IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
And update the doc text to talk about having a timeout at all
by default being a mistake.
Timeouts are really best handled at a higher level; if two processes
are contending for the ostree lock and one is actually frozen,
resolving this is something an admin may want to handle and introspect/debug
instead of having the waiter error out.
Most people using ostree are doing it in a way in which they have
higher level timeouts (e.g. on a container pod).
This drops the `ot-composefs` kernel commandline in favour
of a `[composefs]` section in the `prepare-rootfs.conf` file.
You can set `composefs.enabled` to `signed`, `yes`, `no` or `maybe`,
with `maybe` being the default.
You can also set `composefs.keypath` (or rely on the default
`/etc/ostree/initramfs-root-binding.key`) to point to ed25519 public
keys, one of which which the commit must be signed with, or boot
fails.
The ostree dracut module adds `/etc/ostree/initramfs-root-binding.key`
to the initrd if it exists.
NOTE: This drop the option to define a digest in the commandline.
However, that was currently unused
(i.e. ComposefsConfig.expected_digest was never read).
Additionally it very hard to actually store the composefs digest in
the initrd, as the initrd is typically part of the commit and thus the
composefs. It may be possible to handle this, but lets add it back
when we know exactly how that will work.
A core underlying primitive in the C library is the ability
to arbitrarily reorder bootloader entries.
Let's expose the basic functionality here with the ability to pick
an arbitrarily deployment for the next boot.
Closes: https://github.com/ostreedev/ostree/issues/2965
Using the repository configuration for configuration of this
program was always a bit hacky.
But actually with composefs, we really must validate
the target root *before* we parse anything in it.
Let's add a config file for `ostree-prepare-root` that can live
in the initramfs, which will already have been verified.
In the future we'll also add configuration for composefs here.
We expect OS builders to drop this in `/usr/lib/ostree/prepare-root.conf`,
but system local configuration can live in `/etc`.
Passing the private key via a direct command line argument
is just a bad idea because it's highly likely to get logged
or appear in `ps`.
Spotted in review of work for composefs signatures.
Let's describe the state of things at a high level, independent
of the tracking issue which has a lot more detail (and hence noise).
This document keeps things at a high level and describes how to
enable things today.
The only other way to get the remote ref revision from the CLI is to
scrape the output of `ostree remote summary` or pull the commit. The
revision is already there in the summary's ref map, so might as well add
an option to show it.
Allow printing the revision along with the ref. This is very convenient
for looping over the refs in a shell as well as for quickly seeing which
refs are pointed to the same commit.
Introduces an intermediate format for overlayfs storage, where
.wh-ostree. prefixed files will be converted into char 0:0
whiteout devices used by overlayfs to mark deletions across layers.
The CI scripts now uses a volume for the scratch directories
previously in /var/tmp otherwise we cannot create whiteout
devices into an overlayfs mounted filesystem.
Related-Issue: #2712
This is a follow up to
0ced9fde76
"sysroot: Support /boot on root or as seperate filesystem for syslinux and u-boot"
What we should have done at the time is changed our bootloader entries
to be prefixed with `/boot`. This means that the GRUB2 BLS support
will Just Work.
For now, I'm making this option default to off out of a lot of
conservatism. I think in the future we should flip this on by default.
In the current "ostree native container" flow, we're inserting
a commit object into the repo but with no refs.
We have hacks in a few places to find the commit digest via e.g.
`find repo/objects -name *.commit` but that's a horrible hack.
Add `ostree rev-parse --single` which will print the single commit,
and error out if there is not exactly one commit.
Co-authored-by: Jonathan Lebon <jonathan@jlebon.com>
<term><cmdsynopsis> is not valid, causing the command to not be rendered
correctly.
Create one <variablelist> per <cmdsynopsis>. Inelegant but maintains
desired formatting.
Closes#2581
I really don't know what these were for. In both man and HTML output
with a recent version of the Docbook XSL, the command synopses are
already indented. I don't see any reason why they'd need to be manually
indented more.
The commit metadata `version` key is well established but getting it for
a remote commit is cumbersome since the commit object needs to be
fetched and loaded. Including it in the summary additional metadata
allows a much more convenient view of what each of the remote refs
represents.
This will be helpful for the "ostree native container" work in
https://github.com/ostreedev/ostree-rs-ext/
Basically in order to reuse GPG/signapi verification, we need
to support adding a remote, even though it can't be used via
`ostree pull`. (At least, not until we merge ostree-rs-ext into ostree, but
even then I think the principle stands)
We're waaay overdue for this, it's been the default
in rpm-ostree for years, and solves several important bugs
around not capturing `/etc` while things are running.
Also, `ostree admin upgrade --stage` (should) become idempotent.
Closes: https://github.com/ostreedev/ostree/issues/2389
As pointed out in the original review, `gpg-list-keys` fits better
alongside the existing `gpg-import`.
Changes were done with:
```
git grep -l list-gpg-keys | xargs sed -i 's/list-gpg-keys/gpg-list-keys/'
for src in $(git ls-files '*list-gpg-keys*'); do
dst=${src/list-gpg-keys/gpg-list-keys}
git mv "$src" "$dst"
done
```
This provides a wrapper for the `ostree_repo_remote_get_gpg_keys`
function to show the GPG keys associated with a remote. This is
particularly useful for validating that GPG key updates have been
applied. Tests are added, which checks the
`ostree_repo_remote_get_gpg_keys` API by extension.
I was doing some rpm-ostree work and I wanted to compare two
OSTree commits to see if the kernel has changed. I think
this should be a lot more natural.
Add `ostree commit --bootable` which calls into a new generic
library API `ostree_commit_metadata_for_bootable()` that
discovers the kernel version and injects it as an `ostree.linux`
metadata key. And for extra clarity, add an `ostree.bootable`
key.
It's interesting because the "core" OSTree layer is all about
generic files, but this is adding special APIs around bootable
OSTree commits (as opposed to e.g. flatpak as well as
things like rpm-ostree's pkgcache refs).
Eventually, I'd like to ensure everyone is using this and
hard require this metadata key for the `ostree admin deploy`
flow - mainly to prevent accidents.
In some cases such as backups or mirroring you may want to pull commits
from one repo to another even if there commits that have incorrect
bindings. Fixing the commits in the source repository to have correct
bindings may not be feasible, so provide a pull option to disable
verification.
For Endless we have several repositories that predate collection IDs and
ref bindings. Later these repositories gained collection IDs to support
the features they provide and ref bindings as the ostree tooling was
upgraded. These repositories contain released commits that were valid to
the clients they were targeting at the time. Correcting the bindings is
not really an option as it would mean invalidating the repository
history.
...with the `sysroot.bootloader` configuration option. This can be useful
when converting a system to use `ostree` which doesn't currently have a
bootloader configuration that `ostree` can automatically detect, and is
also useful in combination with the `--sysroot` option when provisioning a
rootfs for systems other than the one you're running `ostree admin deploy`
on.
Alternative to https://github.com/ostreedev/ostree/pull/2197
Python's (usually) zero-sized `__init__.py` files can provoke
us hitting the hardlink limits on some filesystems (`EMLINK`).
At least one Fedora rpm-ostree user hit this.
The benefits of hardlinking here are quite marginal; lots
of hardlinks can behave suboptimally in particular filesystems
like BTRFS too.
This builds on prior code which made this an option, introduced
in 673cacd633
Now we just do it uncondtionally.
Also this provoked a different bug in a very obscure user mode checkout
case; when the "real" permissions were different from the "physical"
permissions, we would still hardlink. Fix the test case for this.
Add new "static-delta verify" sub-command.
This supports multiple keys to verify the static-delta file.
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>