IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This drops the `ot-composefs` kernel commandline in favour
of a `[composefs]` section in the `prepare-rootfs.conf` file.
You can set `composefs.enabled` to `signed`, `yes`, `no` or `maybe`,
with `maybe` being the default.
You can also set `composefs.keypath` (or rely on the default
`/etc/ostree/initramfs-root-binding.key`) to point to ed25519 public
keys, one of which which the commit must be signed with, or boot
fails.
The ostree dracut module adds `/etc/ostree/initramfs-root-binding.key`
to the initrd if it exists.
NOTE: This drop the option to define a digest in the commandline.
However, that was currently unused
(i.e. ComposefsConfig.expected_digest was never read).
Additionally it very hard to actually store the composefs digest in
the initrd, as the initrd is typically part of the commit and thus the
composefs. It may be possible to handle this, but lets add it back
when we know exactly how that will work.
The locking here was always too long - by holding the mutex
during the `sync()` call, it means `g_cond_wait_until()` can
never wake up (because its API requires the mutex to be locked).
Confusingly though of course we do still print the "timed out"
message, and I think that tricked us when we were doing testing
here.
We only need to lock the mutex when we're manipulating shared
state, which basically boils down to the `gboolean success`.
A core underlying primitive in the C library is the ability
to arbitrarily reorder bootloader entries.
Let's expose the basic functionality here with the ability to pick
an arbitrarily deployment for the next boot.
Closes: https://github.com/ostreedev/ostree/issues/2965
Today on anything using readonly sysroot `os-init` fails, because
we don't create a mount namespace if the `UNLOCKED` flag is specified
because we assume it's a readonly operation.
Since technically this is a mutation, let's just lock the sysroot
and use the tested path.
In preparation for support for a transient `/etc`:
https://github.com/ostreedev/ostree/issues/2868
particularly in combination with composefs.
Basically it's just much more elegant if we can directly mount
an overlayfs on the *empty* `etc` directory, using `usr/etc` as
the lower.
In the composefs case, we'd have to mount the composefs overlayfs
itself writable (and call `mkdir`) *just* so we can make that
empty `etc` directory which is ugly.
Coverity warns when we're checking the return value in most-but-not-all
instances. The code is correct in these instances; we're initializing
the values to defaults. So add a `(void)` cast like we are doing
in many other places.
We shouldn't load anything from the target root filesystem *before*
verifying its integrity if composefs is enabled.
In effect, we want to force composefs users to migrate to
`/usr/lib/ostree/prepare-root.conf` which lives in the initramfs.
(But because we enable sysroot.readonly=true if composefs is enabled
too, they don't actually need to)
Using the repository configuration for configuration of this
program was always a bit hacky.
But actually with composefs, we really must validate
the target root *before* we parse anything in it.
Let's add a config file for `ostree-prepare-root` that can live
in the initramfs, which will already have been verified.
In the future we'll also add configuration for composefs here.
We expect OS builders to drop this in `/usr/lib/ostree/prepare-root.conf`,
but system local configuration can live in `/etc`.
This pushes down the code for parsing the `ostree=` cmdline
in the generator into code that's part of libostree-1.so.
This is prep for using logic shared in libotcore.la.
But in general it's just cleaner to also keep the binary
entrypoint to just be a trampoline into the C library.
This must have always been dead code. We're trying to iterate
towards a place where it's only `ostree-prepare-root.c` which
parses the `ostree=` kernel argument, and canonically sets up
`/run/ostree-booted`.
I just noticed that this was another constant string duplicated
between prepare-root.c and libostree-1.so, and I went to make
it a common `#define` in libotcore.la.
But then I thought "it's ugly to have this directory mixed into
the deployment namespace" because in some theoretical world
it could also be in the ostree commit, which would cause weird
behavior.
I think this is transient state that is better in `/run`, so move
it there.
Now that we use androidboot.slot_suffix karg to determine whether we
boot into /ostree/root.a or /ostree/root.b, we can use ostree= karg
simply for parsing the stateroot, although we will still boot into
what's pointed to by /ostree/root.a or /ostree/root.b.
Most of this was used for the old composefs signature model. We
now reuse the core signature code and link to glib, so we don't
need reimplementations of hex strings and reading files.
Avoid having two copies of a regular expression for parsing
the `ostree=` kernel argument. Because the `ostree-system-generator`
binary already has access to the internals because it's implemented
in the shared library, expose the sysroot version internally
and use that.
Motivated by an attempt to change one of these copies but not
the other.
The semantics of this function now keep the key assigned
even if we fail to validate it, which is ugly. Only assign
the key after verifying its length.
Add a helper to compare lengths which includes the found
and expected values. Use it consistently.
The error message "Incorrect" is misleading; one might think
one had the *wrong* key. "Ill-formed" makes it clearer that
we're not parsing it at all.
Given the kernel argument androidboot.slot_suffix= is required in
Android AB updates [1] there is no need to check for ostree= or ostree=aboot
at all in the aboot case. This also ensures if the dependancy on ostree=
is removed, the android-boot technique will work regardless.
[1]: https://source.android.com/docs/core/ota/ab/ab_implement
Passing the private key via a direct command line argument
is just a bad idea because it's highly likely to get logged
or appear in `ps`.
Spotted in review of work for composefs signatures.
- Convert the current enum into a struct, using `OtTristate` and
two member variables (expected signature and digest)
- Factor out a helper function to parse this config
- Clean up the logging by consistently using `composefs:` as a prefix
- Add more assertions to more strictly verify our runtime state
since this is security relevant
I think this was only ever used in the "static pid1" path which
is now split out into a separate file.
We always expect that e.g. systemd does the switchroot in
the initramfs, so drop this dead code.
Since we now have a generalized more structured way of serializing
state in the initramfs instead of "stamp files", use it for
passing the composefs state.
Particularly for the signature case, having this metadata
acts as a reliable "proof of execution" of the signature verification
code (as opposed to parsing a log file or so).
Besides that, this is also just a stronger check for "we're using
composefs" instead of checking for "overlayfs on /".
