bdf3cda8db
One question I often have when looking at the output of `status -a`:

```
  AvailableUpdate:
          Version: 29.20181202.0 (2018-12-02T08:37:50Z)
           Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3
     GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
    SecAdvisories: FEDORA-2018-042156f164  Unknown   net-snmp-libs-1:5.8-3.fc29.x86_64
                   FEDORA-2018-87ba0312c2  Moderate  kernel-4.19.5-300.fc29.x86_64
                   FEDORA-2018-87ba0312c2  Moderate  kernel-core-4.19.5-300.fc29.x86_64
                   FEDORA-2018-87ba0312c2  Moderate  kernel-modules-4.19.5-300.fc29.x86_64
                   FEDORA-2018-87ba0312c2  Moderate  kernel-modules-extra-4.19.5-300.fc29.x86_64
                   FEDORA-2018-f467c36c2b  Moderate  git-core-2.19.2-1.fc29.x86_64
             Diff: 67 upgraded, 1 removed, 16 added
```

is "How serious and relevant are these advisories to me? How soon should I reboot?".

For the packages that I'm most familiar with, e.g. `kernel` and `git-core`, I usually look up the advisory and check why it was marked as a security update, mentioned CVEs, and how those affect me.

The updateinfo metadata includes a wealth of information that could be useful here. In Fedora, CVEs treated by the security response team result in RHBZs, which end up attached to the advisories and thus make it into that metadata.

This patch tries to reduce friction in answering some of those questions above by checking for those CVEs and printing a short description in the output of `status -a`.

Example:

```
  AvailableUpdate:
          Version: 29.20181202.0 (2018-12-02T08:37:50Z)
           Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3
     GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
    SecAdvisories: FEDORA-2018-042156f164  Unknown   net-snmp-libs-1:5.8-3.fc29.x86_64
                     CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all]
                       https://bugzilla.redhat.com/show_bug.cgi?id=1637573
                   FEDORA-2018-87ba0312c2  Moderate  kernel-4.19.5-300.fc29.x86_64
                   FEDORA-2018-87ba0312c2  Moderate  kernel-core-4.19.5-300.fc29.x86_64
                   FEDORA-2018-87ba0312c2  Moderate  kernel-modules-4.19.5-300.fc29.x86_64
                   FEDORA-2018-87ba0312c2  Moderate  kernel-modules-extra-4.19.5-300.fc29.x86_64
                     CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes
                       https://bugzilla.redhat.com/show_bug.cgi?id=1649017
                     CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c
                       https://bugzilla.redhat.com/show_bug.cgi?id=1652656
                   FEDORA-2018-f467c36c2b  Moderate  git-core-2.19.2-1.fc29.x86_64
                     CVE-2018-19486 git: Improper handling of PATH allows for commands to executed from current directory
                       https://bugzilla.redhat.com/show_bug.cgi?id=1653143
             Diff: 67 upgraded, 1 removed, 16 added
```

Including the CVE name and RHBZ link also makes it easier to look for more details if desired.

Closes: #1695
Approved by: rfairley
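The correlation the commit message describes, as an added example that is not rpm-ostree's own code: walk an updateinfo document, keep only `type="security"` advisories, pull the CVE identifiers out of the titles of the attached Red Hat Bugzilla references, and render them under each affected package the way the `SecAdvisories` block above does. It assumes the usual Fedora updateinfo.xml layout (`<update>` with `<id>`, an optional `<severity>`, `<references>` and `<pkglist>`); the XML document embedded below is constructed for the demo (it reuses the advisory and bug IDs quoted above, while bug 9999999 and FEDORA-2018-deadbeef00 are placeholders). How the real rpm-ostree code does this may differ.

```python
"""Correlate updateinfo security advisories with the CVEs named in their attached
Red Hat Bugzilla (RHBZ) references, as the commit message describes for status -a.

Added example for this page, not rpm-ostree's own code. Assumes the usual Fedora
updateinfo.xml layout (<update type="security"> with <id>, optional <severity>,
<references>, <pkglist>); the sample document below is constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

# CVE identifiers as the security response team writes them into RHBZ titles.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample (not a real dump): the advisory IDs are the ones quoted in
# the commit message; bug 9999999 and FEDORA-2018-deadbeef00 are placeholders.
UPDATEINFO_XML = """
<updates>
  <update status="stable" type="security" version="2.0">
    <id>FEDORA-2018-f467c36c2b</id>
    <severity>Moderate</severity>
    <references>
      <reference type="bugzilla" id="1653143" href="https://bugzilla.redhat.com/show_bug.cgi?id=1653143"
        title="CVE-2018-19486 git: Improper handling of PATH allows for commands to be executed from current directory [fedora-all]"/>
    </references>
    <pkglist><collection short="F29"><name>Fedora 29</name>
      <package arch="x86_64" name="git-core" release="1.fc29" version="2.19.2" epoch="0"/>
    </collection></pkglist>
  </update>
  <update status="stable" type="security" version="2.0">
    <id>FEDORA-2018-042156f164</id>
    <references>
      <reference type="bugzilla" id="1637573" href="https://bugzilla.redhat.com/show_bug.cgi?id=1637573"
        title="CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all]"/>
      <reference type="bugzilla" id="9999999" href="https://bugzilla.redhat.com/show_bug.cgi?id=9999999"
        title="net-snmp: placeholder bug whose title names no CVE"/>
    </references>
    <pkglist><collection short="F29"><name>Fedora 29</name>
      <package arch="x86_64" name="net-snmp-libs" release="3.fc29" version="5.8" epoch="1"/>
    </collection></pkglist>
  </update>
  <update status="stable" type="bugfix" version="2.0">
    <id>FEDORA-2018-deadbeef00</id>
    <pkglist><collection short="F29"><name>Fedora 29</name>
      <package arch="noarch" name="example" release="1.fc29" version="1.0" epoch="0"/>
    </collection></pkglist>
  </update>
</updates>
"""


def nevra(pkg):
    """Render a <package> element as NAME-[EPOCH:]VERSION-RELEASE.ARCH, as status -a prints it."""
    epoch = pkg.get("epoch") or "0"
    prefix = f"{epoch}:" if epoch != "0" else ""
    return f"{pkg.get('name')}-{prefix}{pkg.get('version')}-{pkg.get('release')}.{pkg.get('arch')}"


def parse_security_advisories(xml_text):
    """Return the security advisories with their packages and CVE-tagged RHBZ references."""
    root = ET.fromstring(xml_text.strip())
    advisories = []
    for upd in root.iterfind("update"):
        if upd.get("type") != "security":
            continue  # bugfix/enhancement updates carry no security advisory
        refs = []
        for ref in upd.iterfind("references/reference"):
            title = ref.get("title") or ""
            cve_ids = CVE_RE.findall(title)
            # Only RHBZ references whose title names a CVE are the tracked CVEs.
            if ref.get("type") == "bugzilla" and cve_ids:
                refs.append({"cves": cve_ids, "title": title, "href": ref.get("href", "")})
        advisories.append({
            "id": upd.findtext("id"),
            # Some Fedora advisories omit <severity>; status -a shows "Unknown" then.
            "severity": upd.findtext("severity") or "Unknown",
            "packages": [nevra(p) for p in upd.iterfind("pkglist/collection/package")],
            "refs": refs,
        })
    return advisories


def render_sec_advisories(advisories):
    """One line per affected package, then the CVE title and RHBZ link under it."""
    lines = []
    for adv in advisories:
        for pkg in adv["packages"]:
            lines.append(f"{adv['id']} {adv['severity']} {pkg}")
        for ref in adv["refs"]:
            lines.append(f"  {ref['title']} {ref['href']}")
        if not adv["refs"]:
            lines.append("  (no CVE-tagged RHBZ attached; read the advisory itself)")
    return lines


def cves_for_package(advisories, pkg_nevra):
    """Sorted, de-duplicated CVE IDs that the advisories attach to one package NEVRA."""
    ids = {c for adv in advisories if pkg_nevra in adv["packages"]
           for ref in adv["refs"] for c in ref["cves"]}
    return sorted(ids)


if __name__ == "__main__":
    advs = parse_security_advisories(UPDATEINFO_XML)
    print("SecAdvisories:")
    for line in render_sec_advisories(advs):
        print("  " + line)
```

Two caveats worth keeping in mind when reading such output: an advisory with no CVE-tagged RHBZ is not thereby harmless (the bug may simply not have been filed with the CVE in its title), and the severity is whatever the distribution set on the advisory, so "Unknown" means unrated, not low.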
rpm-ostree: A true hybrid image/package system
rpm-ostree combines libostree (an image system), with libdnf (a package system), bringing many of the benefits of both together.
```
                         +-----------------------------------------+
                         |                                         |
                         |        rpm-ostree (daemon + CLI)        |
                  +------>                                         <---------+
                  |      |     status, upgrade, rollback,          |         |
                  |      |     pkg layering, initramfs --enable    |         |
                  |      |                                         |         |
                  |      +-----------------------------------------+         |
                  |                                                          |
                  |                                                          |
                  |                                                          |
+-----------------|-------------------------+        +-----------------------|-----------------+
|                                           |        |                                         |
|         libostree (image system)          |        |           libdnf (pkg system)           |
|                                           |        |                                         |
|  C API, hardlink fs trees, system repo,   |        |    ties together libsolv (SAT solver)   |
|  commits, atomic bootloader swap          |        |    with librepo (RPM repo downloads)    |
|                                           |        |                                         |
+-------------------------------------------+        +-----------------------------------------+
```
For more information, see the online manual: Read The Docs (rpm-ostree)
Features:
- Transactional, background image-based (versioned/checksummed) upgrades
- OS rollback without affecting user data (`/usr` but not `/etc`, `/var`) via libostree
- Client-side package layering (and overrides)
- Easily make your own: `rpm-ostree compose tree`
Projects using rpm-ostree
Project Atomic is an umbrella project for delivering upstream container technologies and combined with a minimized, atomically upgradable host system to Fedora, Red Hat Enterprise Linux, and CentOS.
rpm-ostree is the underlying technology for host updates. The headlining project is "Atomic Host", which is a server variant oriented towards running Linux containers using e.g. Kubernetes. However, there is now also a Workstation variant, showing the full generality of the rpm-ostree model.
Manual
For more information, see the online manual: Read The Docs (rpm-ostree)
Talks and media
A number of Project Atomic talks are available; see for example this post which has a bigger collection that also includes talks on containers.
rpm-ostree specific talks:
- devconf.cz 2018: Colin Walters: Hybrid image/package OS updates with rpm-ostree slides
- devconf.cz 2018: Peter Robinson: Using Fedora and OSTree for IoT