9fe80e4
Go to file
Colin Walters 90f9fe80e4 scripts: Drop most capabilities 
Note this PR requires [bubblewrap 0.2.0](https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0).

Change our bwrap invocations drop truly dangerous capabilities like
`cap_sys_admin` and `cap_sys_module` just like Docker does today. Because of the
popularity of Docker, we can be pretty sure that most RPM scripts should have
adapted to this (although a problematic area here is that traditional librpm
doesn't actually error out if scripts fail).

There are two reasons to do this:

 - We want "offline" updates by default; updates shouldn't affect the
   running system.  If we prepare the new root in the background, a
   %post shouldn't restart a service for example.  We already "handle"
   this by making `systemctl` a symlink to `/bin/true`, but this approach
   also shuts off `%post`s that do e.g. `insmod`.
 - Protection against accidental system damage

Closes: #1099
Approved by: jlebon
2017-12-05 02:54:23 +00:00
.github Add issue template, move PR template to .github 2017-03-10 16:31:27 +00:00
api-doc lib: Expose new API around basearch 2017-07-21 16:02:41 +00:00
buildutil tap-test: create tmpdir in /var/tmp 2017-06-29 16:16:54 +00:00
ci scripts: Drop most capabilities 2017-12-05 02:54:23 +00:00
design Introduce experimental "rpm-ostree jigdo" 2017-12-04 14:24:53 +00:00
docs compose: Accept NULL treefile for "use defaults" postprocessing 2017-10-23 20:35:41 +00:00
libdnf@022365553a libdnf: bump for metadata_expire fix 2017-08-22 19:49:55 +00:00
libglnx@e627524af9 Update libglnx 2017-10-16 13:22:30 +00:00
man Lift 'override' out of experimental 2017-11-08 03:35:08 +00:00
packaging Add polkit support 2017-06-19 21:19:42 +00:00
scripts bwrap: Don't use --unshare-net in nspawn by default 2017-03-10 17:27:56 +00:00
src scripts: Drop most capabilities 2017-12-05 02:54:23 +00:00
tests scripts: Drop most capabilities 2017-12-05 02:54:23 +00:00
vagrant Vagrantfile: specify full path to using_sshfs 2016-12-21 20:00:43 +00:00
.dir-locals.el .dir-locals.el: Global Emacs style settings 2017-01-12 16:09:16 +00:00
.editorconfig tree: add vimrc and editorconfig 2017-10-02 14:36:44 +00:00
.gitmodules submodules: Use new repo for libdnf 2017-02-06 19:13:19 +00:00
.papr.yml scripts: Drop most capabilities 2017-12-05 02:54:23 +00:00
.vimrc tree: add vimrc and editorconfig 2017-10-02 14:36:44 +00:00
autogen.sh autogen.sh: tweak program checking logic 2015-09-11 10:24:44 -04:00
configure.ac Release 2017.11 2017-12-04 21:20:28 +00:00
CONTRIBUTING.md docs: fix ostree and CONTRIBUTING.md links 2016-07-12 15:46:53 +00:00
COPYING
git.mk build: Use git.mk, make git status clean 2016-03-10 14:36:44 -05:00
HACKING.md hacking: make it easier to use a custom tree 2017-09-01 19:58:55 +00:00
LICENSE Add a LICENSE symlink 2016-04-28 13:09:22 +00:00
Makefile-daemon.am daemon: Install dbus introspection files 2017-06-23 19:15:42 +00:00
Makefile-decls.am build: Always recurse build into libdnf/ 2017-04-13 16:10:14 +00:00
Makefile-lib-defines.am lib: Add version macros and version checking function 2017-07-21 20:35:26 +00:00
Makefile-lib.am lib: Expose new API around basearch 2017-07-21 16:02:41 +00:00
Makefile-libdnf.am build: Always recurse build into libdnf/ 2017-04-13 16:10:14 +00:00
Makefile-libpriv.am Introduce experimental "rpm-ostree jigdo" 2017-12-04 14:24:53 +00:00
Makefile-man.am build: Use git.mk, make git status clean 2016-03-10 14:36:44 -05:00
Makefile-rpm-ostree.am Introduce experimental "rpm-ostree jigdo" 2017-12-04 14:24:53 +00:00
Makefile-tests.am tests: Correctly error out if some part of install.sh fails 2017-11-29 14:42:25 +00:00
Makefile.am build: allow git describe versioning in worktrees 2017-11-13 13:48:58 +00:00
mkdocs.yml docs: Start using mkdocs 2016-03-09 11:10:58 -05:00
README.md README.md: libhif is now called libdnf 2017-02-16 15:40:20 +00:00
TODO upgrader: Prune pkgcache repo 2016-08-30 19:53:24 +00:00
Vagrantfile Vagrantfile: specify full path to using_sshfs 2016-12-21 20:00:43 +00:00

README.md

rpm-ostree Overview

rpm-ostree is a hybrid image/package system. It uses OSTree as a base image format, and supports RPM on both the client and server side using libdnf.

For more information, see the online manual: Read The Docs (rpm-ostree)

Features:

  • Atomic upgrades and rollback for host system updates
  • A server side tool to consume RPMs and commit them to an OSTree repository
  • A system daemon to consume OSTree commits as updates

Projects using rpm-ostree

Project Atomic uses rpm-ostree to provide a minimal host for Docker formatted Linux containers. Replicating a base immutable OS, then using Docker for applications.

Manual

For more information, see the online manual: Read The Docs (rpm-ostree)