Go to file
Jonathan Lebon bdf3cda8db Print CVEs fixed in available updates
One question I often have when looking at the output of `status -a`:

```
AvailableUpdate:
        Version: 29.20181202.0 (2018-12-02T08:37:50Z)
         Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3
   GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
  SecAdvisories: FEDORA-2018-042156f164  Unknown    net-snmp-libs-1:5.8-3.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-core-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-modules-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-modules-extra-4.19.5-300.fc29.x86_64
                 FEDORA-2018-f467c36c2b  Moderate   git-core-2.19.2-1.fc29.x86_64
           Diff: 67 upgraded, 1 removed, 16 added
```

is "How serious and relevant are these advisories to me? How soon should
I reboot?". For the packages that I'm most familiar with, e.g. `kernel`
and `git-core`, I usually look up the advisory and check why it was
marked as a security update, mentioned CVEs, and how those affect me.

The updateinfo metadata includes a wealth of information that could be
useful here. In Fedora, CVEs treated by the security response team
result in RHBZs, which end up attached to the advisories and thus make
it into that metadata.

This patch tries to reduce friction in answering some of those questions
above by checking for those CVEs and printing a short description in the
output of `status -a`. Example:

```
AvailableUpdate:
        Version: 29.20181202.0 (2018-12-02T08:37:50Z)
         Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3
   GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
  SecAdvisories: FEDORA-2018-042156f164  Unknown    net-snmp-libs-1:5.8-3.fc29.x86_64
                   CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all]
                   https://bugzilla.redhat.com/show_bug.cgi?id=1637573
                 FEDORA-2018-87ba0312c2  Moderate   kernel-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-core-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-modules-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-modules-extra-4.19.5-300.fc29.x86_64
                   CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes
                   https://bugzilla.redhat.com/show_bug.cgi?id=1649017
                   CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c
                   https://bugzilla.redhat.com/show_bug.cgi?id=1652656
                 FEDORA-2018-f467c36c2b  Moderate   git-core-2.19.2-1.fc29.x86_64
                   CVE-2018-19486 git: Improper handling of PATH allows for commands to executed from current directory
                   https://bugzilla.redhat.com/show_bug.cgi?id=1653143
           Diff: 67 upgraded, 1 removed, 16 added
```

Including the CVE name and RHBZ link also makes it easier to look for
more details if desired.

Closes: #1695
Approved by: rfairley
2018-12-05 18:56:49 +00:00
.github Fix GitHub issue template formatting 2018-03-14 21:54:16 +00:00
api-doc lib: Expose new API around basearch 2017-07-21 16:02:41 +00:00
bindgen Split cbindgen to separate build, support external version 2018-09-25 20:29:21 +00:00
buildutil buildutils: Add libglnx.m4 to .gitignore 2018-04-05 15:26:46 +00:00
ci ci: Verify rustfmt 2018-11-21 21:16:03 +00:00
design Initial renaming pass of "jigdo" to "rojig" 2018-02-26 15:32:50 +00:00
docs docs/treefile: Add info about paths for add-files 2018-10-26 20:48:07 +00:00
experiments-and-demos/skopeo2ostree experiments-and-demos: New subdir with skopeo2ostree Dockerfile 2018-01-11 14:07:17 +00:00
libdnf@7ecb2f5ddc Update libdnf 2018-08-29 02:16:21 +00:00
libglnx@470af8763f Update libglnx 2018-07-17 18:35:38 +00:00
man man: Fix references to automatic timer and service 2018-11-01 15:26:06 +00:00
packaging packaging: Nuke more vendored sources 2018-10-16 17:41:09 +00:00
rust compose: Add a CUtf8Buf copy of rojig_name 2018-11-28 16:53:00 +00:00
scripts core/scripts: Support /var/lib/rpm-state 2018-03-28 18:37:17 +00:00
src Print CVEs fixed in available updates 2018-12-05 18:56:49 +00:00
tests Print CVEs fixed in available updates 2018-12-05 18:56:49 +00:00
vagrant Vagrantfile: specify full path to using_sshfs 2016-12-21 20:00:43 +00:00
.dir-locals.el .dir-locals.el: Global Emacs style settings 2017-01-12 16:09:16 +00:00
.editorconfig tree: add vimrc and editorconfig 2017-10-02 14:36:44 +00:00
.gitmodules .gitmodules: Update URL for libglnx 2018-05-29 14:22:46 +00:00
.papr.yml ci: Go back to centos/7/atomic/smoketested 2018-11-20 18:06:34 +00:00
.vimrc tree: add vimrc and editorconfig 2017-10-02 14:36:44 +00:00
autogen.sh build-sys: Fix use of libglnx configure bits 2017-12-15 16:32:39 +00:00
configure.ac configure.ac: Add "GitHub release" step to release workflow 2018-11-26 22:59:50 +00:00
CONTRIBUTING.md docs: fix ostree and CONTRIBUTING.md links 2016-07-12 15:46:53 +00:00
COPYING COPYING: Update to latest LGPLv2+ 2014-03-10 16:40:16 -04:00
git.mk build: Use git.mk, make git status clean 2016-03-10 14:36:44 -05:00
HACKING.md hacking: make it easier to use a custom tree 2017-09-01 19:58:55 +00:00
LICENSE Add a LICENSE symlink 2016-04-28 13:09:22 +00:00
Makefile-daemon.am Add rpm-ostree-bootstatus.service 2018-12-03 15:38:50 +00:00
Makefile-decls.am packaging: Support vendoring the Rust sources 2018-06-06 15:52:48 +00:00
Makefile-extra.inc ci: Verify rustfmt 2018-11-21 21:16:03 +00:00
Makefile-lib-defines.am lib: Add version macros and version checking function 2017-07-21 20:35:26 +00:00
Makefile-lib.am compose+rust: Parse includes via Rust too 2018-10-04 13:17:47 +00:00
Makefile-libdnf.am build-sys: Propagate verbosity into libdnf 2018-08-27 19:04:10 +00:00
Makefile-libpriv.am build-sys: Mark libpriv symbols as private 2018-03-28 15:18:11 +00:00
Makefile-man.am man: Add rpm-ostreed-automatic page 2018-03-07 22:54:33 +00:00
Makefile-rpm-ostree.am ci: Verify rustfmt 2018-11-21 21:16:03 +00:00
Makefile-tests.am test: add unit test for passwd to sysuser conversion 2018-08-30 17:37:27 +00:00
Makefile.am ci: Verify rustfmt 2018-11-21 21:16:03 +00:00
mkdocs.yml docs: Start using mkdocs 2016-03-09 11:10:58 -05:00
README.md README.md: Fix youtube link 2018-04-14 15:24:54 +00:00
Vagrantfile Vagrantfile: specify full path to using_sshfs 2016-12-21 20:00:43 +00:00

rpm-ostree: A true hybrid image/package system

rpm-ostree combines libostree (an image system), with libdnf (a package system), bringing many of the benefits of both together.

                         +-----------------------------------------+
                         |                                         |
                         |       rpm-ostree (daemon + CLI)         |
                  +------>                                         <---------+
                  |      |     status, upgrade, rollback,          |         |
                  |      |     pkg layering, initramfs --enable    |         |
                  |      |                                         |         |
                  |      +-----------------------------------------+         |
                  |                                                          |
                  |                                                          |
                  |                                                          |
+-----------------|-------------------------+        +-----------------------|-----------------+
|                                           |        |                                         |
|         libostree (image system)          |        |            libdnf (pkg system)          |
|                                           |        |                                         |
|   C API, hardlink fs trees, system repo,  |        |    ties together libsolv (SAT solver)   |
|   commits, atomic bootloader swap         |        |    with librepo (RPM repo downloads)    |
|                                           |        |                                         |
+-------------------------------------------+        +-----------------------------------------+

For more information, see the online manual: Read The Docs (rpm-ostree)

Features:

  • Transactional, background image-based (versioned/checksummed) upgrades
  • OS rollback without affecting user data (/usr but not /etc, /var) via libostree
  • Client-side package layering (and overrides)
  • Easily make your own: rpm-ostree compose tree

Projects using rpm-ostree

Project Atomic is an umbrella project for delivering upstream container technologies and combined with a minimized, atomically upgradable host system to Fedora, Red Hat Enterprise Linux, and CentOS.

rpm-ostree is the underlying technology for host updates. The headlining project is "Atomic Host", which is a server variant oriented towards running Linux containers using e.g. Kubernetes. However, there is now also a Workstation variant, showing the full generality of the rpm-ostree model.

Manual

For more information, see the online manual: Read The Docs (rpm-ostree)

Talks and media

A number of Project Atomic talks are available; see for example this post which has a bigger collection that also includes talks on containers.

rpm-ostree specific talks: