Commit Graph

3627 Commits

Author SHA1 Message Date
Alexander Larsson
8e1f199dd4 deltas: Add ostree_repo_list_static_delta_indexes() function
This lists all the available delta indexes.
2020-10-23 12:30:08 +02:00
Alexander Larsson
87e564eeaa deltas: Add _ostree_get_relative_static_delta_index_path()
This gets the subpath for a delta index file, which is of the form
"delta-indexes/$commit.index", that contains all the deltas going
to the particular commit.
2020-10-23 12:30:08 +02:00
OpenShift Merge Robot
f8f6464580
Merge pull request #2205 from pwithnall/etags-and-last-modified
Add support for ETag and Last-Modified headers for summary and summary.sig
2020-10-22 18:20:23 -04:00
Philip Withnall
0974a7faf1 tests: Split RFC 2616 date parsing code out and add tests
This makes it testable, and increases its test coverage too 100% of
lines, as measured by `make coverage`.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-10-22 21:03:34 +01:00
Philip Withnall
92215025aa ostree/trivial-httpd: Add Last-Modified/ETag support
This is basic support for the
Last-Modified/ETag/If-Modified-Since/If-None-Match headers. It’s not
high performance, and doesn’t support all of the related caching
features (like the If-Match header, etc.).

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-10-22 21:03:34 +01:00
Philip Withnall
0e3add8d40 lib/pull: Hook up HTTP caching headers for summary and summary.sig
As `summary` and `summary.sig` aren’t immutable, HTTP requests to
download them can be optimised by sending the `If-None-Match` and
`If-Modified-Since` headers to avoid unnecessarily re-downloading them
if they haven’t changed since last being checked.

Hook them up to the new support for that in the fetcher.

The `ETag` and `Last-Modified` for each file in the cache are stored as
the `user.etag` xattr and the mtime, respectively. For flatpak, for
example, this affects the cached files in
`~/.local/share/flatpak/repo/tmp/cache/summaries`.

If xattrs aren’t supported, or if the server doesn’t support the caching
headers, the pull behaviour is unchanged from before.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-10-22 21:03:34 +01:00
Philip Withnall
407c683524 libostree: Add support for ETag and Last-Modified headers
Add support in the soup and curl fetchers to send the `If-None-Match`
and `If-Modified-Since` request headers, and pass on the `ETag` and
`Last-Modified` response headers.

This currently introduces no functional changes, but once call sites
provide the appropriate integration, this will allow HTTP caching to
happen with requests (typically with metadata requests, where the data
is not immutable due to being content-addressed). That should reduce
bandwidth requirements.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2020-10-22 21:03:34 +01:00
OpenShift Merge Robot
95a6d15145
Merge pull request #2222 from fkrull/patch-v2020.7
lib: add missing GI annotation
2020-10-20 16:48:37 -04:00
Felix Krull
4183b68e70 lib: fix GI parameter tags 2020-10-17 22:14:09 +02:00
Jonathan Lebon
dec9eab203 ostree-prepare-root: print st_dev and st_ino as 64-bit ints
This matches what systemd does and should work fine on all platforms.

Possibly resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1888436
2020-10-15 12:26:47 -04:00
OpenShift Merge Robot
26b98ebc56
Merge pull request #2215 from cgwalters/fd-transfer
deploy: Remove (transfer none) from fd arg
2020-10-14 00:45:13 +02:00
Colin Walters
b4e7ab014e deploy: Remove (transfer none) from fd arg
GI complains.  And in general one needs to assume that file
descriptors aren't stolen.
2020-10-13 17:40:11 -04:00
Colin Walters
326b8b13c6 Post-release version bump 2020-10-13 17:38:19 -04:00
Colin Walters
32a3a12973 Release 2020.7 2020-10-13 14:31:26 -04:00
OpenShift Merge Robot
a13509ee7d
Merge pull request #2213 from alexlarsson/summary-bugfixes
Various fixes from the indexed-summaries branch
2020-10-08 15:18:34 -04:00
Alexander Larsson
2e9db809b9 signatures: Fix leak in _sign_detached_metadata_append()
This needs to ref_sink the returned variant, as it is used with g_autoptr
in the callers.
2020-10-08 14:10:04 +02:00
Alexander Larsson
f821cdb89e fetch_summary_with_options: Fix n-network-retries option parsing
"&u" is not a valid gvariant format string, it should just be "u".
2020-10-08 14:09:16 +02:00
Alexander Larsson
6ed1066ef0 ostree_repo_find_remotes_async: Fix leak of summary
We were creating a GVariant from a GBytes and storing it in an
g_autoptr without ref_sinking it.
2020-10-08 14:08:51 +02:00
Jonathan Lebon
b3dc074f5e lib/deploy: Don't leak fd when checksumming dtbs
Likely the root of https://bugzilla.redhat.com/show_bug.cgi?id=1886149.
2020-10-07 14:47:34 -04:00
OpenShift Merge Robot
9f98aa9223
Merge pull request #2198 from cgwalters/no-hardlink-zerosize
checkout: Don't hardlink zero sized files
2020-10-05 22:06:38 +02:00
OpenShift Merge Robot
06a77bfd69
Merge pull request #2155 from jlebon/pr/add-initrds
lib/deploy: Add support for overlay initrds
2020-10-02 16:41:01 -04:00
Colin Walters
558720e7aa checkout: Don't hardlink zero sized files
Alternative to https://github.com/ostreedev/ostree/pull/2197

Python's (usually) zero-sized `__init__.py` files can provoke
us hitting the hardlink limits on some filesystems (`EMLINK`).
At least one Fedora rpm-ostree user hit this.

The benefits of hardlinking here are quite marginal; lots
of hardlinks can behave suboptimally in particular filesystems
like BTRFS too.

This builds on prior code which made this an option, introduced
in 673cacd633
Now we just do it uncondtionally.

Also this provoked a different bug in a very obscure user mode checkout
case; when the "real" permissions were different from the "physical"
permissions, we would still hardlink.  Fix the test case for this.
2020-10-01 16:47:07 -04:00
Philip Withnall
23bdc4e5df ostree/dump: Fix a memory leak
Re-using the `refs` variable for the main list of refs, plus the
iterated lists, meant that the main list was never freed (although all
the iterated ones were freed correctly).

Fix this by using two variables rather than reusing the one.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-10-01 11:06:56 +01:00
Philip Withnall
8d09a1a8ea lib/pull: Read mode and tombstone options from summary file if possible
Otherwise, fall back to downloading and reading them from the `config`
file. See the previous commit for details.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #2165
2020-10-01 11:06:56 +01:00
Philip Withnall
206f1d3a13 lib/repo: Add mode and tombstone config options to the summary file
Currently, they are set in the `config` file and cause that to be
downloaded on every pull. Given that the client is already pulling the
`summary` file, it makes sense to avoid an additional network round trip
and cache those options in the `summary` file.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #2165
2020-10-01 11:06:56 +01:00
Jonathan Lebon
81b13da8e3 lib/deploy: Add support for overlay initrds
In FCOS and RHCOS, the need to configure software in the initramfs has
come up multiple times. Sometimes, using kernel arguments suffices.
Other times, it really must be a configuration file. Rebuilding the
initramfs on the client-side however is a costly operation. Not only
does it add complexity to the update workflow, it also erodes a lot of
the value obtained from using the baked "blessed" initramfs from the
tree itself.

One elegant way to address this is to allow specifying multiple
initramfses. This is supported by most bootloaders (notably GRUB) and
results in each initrd being overlayed on top of each other.

This patch allows libostree clients to leverage this so that they can
avoid regenerating the initramfs entirely. libostree itself is agnostic
as to what kind and how much data overlay initrds contain. It's up to
the clients to enforce such boundaries.

To implement this, we add a new ostree_sysroot_stage_overlay_initrd
which takes a file descriptor and returns a checksum. Then users can
pass these checksums when calling the deploy APIs via the new array
option `overlay_initrds`. We copy these files into `/boot` and add them
to the BLS as another `initrd` entry.
2020-09-30 13:29:32 -04:00
Jonathan Lebon
40fea4c443 lib/deploy: Add deploy/stage APIs with options
And make the `override_kernel_argv` one of those options. This is mostly
a mechanical move here, no functional change otherwise.

Prep for adding a new option.
2020-09-30 13:29:32 -04:00
Jonathan Lebon
f7500bb703 lib/bootconfig: Add support for multiple initrd keys
Prep for actually teaching the rest of the codebase about this.

We keep the primary initrd in the `options` hash table for backwards
compatibility.
2020-09-30 13:29:32 -04:00
Jonathan Lebon
f04e5d047d lib: Minor versioning related fixes
Fix/add the `Since` marker to the new static delta APIs, and update the
symbol versioning templates/comments.
2020-09-25 15:30:20 -04:00
OpenShift Merge Robot
fad95167ce
Merge pull request #2203 from cgwalters/delta-sign-cleanups
delta: Some minor code style fixups
2020-09-25 13:57:33 +00:00
OpenShift Merge Robot
e6f673a8ed
Merge pull request #2202 from cgwalters/bootcsum-dtb
deploy: Remove deployment bootcsum assertion
2020-09-24 22:14:31 +00:00
Colin Walters
9198fa040c delta: Some minor code style fixups
- Remove some unused variables
- Switch to declare-and-initialize with others
- Fix some indentation from 4 spaces to 2 (GNU style)
2020-09-24 22:12:56 +00:00
Colin Walters
aa2a2783ea deploy: Remove deployment bootcsum assertion
When support for devicetree was added, it created a problem
because old and new ostree versions would compute different
checksums for the "boot data".  The scenario here is:

- Have system with ostree < 2020.4
- Reboot into system with ostree 2020.5
- Try to perform an operation that would retain
  that previous booted deployment (common)

Currently ostree iterates over all the deployments
that will be retained and calls `install_deployment_kernel()`,
even for the booted one (which is a bit silly), but
just to verify that all boot data for the targeted
deployments are installed.

This then re-computes the checksum and we'd trip this
assertion.

In practice though, we don't strictly require them to match;
the only thing that will happen if they don't is that we'll
end up with another copy of the kernel/initramfs - and
that only temporarily until the previous deployment
gets GC'd.

Longer term, I think what we really want to do anyways
is probably closer to like a little ostree repo for `/boot`
so that we can e.g. still hardlink kernels there even if
the initramfs changes, or hardlink both kernel/initramfs
if just the devicetree changes, etc.

Closes: https://github.com/ostreedev/ostree/issues/2154
2020-09-24 21:24:48 +00:00
OpenShift Merge Robot
00df896550
Merge pull request #1985 from fdanis-oss/wip/fda/sign_delta_metadata
Static-delta's superblock signature support
2020-09-24 14:21:16 +00:00
Colin Walters
3441a48c58 checkout: Ensure copies of unreadable usermode checkouts are readable
The extreme special case of "zero mode" files like `/etc/shadow`
comes up again.  What we want is for "user mode" checkouts to
override it to make the file readable; otherwise when operating
as non-root without `CAP_DAC_OVERRIDE` it becomes very difficult
to work with.

Previously, we were hardlinking these files, but then it intersects
with *another* special case around zero sized files, which is
*also* true for `/etc/shadow`.

Trying to avoid hardlinking there unveiled this bug - when
we go to do a copy checkout, we need to override the mode.
2020-09-16 15:14:54 +00:00
Frédéric Danis
2e97f5659f bin/static-delta: Add signature parameters to apply-offline
This allows to check the delta signature before applying it.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
2020-09-14 09:27:19 +02:00
Frédéric Danis
fb1faf17d6 lib/deltas: Check signed delta in execute_offline
Add a new function `ostree_repo_static_delta_execute_offline_with_signature`
which takes a signature engine to verify the delta before applying it.
The `ostree_repo_static_delta_execute_offline` is just a wrapper to this
new function, passing a NULL signature engine.
When this function is called without signature engine, but with a sign
delta, it will only fails if `sign-verify-deltas` is set to true in repo
core options.

This commits move signature existence check and delta signature
verification to share common parts between existing APIs and the new
function.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
2020-09-14 09:27:19 +02:00
Frédéric Danis
bf0c09ffe1 lib/deltas: Support signed delta in dump
This checks if the static delta file is signed or not to be able to
correctly get the superblock to dump.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
2020-09-14 09:27:19 +02:00
Frédéric Danis
0c48423c26 lib/deltas: Support signed delta in execute_offline
This checks if the static delta file is signed or not to be able to
correctly get the superblock to apply.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
2020-09-14 09:27:19 +02:00
Frédéric Danis
512db0435c bin/static-delta: Add command to verify delta signature
Add new "static-delta verify" sub-command.
This supports multiple keys to verify the static-delta file.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
2020-09-14 09:27:19 +02:00
Frédéric Danis
02a19b2c96 lib/deltas: Add signature check API for static-delta superblock
This retrieves the signatures and pass the static delta block as an array
of bytes to ostree_sign_data_verify().

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
2020-09-14 09:27:19 +02:00
Frédéric Danis
92efbc00d8 bin/static-delta: Add support to sign superblock
Add signing ability to "static-delta generate" builtin.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
2020-09-14 09:27:19 +02:00
Frédéric Danis
46667567c5 lib/deltas: Add inline signature for static-delta superblock
While the commits contained in the single static-delta file are signed so
we can check them and operate on trusted data, the superblock isn't signed
in any way, so it end up operating on untrusted data to:
 1. actually find where the trusted data is, and
 2. check whether the update is fit for the current device by looking at
    the collection id stored in the metadata

This commit generates signatures of all static data, and concatenate them
to the existing static delta format, i.e. as a GVariant layout `a{sv}ay`
where
 - a{sv}: signatures
 - ay: existing delta variant

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
2020-09-14 09:27:19 +02:00
Phaedrus Leeds
c4f26bfdc8 Avoid shadowing local variables
This should help with code readability.

Fixes https://github.com/ostreedev/ostree/issues/2194
2020-09-13 10:08:02 -07:00
Colin Walters
779a901780 commit: Tighten scope of two variables
Prep for adding `-Wshadow` fixes.
2020-09-13 14:58:24 +00:00
Alexander Larsson
b7d1a9746b Update the symbols files to match that we're now on 2020.6 2020-09-11 12:35:32 +02:00
Alexander Larsson
da853a1783 ostree-repo-pull.c: Extract mirrorlist generation to helper
This code was duplicated in 3 places, so move it to a single place
to clean things up.
2020-09-11 12:03:29 +02:00
Alexander Larsson
155b215cd8 Minor cleanup of _ostree_repo_remote_new_fetcher()
Instead of open coding the extra_headers and append_user_agent
setting everywhere we do this in the constructor.
2020-09-11 12:03:28 +02:00
Alexander Larsson
3957bff0cb Inline repo_remote_fetch_summary
This was only used in one place, and (especially with the simplification
with GMainContextPopDefault) and the one caller doesn't really do
much more than call the helper. Additionally, what little it does (saving
the result in the cache) is inherently tied to how the helper work,
and will become even more so when we support summary indexes.

This is a preparatory cleanup for supporting summary indexes. It
doesn't change any behaviour and passes make check on its own.
2020-09-11 12:03:28 +02:00
Alexander Larsson
4b9e712e82 repo_remote_fetch_summary: Use GMainContextPopDefault
This allows us to drop the "goto out" use and clean up this function.
2020-09-11 12:03:28 +02:00
Alexander Larsson
c7df4317bd Add g_autoptr helper for pushing a thread default main context
This happens in a bunch of places, and currently each time it does
we have to use "goto out" style cleanups, which just isn't looking
very nice.
2020-09-11 12:03:28 +02:00
Alexander Larsson
f74bc8dd3d fetch_summary_with_options: drop unnecessary "goto out" use 2020-09-11 12:03:28 +02:00
Alexander Larsson
1f1ef4c989 Break out the signature verification code into a helper function
This changes nothing in the behaviour, but we want to later re-use
this when we also verify the summary index.
2020-09-11 12:03:28 +02:00
Alexander Larsson
598adc457f deltas: Break out _ostree_repo_static_delta_superblock_digest() helper
This loads and makes a digest for a delta superblock. The previous
code was used when generating the deltas section in the summary
file. This changes nothing, but is in preparation for using similar
formats in a separate delta index file.
2020-09-11 12:03:28 +02:00
Alexander Larsson
32014d99e6 Add and use ot_checksum_bytes helper
This removes some duplicated code (and will be use even more later).
2020-09-11 12:00:05 +02:00
Alexander Larsson
dddb449d2c pull: Actually mmap summary files
The change in cbf1aca1d5 actually
only mmaps the signature file, not the summary. This change makes
use mmap both, as well as extract the cache loading into a helper
function that we will later use in more places.
2020-09-11 12:00:02 +02:00
Alexander Larsson
85accb84e8 pull: Break out _ostree_repo_save_cache_summary_file() helper
This is a minor cleanup as its just called twice from
_ostree_repo_cache_summary(). However, later code will need it in more
places.
2020-09-11 11:53:38 +02:00
Alexander Larsson
bb2649a8c0 Fix leak when signing
_ostree_detached_metadata_append_gpg_sig() was returning a floating
ref, but all users were using g_autoptr. Fix it by adding a ref-sink.
2020-09-11 11:45:33 +02:00
Alexander Larsson
74bae256fe list-deltas: Don't break on non-subdir entries
ostree_repo_list_static_delta_names() tried to validate that
any second-level directory element was a directory, but there was
a cut-and-paste issue, and it used `dent->d_type` instead
of `sub_dent->d_type`.

This fixes the code, but all old ostree versions will break if
there are non-directories in a subdirectory of the deltas directory
in the repo, so be wary.
2020-09-11 11:45:24 +02:00
Colin Walters
a1bd29f245 deploy: Add some error prefixing around xattr setting
Looking at
https://github.com/coreos/coreos-assembler/issues/1703
a user is getting a bare:
`error: fsetxattr: Permission denied`

I don't think it's these code paths since a deploy
isn't happening but on inspection I noticed we didn't
have error prefixing here.
2020-09-09 12:34:44 +00:00
Jonathan Lebon
a7a751b69f ostree-remount: Remount /etc rw if needed
When we remount `/sysroot` as read-only, we also make `/etc` read-only.
This is usually OK because we then remount `/var` read-write, which also
flips `/etc` back to read-write... unless `/var` is a separate
filesystem and not a bind-mount to the stateroot `/var`.

Fix this by just remounting `/etc` read-write in the read-only sysroot
case.

Eventually, I think we should rework this to set everything up the way
we want from the initramfs (#2115). This would also eliminate the window
during which `/etc` is read-only while `ostree-remount` runs.
2020-08-28 14:16:46 -04:00
Jonathan Lebon
b3c7b059ea ostree-prepare-root: Fix /etc bind mount
We were bind-mounting the initramfs' `/etc` (to itself) instead of the
target deployment `/etc` (to itself). Since we're already `chdir`'ed
into it, we can just drop the leading slash.
2020-08-28 14:16:29 -04:00
Felix Krull
f4d0b17080 lib: mark out parameters as out parameters 2020-08-26 22:32:47 +02:00
Felix Krull
d5b8929017 lib: add some missing version tags 2020-08-26 22:32:47 +02:00
Matt Bilker
dac2ad288f Fix mkinitcpio with newer systemd versions
- Fixes systemd failing to determine if `/sysroot` is valid because of
  `/etc/os-release` not being available yet.

- Related: #1759
2020-08-25 18:12:55 -04:00
OpenShift Merge Robot
2596a718ce
Merge pull request #2179 from cgwalters/ioctl-fix
linuxfsutil: Pass int to ioctl, not long
2020-08-21 20:13:51 -04:00
Colin Walters
06ed04a816 linuxfsutil: Pass int to ioctl, not long
Otherwise it will fail on big-endian architectures like s390x.
Ref https://bugzilla.redhat.com/show_bug.cgi?id=1867601
2020-08-21 17:41:32 +00:00
Simon McVittie
d3fadf14b7 boot: Replace deprecated StandardOutput=syslog with journal, etc.
systemd deprecated this in v246.

Resolves: #2169
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-08-21 09:58:05 +01:00
OpenShift Merge Robot
c61ff03304
Merge pull request #2175 from cgwalters/coverity-2020.5
Two small Coverity fixes
2020-08-19 16:46:49 +02:00
OpenShift Merge Robot
56f00586dd
Merge pull request #2176 from cgwalters/pin-str
admin/pin: Enforce that index is a number
2020-08-19 15:45:40 +02:00
Colin Walters
22a445c189 admin/pin: Enforce that index is a number
Validate that we're parsing a number; we want to guard
against typos.

Closes: https://github.com/ostreedev/ostree/issues/2171
2020-08-19 13:11:55 +00:00
Colin Walters
95a7512622 prepare-root: Remove unused variable
Should quiet Coverity.
2020-08-18 23:35:38 +00:00
Colin Walters
1eab48363b pull: Assign idle_src variable before calling unref()
This should pacify Coverity, and also just "reads" better too.
2020-08-18 23:34:57 +00:00
OpenShift Merge Robot
199562fc14
Merge pull request #2149 from stb-tester/boot-self-symlink
sysroot: Support /boot on root or as seperate filesystem for syslinux and u-boot
2020-08-19 01:08:30 +02:00
Jonathan Lebon
10a68cd26b lib/deploy: Clarify comment re. staging API
Don't mention deprecation in the description for
`ostree_sysroot_deploy_tree` since there are legitimate use cases for it
(e.g. to create the first deployment via `ostree admin deploy`).

Instead, make the comment clearly redirect to the staging API when
booted into the sysroot.
2020-08-17 09:48:57 -04:00
Jonathan Lebon
5de3a9759f lib/deploy: Drop unneccessary function arg 2020-08-17 09:48:57 -04:00
Jonathan Lebon
e4fb7d3bb1 lib/cleanup: Drop unnecessary GEqualFunc cast 2020-08-17 09:48:57 -04:00
Jonathan Lebon
74bd136286 lib/deploy: Simplify deployment creation
Minor cleanup; we were declaring a superfluous variable.
2020-08-17 09:48:57 -04:00
Jonathan Lebon
61c544df1b lib/deploy: Avoid shadowing variable
There's already a `boot_relpath` variable in the outside scope.
2020-08-17 09:48:57 -04:00
Jonathan Lebon
52a6224606 lib/deploy: Clean up kargs override handling
Tighten up how we handle kargs here so it's more clear. When we call
`sysroot_finalize_deployment`, any karg overrides have already been set
on the bootconfig object of the deployment. So re-setting it here is
redundant and confusing.
2020-08-17 09:48:57 -04:00
João Paulo Rechi Vita
7cf1fb38b0 dracut: Create reproducible images
Without reproducible images, a rebuild of the initrd will create a
different image file (due to things like creation time of the files in
the cpio archive) even if the actual contents in it are exactly the
same, adding an unnecessary download during updates.

Adding 'reproducible=yes' avoids this and creates the same image files
for the same content.
2020-08-13 08:32:18 -07:00
Colin Walters
f2773c1b55 Add "transient" unlock
I was thinking a bit more recently about the "live" changes
stuff https://github.com/coreos/rpm-ostree/issues/639
(particularly since https://github.com/coreos/rpm-ostree/pull/2060 )
and I realized reading the last debates in that issue that
there's really a much simpler solution; do exactly the same
thing we do for `ostree admin unlock`, except mount it read-only
by default.

Then, anything that wants to modify it does the same thing
libostree does for `/sysroot` and `/boot` as of recently; create
a new mount namespace and do the modifications there.

The advantages of this are numerous.  First, we already have
all of the code, it's basically just plumbing through a new
entry in the state enumeration and passing `MS_RDONLY` into
the `mount()` system call.

"live" changes here also naturally don't persist, unlike what
we are currently doing in rpm-ostree.
2020-08-07 18:57:56 +00:00
Philip Withnall
f5da67d78a pull: Add summary-{,sig-}bytes options to ostree_repo_pull()
These allow the `summary` and `summary.sig` files to be cached at a
higher layer (for example, flatpak) between related pull operations (for
example, within a single flatpak transaction). This avoids
re-downloading `summary.sig` multiple times throughout a transaction,
which increases the transaction’s latency and introduces the possibility
for inconsistency between parts of the transaction if the server changes
its `summary` file part-way through.

In particular, this should speed up flatpak transactions on machines
with high latency network connections, where network round trips have a
high impact on the latency of an overall operation.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-08-07 16:12:15 +01:00
Philip Withnall
bd68c7dfd7 pull: Improve formatting of pull options in documentation
Backticks improve all things.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-08-07 16:11:44 +01:00
OpenShift Merge Robot
1dedc69a46
Merge pull request #2159 from agners/show-parent
Show commit checksum of parent, if present
2020-08-04 21:54:28 +02:00
OpenShift Merge Robot
9832a36a8c
Merge pull request #2160 from cgwalters/sysroot-ro
remount: Still remount /sysroot writable if not configured ro
2020-08-02 20:53:41 -04:00
Colin Walters
33eeb7b9eb remount: Still remount /sysroot writable if not configured ro
Regression from 3564225917
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1862568

We still need to remount writable if it's not configured on;
because it may need OS adjustments it needs to be opt-in.
2020-08-01 17:27:18 +00:00
Stefan Agner
512b4e6313 Show commit checksum of parent, if present
This is useful for ostree log on client side where often not the
full history of a branch is available. It is also helpful for
ostree show to show if a particular commit has a parent.
2020-07-31 21:46:58 +02:00
Jonathan Lebon
af140266d5 app: Fix various CLI metavariable names
- Use `REV` instead of `REF` in places where we meant it.
- Fix `commit --parent` actually taking a commit checksum and not a ref.
- Fix `ostree admin switch` using `REF` instead of `REFSPEC`.
2020-07-31 15:02:47 -04:00
Colin Walters
0d91206a62 Post-release version bump 2020-07-22 14:09:26 +00:00
Colin Walters
901747f985 Release 2020.4
A lot of stuff here, new signing API is the biggest.  Let's
get a release out.
2020-07-21 21:48:51 +00:00
OpenShift Merge Robot
12a9161a79
Merge pull request #2152 from cgwalters/pull-fdatasync
pull: Add --per-object-fsync
2020-07-20 13:55:26 -04:00
Colin Walters
a615d35762 pull: Add --per-object-fsync
This is the opposite of
https://github.com/ostreedev/ostree/issues/1184

Motivated by OpenShift seeing etcd performance issues during
OS updates: https://github.com/openshift/machine-config-operator/issues/1897

Basically, if we switch to invoking `fsync()` as we go, it makes
ostree performance worse (in my tests, 31s to write 2G versus 7s if we
delay sync) but it avoids *huge* outliers in `fsync()` time for etcd.
2020-07-18 14:59:01 +00:00
Colin Walters
5b75358357 pull: Also append bytes written
This is very useful information that we get from the transaction
stats.  Append it to the final display if we're not inheriting
the transaction.
2020-07-17 17:03:08 +00:00
William Manley
0ced9fde76 sysroot: Support /boot on root or as seperate filesystem for syslinux and u-boot
We use a similar trick to having a `sysroot -> .` symlink on the real root
here to support both /boot on root as well as on a separate filesystem.  No
matter how it's mounted `/boot/xyz` will always refer to the file you'd
expect.

This is nicer than my previous attempts at this because there's no
configuration nor auto-detection required.
2020-07-15 20:37:49 +01:00
Frédéric Danis
892e9acf25 lib/deltas: convert ostree_repo_static_delta_generate to new style
The "new style" code generally avoids `goto err` because it conflicts
with `__attribute__((cleanup))`.  This fixes a compiler warning.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
2020-07-03 13:35:39 +00:00
Jonathan Lebon
1d755f62af lib/repo: Handle EACCES for POSIX locking
If `glnx_make_lock_file` falls back to `flock`, on NFS this uses POSIX
locks (`F_SETLK`). As such, we need to be able to handle `EACCES` as
well as `EAGAIN` (see `fnctl(2)`).

I think this is what coreos-ostree-importer has been hitting, which runs
on RHEL7 in the Fedora infra and does locking over an NFS share where
multiple apps could concurrently pull things into the repo.
2020-06-30 15:09:41 -04:00
OpenShift Merge Robot
fd8ecdf047
Merge pull request #2131 from cgwalters/sign-success
signapi: Change API to also return a success message
2020-06-24 18:24:41 -04:00
OpenShift Merge Robot
adcd261596
Merge pull request #2001 from agners/multi-device-tree
deploy: support devicetree directory
2020-06-24 03:02:18 -04:00
OpenShift Merge Robot
9067c1ca49
Merge pull request #2136 from cgwalters/doc-timestamp
core: Add documentation for ostree_commit_get_timestamp()
2020-06-19 13:57:33 -04:00
Colin Walters
935f879542 sysroot: Remove unimplemented ostree_sysroot_lock_with_mount_namespace
This came in with 5af403be0c but
was never implemented.

I noticed this now because the Rust ostree bindings generate a
wrapper for it which the linker tries to use.
2020-06-18 21:19:43 +00:00
Colin Walters
c87a4c71bc core: Add documentation for ostree_commit_get_timestamp()
Working on some rpm-ostree bits and was going to pass
this to the `chrono` crate and I forgot the format, went
to look at the docs.  Oops.
2020-06-18 20:57:53 +00:00
OpenShift Merge Robot
33c95812bb
Merge pull request #2132 from cgwalters/remove-unused-symbol
libostree-devel.sym: Remove nonexistent stub symbol
2020-06-17 16:18:26 -04:00
Colin Walters
9336837194 libostree-devel.sym: Remove nonexistent stub symbol
This should have been removed when we added symbols to this list.
2020-06-17 19:38:26 +00:00
Denis Pynkin
ede93dc2ef sign/ed25519: fix return value if no correct keys in file
Fix the return value if file doesn't contains correct public key(s).

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-06-17 19:45:05 +03:00
Denis Pynkin
ce73876389 sign/ed25519: fix the abort in case of incorrect public key
We need to check the size of public key before trying to use it.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-06-17 19:44:56 +03:00
Colin Walters
36258036ae signapi: Change API to also return a success message
This is the dual of 1f3c8c5b3d
where we output more detail when signapi fails to validate.

Extend the API to return a string for success, which we output
to stdout.

This will help the test suite *and* end users validate that the expected
thing is happening.

In order to make this cleaner, split the "verified commit" set
in the pull code into GPG and signapi verified sets, and have
the signapi verified set contain the verification string.

We're not doing anything with the verification string in the
pull code *yet* but I plan to add something like
`ostree pull --verbose` which would finally print this.
2020-06-17 00:33:47 +00:00
Colin Walters
1f3c8c5b3d sign/ed25519: Output failed signatures in error message
To aid debuggability, when we find a commit that isn't signed
by our expected key, output a specific error message with the
key.

(And then add code to switch to just printing the count beyond 3
 because the test suite injects 100 keys and hopefully no one
 ever actually does that)
2020-06-16 18:20:54 +03:00
OpenShift Merge Robot
bd9b4ea731
Merge pull request #2121 from cgwalters/arch-key
core: Add OSTREE_COMMIT_META_KEY_ARCH
2020-06-09 02:58:59 +02:00
Stefan Agner
832ca09891 checkout: use FILE as option argument string for --skip-list
Align with --from-file and use 'FILE' instead of 'PATH' as option
argument string. No functional change, this is only cosmetics.

Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
2020-06-08 15:43:32 +02:00
Colin Walters
29dddf38d3 core: Add OSTREE_COMMIT_META_KEY_ARCHITECTURE
Add a standard key for this.  We actually had a case in OpenShift
builds recently where a `ppc64le` image was pushed over an `x86_64`
one and this started failing at runtime with a not immediately
obvious error.

I'll probably end up changing rpm-ostree at least to use
the RPM architecture for this key and fail if it doesn't match
the booted value.

Possibly that should live in ostree but it would involve adding
architecture schema here, which gets into a big mess.  Let's
just standardize the key.

xref e02ef2683d
2020-06-05 17:52:42 +00:00
Colin Walters
b137895022 commit: Note in help that --base takes an argument
I was trying to use this in some testing work and was confused for a minute.
2020-06-04 21:06:52 +00:00
Stefan Agner
5f08649f51 deploy: support devicetree directory
Add support for a devicetree directory at /usr/lib/modules/$kver/dtb/.
In ARM world a general purpose distribution often suppports multiple
boards with a single operating system. However, OSTree currently only
supports a single device tree, which does not allow to use the same
OSTree on different ARM machines. In this scenario typically the boot
loader selects the effective device tree.

This adds device tree directory support for the new boot artefact
location under /usr/lib/modules. If the file `devicetree` does not
exist, then the folder dtb will be checked. All devicetrees are hashed
into the deployment hash. This makes sure that even a single devicetree
change leads to a new deployment and hence can be rolled back.

The loader configuration has a new key "devicetreepath" which contains
the path where devicetrees are stored. This is also written to the
U-Boot variable "fdtdir". The boot loader is expected to use this path
to load a particular machines device tree from.

Closes: #1900
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
2020-05-29 19:56:11 +02:00
Colin Walters
167edbe63a pull: Add error prefixing with specific object when parsing
One OpenShift user saw this from rpm-ostree:
```
client(id:cli dbus:1.583 unit:machine-config-daemon-host.service uid:0) added; new total=1
Initiated txn UpdateDeployment for client(id:cli dbus:1.583 unit:machine-config-daemon-host.service uid:0): /org/projectatomic/rpmostree1/rhcos
Txn UpdateDeployment on /org/projectatomic/rpmostree1/rhcos failed: File header size 4294967295 exceeds size 0
```

which isn't very helpful.  Let's add some error
prefixing here which would at least tell us which
object was corrupted.
2020-05-29 13:12:02 +00:00
Colin Walters
68ebf743cd remote-add: Default to explicit sign-verify backends
In 588f42e8c6
we added a way to add keys for sign types when doing
a `remote add`, and in https://github.com/ostreedev/ostree/pull/2105
we extended `sign-verify` to support *limiting* to an explicit
set.

This PR changes the *default* for `remote add` to combine
the two - when providing an explicit `--sign-verify=type`,
we now limit the accepted types to only those.
2020-05-28 00:41:34 +00:00
OpenShift Merge Robot
936301608a
Merge pull request #2113 from cgwalters/prepare-root-sysroot-ro
Move ro /sysroot bind mount of /etc into initramfs
2020-05-26 11:38:42 -04:00
Colin Walters
3564225917 Move ro /sysroot bind mount of /etc into initramfs
We recently disabled the read-only /sysroot handling:
e35b82fb89

The core problem was that a lot of services run early in the
real root and want write access to things like `/var` and `/etc`.

In trying to do remounts while the system is running we introduce
too many race conditions.

Instead, just make the `/etc` bind mount in the initramfs right
after we set up the main root.  This is much more natural really,
and avoids all race conditions since nothing is running in the
sysroot yet.

The main awkward part is that since we're not linking
`ostree-prepare-root` to GLib (yet) we have a hacky parser
for the config file.  But, this is going to be fine I think.

In order to avoid parsing the config twice, pass state from
`ostree-prepare-root` to `ostree-remount` via a file in `/run`.
2020-05-24 18:46:28 +00:00
Colin Walters
5cb9d0df38 pull: Add support for sign-verify=<list>
The goal here is to move the code towards a model
where the *client* can explicitly specify which signature types
are acceptable.

We retain support for `sign-verify=true` for backwards compatibility.
But in that configuration, a missing public key is just "no signatures found".

With `sign-verify=ed25519` and no key configured, we can
explicitly say `No keys found for required signapi type ed25519`
which is much, much clearer.

Implementation side, rather than maintaining `gboolean sign_verify` *and*
`GPtrArray sign_verifiers`, just have the array.  If it's `NULL` that means
not to verify.

Note that currently, an explicit list is an OR of signatures, not AND.
In practice...I think most people are going to be using a single entry
anyways.
2020-05-22 19:10:32 +00:00
Jonathan Lebon
e35b82fb89 switchroot/remount: Neuter sysroot.readonly for now
We're hitting issues with the read-only remounts racing with various
services coming up. Let's neuter it for now until we rework how it
works.

See: https://github.com/coreos/fedora-coreos-tracker/issues/488
2020-05-20 16:23:59 -04:00
Colin Walters
5a47c926c1 pull: Only have API to disable signapi for local pulls
There's a lot of historical baggage associated with GPG verification
and `ostree pull` versus `ostree pull-local`.  In particular nowadays,
if you use a `file://` remote things are transparently optimized
to e.g. use reflinks if available.

So for anyone who doesn't trust the "remote" repository, you should
really go through through the regular
`ostree remote add --sign-verify=X file://`
path for example.

Having a mechanism to say "turn on signapi verification" *without*
providing keys goes back into the "global state" debate I brought
up in https://github.com/ostreedev/ostree/issues/2080

It's just much cleaner architecturally if there is exactly one
path to find keys: from a remote config.

So here in contrast to the GPG code, for `pull-local` we explictily
disable signapi validation, and the `ostree_repo_pull()` API just
surfaces flags to disable it, not enable it.
2020-05-17 13:52:24 +00:00
Jonathan Lebon
79079c2657 lib/upgrader: Pull with timestamp-check-from-rev
For the same reason as https://github.com/coreos/rpm-ostree/pull/2094.
What we care most about is that the new commit we pull is newer than the
one we're currently sitting on, not necessarily that it's newer than the
branch itself, which it might not be if e.g. we're trying to deploy a
commit older than the tip but still newer than the deployment (via
`--override-commit`).
2020-05-14 15:27:29 -04:00
Jonathan Lebon
c8efce0656 lib/pull: Add timestamp-check-from-rev
The way `timestamp-check` works might be too restrictive in some
situations. Essentially, we need to support the case where users want to
pull an older commit than the current tip, but while still guaranteeing
that it is newer than some even older commit.

This will be used in Fedora CoreOS. For more information see:
https://github.com/coreos/rpm-ostree/pull/2094
https://github.com/coreos/fedora-coreos-tracker/issues/481
2020-05-14 14:00:42 -04:00
Colin Walters
82679ce834 finalize: Add RequiresMountsFor=/boot too
In https://bugzilla.redhat.com/show_bug.cgi?id=1827712
some OpenShift CI is seeing `/boot` being unmounted before
`ostree-finalize-staged.service` runs or completes.

We finally tracked this down to a bug elsewhere, but
I think we should add this because it clearly shows
our requirements.
2020-05-13 18:52:45 +00:00
Colin Walters
9509a4bc94 pull: Further cleanup signapi verification
Previously in the pull code, every time we went to verify
a commit we would re-initialize an `OstreeSign` instance
of each time, re-parse the remote configuration
and re-load its public keys etc.

In most cases this doesn't matter really because we're
pulling one commit, but if e.g. pulling a commit with
history would get a bit silly.

This changes things so that the pull code initializes the
verifiers once, and reuses them thereafter.

This is continuing towards changing the code to support
explicitly configured verifiers, xref
https://github.com/ostreedev/ostree/issues/2080
2020-05-12 15:20:26 +00:00
Colin Walters
a9a81f3a29 signing: Change API to create instances directly
This cleans up the verification code; it was weird how
we'd get the list of known names and then try to create
an instance from it (and throw an error if that failed, which
couldn't happen).
2020-05-10 14:18:55 +00:00
Colin Walters
588f42e8c6 remote-add: Add --sign-verify=KEYTYPE=[inline|file]:PUBKEYREF
Per https://github.com/ostreedev/ostree/issues/2080#issuecomment-623614483

A huge benefit of ed25519 (and ECC in general) is that keys are very
short - short enough that it's completely reasonable to inline
them into a command line argument.

And I think that's a good model; it makes the keys very visible.

For example, someone could easily copy-paste a commandline
argument from a webpage (secured via TLS) that says to run
`ostree remote add --sign-verify=ed25519=inline:KEY`.
2020-05-09 20:07:44 +00:00
Colin Walters
e1b6398787 ostree-prepare-root: Requires=sysroot.mount
With just `After=` we'll still try to run in the scenario
where `sysroot.mount` fails because the rootfs didn't appear.
And this will end up spewing an error which can confuse people
into thinking something is wrong at the ostree level.

This has come up numerous times w/{Fedora,RHEL} CoreOS, most
recently while looking at
https://bugzilla.redhat.com/show_bug.cgi?id=1803130
2020-05-08 12:50:55 +00:00
Colin Walters
7392259332 commit: Add --mode-ro-executables option
I think we should encourage removing the writable bits from
executables.  This has happened to me:
https://thomask.sdf.org/blog/2019/11/09/take-care-editing-bash-scripts.html

And not having the writable bit may help prevent hardlink
corruption with OSTree in some cases.

We can't do this by default, but add a convenient CLI flag
for it.
2020-05-06 19:41:27 +00:00
Colin Walters
811082063c signing: Add #define OSTREE_SIGN_NAME_ED25519
Using `#define` or constants instead of strings helps avoid
typos and encourages documentation.
2020-05-03 17:04:27 +00:00
Dan Nicholson
dc69f56de6 lib: Coerce flags enums to GIR bitfields
The GI scanner decides if an `enum` is really a `bitfield` if it finds
any values that have left shifts. With an `enumeration`, the
introspecting language may error or convert to a different type if the
user tries to combine values. Change all Flags `enum`s to use
left-shifted values so that they're represented as `bitfield`s in the
GIR.

The primary bug here is that you can't combine `REFS_ONLY` and
`NO_PRUNE` when calling `OSTree.Repo.prune()` from an introspected
language.

This is an IABI break since the typelib will change from `enumeration`
to `bitfield`. `OstreeRepoImportFlags` is internal but the change is
included here to prepare for a subsequent name that would require bit
shifting to operate correctly as a flag.
2020-04-30 15:13:31 -06:00
Denis Pynkin
ee5d0f350f signapi: expose metadata format and key
Explicitly expose functions for querying the metadata format
and key name used by OstreeSign object:
 - ostree_sign_metadata_format
 - ostree_sign_metadata_key

This allows to use the same metadata format and key name
by 3-rd party applications using signapi.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-04-24 16:34:50 +00:00
OpenShift Merge Robot
66527efcb8
Merge pull request #2082 from cgwalters/finalize-sandbox
finalize-staged: Add ProtectHome=yes and ReadOnlyPaths=/etc
2020-04-22 18:51:15 +02:00
Colin Walters
47a3096ab8 finalize-staged: Add ProtectHome=yes and ReadOnlyPaths=/etc
Same motivation as
https://github.com/coreos/rpm-ostree/pull/2060

I tried `InaccessiblePaths=/var` first and was very sad to find
out we have one tiny exception that breaks it.  Otherwise it'd
be so elegant.  Maybe in the future we split out that one thing
to a separate `ostree-finalized-stage-var.service` that's just
`ExecStart=/bin/rm -vf /var/.updated` and is otherwise
`ProtectSystem=strict` etc.
2020-04-22 14:28:33 +00:00
Colin Walters
368574b657 deploy: Add --no-merge
All of the underlying libostree APIs have supported passing `NULL`
for a merge deployment for...a long time.  But we never plumbed
it up into the CLI.

Add a `--no-merge` option to aid people who want to do a "factory reset":
https://github.com/ostreedev/ostree/issues/1793
2020-04-22 14:09:54 +00:00
Colin Walters
1b8fed247c lib: Move gpg/signapi bits into ostree-repo-pull-verify.c
`ostree-repo-pull.c` is huge; separate some of the GPG/signing
verification functions into their own file so they're more easily seen.
2020-04-18 13:35:36 +00:00
Colin Walters
12984ddef2 lib: Move pull struct definition into repo-pull-private.h
Prep for further splitting up `ostree-repo-pull.c`.
2020-04-18 13:34:57 +00:00
Jonathan Lebon
8ece36c28a lib/commit: Check that dirent is a directory before cleaning
I've only noticed this by inspection. But I think it's possible for
`cleanup_txn_dir` to get called with the `staging-...-lock` file since
it matches the prefix.

Make the checking here stronger by verifying that it's a directory. If
it's not a directory (lockfile), then follow the default pruning expiry
logic so that we still cleanup stray lockfiles eventually.
2020-04-17 14:29:13 -04:00
Jonathan Lebon
df065ad766 lib: Rename function for staging dir check
Rename the function to more accurately reflect what it does, which is to
check whether the filename has the `staging-` prefix.
2020-04-17 14:28:20 -04:00
Jonathan Lebon
bb8fd5a2c4 lib/commit: Add more error prefixing
We think we're hitting an error in that function in the Fedora infra.
Add some more error prefixing to help debugging.
2020-04-17 14:27:16 -04:00
Colin Walters
b7f48a74c0 lib: Move internal binding verification API to repo.c
`ostree-repo-pull.c` is rather monstrous; I plan to split it
up a bit.  There's actually already a `pull-private.h` but
that's just for the binding verification API.  I think that one
isn't really pull specific.  Let's move it into the "catchall"
`repo.c`.
2020-04-17 01:16:51 +00:00
Colin Walters
8e7aea4473 Change signature opts to include type, cleanup error handling
Previously we would pass the `verification-key` and `verification-file`
to all backends, ignoring errors from loading keys until we
found one that worked.

Instead, change the options to be `verification-<engine>-key`
and `verification-<engine>-file`, and then
rework this to use standard error handling; barf explicitly if
we can't load the public keys for example.  Preserve
the semantics of accepting the first valid signature.  The
first signature error is captured, the others are currently
compressed into a `(and %d more)` prefix.

And now that I look at this more closely there's a lot of
duplication between the two code paths in pull.c for verifying;
will dedup this next.
2020-04-15 22:07:11 +00:00
Colin Walters
e035230c6b lib/pull: Two cosmetic internal function renames
I'm mainly doing this to sanity check the CI state right now.

However, I also want to more cleanly/clearly distinguish
the "sign" code from the "gpg" code.

Rename one function to include `gpg`.

For the other...I think what it's really doing is using the remote
config, so change it to include `remote` in its name.
2020-04-15 17:06:14 +00:00
Colin Walters
b6040143e5 Only enable "dummy" signature type with opt-in env variable
I don't want to even have to think about people using
this in production.
2020-04-14 22:18:13 +00:00
OpenShift Merge Robot
8baee5cd04
Merge pull request #2058 from cgwalters/signing-cleanups
pull: Update key loading function to match error style
2020-04-07 20:49:04 +02:00
OpenShift Merge Robot
dd44f6f941
Merge pull request #2060 from d4s/ostree_repo_pull_with_options-gpg_check
lib/repo-pull: fix GPG check while pulling remote
2020-04-07 16:04:22 +02:00
OpenShift Merge Robot
4a57204c60
Merge pull request #2044 from martinezjavier/duplicated-entries
grub2: Don't add menu entries if GRUB supports parsing BLS snippets
2020-04-07 15:54:08 +02:00
Denis Pynkin
ef1aeb7458 lib/repo-pull: fix GPG check while pulling remote
If GPG support is disabled in a build time we should to check if any of
options "gpg_verify" or "gpg_verify_summary" is set to TRUE instead
of checking if they are passed via options while pulling from remote.

Fixed the failure with assertion of `ostree find-remotes --pull --mirror`
calling (`tests/test-pull-collections.sh`) if libostree has been compiled
without GPG support.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-04-07 01:11:29 +03:00
OpenShift Merge Robot
1b0eec02d4
Merge pull request #2059 from cgwalters/commit-from-base-tree
commit: Add --base argument
2020-04-06 22:18:49 +02:00
OpenShift Merge Robot
eefb5241c8
Merge pull request #2055 from cgwalters/gtkdoc-warnings
lib: Squash two gtk-doc warnings
2020-04-06 21:54:13 +02:00
Colin Walters
329a82c57e commit: Add --base argument
I was trying to followup the `--selinux-policy-from-base` work
to add a `cosa build --fast=overlay` for coreos-assembler,
but hit on the fact that using e.g. `--owner-uid` disables
commit optimizations.

A while ago, https://github.com/ostreedev/ostree/pull/1643 landed
which optimized this for the case where no modifications are provided.
But, we really need the SELinux policy bits, and it's super convenient
to run `ostree commit` as non-root.

It's fairly surprising actually that it's taken us so long to
iterate on a good interface for this "commit changes on top of a base"
model.  In practice, many nontrivial cases really end up needing
to do a (hardlink) checkout, and that case is optimized.

But for this coreos-assembler work I want to directly overlay onto
a commit object another commit object.

That previous PR above added exactly the API we need, so let's
expose it in the CLI.

What you can see happening in the test is that we provide
`--owner-uid 42`, but that only applies to directories/files
that were added in the commit.

And now that I look at this, I think what we really want here
is to avoid changing directories that exist in the base, but
eh; in practice the main use here is for `--owner-uid 0` while
committing as non-root; and that works fine with this since
the baseline uid will be zero as well.
2020-04-06 19:28:51 +00:00
Javier Martinez Canillas
768eee87f6
grub2: Don't add menu entries if GRUB supports parsing BLS snippets
This is another attempt to avoid having duplicated menu entries caused by
GRUB having support to parse BLS snippets and the 15_ostree script adding
menu entries as well.

The previous attempt was in commit 985a141002 ("grub2: Exit gracefully if
the configuration has BLS enabled") but that lead to users not having menu
entries at all, due having an old GRUB version that was not able to parse
the BLS snippets.

This happened because the GRUB bootloader is never updated in the ESP as
a part of the OSTree upgrade transaction.

The logic is similar to the previous commit, the 15_ostree script exits if
able to determine that the bootloader can parse the BLS snippets directly.

But this time it will not only check that a BLS configuration was enabled,
but also that a /boot/grub2/.grub2-blscfg-supported file exists. This file
has to be created by a component outside of OSTree that also takes care of
updating GRUB to a version that has proper BLS support.
2020-04-06 20:44:19 +02:00
Colin Walters
47539874b8 pull: Update key loading function to match error style
This code wasn't written with idiomatic GError usage; it's not standard
to construct an error up front and continually append to its
message.  The exit from a function is usually `return TRUE`,
with error conditions before that.

Updating it to match style reveals what I think is a bug;
we were silently ignoring failure to parse key files.
2020-04-05 18:49:25 +00:00
OpenShift Merge Robot
a16fe86b36
Merge pull request #1878 from d4s/wip/d4s/no_gpg
Alternative signing system
2020-04-04 19:46:12 +02:00
Colin Walters
c4d519733d lib: Squash two gtk-doc warnings
Just noticed these while doing a build.
2020-04-04 17:05:56 +00:00
Felix Krull
7091e1b5ca lib: fix typo in function docs 2020-04-01 23:06:19 +02:00
Colin Walters
40a60f1e83 sysroot: Reorganize sysroot load code a bit
No functional changes; prep for a future patch
which will load the "live" deployment rather than
reading the bootloader configs.
2020-03-31 21:42:21 +00:00
OpenShift Merge Robot
5b4c97511f
Merge pull request #1973 from mwleeds/avoid-extraneous-summary-copy
Don't copy summary for collection-ref mirror subset pulls
2020-03-29 01:04:57 +01:00
Matthew Leeds
164b2aa35b Don't copy summary for collection-ref mirror subset pulls
When we're only pulling a subset of the refs available in the remote, it
doesn't make sense to copy the remote's summary (which may not be valid
for the local repo). This makes the check here match the one done
several lines above when we decide whether to error out if there's no
remote summary available.

This extends the fix in https://github.com/ostreedev/ostree/pull/935 for
the case of collection-refs.

Also, add a unit test for this issue, based on the existing one in
pull-test.sh.
2020-03-28 10:35:19 -07:00
Matthew Leeds
cd37293b5a find-remotes: Add a --mirror option
This will be useful in the unit test added by the next commit. It just
passes OSTREE_REPO_PULL_FLAGS_MIRROR to the call to
ostree_repo_pull_from_remotes_async().
2020-03-28 10:35:19 -07:00
Colin Walters
9cb148c9b9 lib: Add error prefixing for sysroot load and repo open
Noticed this while writing tests for a core `ostree_sysroot_load()`
entrypoint.  And decided to do the same for `ostree_repo_open()`,
and while there also noted we had a duplicate error prefixing
for the open (more recently `glnx_opendirat()` automatically
prefixes with the path).
2020-03-28 14:08:51 +00:00
Denis Pynkin
e2c601687b ostree-repo: improve error handling
Correctly return "error" from `ostree_repo_sign_commit()`
in case if GPG is not enabled.

Use glnx_* functions in signature related pull code for clear
error handling if GPG isn't enabled.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
cce3864160 sign-pull: improve error handling
Use glnx_* functions in signature related pull code for clear
error handling.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
584ad40549 lib/sign: return false for non-implemented functions
Do not mask implementation anymore since we have a working
engines integrated with pulling mechanism.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
e16faa58f4 lib/sign: convert ostree_sign_summary to new style
The "new style" code generally avoids `goto err` because it conflicts
with `__attribute__((cleanup))`.  This fixes a compiler warning.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
1e3bdef285 sign-dummy: optimize ostree_sign_dummy_data_verify
Return TRUE as soon as any signature verified.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
aaf73f6afc sign-ed25519: Convert functions to new style
The "new style" code generally avoids `goto err` because it conflicts
with `__attribute__((cleanup))`.  This fixes a compiler warning.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Colin Walters
9d02199675 signing: Remove g_debug(__FUNCTION__)
This type of thing is better done via `gdb` and/or userspace
tracing (systemtap/bpftrace etc.)
2020-03-25 15:23:55 +03:00
Colin Walters
e2bd2abc67 sign-dummy: Convert to current code style
This keeps the code style consistent.
2020-03-25 15:23:55 +03:00
Colin Walters
2a0edccbd3 sign-ed25519: Convert some functions to new style
The "new style" code generally avoids `goto err` because it conflicts
with `__attribute__((cleanup))`.  This fixes a compiler warning.
2020-03-25 15:23:55 +03:00
Denis Pynkin
59b9e64b72 lib/repo-pull: return errors from signature engines
Improve error handling for signatures checks -- passthrough real
reasons from signature engines instead of using common messages.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
194ab368f2 lib/repo-pull: return error from signing engine
Return the collected errors from signing engines in case if verification
failed for the commit.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
dd27461e22 lib/sign: better error handling of ed25519 initialization
Add more precise error handling for ed25519 initialization.
Check the initialization status at the beginning of every public
function provided by ed25519 engine.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
b4050b4a34 lib/sign: make ed25519 engine non-public
Remove unneeded public declaration for ed25519 signing engine.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
4d0e3a66c5 lib/sign: make dummy engine non-public
Remove unneeded public declaration for dummy signing engine.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
8b3b35a04a bin/pull-local: add --sign-verify-summary
Add option for enabling summary file verification while pulling from local.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
b97ab81bab lib/repo-pull: add signature check while fetching summary
Check the signature of downloaded summary file.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
c69dce3c31 lib/repo-pull: set default for sign-verify-summary
Use FALSE as default for summary verification while pulling from remote.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
df36984684 lib/repo-pull: change sign supporting functions
Change the API of supporting functions `_load_public_keys()` and
`_ostree_repo_sign_verify()` -- pass repo object and remote name
instead of OtPullData object. This allows to use these functions
not only in pull-related places.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
809176b1ff gpg: do not fail GPG-related configuration get for remote
We don't need anymore stubs for verification options for remotes
in case if ostree built without GPG support.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
40b80344f8 lib/repo-pull: verify signature on summary pull
Add signature verification on summary file pulling.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
137306f6f3 bin/summary: add signing with alternative mechanism
Allow to sign the summary file with alternative signing mechanism.
Added new options:
- --sign-type -- select the engine (defaults to ed25519)
- --sign -- secret key to use for signing

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
0bdcf14d56 lib/sign: new function for summary file signing
Add function `ostree_sign_summary()` allowing to sign the summary file.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
5cd822ae05 lib/sign: fix the false failure while loading keys
Usage of 'g_warning()' inside keys loading funcrion lead to false
failure: the key loading attempt for the wrong engine breaks the
pulling process instead of trying to use this key with correct engine.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:55 +03:00
Denis Pynkin
3063a0a838 lib/sign: use separate public and secret keys for 'dummy'
The initial implementation with single key for secret and public parts
doesn't allow to test pulling with several signing engines used.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
485ff7335f lib/sign: allow to build with glib version less than 2.44
Ubuntu 14.04 uses glib-2.40 which have no some shiny macroses
for interface declaration.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
6608436441 bin/remote-add: added "--no-sign-verify" option
Option "--no-sign-verify" disable the signature verification while
adding remote.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
2fd94388b1 bin/pull-local: add --sign-verify
Add option for enabling verification while pulling from local.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
908a2cd760 apidoc: add API documentation for signing interface
Add the documentation for all public functions.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
200efd7d44 builtin/sign: add option 'keys-dir'
Option '--keys-dir' is used for redefinition of default directories with
public/revoked keys. If keys directory is set then default directories
are ignored and target directory is expected to contain following
structure for ed25519 signature mechanism:

dir/
  trusted.ed25519      <- file with trusted keys
  revoked.ed25519      <- file with revoked keys
  trusted.ed25519.d/   <- directory with files containing trusted keys
  revoked.ed25519.d/   <- directory with files containing revoked keys

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
ee12b7e774 lib/sign: add revoking mechanism for ed25519 keys
Skip public keys verification if key is marked as invalid key.
Allow to redefine system-wide directories for ed25519 verification.
Minor bugfixes.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
ceaf6d7f54 lib/sign: add ostree_seign_clear_keys function
Add the function for implicit cleanup of all loaded keys.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
eb8e501ece lib/sign: minor optimisation for ed25519
Exclude unneeded conversion while load keys from files.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
7fa7c3c4f9 sign: use common function for loading public keys during pulling
Add function `_load_public_keys()` to pre-load public keys according
remote's configuration. If no keys configured for remote, then use
system-wide configuration.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
f0181adff3 lib/sign: allow to add keys as base64 string for ed25519
Allow to add public and secret key for ed25519 module as based64 string.
This allows to use common API for pulling and builtins without knowledge
of used signature algorithm.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
bc4488692c lib/sign: public API optimisation
Removed from public `ostree_sign_detached_metadata_append` function.
Renamed `metadata_verify` into `data_verify` to fit to real
functionality.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
95ab57c17e lib/sign-ed25519: cleanup unneeded code
Removed unused code.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
ea291a0605 builtin/sign: allow to use multiple public keys for verification
`ostree sign` is able to use several public keys provided via arguments
and via file with keys.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
557f423609 sign: fix memory leaks and code cleanup
Return `const char *` instead of copy of the string -- this allow to
avoid unneeded copying and memory leaks in some constructions.
Minor code cleanup and optimisations.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
36e4667973 builtin/sign: allow to sign with keys from secret file
Read keys from secret file provided by `--keys-file=` option.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
94447617db lib/sign: read ed25519 public keys from well known places
If not provided key of file name with keys for remote, then try to use
system defaults:
- /etc/ostree/trusted.ed25519
- /etc/ostree/trusted.ed25519.d/*
- /usr/share/ostree/trusted.ed25519
- /usr/share/ostree/trusted.ed25519.d/*

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
073876d9b2 lib/sign: add support of file with valid keys for remote
Allow to use custom file with public keys for remote.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
91cc294d05 lib/sign: disable mandatory signature check
Do not check the signature check by default.
Need to enable it explicitly.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
3386893deb sign: check signatures for pulled commits
If `verification-key` is set for remote it is used as a public key for
checking the commit pulled from that remote.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
2831028c41 sign: fixes for ed25519 for loading public keys from files
Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
fe3a839ae7 builtin/sign: remove libsodium dependency
Now do not need to compile/link builtin with external dependencies.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
a8521a7c3b sign: fix error return for dummy module
Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
2d39126628 sign: fix unneeded objects creation
Do not create objects just for supported modules list.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
4b9232b1fe builtin/sign: remove libsodium-specific code
Use only common sign API without libsoduim parts.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
06cfcd9a8a builtin/sign: allow to provide the file with public keys
Added option `--keys-file` for `ostree sign`.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
2303202c86 sign: API changes for public keys and CLI keys format
API changes:
- added function `ostree_sign_add_pk()` for multiple public keys using.
- `ostree_sign_set_pk()` now substitutes all previously added keys.
- added function `ostree_sign_load_pk()` allowed to load keys from file.
- `ostree_sign_ed25519_load_pk()` able to load the raw keys list from file.
- use base64 encoded public and private ed25519 keys for CLI and keys file.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
c09df18454 lib/sign: enable verification for pulling
Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
e133cb7b74 sign: allow to sign commits from CLI
Add signing ability to commit builtin.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
c3608aa56a sign: add new builtin for signing
This builtin allows to sign and verify commit with new signature
mechanism. At the moment it is possible to use 'dummy' and 'ed25519'
signing modules.

'dummy' module use any ASCII string from command line as a key for
commit's signing or verification.

Support of ed25519 signature is implemented with `libsoium` library.
Secret and public key should be provided in hex presentation via
command line.

Based on 'gpg-sign' source.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Denis Pynkin
edbbe1c4f2 lib/sign: initial implementation
Added the initial version of signing interface allowing to allowing to
sign and verify commits.
Implemented initial signing modules:
 - dummy -- simple module allowing to sign/verify with ASCII string
 - ed25519 -- module allowing to sign/verify commit with ed25519
   (EdDSA) signature scheme provided by libsodium library.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2020-03-25 15:23:54 +03:00
Colin Walters
b3bbbd1542 repo/commit: Add support for --selinux-policy-from-base
The [dev-overlay](332c6ab3b9/src/cmd-dev-overlay)
script shipped in coreos-assembler mostly exists to deal
with the nontrivial logic around SELinux policy.  Let's make
the use case of "commit some binaries overlaying a base tree, using
the base's selinux policy" just require a magical
`--selinux-policy-from-base` argument to `ostree commit`.

A new C API was added to implement this in the case of `--tree=ref`;
when the base directory is already checked out, we can just reuse
the existing logic that `--selinux-policy` was using.

Requires: https://github.com/ostreedev/ostree/pull/2039
2020-03-24 16:34:26 +00:00
Colin Walters
a717535490 main/commit: Rework control flow to use --tree=X path
Rework the simple cases of "commit ." and "commit argv[1]" to
generate the more general "--tree=X --tree=Y" path, so that we
only have one primary control flow here.

Prep for a future patch around loading SELinux policy from
the first argument.
2020-03-23 19:03:16 +00:00
Matthew Leeds
53d1efbaab lib/fetcher-util: retry download on G_IO_ERROR_PARTIAL_INPUT
Add G_IO_ERROR_PARTIAL_INPUT to the list of error codes caused by
transient networking errors which lead us to retry the request. When
attempting to install the spotify flatpak you often get the error
message "Connection terminated unexpectedly" and the download of the deb
file fails. In this case, libsoup is setting G_IO_ERROR_PARTIAL_INPUT
and sometimes a subsequent download attempt is successful, so we should
treat it as transient.

Ideally we would behave as wget does in this case and retry the download
picking up where we left off in the file rather than starting over, but
that would require changes to libsoup I think.

Sadly this patch does not fix the flatpak installation of spotify in the
face of such errors, because flatpak doesn't use libostree to download
extra data, but presumably it's possible we could encounter such an
error pulling from an ostree repo, so the patch is still correct.
2020-03-19 15:28:08 -07:00
Jonathan Lebon
fd822a8dfd lib/pull: Don't leave commits pulled by depth as partial
When pulling full parent commits via e.g. `--depth N`, we weren't
unmarking them as partial in the out path.

Closes: #2035
2020-03-19 10:10:50 -04:00
Jonathan Lebon
f7a8617c01 bin/diff: Clarify documentation around REV and DIR syntax
Related: #2032
2020-03-18 10:32:52 -04:00
Colin Walters
0b6ac72b7f main/pin: Fix usage of GError
This regressed in 2db79fb398
I noticed this while finally getting the installed tests to run
in FCOS via kola and `ostree admin pin 0` is now aborting because
we were returning TRUE, but no error set.

I don't see a reason to try to continue on if we hit an error;
the original reporter was requesting support for multiple arguments,
but not "ignore invalid requests".
2020-03-18 02:15:34 +00:00
Colin Walters
6a27dff941 main: Also automatically remount rw /sysroot for ostree pull etc.
See https://github.com/coreos/fedora-coreos-tracker/issues/343
When we added the read-only sysroot support it broke using "raw"
`ostree pull` and `ostree refs --create` and all of the core repo
CLIs that just operate on a repo and not a sysroot.

Fixing this is a bit ugly as it "layer crosses" things even more.
Extract a helper function that works in both cases.
2020-03-13 20:53:26 +00:00
Colin Walters
c6085ebd5e Release 2020.2
"Brown paper bag" release that actually sets the
`is_release_build=yes` flag and also fixes the
`Since:` on a few new functions.
2020-02-21 14:45:49 +00:00
Dan Nicholson
3557e4e165 lib: Fix Since versions for 2020.1
These had been added assuming 2019.7 would be the next version, but now
it's 2020 and there's been a release. In the case of
`OstreeCommitSizesEntry`, I'd forgotten to move it forward from 2019.5
to 2019.7 in the time between when I started working on the feature and
it landed.
2020-02-20 15:47:41 -07:00
OpenShift Merge Robot
b39c03ab97
Merge pull request #2013 from cgwalters/prepareroot-comment
prepare-root: Add a comment about the role of this service
2020-02-20 18:30:05 +01:00
Colin Walters
04c85fa101 Release 2020.1
New year, new release!
2020-02-20 16:35:47 +00:00
OpenShift Merge Robot
010e6c38bc
Merge pull request #1984 from jlebon/pr/supp-groups
lib/repo: Create repo directories as 0775
2020-02-20 03:07:41 +01:00
Colin Walters
d5bfbc6715 prepare-root: Add a comment about the role of this service
Came up on an IRC question, docs for this are scattered around.
2020-02-20 00:35:32 +00:00
Jonathan Lebon
7085a50297 lib/repo: Create repo directories as 0775
For repo structure directories like `objects`, `refs`, etc... we should
be more permissive and let the system's `umask` narrow down the
permission bits as wanted.

This came up in a context where we want to be able to have read/write
access on an OSTree repo on NFS from two separate OpenShift apps by
using supplemental groups[1] so we don't require SCCs for running as the
same UID (supplemental groups are part of the default restricted SCC).

[1] https://docs.openshift.com/container-platform/3.11/install_config/persistent_storage/persistent_storage_nfs.html#nfs-supplemental-groups
2020-02-18 11:26:46 -05:00
Colin Walters
0dd8dec2c9 deploy: Avoid trying to change immutable state unnecessarily
For some reason I haven't fully debugged (probably a recent
kernel change), in the case where the immutable bit isn't set,
trying to call `EXT2_IOC_SETFLAGS` without it set returns `EINVAL`.

Let's avoid calling the `ioctl()` if we don't have anything to do.

This fixes a slew of `make check` failures here in my toolbox
environment.

(kernel is `5.5.0-0.rc6.git0.1.fc32.x86_64` with `xfs`)
2020-02-14 16:37:38 +00:00
OpenShift Merge Robot
96fb1decf4
Merge pull request #1959 from cgwalters/ostree-verity
Initial fs-verity support
2020-01-28 13:01:40 -08:00
OpenShift Merge Robot
8a9a496501
Merge pull request #1957 from dbnicholson/commit-sizes
Upstream Endless sizes metadata changes
2020-01-27 08:25:59 -08:00
Colin Walters
58fa579b1b Initial fs-verity support
Using fs-verity is natural for OSTree because it's file-based,
as opposed to block based (like dm-verity).  This only covers
files - not symlinks or directories.  And we clearly need to
have integrity for the deployment directories at least.

Also, what we likely need is an API that supports signing files
as they're committed.

So making this truly secure would need a lot more work.  Nevertheless,
I think it's time to start experimenting with it.  Among other things,
it does *finally* add an API that makes files immutable, which will
help against some accidental damage.

This is basic enablement work that is being driven by
Fedora CoreOS; see also https://github.com/coreos/coreos-assembler/pull/876
2020-01-27 15:44:16 +00:00
OpenShift Merge Robot
08e292bc14
Merge pull request #1877 from dbnicholson/specific-gpg-errors
More specific GPG errors
2020-01-26 09:20:51 -08:00
Dan Nicholson
11ad68647a ostree/trivial-httpd: Add log message for autoexit
This is useful when checking if the daemon actually exited since we
don't store the child PID anywhere.
2020-01-24 13:11:54 -07:00
Dan Nicholson
fbf5a94e0a ostree/trivial-httpd: Fix --autoexit with --daemonize and --log-file
When --autoexit is used with --daemonize and --log-file, the program
never exits when the root directory is deleted. I believe what happens
is that g_file_new_for_path triggers the glib worker context to be
started to talk to GVfs. Once the program forks, the parent exits and
the thread iterating the worker context is gone. The file monitor then
never receives any events because the inotify helper also runs from the
worker context.

Move the fork earlier just after parsing and validating the command line
arguments. In order to handle setup errors in the child, a pipe is
opened and the parents waits until the child writes a status byte to it.
If the byte is 0, the parent considers the child setup successful and
exits and the child carries on as a daemon. Notably, the child doesn't
reopen stderr to /dev/null until after this so that it can send error
messages there.

Fixes: #1941
2020-01-24 13:11:54 -07:00
Dan Nicholson
0fbfc0b207 lib/gpg: Add more specific OstreeGpgError codes
Currently `ostree_gpg_verify_result_require_valid_signature` always
returns an error that the key used for the signature is missing from the
keyring. However, all that's been determined is that there are no valid
signatures. The error could also be from an expired signature, an
expired key, a revoked key or an invalid signature.

Provide values for these missing errors and return them from
`ostree_gpg_verify_result_require_valid_signature`. The description of
each result is appended to the error message, but since the result can
contain more than one signature but only a single error can be returned,
the status of the last signature is used for the error code. See the
comment for rationale.

Related: flatpak/flatpak#1450
2020-01-24 13:02:17 -07:00
Dan Nicholson
c54a3b5daa lib/gpg: Prefer declare-and-initialize style
As noted in
https://github.com/ostreedev/ostree/pull/1872#discussion_r295408768.
2020-01-24 13:02:09 -07:00
Dan Nicholson
97c831dd5f bin/show: Add --print-sizes option to show sizes metadata
Use the new `ostree_commit_get_object_sizes()` API to read the
`ostree.sizes` commit metadata and print a summary.
2020-01-20 20:46:31 -07:00
Dan Nicholson
260bcd1193 core: Add ostree_commit_get_object_sizes API
This function parses the object listing in the `ostree.sizes` metadata
and returns an array of `OstreeCommitSizesEntry` structures.

Unfortunately, for reasons I don't understand, the linker wants to
resolve `_ostree_read_varuint64` from `ostree-core.c` even though it's
not used by `test-checksum.c` at all.
2020-01-20 20:46:29 -07:00
Dan Nicholson
fcbb453443 core: Add OstreeCommitSizesEntry type
This will be used when reading out entries in the `ostree.sizes`
metadata. Each entry corresponds to an object in the metadata array.
2020-01-20 20:44:12 -07:00
Dan Nicholson
1bbe674d91 libarchive: Support commit sizes metadata
Call the helper to set the generate_sizes boolean so that object size
data is stored while writing the mtree.
2020-01-20 20:42:27 -07:00
John Hiesey
291e9da258 lib/commit: Include object type in sizes metadata
Append a byte encoding the OSTree object type for each object in the
metadata. This allows the commit metadata to be fetched and then for the
program to see which objects it already has for an accurate calculation
of which objects need to be downloaded.

This slightly breaks the `ostree.sizes` `ay` metadata entries. However,
it's unlikely anyone was asserting the length of the entries since the
array currently ends in 2 variable length integers. As far as I know,
the only users of the sizes metadata are the ostree test suite and
Endless' eos-updater[1]. The former is updated here and the latter
already expects this format.

1. https://github.com/endlessm/eos-updater/
2020-01-20 20:42:27 -07:00
Dan Nicholson
a4592678aa tests/sizes: Check duplicate file doesn't add sizes entry
A duplicate file will resolve to the same object, so it shouldn't add
any entries to the sizes metadata.
2020-01-20 20:42:27 -07:00
Dan Nicholson
44fb5e72a1 lib/commit: Make size entries for existing objects
If the object was already in the repo then the sizes metadata entry was
skipped. Move the sizes entry creation after the data has been computed
but before the early return for an existing object.
2020-01-20 20:42:27 -07:00
Dan Nicholson
8ec7d6322f lib/commit: Fix object sizes metadata for multiple commits
The object sizes hash table was only being cleared when the repo was
finalized. That means that performing multiple commits while the repo
was open would reuse all the object sizes metadata for each commit.

Clear the hash table when the sizes metadata is setup and when it's
added to a commit. This still does not fix the issue all the way since
it does nothing to prevent the program from constructing multiple
commits simultaneously. To handle that, the object sizes hash table
should be attached to the MutableTree since that has the commit state.
However, the MutableTree is gone when the commit is actually created.
The hash table would have to be transferred to the root file when
writing the MutableTree. That would be an awkward addition to
OstreeRepoFile, though. Add a FIXME to capture that.
2020-01-20 20:42:27 -07:00
Dan Nicholson
37045b4b46 lib/commit: Only set generate_sizes for archive repos
Rather than checking throughout the code, only set the boolean when
appropriate.
2020-01-20 20:42:27 -07:00
Colin Walters
5af403be0c Support mounting /sysroot (and /boot) read-only
We want to support extending the read-only state to cover `/sysroot`
and `/boot`, since conceptually all of the data there should only
be written via libostree.  Or at least for `/boot` should *mostly*
just be written by ostree.

This change needs to be opt-in though to avoid breaking anyone.

Add a `sysroot/readonly` key to the repository config which instructs
`ostree-remount.service` to ensure `/sysroot` is read-only.  This
requires a bit of a dance because `/sysroot` is actually the same
filesystem as `/`; so we make `/etc` a writable bind mount in this case.

We also need to handle `/var` in the "OSTree default" case of a bind
mount; the systemd generator now looks at the writability state of
`/sysroot` and uses that to determine whether it should have the
`var.mount` unit happen before or after `ostree-remount.service.`

Also add an API to instruct the libostree shared library
that the caller has created a new mount namespace.  This way
we can freely remount read-write.

This approach extends upon in a much better way previous work
we did to support remounting `/boot` read-write.

Closes: https://github.com/ostreedev/ostree/issues/1265
2019-12-11 15:33:57 +00:00
Colin Walters
20daf96880 finalize-staged: Use the core option parsing to load sysroot
Prep for using the default mount namespace handling there that
will land as part of the read-only `/sysroot` and `/boot` work.
See https://github.com/ostreedev/ostree/issues/1265
2019-12-11 14:39:17 +00:00
Colin Walters
978bd19f97 Release 2019.6
Nothing really big here, but let's get a release out
so some bigger things like ro-sysroot, signing, sizes can
bake in master for a bit.
2019-12-09 16:18:01 +00:00
Colin Walters
36039759e2 pull: Add support for basic auth
This has been requested a few times for people delivering
OSTree content and wanting to do access control.
2019-12-02 22:48:33 +00:00
Philip Chimento
54639c03ca libostree: Add ostree_async_progress_copy_state()
This allows copying the state from one OstreeAsyncProgress object to
another, atomically, without invoking the callback. This is needed in
libflatpak, in order to chain OstreeAsyncProgress objects so that you
can still receive progress updates when iterating a different
GMainContext than the one that the OstreeAsyncProgress object was
created under.

See https://github.com/flatpak/flatpak/pull/3211 for the application of
this API.
2019-11-20 12:24:26 -08:00
Philip Chimento
382ad59822 Bump version in symbols file
There were no new symbols in 2019.5 and this version didn't get bumped
when 2019.5 was released.
2019-11-20 11:18:36 -08:00
Robert Fairley
aadc4db012 lib/kernel-args: Store kernel args as key/value entries
Define an `OstreeKernelArgsEntry` structure, which holds
both the key and the value. The kargs order array stores
entries for each key/value pair, instead of just the keys.
The hash table is used to locate entries, by storing
entries in a pointer array for each key. The same public
interface is preserved, while maintaining ordering
information of each key/value pair when
appending/replacing/deleting kargs.

Fixes: #1859
2019-11-07 23:39:10 -05:00
Colin Walters
58980a717a lib/keyfile: Treat "group not found" the same as "key not found"
Prep for fsverity, where I want to create a new group
`[fsverity]` in the keyfile that has default values.  We should
treat the absence of a group the same as absence of a key
in these "with defaults" APIs.
2019-11-07 21:15:41 +00:00
Colin Walters
980ca07b03 Release 2019.5 2019-10-30 17:08:00 +00:00
Jonathan Lebon
7ae8da08b9 lib/deploy: Also install HMAC file into /boot
To allow for FIPS mode, we need to also install the HMAC file from
`/usr/lib/modules` to `/boot` alongside the kernel image where the
`fips` dracut module will find it. For details, see:

https://github.com/coreos/fedora-coreos-tracker/issues/302

Note I didn't include the file in the boot checksum since it's itself a
checksum of the kernel, so we don't really gain much here other than
potentially causing an unnecessary bootcsum bump.
2019-10-29 16:45:29 -04:00
OpenShift Merge Robot
476f375cfc
Merge pull request #1953 from uajain/uajain/fix-memory-leak
async-progress: Plug memory leak while destroying GSource
2019-10-29 06:26:17 +01:00
Jonathan Lebon
74936f98d8 lib/pull: Tweak update_timeout logic again
I was hitting `SIGSEGV` when running `cosa build` and narrowed it down
to #1954. What's happening here is that because we're using the default
context, when we unref it in the out path, it may not actually destroy
the `GSource` if it (the context) is still ref'ed elsewhere. So then,
we'd still get events from it if subsequent operations iterated the
context.

This patch is mostly a revert of #1954, except that we still keep a ref
on the `GSource`. That way it is always safe to destroy it afterwards.
(And I've also added a comment to explain this better.)
2019-10-28 15:26:45 -04:00
Umang Jain
78c8c25d64 async-progress: Plug memory leak while destroying GSource
See https://gitlab.gnome.org/GNOME/glib/commit/71973c722
2019-10-25 20:59:15 +05:30
Colin Walters
650d6252af Revert "grub2: Exit gracefully if the configuration has BLS enabled"
This reverts commit 985a141002.
It turned out that some people have old bootloaders, and hence
get the "no entries" problem.  That's much, much much worse
than double entries.
2019-10-24 17:49:53 +00:00
Jonathan Lebon
d4a186e80e lib/pull: Avoid calling destroy on unref'ed GSource
We're creating the timer source and then passing ownership to the
context, but because we didn't free the pointer, we would still call
`g_source_destroy` in the exit path. We'd do this right after doing
`unref` on the context too, which would have already destroyed and
unref'ed the source.

Drop that and just restrict the scope of that variable down to make
things more obvious.

Just noticed this after reviewing #1953.
2019-10-23 11:15:02 -04:00
OpenShift Merge Robot
1645416aac
Merge pull request #1947 from cgwalters/more-scan-build-2
More scan build 2
2019-10-18 20:59:06 +02:00
Dan Nicholson
4df90d4012 repo: Stop using deprecated G_GNUC_FUNCTION
In glib 2.62 this has been changed to emitting a warning. Use G_STRFUNC
instead, which has been available for a long time and is already used in
other places in ostree.
2019-10-18 11:10:44 -06:00
Colin Walters
fbed380483 lib/checksum-utils: Use g_memdup()
This is clearer and silences a scan-build warning.
2019-10-18 15:07:39 +00:00
Colin Walters
57bb06419a lib: Port variant-builder.c to new style
Seeing `scan-build` warning here, prep for fixing it.
2019-10-18 15:07:39 +00:00
Colin Walters
25c5ae5d08 lib/pull: [scan-build] Silence a dead store warning
This one was actual duplicate code.
2019-10-18 15:07:39 +00:00
Colin Walters
bc1980ca38 lib/repo: [scan-build] Quiet a dead store warning
False positive, just add a pacifier.
2019-10-18 15:07:39 +00:00
OpenShift Merge Robot
3b58d89368
Merge pull request #1943 from cgwalters/more-scan-build
More scan build
2019-10-16 20:44:15 +02:00
OpenShift Merge Robot
38729a4f90
Merge pull request #1937 from cgwalters/zipl-backend
bootloader: Add a zipl bootloader backend
2019-10-16 17:21:10 +02:00
Colin Walters
c61234a428 bootloader: Add a zipl bootloader backend
zipl is a bit special in that it parses the BLS config files
directly *but* we need to run the command to update the "boot block".

Hence, we're not generating a separate config file like the other
backends.  Instead, extend the bootloader interface with a `post_bls_sync`
method that is run in the same place we swap the `boot/loader` symlink.

We write a "stamp file" in `/boot` that says we need to run this command.
The reason we use stamp file is to prevent the case where the system is
interrupted after BLS file is updated, but before zipl is triggered,
then zipl boot records are not updated.
This opens the door to making things eventually-consistent/reconcilable
by later adding a systemd unit to run `zipl` if we're interrupted via
a systemd unit - I think we should eventually take this approach
everywhere rather than requiring `/boot/loader` to be a symlink.

Author: Colin Walters <walters@verbum.org>
Tested-by: Tuan Hoang <tmhoang@linux.ibm.com>
Co-Authored-By: Tuan Hoang <tmhoang@linux.ibm.com>
2019-10-16 14:22:02 +00:00
Colin Walters
946659aacf prune: [scan-build] Initialize a variable
Another false positive because we only read this if `opt_keep_younger_than` is `TRUE`,
but let's initialize variables on general principle.
2019-10-16 13:48:20 +00:00
Colin Walters
a8dc90b02f tree-wide: [scan-build]: Add some asserts that pointers are non-NULL
More "scan-build doesn't understand GError and our out-param conventions"
AKA "these errors would be impossible with Rust's sum type Result<> approach".
2019-10-16 13:44:46 +00:00
Colin Walters
4a38b11159 commit: [scan-build] Remove a dead assignment
The `write_commit()` API defaults to current time, and
this assignment became dead in:
8ba90a3341
2019-10-16 13:38:29 +00:00
Colin Walters
810f24d897 libotutil: Port keyfile-utils.c to new style
I was trying to fix a clang `scan-build` error that jlebon
ended up tracking down in
9344de1ce1

But in the process of tracing through this I found it
way easier to read as "new style" code, so this also ports the
code.

I added a `g_assert()` in there too to help assert that
`g_key_file_get_value` won't leak in the error path.
2019-10-16 13:30:21 +00:00
OpenShift Merge Robot
347e234aaa
Merge pull request #1932 from cgwalters/covscan-fixes-2
libostree: Add an assert to pacify clang-analyzer
2019-10-15 19:56:54 +02:00
Jonathan Lebon
9344de1ce1 src/libotutil: Fix strv memory leak
We were only freeing the array and not the members.

Caught by `clang-analyzer` in:
https://github.com/ostreedev/ostree/pull/1931
2019-10-15 11:59:45 -04:00
Colin Walters
806206fac2 repo: [scan-build]: Mark a variable used
We're just using this to auto-free, quiet the static analysis.
2019-10-15 12:41:27 +00:00
Colin Walters
51d9aa35a9 sysroot: [scan-build] Remove a dead assignment
Just quieting the scan.
2019-10-15 12:41:27 +00:00
Colin Walters
f1fdd885ab sysroot: [scan-build]: Remove a dead assignment
Clarify the conditionals here and remove a dead assignment.
2019-10-15 12:41:27 +00:00
Colin Walters
9032182e3c repo: [scan-build] Initialize a variable
Another GLib error convention issue; but eh, we might as
well be conservative and always initialize variables.
2019-10-15 12:41:27 +00:00
Colin Walters
aa7795d08d libostree: Add an assert to pacify clang-analyzer
Got this error when trying to rebase libostree in RHEL:

```
Error: CLANG_WARNING: [#def1]
libostree-2019.2/src/libostree/ostree-repo-checkout.c:375:21: warning: Access to field 'disable_xattrs' results in a dereference of a null pointer (loaded from variable 'repo')
```

I think what's happening is it sees us effectively testing
`if (repo == NULL)` via the `while (current_repo)`.  Let's
tell it we're sure it's non-null right after the loop.
2019-10-15 12:40:54 +00:00
Javier Martinez Canillas
985a141002 grub2: Exit gracefully if the configuration has BLS enabled
Since Fedora 30 grub2 has support to populate its menu entries from the
BootLoaderSpec fragments in /boot/loader/entries, so there's no need to
generate menu entries anymore using the /etc/grub.d/15_ostree script.

But since ostree doesn't update the bootloader, it may be that the grub2
installed is an old one that doesn't have BLS support.

For new installs, GRUB_ENABLE_BLSCFG=true is set in /etc/default/grub to
tell the /etc/grub.d/10_linux script if a blscfg command has to be added
to the generated grub2 config file.

So check if BLS is enabled in /etc/default/grub and only add the entries
if that's not the case. Otherwise the menu entries will be duplicated.

The approach has the drawback that if a user sets GRUB_ENABLE_BLSCFG=true
in /etc/default/grub without updating grub2, they will get an empty menu.
Since there won't be any entries created by the 30_ostree script and the
blscfg command won't work on the older grub2.

Unfortunately there is no way to know if the installed grub2 already has
BLS support or not.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1751272#c27

Closes: #1929
Approved by: jlebon
2019-09-26 17:59:37 +00:00
Jonathan Lebon
c6c640f3ae Post-release version bump
Closes: #1927
Approved by: cgwalters
2019-09-25 13:43:28 +00:00
Jonathan Lebon
9d39e7d91e Release 2019.4
Tiny release. Just want to get out the important bugfixes instead of
backporting patches (notably the gpg-agent stuff and
`ostree-finalize-staged.service` ordering).

Closes: #1927
Approved by: cgwalters
2019-09-25 13:43:28 +00:00
Jonathan Lebon
88182635ab boot/finalize-staged: Run after systemd-journal-flush.service
In Fedora 31, `systemd-journal-flush.service` uses a new
`--smart-relinquish-var` switch which fixes the
`umount: /var: target is busy` bug by telling journald to stop logging
to `/var` and back to `/run` again during shutdown.

This interacted with `ostree-finalize-staged.service` in a tricky way:
since we weren't strongly ordered against it, when we happened to
finalize after `/var` is relinquished, we never persisted the output
from that service to disk. This then threw off `rpm-ostree status` when
trying to find the completion message to know that finalization went
well.

Just fix this by adding an explicit `After=` on that unit. That way we
shut down *before* `systemd-journal-flush.service` (the `/var`
relinquish bit happens in its `ExecStop=`).

For more info, see:
3ff7a50d66
1e187d2dd5
https://bugzilla.redhat.com/show_bug.cgi?id=1751272

Closes: #1926
Approved by: cgwalters
2019-09-24 21:39:10 +00:00
Philip Withnall
94fcba96e0 lib/repo-pull: Add more debugging on pull failure
Signed-off-by: Philip Withnall <withnall@endlessm.com>

Closes: #1925
Approved by: cgwalters
2019-09-24 13:36:59 +00:00
Benjamin Gilbert
653fc6a125 prepare-root: remember to remove /sysroot.tmp
Without this, rerunning ostree-prepare-root will fail in mkdir()
because /sysroot.tmp already exists, which complicates debugging from
the dracut emergency shell.

Closes: #1919
Approved by: cgwalters
2019-09-13 12:40:57 +00:00
Colin Walters
ca701f69c2 fsck: Fix version in docs, tweak error text
I think this error message is clearer.

Closes: #1918
Approved by: jlebon
2019-09-09 15:18:50 +00:00
Jason Wessel
b709c3c67b fsck: Implement a partial commit reason bitmask
After the corruption has been fixed with "ostree fsck -a --delete", a
second run of the "ostree fsck" command will print X partial commits
not verified and exit with a zero.

The zero exit code makes it hard to detect if a repair operation needs
to be run.  When ever fsck creates a partial commit it should add a
reason for the partial commit to the state file found in
state/<hash>.commitpartial.  This will allow a future execution of the
fsck to still return an error indicating that the repository is still
in the damaged state, awaiting repair.

Additional reason codes could be added in the future for why a partial
commit exists.

Text from: https://github.com/ostreedev/ostree/pull/1880
====
cgwalters commented:

To restate, the core issue is that it's valid to have partial commits
for reasons other than fsck pruned bad objects, and libostree doesn't
have a way to distinguish.

Another option perhaps is to write e.g. fsck-partial into the
statefile state/<hash>.commitpartial which would mean "partial, and
expected to exist but was pruned by fsck" and fsck would continue to
error out until the commit was re-pulled. Right now the partial stamp
file is empty, so it'd be fully compatible to write a rationale into
it.
====

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>

Closes: #1910
Approved by: cgwalters
2019-09-09 13:40:36 +00:00
Dan Nicholson
e49060c207 lib/gpg: Use g_spawn_sync to kill gpg-agent
For reasons I don't understand, GSubprocess doesn't play nice with KDE's
plasmashell. I assume this has something to do with the GSubprocess
using the glib worker thread while plasmashell uses the glib main
loop. Instead, just use g_spawn_sync to fork and wait in the current
thread.

Fixes: #1913

Closes: #1917
Approved by: cgwalters
2019-09-07 18:42:22 +00:00
Dan Nicholson
d14472a7f0 lib/gpg: Don't kill gpg-agent on newer gnupg
GnuPG 2.1.17 contains a bug fix so that `gpg-agent` is killed when the
entire GPG home directory is deleted[1]. If the host's GnuPG is new
enough, then we don't need to bother calling `gpg-connect-agent` to kill
the agent since it will be cleaned up on its own.

Get the GnuPG version from the GPGME OpenPGP engine info and parse it to
see if it matches this criteria.

1. https://dev.gnupg.org/T2756

Closes: #1915
Approved by: cgwalters
2019-09-06 18:04:05 +00:00
Dan Nicholson
522d31b2d4 lib/gpg: Only show gpg-connect-agent stderr on failures
When listing GPG keys, the temporary GPG homedir will be constructed by
simply copying the remote's trusted keys to the pubring.gpg file. In
that case, no GPG operations spawning gpg-agent will be run. When
gpg-connect-agent is run to cleanup the homedir, it will helpfully print
on stderr that it's starting gpg-agent like so:

gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established

Send gpg-connect-agent's stderr to a pipe and only send it to the
application's stderr if an error was encountered.

Fixes: #1907

Closes: #1908
Approved by: cgwalters
2019-09-02 21:55:14 +00:00
Javier Martinez Canillas
d42f970ed3 lib/bootconfig-parser: Always include deployment index in BLS title
If there are different deployments for the same commit version, the BLS
snippets will have the same title fields (but different version fields):

$ grep title *
ostree-1-testos.conf:title TestOS 42 20190902.0 (ostree)
ostree-2-testos.conf:title TestOS 42 20190902.0 (ostree)
ostree-3-testos.conf:title TestOS 42 20190902.0 (ostree)

But bootloaders could expect the title field to be unique for BLS files.
For example, the zipl bootloader used in the s390x architecture uses the
field to name the boot sections that are created from the BLS snippets.

So two BLS snippets having the same title would lead to zipl failing to
create the IPL boot sections because they would have duplicated names:

$ zipl
Using config file '/etc/zipl.conf'
Using BLS config file '/boot/loader/entries/ostree-3-testos.conf'
Using BLS config file '/boot/loader/entries/ostree-2-testos.conf'
Using BLS config file '/boot/loader/entries/ostree-1-testos.conf'
Error: Config file '/etc/zipl.conf': Line 0: section name 'TestOS 42 20190902.0 (ostree)' already specified

Avoid this by always including the deployment index along with the commit
version in the title field, so this will be unique even if there are BLS
files for deployments that use the same commit version:

$ grep title *
ostree-1-testos.conf:title TestOS 42 20190902.0 (ostree:2)
ostree-2-testos.conf:title TestOS 42 20190902.0 (ostree:1)
ostree-3-testos.conf:title TestOS 42 20190902.0 (ostree:0)

$ zipl
Using config file '/etc/zipl.conf'
Using BLS config file '/boot/loader/entries/ostree-3-testos.conf'
Using BLS config file '/boot/loader/entries/ostree-2-testos.conf'
Using BLS config file '/boot/loader/entries/ostree-1-testos.conf'
Building bootmap in '/boot'
Building menu 'zipl-automatic-menu'
Adding #1: IPL section 'TestOS 42 20190902.0 (ostree:0)' (default)
Adding #2: IPL section 'TestOS 42 20190902.0 (ostree:1)'
Adding #3: IPL section 'TestOS 42 20190902.0 (ostree:2)'
Preparing boot device: dasda (0120).
Done.

Closes: #1911
Approved by: cgwalters
2019-09-02 21:08:58 +00:00
Javier Martinez Canillas
2ca2b88f51 lib/bootconfig-parser: Write BLS fragment fields in a deterministic order
Currently the BLS fragments fields write is non-determinisitc. The order
of the fields will depend on how the iterator of the options GHashTable
iterates over the key/value pairs.

But some bootloaders expect the fields to be written in a certain order.
For example the zipl bootloader (used in the s390x architecture) fails to
parse BLS files if the first field is not the 'title' field, since that's
used to name the zipl boot sections that are created from the BLS files.

Write the fields in a deterministic order, following what is used in the
example file of the BootLoaderspec document:

https://systemd.io/BOOT_LOADER_SPECIFICATION

Related: https://github.com/ostreedev/ostree/issues/1888

Closes: #1904
Approved by: cgwalters
2019-08-29 12:58:43 +00:00
Javier Martinez Canillas
f82f825fed lib/bootconfig-parser: Remove support to preserve comments in BLS files
OSTree has some logic to preserve comment lines in the BLS fragments, but
the BLS fragments are always created on new deployments so the comments
are never carried.

Also, OSTree never writes BLS fragments with comments so these will only
be present in BLS files that were modified outside of OSTree. Something
that should be avoided in general.

Finally, there is a bug in the logic that causes BLS files to have lines
with only a newline character.

The ostree_bootconfig_parser_parse_at() function reads the bootconfig file
using glnx_fd_readall_utf8() but this function NUL terminates the returned
string with the file contents.

So when the string is later split using '\n' as delimiter, the last token
is set to '\0' and a wrong GVariant will be added to the lines GPtrArray
in the OstreeBootconfigParser struct.

This will lead to bootconfig files that contains lines with only a newline
character, since the key in the GVariant would be set to NUL and won't be
present in the options GHashTable of the OstreeBootconfigParser struct.

So let's just remove that logic since is never used and makes BLS files to
have wrong empty lines.

Before this patch:

$ tail -n 4 /boot/loader/entries/ostree-1-testos.conf | hexdump -C
00000000  74 69 74 6c 65 20 54 65  73 74 4f 53 20 34 32 20  |title TestOS 42 |
00000010  32 30 31 39 30 38 32 34  2e 30 20 28 6f 73 74 72  |20190824.0 (ostr|
00000020  65 65 29 0a 0a 0a 0a                              |ee)....|
00000027

After this patch:

$ tail -n 4 /boot/loader/entries/ostree-1-testos.conf | hexdump -C
00000000  76 65 72 73 69 6f 6e 20  31 0a 6f 70 74 69 6f 6e  |version 1.option|
00000010  73 20 72 6f 6f 74 3d 4c  41 42 45 4c 3d 4d 4f 4f  |s root=LABEL=MOO|
00000020  20 71 75 69 65 74 20 6f  73 74 72 65 65 3d 2f 6f  | quiet ostree=/o|
00000030  73 74 72 65 65 2f 62 6f  6f 74 2e 31 2f 74 65 73  |stree/boot.1/tes|
00000040  74 6f 73 2f 61 65 34 36  34 39 36 38 30 64 33 65  |tos/ae4649680d3e|
00000050  38 33 62 32 34 65 34 37  66 38 64 66 31 30 38 31  |83b24e47f8df1081|
00000060  38 62 66 36 39 38 39 64  36 34 37 61 62 32 38 38  |8bf6989d647ab288|
00000070  64 31 63 30 39 38 30 36  65 34 61 33 36 61 34 65  |d1c09806e4a36a4e|
00000080  62 62 66 36 2f 30 0a 6c  69 6e 75 78 20 2f 6f 73  |bbf6/0.linux /os|
00000090  74 72 65 65 2f 74 65 73  74 6f 73 2d 61 65 34 36  |tree/testos-ae46|
000000a0  34 39 36 38 30 64 33 65  38 33 62 32 34 65 34 37  |49680d3e83b24e47|
000000b0  66 38 64 66 31 30 38 31  38 62 66 36 39 38 39 64  |f8df10818bf6989d|
000000c0  36 34 37 61 62 32 38 38  64 31 63 30 39 38 30 36  |647ab288d1c09806|
000000d0  65 34 61 33 36 61 34 65  62 62 66 36 2f 76 6d 6c  |e4a36a4ebbf6/vml|
000000e0  69 6e 75 7a 2d 33 2e 36  2e 30 0a 74 69 74 6c 65  |inuz-3.6.0.title|
000000f0  20 54 65 73 74 4f 53 20  34 32 20 32 30 31 39 30  | TestOS 42 20190|
00000100  38 32 34 2e 30 20 28 6f  73 74 72 65 65 29 0a     |824.0 (ostree).|
0000010f

Closes: #1904
Approved by: cgwalters
2019-08-29 12:58:43 +00:00
Colin Walters
93999d337e sysroot: Add a clearer error if /boot/loader isn't found
I've seen people confused by this error in the case where
`/boot` isn't mounted or the BLS fragments were deleted, etc.
If you understand ostree deeply it's clear but, let's do
better here and a direct error message for the case where
we can't find `/boot/loader` which is the majority of these.

The other case could happen if e.g. just the BLS fragment
for the booted deployment was deleted; let's reword that
one a bit too.

Closes: #1905
Approved by: rfairley
2019-08-26 20:30:31 +00:00
Colin Walters
71e1e9d18e Post-release version bump
Closes: #1902
Approved by: rfairley
2019-08-22 18:37:38 +00:00
Colin Walters
b15ed42111 Release 2019.3
It's been a while, and we need the new kargs API for rpm-ostree.

Closes: #1902
Approved by: rfairley
2019-08-22 18:37:38 +00:00
Daniel Drake
99d56215e6 lib/deploy: handle FIFREEZE ENOSYS failure
When running under qemu, unimplemented ioctls such as FIFREEZE
return ENOSYS, and this causes the deployment to fail.

Catch this and handle it like EOPNOTSUPP.

I'm not sure if qemu's behaviour is fully correct here (or if it should
return EOPNOTSUPP) but it's trivial to handle regardless.

Closes: #1901
Approved by: cgwalters
2019-08-21 12:38:05 +00:00
Jonathan Lebon
0c48769de3 bin: Better handle --
We would stop passing through `--` and args after it to the underlying
command in `ostree_run`. This made it impossible to use `--` to tell the
parser that following args starting with `-` really are positional.

AFAICT, that logic for `--` here came from a time when we parse options
manually in a big loop, in which case breaking out made sense (see
97558276e4).

There's an extra step here, which is that glib by default leaves the
`--` in the list of args, so we need to take care to remove it from the
list after parsing.

Closes: #1898

Closes: #1899
Approved by: rfairley
2019-08-14 12:31:10 +00:00
Colin Walters
ab73d9f525 admin/init-fs: Add a --modern switch
This skips creating the default stuff in the physical sysroot.
I don't recall why I did that to be honest; it originated with
the first commit of this file.  It might not have ever been
necessary.

In any case, it's not necessary now with Fedora CoreOS, so
prune it and let's have a clean `/`.

Keep the old behavior by default though to avoid breaking anyone.

Closes: #1894
Approved by: ajeddeloh
2019-08-08 20:02:11 +00:00
Denis Pynkin
8322e77a88 gpg: add dummy public interface
Add dummy stubs for GPG public functions to be compiled instead of
original code in case if support of GPG is disabled.
Need that to keep API backward compatibility.

Based on original code from file `ostree-gpg-verify-result.c`.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Closes: #1889
Approved by: cgwalters
2019-08-01 02:06:47 +00:00
Denis Pynkin
56020b7160 lib: rename common sign/verification functions and variables
Some gpg-named functions/variables should be used for any signature
system, so remove "gpg_" prefix from them to avoid confusion.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Closes: #1889
Approved by: cgwalters
2019-08-01 02:06:47 +00:00
Denis Pynkin
0108e9ea49 gpg: conditionally build GPG-related code for sign/verification
Do not build the code related to GPG sign and verification if
GPGME support is disabled.
Public functions return error 'G_IO_ERROR_NOT_SUPPORTED' in case if
gpg-related check is rquested.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Closes: #1889
Approved by: cgwalters
2019-08-01 02:06:47 +00:00
Jonathan Lebon
97c673b64b lib/pull: Rename variable for clarity
Let's use `checksum` instead of the more general `contents`.

Closes: #1891
Approved by: cgwalters
2019-07-29 13:58:29 +00:00
Jonathan Lebon
9332830e09 lib/pull: Allow downgrade protection with overrides
There's a valid use case for enabling the timestamp downgrade check
while still also using override commits.

We'll make use of this in Fedora CoreOS, where the agent specifies the
exact commit to upgrade to, while still enforcing that it be newer.

Closes: #1891
Approved by: cgwalters
2019-07-29 13:58:29 +00:00
Colin Walters
c9ecfb1d81 Add OSTREE_BUILT_FEATURES to ostree-version.h
This way projects can dispatch at run-time based on ostree's
build time options, e.g. detect the availability of GPG.

Closes: #1890
Approved by: jlebon
2019-07-29 13:58:13 +00:00
Dan Nicholson
19e764cea2 lib/kargs: Don't expose OstreeKernelArgs autoptr cleanup on old glib
Move the OstreeKernelArgs autoptr cleanup definition to
ostree-autocleanups.h, which will only expose the definitions when
building ostree or if glib is new enough. The include of
ostree-kernel-args.h needs to be moved before ostree-autocleanups.h in
ostree.h so that the OstreeKernelArgs type is declared when the autoptr
cleanup is defined. All the places it's used already pull in libglnx.h
first so that the compat macros are picked up if glib it too old during
the ostree build.

Closes: #1892
Approved by: jlebon
2019-07-27 03:20:21 +00:00
Rafael Fonseca
a904f434cd lib/kargs: add missing function to symbol-versioning table
Signed-off-by: Rafael Fonseca <r4f4rfs@gmail.com>

Closes: #1883
Approved by: jlebon
2019-07-02 13:58:26 +00:00
Matthew Leeds
48624c99ad lib/repo: Improve docs for get_min_free_space_bytes()
Closes: #1879
Approved by: jlebon
2019-06-26 14:14:08 +00:00
Robert Fairley
322e8697e9 lib/util: Drop unneeded ot-tool-util.h includes
With `ot-tool-util.h` made visible in `otutil.h` (in
be2572bf68), drop previous includes
of `ot-tool-util.h` elsewhere.

Closes: #1876
Approved by: zonggen
2019-06-21 14:52:11 +00:00
Dan Nicholson
b6979e7572 lib: Kill GPG agent when cleaning up tmp homedirs
When a temporary directory is used for GPG operations, it's pretty clear
that the running agent will be useless after the directory is deleted.
Call the new `ot_gpgme_kill_agent ()` helper to kill gpg-agent rather
than leaving them it hanging around forever.

As it turns out, gnupg does have code to make gpg-agent automatically
exit when the homedir is removed (https://dev.gnupg.org/T2756), but
that's only available on gnupg 2.2 or newer. Possibly this code can be
dropped later when that's more widely deployed or users/distros have
been advised to backport the necessary changes.

Closes: #1799
Approved by: cgwalters
2019-06-19 17:30:24 +00:00
Dan Nicholson
4670837f7c lib/gpg: Add helper to kill GPG agent
With GnuPG 2, any time you do basically any operation, a gpg-agent will
be spawned for the GPG home directory in use. The classic way to kill a
gpg-agent is to use `gpg-connect-agent` and send the `killagent` command
as is done in libtest.sh.

Closes: #1799
Approved by: cgwalters
2019-06-19 17:30:24 +00:00
Dan Nicholson
d0ec319b6b lib/gpg: Show if GPG key has been revoked
Rather then showing the incorrect `BAD signature`.

Closes: #1872
Approved by: cgwalters
2019-06-19 17:17:11 +00:00
Dan Nicholson
d714e622b8 lib/gpg: Show information for expired keys
Introduce a new signature attribute for the key expiration timestamp and
display it when the key has a non-zero expiration time. Without this,
the error shown is `BAD signature`, which isn't correct.

Closes: #1872
Approved by: cgwalters
2019-06-19 17:17:11 +00:00
Dan Nicholson
901c2f5e5f lib/gpg: Factor out expiration timestamp formatting
This will be reused to format a key expiration message.

Closes: #1872
Approved by: cgwalters
2019-06-19 17:17:11 +00:00
Allen Bai
be2572bf68 lib/kargs: Make API public and upstream new rpm-ostree APIs
This change makes public the current kargs API in src/libostree/ostree-kernel-args.c
and adds documentations.

Upstreams the new kargs API from rpm-ostree/src/libpriv/rpmostree-kargs-process.c

Merges libostree_kernel_args_la_SOURCES to libostree_1_la_SOURCES in Makefile-libostree.am

Upstreams tests/check/test-kargs.c from rpm-ostree.

Closes: #1833

Closes: #1869
Approved by: jlebon
2019-06-18 14:29:14 +00:00
Rafael Fonseca
2db79fb398 admin: allow multiple args for pin subcommand
Fixes #1816

Signed-off-by: Rafael Fonseca <r4f4rfs@gmail.com>

Closes: #1874
Approved by: rfairley
2019-06-17 15:06:09 +00:00
Dan Nicholson
d916383953 bin/refs: Allow overwriting existing ref
Currently if you want to update a non-alias ref, you need to first check
if it exists and use either `ostree refs --create` or `ostree reset` as
appropriate. That's unnecessarily complicated and is much less
convenient than the old `write-refs` builtin that simply called
`ostree_repo_set_ref_immediate()` without any checks.

Add a `--force` option to be used with `--create` that does not raise an
error when the destination ref already exists.

Closes: #1870
Approved by: jlebon
2019-06-12 15:00:19 +00:00
Allen Bai
6733843f87 lib/util: Fix segfault when validating filename
This change fixes the segfault issue when calling ostree_repo_checkout_tree with
empty GFileInfo. A simple condition check for NULL value is added at
src/libotutil/ot-unix-utils.c:46. Closes: ostreedev#1864.

Closes: #1868
Approved by: jlebon
2019-06-06 16:05:19 +00:00
Philip Withnall
e0ddaa811b ostree-repo-finder: Clarify immutability after construction
I think this was the intention, but I forgot to document it.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Closes: #1863
Approved by: mwleeds
2019-05-29 03:36:06 +00:00
Tristan Van Berkom
bebd8d6980 bin/commit: Support committing archives from stdin
This commit interprets archive filenames specified as '-' to
indicate that the input should be read from stdin.

Closes: #1862
Approved by: jlebon
2019-05-28 17:03:22 +00:00
Tristan Van Berkom
da4d0245af lib/commit: Added new ostree_repo_write_archive_to_mtree_from_fd()
Similar to ostree_repo_write_archive_to_mtree(), but takes
a file descriptor to read the archive from instead of mandating
a file path.

Usefull for importing archives into an OSTree repo over a socket
or from standard input in command line tools.

Closes: #1862
Approved by: jlebon
2019-05-28 17:03:22 +00:00
Robert Fairley
4929fc38e9 lib/fetcher-util: Use GIOErrorEnum instead of GIOError
Use GIOErrorEnum as the return value for
_ostree_fetcher_http_status_code_to_io_error(), to avoid an
implicit cast from GIOError.

Closes: #1857
Approved by: cgwalters
2019-05-20 13:09:28 +00:00
Felix Krull
2c1658538f lib: add parameter annotations for sysroot_load_if_changed
Closes: #1861
Approved by: cgwalters
2019-05-19 14:50:08 +00:00
Felix Krull
aa5df8995e lib: add some missing (out) annotations
Closes: #1861
Approved by: cgwalters
2019-05-19 14:50:08 +00:00
Felix Krull
0872708ea1 lib: fix up some nullability annotations
Closes: #1861
Approved by: cgwalters
2019-05-19 14:50:08 +00:00
Felix Krull
e607e79f4e lib: add minimum version to various symbols based on libostree-released.sym
Closes: #1861
Approved by: cgwalters
2019-05-19 14:50:08 +00:00
Felix Krull
4aeba118b0 lib: fix doc comment for ostree_repo_get_min_free_space_bytes
Closes: #1861
Approved by: cgwalters
2019-05-19 14:50:08 +00:00
Richard Hughes
f31d779690 lib: mmap the summary to reduce RSS in clients
Closes: #1855

Closes: #1856
Approved by: cgwalters
2019-05-08 19:36:24 +00:00
Tristan Cacqueray
27b7d468e6 prepare-root: remove ignored MS_MGC_VAL flag
Since Linux 2.4 this is no longer required and the flag is ignored.

Closes: #1851
Approved by: cgwalters
2019-05-05 20:53:17 +00:00
Jonathan Lebon
80435e12a7 Release 2019.2
Also add `ostree_repo_get_bootloader` to the public API, which was
missed when it was initially merged.

Closes: #1844
Approved by: rfairley
2019-04-25 16:47:40 +00:00
Colin Walters
304abee9eb prepare-root: Fix compilation with --with-static-compiler
Closes: https://github.com/ostreedev/ostree/issues/1845

Closes: #1846
Approved by: akiernan
2019-04-25 13:00:40 +00:00
Jonathan Lebon
586cc2deee lib/deploy: Support locking deployment finalization
Teach `ostree-finalize-staged.service` to check for a file in `/run` to
determine if it should do the finalization. This will be used in
RPM-OSTree, where we want to be able to separate out "preparing updates"
from "making update the default" for more fine-grained control. See:
https://github.com/projectatomic/rpm-ostree/issues/1748

Closes: #1841
Approved by: cgwalters
2019-04-24 21:38:24 +00:00
Jonathan Lebon
405d9ef9e0 lib/deploy: Write to journal if nothing to finalize
This can happen if a deployment was staged and later cleaned up. Though
just as a helper when debugging issues, let's explicitly mention that
case.

Closes: #1841
Approved by: cgwalters
2019-04-24 21:38:24 +00:00
Jonathan Lebon
5464535205 lib: Add ot_journal_* helper macros
Rather than wrapping each instance of `sd_journal_*` with
`HAVE_SYSTEMD`, let's just add some convenience macros that are just
no-op if we're not compiling with systemd.

Closes: #1841
Approved by: cgwalters
2019-04-24 21:38:24 +00:00
Robert Fairley
d69214ade3 grub2: Generate config from pending deployment
Generate a grub2 config using the pending deployment, if a grub2
bootloader is detected in the sysroot. Allows grub2-mkconfig
to run if there are no previous deployments.

Fixes: #1774

Closes: #1831
Approved by: jlebon
2019-04-24 21:29:39 +00:00
Jonathan Lebon
ba96d7ed7a lib/sysroot: Match deployment /usr mode for overlay
Rather than hardcoding 0755, let's directly look at what `/usr`'s mode
is and copy it when creating the overlay.

Closes: #1843
Approved by: cgwalters
2019-04-24 13:48:14 +00:00
Jonathan Lebon
794f75ca61 lib/sysroot: Call chmod on overlay dirs when unlocking
Otherwise, we'll be subject to whatever `umask` is currently. Normally,
processes should respect `umask` when creating files and directories,
but specifically for `ostree admin unlock` (or `rpm-ostree usroverlay`),
this poses a problem since e.g. a `/usr` with mode 0700 will break any
daemon that doesn't run as root and needs to read files under `/usr`,
such as polkitd.

This patch just does a `chmod()` after the `mkdir()`. An alternative
would be to do `umask(0000)` after forking into the child process
that'll call `mount()`, but that'd require also moving the `mkdir()`
calls into there, making for a more intrusive patch.

Closes: #1843
Approved by: cgwalters
2019-04-24 13:48:14 +00:00
Jonathan Lebon
298c601d88 ostree-prepare-root: Log journal message after finding deployment
Log a structured journal message when resolving the deployment path.
This will be used by the `rpm-ostree history` command to find past
deployments the system has booted into.

Closes: #1842
Approved by: cgwalters
2019-04-18 06:11:10 +00:00
Matthew Leeds
78747a8a17 lib/repo-refs: Allow resolving local collection-refs
Currently for a "normal" refspec you can choose to use
ostree_repo_resolve_rev_ext() instead of ostree_repo_resolve_rev() if
you only want to look at local refs (in refs/heads/) not remote ones.
This commit provides the analogous functionality for
ostree_repo_resolve_collection_ref() by adding a flag
OSTREE_REPO_RESOLVE_REV_EXT_LOCAL_ONLY and implementing it. This
will be used by Flatpak.

Closes: #1825
Approved by: jlebon
2019-04-15 15:56:40 +00:00
Matthew Leeds
0ecbc6f2a9 lib/repo-refs: Add a flag to exclude listing from refs/mirrors
Currently the flag OSTREE_REPO_LIST_REFS_EXT_EXCLUDE_REMOTES for
ostree_repo_list_collection_refs() means that refs in refs/remotes/
should be excluded but refs in refs/mirrors/ should still be checked, in
addition to refs/heads/ which is always checked. However in some
situations you want to exclude both remote and mirrored refs and only
check local "owned" ones. So this
commit adds a new flag OSTREE_REPO_LIST_REFS_EXT_EXCLUDE_MIRRORS which
lets you exclude refs/mirrors/ from the listing.

This way we can avoid breaking API but still allow the listing of local
collection-refs.

The impetus for this change is that I'm changing Flatpak to make more
use of refs/mirrors, and we need a way to specify that a collection-ref
is local when using ostree_repo_resolve_collection_ref() in, for
example, the implementation of the repo command. The subsequent commit
will make the changes needed there.

Closes: #1825
Approved by: jlebon
2019-04-15 15:56:40 +00:00
Matthew Leeds
23304b8c15 lib/repo-refs: Fix resolving collection-refs
My last commit "lib/repo-refs: Resolve collection-refs in-memory and in
parent repos" changed ostree_repo_resolve_collection_ref() to check the
in-memory set of refs *after* failing to find the ref on disk but that's
not what we want. We want to use the in-memory set of refs first,
because those are the most up to date commits, and then fall back to the
on-disk repo and finally fall back to checking any parent repo. This
commit makes such a change to the order of operations, which is
consistent with how ostree_repo_resolve_rev() works.

Aside from this change being logical, it also fixes some unit test
failures on an unmerged branch of flatpak:
https://github.com/flatpak/flatpak/pull/2705

Also, tweak the comments here.

Closes: #1825
Approved by: jlebon
2019-04-15 15:56:40 +00:00
Jonathan Lebon
a8754ae370 boot: Activate ostree-finalize-staged even earlier
Really, all `ostree admin finalize-staged` needs is access to `/sysroot`
and `/boot`. So let's activate it right after `local-fs.target` so that
it gets deactivated later in the shutdown process. This should allow us
to conflict with less services still running and possibly writing things
to `/etc`.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1672283

Closes: #1840
Approved by: cgwalters
2019-04-15 00:11:00 +00:00
Laurent Bonnans
077b23cc98 lib/repo: fix leak of bootloader field
Added in 21ebc7d21e

Closes: #1837
Approved by: rfairley
2019-04-11 14:18:10 +00:00
Matthew Leeds
da57956327 lib: Check for http_proxy being the empty string
On at least one user's computer, g_getenv("http_proxy") returns the
empty string, so check for that and treat it as no proxy rather than
printing a warning.

See https://github.com/flatpak/flatpak/issues/2790

Closes: #1835
Approved by: cgwalters
2019-04-02 20:44:08 +00:00
Matthew Leeds
c9725d0bef lib/repo-pull: Allow the keyring remote to be overridden
Currently the P2P code requires you to trust every remote you have
configured to the same extent, because a remote controlled by a
malicious actor can serve updates to refs (such as Flatpak apps)
installed from other remotes.[1] The way this attack would play out is
that the malicious remote would deploy the same collection ID as the
victim remote, and would then be able to serve updates for it.

One possible remedy would be to make it an error to configure remotes
such that two have the same collection ID but differing GPG keys. I
attempted to do that in Flatpak[2] but it proved difficult because it is
valid to configure two remotes with the same collection ID, and they may
then each want to update their keyrings which wouldn't happen
atomically.

Another potential solution I've considered is to add a `trusted-remotes`
option to ostree_repo_find_remotes_async() which would dictate which
keyring to use when pulling each ref. However the
ostree_repo_finder_resolve_async() API would still remain vulnerable,
and changing that would require rewriting a large chunk of libostree's
P2P support.

So this commit represents a third attempt at mitigating this security
hole, namely to have the client specify which remote to use for GPG
verification at pull time. This way the pull will fail if the commits
are signed with anything other than the keys we actually trust to serve
updates.

This is implemented as an option "ref-keyring-map" for
ostree_repo_pull_from_remotes_async() and
ostree_repo_pull_with_options() which dictates the remote to be used for
GPG verification of each collection-ref. I think specifying a keyring
remote for each ref is better than specifying a remote for each
OstreeRepoFinderResult, because there are some edge cases where a result
could serve updates to refs which were installed from more than one
remote.

The PR to make Flatpak use this new option is here[3].

[1] https://github.com/flatpak/flatpak/issues/1447
[2] https://github.com/flatpak/flatpak/pull/2601
[3] https://github.com/flatpak/flatpak/pull/2705

Closes: #1810
Approved by: cgwalters
2019-03-29 21:41:57 +00:00
Colin Walters
8d2e9b8f9e static-delta: Change show to display from/to commits
When writing a delta to a file this may not always be recorded
in the filename, and it's useful data.

Ref: https://mail.gnome.org/archives/ostree-list/2019-February/msg00000.html

This also required teaching `show` to accept a file path.

Note...for some reason `test-deltas.sh` breaks when run from
a tty - we get `SIGTTIN` which implies something is reading from
the tty but it wasn't obvious to me what.

Closes: #1823
Approved by: jlebon
2019-03-11 13:59:27 +00:00
Jonathan Lebon
978cffed70 lib/deploy: Don't include version twice in bootmenu title
In Silverblue right now, the boot menu title looks like this:

    Fedora 29.20190301.0 (Workstation Edition) 29.20190301.0 (ostree)

This is because RPM-OSTree's `mutate-os-release` feature is enabled,
which injects the OSTree version string directly into `VERSION` and
`PRETTY_NAME`. So appending the version string again is a bit redundant.
Let's just do a simple substring check here before adding the version to
the title.

Closes: #1829
Approved by: cgwalters
2019-03-09 19:44:15 +00:00
Robert Fairley
21ebc7d21e Add sysroot.bootloader repo config key
The sysroot.bootloader key configures the bootloader
that OSTree uses when deploying a sysroot. Having this key
allows specifying behavior not to use the default bootloader
backend code, which is preferable when creating a first
deployment from the sysroot (#1774).

As of now, the key can take the values "auto" or "none". If
the key is not given, the value defaults to "auto".

"auto" causes _ostree_sysroot_query_bootloader() to be used
when writing a new deployment, which is the original behavior
that dynamically detects which bootloader to use.

"none" avoids querying the bootloader dynamically. The BLS
config fragments are still written to
sysroot/boot/loader/entries for use by higher-level software.

More values can be supported in future to specify a single
bootloader, different behavior for the bootloader code, or
a list of bootloaders to try.

Resolves: #1774

Closes: #1814
Approved by: jlebon
2019-03-01 21:20:35 +00:00