ostree/tests/test-composefs.sh

#!/bin/bash
#
# SPDX-License-Identifier: LGPL-2.0+
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <https://www.gnu.org/licenses/>.

set -euo pipefail

. $(dirname $0)/libtest.sh

skip_without_ostree_feature composefs
skip_without_user_xattrs

setup_test_repository "bare-user"

cd ${test_tmpdir}
$OSTREE checkout test2 test2-co
rm test2-co/whiteouts -rf  # This may or may not exist
COMMIT_ARGS="--owner-uid=0 --owner-gid=0 --no-xattrs --canonical-permissions"
$OSTREE commit ${COMMIT_ARGS} -b test-composefs-without-meta test2-co
$OSTREE commit ${COMMIT_ARGS} -b test-composefs --generate-composefs-metadata test2-co
# If the test fails we'll dump this out
$OSTREE ls -RCX test-composefs /
orig_composefs_digest=$($OSTREE show --print-hex --print-metadata-key ostree.composefs.digest.v0 test-composefs)
$OSTREE commit ${COMMIT_ARGS} -b test-composefs2 --generate-composefs-metadata test2-co
new_composefs_digest=$($OSTREE show --print-hex --print-metadata-key ostree.composefs.digest.v0 test-composefs2)
assert_streq "${orig_composefs_digest}" "${new_composefs_digest}"
assert_streq "${new_composefs_digest}" "be956966c70970ea23b1a8043bca58cfb0d011d490a35a7817b36d04c0210954"
rm test2-co -rf
tap_ok "composefs metadata"

$OSTREE checkout --composefs test-composefs test2-co.cfs
digest=$(sha256sum < test2-co.cfs | cut -f 1 -d ' ')
# This file should be reproducible bit for bit across environments; per above
# we're operating on predictable data (fixed uid, gid, timestamps, xattrs, permissions).
assert_streq "${digest}" "031fab2c7f390b752a820146dc89f6880e5739cba7490f64024e0c7d11aad7c9"
# Verify it with composefs tooling
composefs-info dump test2-co.cfs > dump.txt
# Verify we have a verity digest
assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - ebaa23af194a798df610e5fe2bd10725c9c4a3a56a6b62d4d0ee551d4fc4be27'
rm -vf dump.txt test2-co.cfs
tap_ok "checkout composefs"

$OSTREE checkout --composefs-noverity test-composefs-without-meta test2-co-noverity.cfs
digest=$(sha256sum < test2-co-noverity.cfs | cut -f 1 -d ' ')
# Should be reproducible per above
assert_streq "${digest}" "78f873a76ccfea3ad7c86312ba0e06f8e0bca54ab4912b23871b31caafe59c24"
# Verify it with composefs tooling
composefs-info dump test2-co-noverity.cfs > dump.txt
# No verity digest here
assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
tap_ok "checkout composefs noverity"

# Test with a corrupted composefs digest
$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
    '--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
    fatal "checked out composefs with mismatched digest"
fi
assert_file_has_content_literal err.txt "doesn't match expected digest"
tap_ok "checkout composefs bad digest"

tap_end
lib: Rework composefs metadata, drop custom signatures We will be switching to handling signature verification of the target ostree commit. 2023-06-16 22:35:50 +03:00			`#!/bin/bash`
			`#`
			`# SPDX-License-Identifier: LGPL-2.0+`
			`#`
			`# This library is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU Lesser General Public`
			`# License as published by the Free Software Foundation; either`
			`# version 2 of the License, or (at your option) any later version.`
			`#`
			`# This library is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`# Lesser General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU Lesser General Public`
			`# License along with this library. If not, see <https://www.gnu.org/licenses/>.`

			`set -euo pipefail`

test-composefs: Sync flow with other tests I am not sure why this is failing on older Debian systems, but I'm wildly guessing that something being done in `libtest.sh` is setting up automake in a way that we need. This is done in other tests. Or maybe it's the missing `$CMD_PREFIX`? Let's see... 2023-06-27 13:59:51 +03:00			`. $(dirname $0)/libtest.sh`

tests: Use skip_without_ostree_feature to detect libarchive, composefs This avoids false negatives from `ostree --version \| grep -q ...` exiting with failure under `set -o pipefail` because `grep -q` can exit as soon as it sees the desired string, leaving `ostree --version` to be terminated by `SIGPIPE` next time it writes to stdout. Signed-off-by: Simon McVittie <smcv@collabora.com> 2024-02-19 19:07:13 +03:00			`skip_without_ostree_feature composefs`
tests: Skip composefs test if /var/tmp does not support user xattrs Otherwise, this test fails on Debian 12 (Linux 6.1) kernels if /var/tmp is a tmpfs. Some autobuilders put the entire build chroot on a tmpfs, to speed up builds. Signed-off-by: Simon McVittie <smcv@debian.org> 2024-01-24 16:55:12 +03:00			`skip_without_user_xattrs`
lib: Rework composefs metadata, drop custom signatures We will be switching to handling signature verification of the target ostree commit. 2023-06-16 22:35:50 +03:00
			`setup_test_repository "bare-user"`

			`cd ${test_tmpdir}`
			`$OSTREE checkout test2 test2-co`
tests: Fix composefs test - Was using the wrong metadata key - We were missing setting the canonical commit args which assigns e.g. owner uid 0, which is important for reproducibility - Use the new --print-hex to make things easier to read 2023-07-06 20:31:18 +03:00			`rm test2-co/whiteouts -rf # This may or may not exist`
			`COMMIT_ARGS="--owner-uid=0 --owner-gid=0 --no-xattrs --canonical-permissions"`
deploy: Don't recompute verity checksums if not enabled This fixes a truly horrific performance bug when composefs is enabled, but fsverity is not supported by the filesystem. We'd fall back to doing userspace checksumming of all files at deployment time which was absolutely not expected or required. There's really an immense amount of technical debt here, such as the confusion between `ex-integity.composefs` vs the prepare-root config, how we handle "torn" states where some objects don't have verity enabled but some do, etc. The ostree composefs state has two modes: - signed: We need to enforce fsverity - unsigned: Best effort resilience So we fix this by making the deploy path to make verity "opportunistic" - if the ioctl gives us the data, then we add it to the composefs. However, this code path is also invoked when we're computing the expected composefs digest to inject as commit metadata, and that API must work regardless of whether the target repo has fsverity enabled as it may operate on a build server. One lucky thing in all of this: When I went to add the "checkout composefs" API I added a stub `GVariant` for options extensibility, which we now use. Signed-off-by: Colin Walters <walters@verbum.org> 2024-10-27 17:20:29 +03:00			`$OSTREE commit ${COMMIT_ARGS} -b test-composefs-without-meta test2-co`
lib: Rework composefs metadata, drop custom signatures We will be switching to handling signature verification of the target ostree commit. 2023-06-16 22:35:50 +03:00			`$OSTREE commit ${COMMIT_ARGS} -b test-composefs --generate-composefs-metadata test2-co`
tests: Fix composefs test - Was using the wrong metadata key - We were missing setting the canonical commit args which assigns e.g. owner uid 0, which is important for reproducibility - Use the new --print-hex to make things easier to read 2023-07-06 20:31:18 +03:00			`# If the test fails we'll dump this out`
			`$OSTREE ls -RCX test-composefs /`
			`orig_composefs_digest=$($OSTREE show --print-hex --print-metadata-key ostree.composefs.digest.v0 test-composefs)`
lib: Rework composefs metadata, drop custom signatures We will be switching to handling signature verification of the target ostree commit. 2023-06-16 22:35:50 +03:00			`$OSTREE commit ${COMMIT_ARGS} -b test-composefs2 --generate-composefs-metadata test2-co`
tests: Fix composefs test - Was using the wrong metadata key - We were missing setting the canonical commit args which assigns e.g. owner uid 0, which is important for reproducibility - Use the new --print-hex to make things easier to read 2023-07-06 20:31:18 +03:00			`new_composefs_digest=$($OSTREE show --print-hex --print-metadata-key ostree.composefs.digest.v0 test-composefs2)`
lib: Rework composefs metadata, drop custom signatures We will be switching to handling signature verification of the target ostree commit. 2023-06-16 22:35:50 +03:00			`assert_streq "${orig_composefs_digest}" "${new_composefs_digest}"`
When exporting, use hardlinks for duplicated files For ostree_repo_export_tree_to_archive(), and 'ostree export', when the exported tree contains multiple files with the same checksum, write an archive with hard links. Without this, importing a tree, then exporting it again breaks hardlinks. As an example of savings: this reduces the (compressed) size of the Fedora Flatpak Runtime image from 1345MiB to 712MiB. Resolves: #2925 2023-09-29 19:09:04 +03:00			`assert_streq "${new_composefs_digest}" "be956966c70970ea23b1a8043bca58cfb0d011d490a35a7817b36d04c0210954"`
deploy: Don't recompute verity checksums if not enabled This fixes a truly horrific performance bug when composefs is enabled, but fsverity is not supported by the filesystem. We'd fall back to doing userspace checksumming of all files at deployment time which was absolutely not expected or required. There's really an immense amount of technical debt here, such as the confusion between `ex-integity.composefs` vs the prepare-root config, how we handle "torn" states where some objects don't have verity enabled but some do, etc. The ostree composefs state has two modes: - signed: We need to enforce fsverity - unsigned: Best effort resilience So we fix this by making the deploy path to make verity "opportunistic" - if the ioctl gives us the data, then we add it to the composefs. However, this code path is also invoked when we're computing the expected composefs digest to inject as commit metadata, and that API must work regardless of whether the target repo has fsverity enabled as it may operate on a build server. One lucky thing in all of this: When I went to add the "checkout composefs" API I added a stub `GVariant` for options extensibility, which we now use. Signed-off-by: Colin Walters <walters@verbum.org> 2024-10-27 17:20:29 +03:00			`rm test2-co -rf`
lib: Rework composefs metadata, drop custom signatures We will be switching to handling signature verification of the target ostree commit. 2023-06-16 22:35:50 +03:00			`tap_ok "composefs metadata"`

checkout: Add API to directly checkout composefs We were missing the simple, obvious API and CLI to go from ostree commit -> composefs. Internally, we had `ostree_repo_checkout_composefs` with the right "shape" mostly, except it had more code in the deploy path to turn that into a composefs. Add a straightforward public API that does what the deploy code did before, and then the old API becomes an explicitly internal helper with an `_` prefix. Goals: - Lead towards a composefs-oriented future - This makes the composefs logic more testable directly Signed-off-by: Colin Walters <walters@verbum.org> 2024-05-23 01:16:48 +03:00			`$OSTREE checkout --composefs test-composefs test2-co.cfs`
			`digest=$(sha256sum < test2-co.cfs \| cut -f 1 -d ' ')`
			`# This file should be reproducible bit for bit across environments; per above`
			`# we're operating on predictable data (fixed uid, gid, timestamps, xattrs, permissions).`
			`assert_streq "${digest}" "031fab2c7f390b752a820146dc89f6880e5739cba7490f64024e0c7d11aad7c9"`
			`# Verify it with composefs tooling`
deploy: Don't recompute verity checksums if not enabled This fixes a truly horrific performance bug when composefs is enabled, but fsverity is not supported by the filesystem. We'd fall back to doing userspace checksumming of all files at deployment time which was absolutely not expected or required. There's really an immense amount of technical debt here, such as the confusion between `ex-integity.composefs` vs the prepare-root config, how we handle "torn" states where some objects don't have verity enabled but some do, etc. The ostree composefs state has two modes: - signed: We need to enforce fsverity - unsigned: Best effort resilience So we fix this by making the deploy path to make verity "opportunistic" - if the ioctl gives us the data, then we add it to the composefs. However, this code path is also invoked when we're computing the expected composefs digest to inject as commit metadata, and that API must work regardless of whether the target repo has fsverity enabled as it may operate on a build server. One lucky thing in all of this: When I went to add the "checkout composefs" API I added a stub `GVariant` for options extensibility, which we now use. Signed-off-by: Colin Walters <walters@verbum.org> 2024-10-27 17:20:29 +03:00			`composefs-info dump test2-co.cfs > dump.txt`
			`# Verify we have a verity digest`
			`assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - ebaa23af194a798df610e5fe2bd10725c9c4a3a56a6b62d4d0ee551d4fc4be27'`
			`rm -vf dump.txt test2-co.cfs`
checkout: Add API to directly checkout composefs We were missing the simple, obvious API and CLI to go from ostree commit -> composefs. Internally, we had `ostree_repo_checkout_composefs` with the right "shape" mostly, except it had more code in the deploy path to turn that into a composefs. Add a straightforward public API that does what the deploy code did before, and then the old API becomes an explicitly internal helper with an `_` prefix. Goals: - Lead towards a composefs-oriented future - This makes the composefs logic more testable directly Signed-off-by: Colin Walters <walters@verbum.org> 2024-05-23 01:16:48 +03:00			`tap_ok "checkout composefs"`

deploy: Don't recompute verity checksums if not enabled This fixes a truly horrific performance bug when composefs is enabled, but fsverity is not supported by the filesystem. We'd fall back to doing userspace checksumming of all files at deployment time which was absolutely not expected or required. There's really an immense amount of technical debt here, such as the confusion between `ex-integity.composefs` vs the prepare-root config, how we handle "torn" states where some objects don't have verity enabled but some do, etc. The ostree composefs state has two modes: - signed: We need to enforce fsverity - unsigned: Best effort resilience So we fix this by making the deploy path to make verity "opportunistic" - if the ioctl gives us the data, then we add it to the composefs. However, this code path is also invoked when we're computing the expected composefs digest to inject as commit metadata, and that API must work regardless of whether the target repo has fsverity enabled as it may operate on a build server. One lucky thing in all of this: When I went to add the "checkout composefs" API I added a stub `GVariant` for options extensibility, which we now use. Signed-off-by: Colin Walters <walters@verbum.org> 2024-10-27 17:20:29 +03:00			`$OSTREE checkout --composefs-noverity test-composefs-without-meta test2-co-noverity.cfs`
			`digest=$(sha256sum < test2-co-noverity.cfs \| cut -f 1 -d ' ')`
			`# Should be reproducible per above`
			`assert_streq "${digest}" "78f873a76ccfea3ad7c86312ba0e06f8e0bca54ab4912b23871b31caafe59c24"`
			`# Verify it with composefs tooling`
			`composefs-info dump test2-co-noverity.cfs > dump.txt`
			`# No verity digest here`
			`assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'`
			`tap_ok "checkout composefs noverity"`

checkout: Only verify digest if repo requires fsverity Fixes a regression from the previous commit; in the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either. The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled. Closes: https://github.com/ostreedev/ostree/issues/3330 Signed-off-by: Colin Walters <walters@verbum.org> 2024-10-30 17:07:26 +03:00			`# Test with a corrupted composefs digest`
			`$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \`
			`'--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5`
			`, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'`
			`if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then`
			`fatal "checked out composefs with mismatched digest"`
			`fi`
			`assert_file_has_content_literal err.txt "doesn't match expected digest"`
			`tap_ok "checkout composefs bad digest"`

lib: Rework composefs metadata, drop custom signatures We will be switching to handling signature verification of the target ostree commit. 2023-06-16 22:35:50 +03:00			`tap_end`