shaba/ostree
1
0
Fork 0
mirror of https://github.com/ostreedev/ostree.git synced 2025-01-25 10:04:14 +03:00
Code Issues Projects Releases Wiki Activity

Merge pull request #3104 from cgwalters/s390x-target

Browse Source 
bootloader/zipl: Run in target deployment as container if needed
This commit is contained in:
Colin Walters 2023-12-01 16:21:34 -05:00 committed by GitHub
commit 15d0777bb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 55 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
src/libostree/ostree-bootloader-zipl.c
View File

@ -434,10 +434,19 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader, int bootver
if (getuid () != 0) if (getuid () != 0)
return TRUE; return TRUE;
/* Note that unlike the grub2-mkconfig backend, we make no attempt to // If we're in a booted deployment, we don't need to spawn a container.
* chroot(). // Also avoid containerizing if there's no deployments to target, which shouldn't
*/ // generally happen.
g_assert (self->sysroot->booted_deployment); OstreeDeployment *target_deployment;
if (self->sysroot->booted_deployment || self->sysroot->deployments->len == 0)
{
target_deployment = NULL;
}
else
{
g_assert_cmpint (self->sysroot->deployments->len, >, 0);
target_deployment = self->sysroot->deployments->pdata[0];
}
if (!glnx_fstatat_allow_noent (self->sysroot->sysroot_fd, zipl_requires_execute_path, NULL, 0, if (!glnx_fstatat_allow_noent (self->sysroot->sysroot_fd, zipl_requires_execute_path, NULL, 0,
error)) error))
@ -467,9 +476,30 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader, int bootver
const char *const zipl_argv[] const char *const zipl_argv[]
= { "zipl", "--secure", (sb_enabled == TRUE) ? "1" : "auto", "-V", NULL }; = { "zipl", "--secure", (sb_enabled == TRUE) ? "1" : "auto", "-V", NULL };
int estatus; int estatus;
if (!g_spawn_sync (NULL, (char **)zipl_argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, NULL, if (target_deployment != NULL)
&estatus, error)) {
g_debug ("executing zipl in deployment root");
g_autofree char *deployment_path
= ostree_sysroot_get_deployment_dirpath (self->sysroot, target_deployment);
glnx_autofd int deployment_dfd = -1;
if (!glnx_opendirat (self->sysroot->sysroot_fd, deployment_path, TRUE, &deployment_dfd,
error))
return FALSE; return FALSE;
g_autofree char *sysroot_boot
= g_build_filename (gs_file_get_path_cached (self->sysroot->path), "boot", NULL);
const char *bwrap_args[] = { "--bind", sysroot_boot, "/boot", NULL };
if (!_ostree_sysroot_run_in_deployment (deployment_dfd, bwrap_args, zipl_argv, &estatus, NULL,
error))
return glnx_prefix_error (error, "Failed to invoke zipl");
}
else
{
g_debug ("executing zipl from booted system");
if (!g_spawn_sync (NULL, (char **)zipl_argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL,
NULL, &estatus, error))
return FALSE;
}
if (!g_spawn_check_exit_status (estatus, error)) if (!g_spawn_check_exit_status (estatus, error))
return FALSE; return FALSE;
if (!glnx_unlinkat (self->sysroot->sysroot_fd, zipl_requires_execute_path, 0, error)) if (!glnx_unlinkat (self->sysroot->sysroot_fd, zipl_requires_execute_path, 0, error))

18
src/libostree/ostree-sysroot-deploy.c
View File

@ -3151,7 +3151,6 @@ get_var_dfd (OstreeSysroot *self, int osdeploy_dfd, OstreeDeployment *deployment
return glnx_opendirat (base_dfd, base_path, TRUE, ret_fd, error); return glnx_opendirat (base_dfd, base_path, TRUE, ret_fd, error);
} }
#ifdef HAVE_SELINUX
static void static void
child_setup_fchdir (gpointer data) child_setup_fchdir (gpointer data)
{ {
@ -3164,8 +3163,9 @@ child_setup_fchdir (gpointer data)
/* /*
* Derived from rpm-ostree's rust/src/bwrap.rs * Derived from rpm-ostree's rust/src/bwrap.rs
*/ */
static gboolean gboolean
run_in_deployment (int deployment_dfd, const gchar *const *child_argv, gint *exit_status, _ostree_sysroot_run_in_deployment (int deployment_dfd, const char *const *bwrap_argv,
const gchar *const *child_argv, gint *exit_status,
gchar **stdout, GError **error) gchar **stdout, GError **error)
{ {
static const gchar *const COMMON_ARGV[] = { "/usr/bin/bwrap", static const gchar *const COMMON_ARGV[] = { "/usr/bin/bwrap",
@ -3229,6 +3229,11 @@ run_in_deployment (int deployment_dfd, const gchar *const *child_argv, gint *exi
for (char **it = (char **)COMMON_ARGV; it && *it; it++) for (char **it = (char **)COMMON_ARGV; it && *it; it++)
g_ptr_array_add (args, *it); g_ptr_array_add (args, *it);
for (char **it = (char **)bwrap_argv; it && *it; it++)
g_ptr_array_add (args, *it);
// Separate bwrap args from child args
g_ptr_array_add (args, "--");
for (char **it = (char **)child_argv; it && *it; it++) for (char **it = (char **)child_argv; it && *it; it++)
g_ptr_array_add (args, *it); g_ptr_array_add (args, *it);
@ -3239,6 +3244,7 @@ run_in_deployment (int deployment_dfd, const gchar *const *child_argv, gint *exi
(gpointer)(uintptr_t)deployment_dfd, stdout, NULL, exit_status, error); (gpointer)(uintptr_t)deployment_dfd, stdout, NULL, exit_status, error);
} }
#ifdef HAVE_SELINUX
/* /*
* Run semodule to check if the module content changed after merging /etc * Run semodule to check if the module content changed after merging /etc
* and rebuild the policy if needed. * and rebuild the policy if needed.
@ -3264,7 +3270,8 @@ sysroot_finalize_selinux_policy (int deployment_dfd, GError **error)
* flag is not supported by semodule. * flag is not supported by semodule.
*/ */
static const gchar *const SEMODULE_HELP_ARGV[] = { "semodule", "--help", NULL }; static const gchar *const SEMODULE_HELP_ARGV[] = { "semodule", "--help", NULL };
if (!run_in_deployment (deployment_dfd, SEMODULE_HELP_ARGV, &exit_status, &stdout, error)) if (!_ostree_sysroot_run_in_deployment (deployment_dfd, NULL, SEMODULE_HELP_ARGV, &exit_status,
&stdout, error))
return FALSE; return FALSE;
if (!g_spawn_check_exit_status (exit_status, error)) if (!g_spawn_check_exit_status (exit_status, error))
return glnx_prefix_error (error, "failed to run semodule"); return glnx_prefix_error (error, "failed to run semodule");
@ -3278,7 +3285,8 @@ sysroot_finalize_selinux_policy (int deployment_dfd, GError **error)
ot_journal_print (LOG_INFO, "Refreshing SELinux policy"); ot_journal_print (LOG_INFO, "Refreshing SELinux policy");
guint64 start_msec = g_get_monotonic_time () / 1000; guint64 start_msec = g_get_monotonic_time () / 1000;
if (!run_in_deployment (deployment_dfd, SEMODULE_REBUILD_ARGV, &exit_status, NULL, error)) if (!_ostree_sysroot_run_in_deployment (deployment_dfd, NULL, SEMODULE_REBUILD_ARGV, &exit_status,
NULL, error))
return FALSE; return FALSE;
guint64 end_msec = g_get_monotonic_time () / 1000; guint64 end_msec = g_get_monotonic_time () / 1000;
ot_journal_print (LOG_INFO, "Refreshed SELinux policy in %" G_GUINT64_FORMAT " ms", ot_journal_print (LOG_INFO, "Refreshed SELinux policy in %" G_GUINT64_FORMAT " ms",

4
src/libostree/ostree-sysroot-private.h
View File

@ -150,6 +150,10 @@ gboolean _ostree_sysroot_rmrf_deployment (OstreeSysroot *sysroot, OstreeDeployme
char *_ostree_sysroot_get_runstate_path (OstreeDeployment *deployment, const char *key); char *_ostree_sysroot_get_runstate_path (OstreeDeployment *deployment, const char *key);
gboolean _ostree_sysroot_run_in_deployment (int deployment_dfd, const char *const *bwrap_argv,
const gchar *const *child_argv, gint *exit_status,
gchar **stdout, GError **error);
char *_ostree_sysroot_join_lines (GPtrArray *lines); char *_ostree_sysroot_join_lines (GPtrArray *lines);
gboolean _ostree_sysroot_ensure_boot_fd (OstreeSysroot *self, GError **error); gboolean _ostree_sysroot_ensure_boot_fd (OstreeSysroot *self, GError **error);