Commit Graph

7052 Commits

Author SHA1 Message Date
Colin Walters
19cd8cf1c1
Merge pull request #3135 from ericcurtin/aboot-documentation
doc: Add section about ostree and aboot
2024-01-11 11:57:22 -05:00
Colin Walters
6031f1c022
Merge pull request #3120 from jlebon/pr/state-overlays
Add concept of state overlays
2024-01-11 11:56:44 -05:00
Jonathan Lebon
e233d0236f build(deps): bump libglnx from aff1eea to b415d046
Bumps libglnx from `aff1eea` to `b415d046`.

For https://gitlab.gnome.org/GNOME/libglnx/-/merge_requests/52.

Update submodule: libglnx
2024-01-10 15:41:14 -05:00
Jonathan Lebon
92b1a27202 Add concept of state overlays
In the OSTree model, executables go in `/usr`, state in `/var` and
configuration in `/etc`. Software that lives in `/opt` however messes
this up because it often mixes code *and* state, making it harder to
manage.

More generally, it's sometimes useful to have the OSTree commit contain
code under a certain path, but still allow that path to be writable by
software and the sysadmin at runtime (`/usr/local` is another instance).

Add the concept of state overlays. A state overlay is an overlayfs
mount whose upper directory, which contains unmanaged state, is carried
forward on top of a lower directory, containing OSTree-managed files.

In the example of `/usr/local`, OSTree commits can ship content there,
all while allowing users to e.g. add scripts in `/usr/local/bin` when
booted into that commit.

Some reconciliation logic is executed whenever the base is updated so
that newer files in the base are never shadowed by a copied up version
in the upper directory. This matches RPM semantics when upgrading
packages whose files may have been modified.

For ease of integration, this is exposed as a systemd template unit which
any downstream distro/user can enable. The instance name is the mountpath
in escaped systemd path notation (e.g.
`ostree-state-overlay@usr-local.service`).

See discussions in https://github.com/ostreedev/ostree/issues/3113 for
more details.
2024-01-09 23:20:41 -05:00
Jonathan Lebon
062cf603bd
Merge pull request #3136 from ericcurtin/pr-3134-feedback
2024-01-09 11:40:58 -05:00
Eric Curtin
477d472c36 status: Rename query-booted to is-default
This is a tool to check if we are booted as default or not, just a
rename before it becomes widely used. We also shortened the '-h' output
for this.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-01-09 15:24:34 +00:00
Colin Walters
b79a2e16a0
Merge pull request #3134 from ericcurtin/query-boot-real
status: Introduce tool to quickly check if we are booted as default
2024-01-08 13:14:50 -05:00
Colin Walters
87a0aba94c
Merge pull request #3133 from cgwalters/boot-complete-rollback
systemd/ostree-boot-complete: Start earlier
2024-01-08 07:38:53 -05:00
Eric Curtin
46bae54b1d status: Fix --skip-signatures description
It was a copy-paste of another description, rather than its own.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-01-05 18:18:22 +00:00
Eric Curtin
c13aef97c6 man: Add ostree admin status man page CLI options.
Document the various CLI options.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-01-05 18:17:38 +00:00
Eric Curtin
1397ee2b7a status: Introduce tool to quickly check if we are booted as default
Generally in ostree-based systems you would expect to boot into
deployment 0; in rollback conditions triggered by greenboot-related
rollbacks this might not be the case. This is a tool to detect this.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-01-05 17:40:41 +00:00
Eric Curtin
cd308d5751 doc: Add section about ostree and aboot
Android Bootloader is a standard of how Android devices should implement
their bootloaders; we also use it in CentOS Automotive Stream
Distribution for some ARM boards. Here is some documentation on how
ostree works with this.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-01-05 17:34:09 +00:00
Colin Walters
501a0775aa
Merge pull request #3132 from ericcurtin/query-boot
status: Fix build without GPGME
2024-01-05 12:22:57 -05:00
Colin Walters
852db03843 systemd/ostree-boot-complete: Start earlier
Prep for changing this service to perform state computations
such as "is this boot the default, or did we get rolled back"
that can be used by higher level tools.
2024-01-05 11:02:08 -05:00
Colin Walters
eb4fb917fb systemd/ostree-boot-complete: Add ConditionKernelCommandLine=ostree
In practice we don't enable this unit except via our generator,
but let's do this on general principle.
2024-01-05 11:02:03 -05:00
Eric Curtin
37971a9d54 status: Fix build without GPGME
If OSTREE_DISABLE_GPGME is not built in, set remote to NULL.

The ostree_repo_signature_verify_commit_data path is irrelevant in the
no gpg case anyway. Having this set as NULL ensures an error gets
thrown early.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-01-05 14:52:11 +00:00
Eric Curtin
ac8638f3e4
Merge pull request #3131 from cgwalters/status-use-remote
status: Pass correct remote name when verifying
2024-01-05 14:28:47 +00:00
Colin Walters
4d06e98e69
Merge pull request #3130 from jlebon/pr/autoprune-aarch64-dtb
lib/deploy: Round to block size in early prune space check
2024-01-04 15:57:08 -05:00
Colin Walters
e95109b3ed status: Add an option to skip signature verification
Since it's really expensive in some cases.
2024-01-04 14:02:08 -05:00
Colin Walters
24bf5b7d11 status: Pass correct remote name when verifying
The default `ostree admin status` tries to do signature
verification, but doesn't error out if that fails.

However, an extremely longstanding bug here is that we passed
the "osname" aka stateroot instead of the remote name.  This
happens to work for e.g. Fedora Silverblue today, where they
are the same.  It doesn't work on FCOS (remote = fedora, stateroot = fedora-coreos).
2024-01-04 13:55:14 -05:00
Jonathan Lebon
cc5747a605 lib/deploy: Add safety margin in early prune space check
There are a few things the estimator doesn't account for, e.g. writing
the new BLS entries. Rather than trying to perfect it (since I think we
should change approach entirely -- see previous commit message), just
add a 1M margin to the space check.
2024-01-04 13:07:08 -05:00
Jonathan Lebon
4982306e67 lib/deploy: Round to block size in early prune space check
When we estimate how much space a new bootcsum dir will use, we
weren't accounting for the space overhead from files not using the
last filesystem block completely. This doesn't matter much if counting
a few files, but e.g. on FCOS aarch64, we include lots of small
devicetree blobs in the bootfs. That loss can add up to enough for the
`fallocate()` check to pass but copying still hitting `ENOSPC` later on.

I think a better fix here is to change approach entirely and instead
refactor `install_deployment_kernel()` so that we can call just the
copying bits of it as part of the early prune logic. We'll get a more
accurate assessment and it's not lost work since we won't need to
recopy later on. Also this would not require having to keep in sync the
estimator and the install bits.

That said, this is blocking FCOS releases, so I went with a more tactical
fix for now.

Fixes: https://github.com/coreos/fedora-coreos-tracker/issues/1637
2024-01-04 12:57:43 -05:00
Colin Walters
9faf55699a
Merge pull request #3129 from cgwalters/fix-unlock-composefs-compat
prepare-root: Fix composefs + ostree admin unlock --hotfix compat
2024-01-04 10:40:09 -05:00
Eric Curtin
6a339ac6eb
Merge pull request #3128 from cgwalters/hotfix-composefs
switchroot: use shared constant for unlock --hotfix
2024-01-04 12:05:02 +00:00
Colin Walters
dd33cc65e0 switchroot: use shared constant for unlock --hotfix
So it's easier to link the two bits of code.
2024-01-03 14:33:55 -05:00
Colin Walters
a1c1c0b500 prepare-root: Fix composefs + ostree admin unlock --hotfix compat
There's a test case for `ostree admin unlock --hotfix` that
runs in FCOS, not here; it breaks when enabling composefs.

The reason is because the composefs is mounted readonly, and
we tried to remount it writable.  Instead of trying to remount
the rootfs writable at this point forcibly, honor the
*real* sysroot readonly state flag from the underlying FS before
we mounted the composefs.

Note that in FCOS derivatives we always have the root mounted
writable via `rw` on the kernel cmdline and this is the default
general expectation now with ostree usage.
2024-01-03 14:01:38 -05:00
Colin Walters
40b143f494
Merge pull request #3127 from cgwalters/composefs-doc-toplevel-chattr
docs/composefs: Add note about toplevel dirs
2024-01-02 15:53:01 -05:00
Joseph Marrero Corchado
ba12a168be
Merge pull request #3119 from cgwalters/zipl-fix-nul-term
zipl: A few fixes
2024-01-02 15:49:24 -05:00
Colin Walters
712eecad4f docs/composefs: Add note about toplevel dirs
Just thinking about trying to land this, I think some people
may hit this one.
2024-01-02 15:18:37 -05:00
Colin Walters
888f29a62a
Merge pull request #3125 from ericcurtin/explicit-sysroot-rw-ro-log
switchroot: Be explicit about what could cause /sysroot to be ro
2023-12-30 16:55:09 +01:00
Eric Curtin
e5498b9445 switchroot: Be explicit about what could cause /sysroot to be ro
If you don't have rw in the kernel cmdline or have ro in it, often you
hit this issue. This is just to be really explicit about that in the
error messages so people can check.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2023-12-21 17:28:23 +00:00
Eric Curtin
02915a3f95
Merge pull request #3124 from cgwalters/rust-features
rust: Add missing feature versions
2023-12-20 12:48:53 +00:00
Colin Walters
798893b314
Merge pull request #3123 from cgwalters/deploy-log-space
deploy: Log calculated needed space
2023-12-20 07:22:21 -05:00
Colin Walters
6722c55fc8 deploy: Log calculated needed space
To aid debugging issues like https://github.com/coreos/fedora-coreos-tracker/issues/1637

If we're hitting this path where we think we have enough space,
let's log what we calculated here to aid in diagnosing why we
may later fail with ENOSPC.
2023-12-19 21:04:22 -05:00
Colin Walters
8b6e96cf52 rust: Add missing feature versions
- We missed 2022_2, which specifically includes
  https://docs.rs/ostree/latest/ostree/static.PATH_BOOTED.html
  and I was really confused why that was missing
- Add more recent upstream versions too
2023-12-19 21:02:59 -05:00
Colin Walters
41c56b37f8
Merge pull request #3121 from fwilhe/patch-1
Link to gardenlinux/ostree-image-builder in README
2023-12-18 09:22:13 -05:00
Florian Wilhelm
1c4420ed90
Link to gardenlinux/ostree-image-builder in README
This repo is the outcome of a PoC on how an existing
debian-based distro could be adapted to be used with OSTree.
2023-12-18 14:12:45 +01:00
Eric Curtin
5c7f42b8d2
Merge pull request #3116 from jmarrero/bootloader-doc
doc: Add section about ostree and bootloaders
2023-12-14 22:05:10 +00:00
Colin Walters
ade0bd2693 zipl: Convert to a data input stream
This high level reader API avoids all the bugs that were
found in previous patches.
2023-12-14 08:09:20 -05:00
Colin Walters
241597a8a5 zipl: NUL terminate buffer we're searching
Found by a static analyzer.
2023-12-14 08:03:01 -05:00
Colin Walters
e9a2a2cf25 zipl: Fix error handling for read
The return value is not errno.
2023-12-14 08:00:38 -05:00
Colin Walters
876ddd32b8 zipl: Use O_CLOEXEC
On general principle.
2023-12-14 07:57:43 -05:00
Joseph Marrero
5466e98cd2 doc: Add section about ostree and bootloaders
2023-12-14 07:34:41 -05:00
Joseph Marrero Corchado
234fa2cefa
Merge pull request #3117 from cgwalters/doc-root-transient
Doc root transient
2023-12-11 14:23:33 -05:00
Colin Walters
8f4beb4a7f docs: Add var.md
This one overlaps a bit with some other sections...the docs
need a bigger rework, but this is better than we had before.
2023-12-08 14:01:13 -05:00
Colin Walters
a0f7b3c789 man: Document root.transient
This one warrants some explanation.
2023-12-08 14:01:02 -05:00
Eric Curtin
071053d915
Merge pull request #3114 from cgwalters/root-ovl
prepare-root: Add support for root.transient
2023-12-08 14:02:56 +00:00
Colin Walters
8fbaebac58 prepare-root: Add support for root.transient
Closes: https://github.com/ostreedev/ostree/issues/3113

It'd greatly improve compatibility with things like RPMs that install
in `/opt` if we supported a full "original docker" style model where
`/` is a transient overlayfs.  We'd still keep our semantics for `/etc`
and `/var` by default, but e.g. we'd stop recommending
`/opt` ➡️ `/var/opt`, in this model,
so `/opt` would be on the overlayfs.

Note this all aligns with composefs, where we'd actually be making
`/` a *read-only* overlayfs by default; it'd be really nice of course
to *implement* this by just making the composefs overlayfs writable,
but I am not sure we can hard require composefs for this right now.

So this change adds support for `root.transient = true`
in `/usr/lib/ostree/prepare-root.conf`.

The major downside is that people could be surprised if files they
write to e.g. `/opt` don't persist across upgrades.  But, that's
already again how it works since Docker started.

Note as part of the implementation of this, we need to add a whole
new "backing" directory distinct from the deployment directories.

(Tangentially related to this, it's tempting to switch to always
 using a *read-only* overlay mount by default.
2023-12-07 13:31:42 -05:00
Colin Walters
59cdd6119f prepare-root: Add an autofree
This doesn't matter at all, but I just noticed this while working
on the code.
2023-12-07 13:31:42 -05:00
Colin Walters
6cb15c35c8 sysroot: Drop unused prototype
This function doesn't exist anymore.
2023-12-07 13:31:42 -05:00