IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Back in 2b8d586c5, /sysroot was changed to be a private mount so that
submounts of /var do not propagate back to the stateroot /var. That's
laudible, but it makes /sysroot different than every other shared mount
in the root namespace. In particular, it means that submounts of
/sysroot do not propagate into separate mount namespaces.
Rather than make /sysroot private, make /var a slave+shared mount so
that it receives mount events from /sysroot but not vice versa. That
achieves the same effect of preventing /var submount events from
propagating back to /sysroot while allowing /sysroot mount events to
propagate forward like every other system mount. See
mount_namespaces(7)[1] and the linux shared subtrees[2] documentation
for details on slave+shared mount propagation.
When /var is mounted in the initramfs, this is accomplished with
mount(2) syscalls. When /var is mounted after switching to the real
root, the mount propagation flags are applied as options in the
generated var.mount unit. This depends on a mount(8) feature that has
been present since util-linux 2.23. That's available in RHEL 7 and every
non-EOL Debian and Ubuntu release. Applying the propagation from
var.mount fixes a small race, too. Previously, if a /var submount was
added before /sysroot was made private, it would have propagated back
into /sysroot. That was possible since ostree-remount.service orders
itself after var.mount but not before any /var submounts.
1. https://man7.org/linux/man-pages/man7/mount_namespaces.7.html
2. https://docs.kernel.org/filesystems/sharedsubtree.htmlFixes: #2086
This tests the current behavior of making /sysroot a private mount so
that submounts on /var do not propagate back to /sysroot. It also shows
how submounts of /sysroot do not propagate into separate mount
namespaces for the same reason.
This is another warning from recently changed code from Coverity:
```
1. Defect type: OVERRUN
16. libostree-2024.7/src/libostree/ostree-repo-commit.c:823:7: overrun-buffer-arg: Overrunning array "target_checksum" of 65 bytes by passing it to a function which accesses it at byte offset 258 using argument "size" (which evaluates to 259). [Note: The source code implementation of the function has been overridden by a builtin model.]
```
I think this can only happen if the repository is corrupt; the
data shouldn't be that long. But fix this by passing the max
length we expect; this will ignore the rest currently.
Signed-off-by: Colin Walters <walters@verbum.org>
Similar to d528083cae - I don't
believe we actually had a leak here because `dirname` always
returns the same start pointer, but this makes Coverity
happy.
Signed-off-by: Colin Walters <walters@verbum.org>
As the build system has required GLib 2.44 since commit
eb09207e1a, the manual expansion of
G_DECLARE_INTERFACE and G_DECLARE_FINAL_TYPE is no longer necessary.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Coverity points out that ""/sysroot.tmp/etc"" could be a copy-paste
error. This is mistake from coverity, but to supress the warning,
we create a global var, tmp_sysroot_etc, which replaces all
instances of TMP_SYSROOT "/etc".
Coverity points out that we have a memory leak from
`g_strdup(dir_or_file_path)`. Make the duplication of the string a
temporary variable that is freed using `g_autofree`.
Coverity points out that we have a memory leak from `g_strdup(name)`.
`insert_child_mtree()` takes a const char * and duplicates it.
`name` can be passed directly to `insert_child_mtree()`.
As newer docker refuses to talk to ancient skopeo.
Update this to use podman directly, also add the missing `-v /dev:/dev`.
Signed-off-by: Colin Walters <walters@verbum.org>
Ignore ENOENT error in selinux_restorecon to avoid failures when
temporary files created by systemd-sysusers in /etc are missing during
relabeling. This prevents errors such as:
"Failed to relabel /etc/.#gshadowJzu4Rx: No such file or directory"
and allows the process to continue.
Co-Authored-By: Alexander Larsson <alexl@redhat.com>
Signed-off-by: Eric Curtin <ecurtin@redhat.com>
In the ostree-ext codebase the test fixture was generating xattrs
without the trailing NUL byte. This caused confusing errors
later. Change the dirmeta validator to catch this.
The way GVariant represents bytestrings, the trailing NUL is there
on wire/disk so it can be there in memory too, but `g_variant_get_bytestring()`
will just return an empty `""` string if actually the value
has a missing NUL.
Signed-off-by: Colin Walters <walters@verbum.org>
Mainly we can now drop the TODO for mounting `/` readonly - that's
handled by composefs. Add a few other comments, typo fixes
while we're here.
Signed-off-by: Colin Walters <walters@verbum.org>
We were missing the simple, obvious API and CLI to go
from ostree commit -> composefs.
Internally, we had `ostree_repo_checkout_composefs`
with the right "shape" mostly, except it had more code
in the deploy path to turn that into a composefs.
Add a straightforward public API that does what
the deploy code did before, and then the old
API becomes an explicitly internal helper with an `_`
prefix.
Goals:
- Lead towards a composefs-oriented future
- This makes the composefs logic more testable directly
Signed-off-by: Colin Walters <walters@verbum.org>