Commit Graph

5396 Commits

Author SHA1 Message Date
Dan Nicholson
b91f29ca39 .lgtm.yml: Fix gpgme dependency
Since Ubuntu 18.04, libgpgme-dev is the real package and libgpgme11-dev
is a virtual package provided by it. Apparently LGTM running on Ubuntu
20.04 no longer resolves the virtual package:

```
WARNING: Package 'libgpgme11-dev' requested by configuration file was not found
```

That ends up causing the build to fail:

```
configure: error: Need GPGME_PTHREAD version 1.1.8 or later
```
2022-02-17 10:16:13 -07:00
Colin Walters
188b18795a
Merge pull request #2542 from cgwalters/tar-error-prefixing
lib/tar: Add some error prefixing
2022-02-15 18:22:01 -05:00
Colin Walters
48104f76ee lib/tar: Add some error prefixing
We're trying to debug a problem with a tar stream with hardlinks,
and I think this will be helpful.
2022-02-15 15:33:04 -05:00
Colin Walters
e6a734ab25
Merge pull request #2541 from melix99/find-remotes-fix-typo
man: Fix typo in ostree-find-remotes
2022-02-13 10:54:30 -05:00
Colin Walters
65f318a80a
Merge pull request #2540 from melix99/switch-fix-typo
man: Fix typo in ostree-admin-switch
2022-02-13 10:53:33 -05:00
Marco Melorio
6264c6deca
man: Fix typo in ostree-find-remotes
2022-02-12 19:00:28 +01:00
Marco Melorio
99e01c8b7b
man: Fix typo in ostree-admin-switch
2022-02-12 18:48:35 +01:00
Colin Walters
d61fdc7123
Merge pull request #2539 from chergert/main
lib/bootloader: use ot_journal_print() instead of sd-journal
2022-02-12 09:04:43 -05:00
Christian Hergert
6419c32334 lib/bootloader: use ot_journal_print() instead of sd-journal
This needs to use the helper so that USE_LIBSYSTEMD still works as
expected.
2022-02-11 15:40:26 -08:00
Christian Hergert
5d08032aec lib/util: add syslog.h for ot_journal_print()
If we aren't including sd-journal, we may need this too.
2022-02-11 15:40:19 -08:00
Colin Walters
bea8d9a2b4
Merge pull request #2538 from cgwalters/dirmeta-not-floating
core: Mark `ostree_create_directory_metadata` as `(not nullable)`
2022-02-11 18:01:49 -05:00
Colin Walters
5f2ab097d5
Merge pull request #2491 from nikita-dubrovskii/secure-execution
s390x: add secure-execution support
2022-02-11 15:34:55 -05:00
Colin Walters
ea5f7b0f38 core: Mark ostree_create_directory_metadata as (not nullable)
So I can drop an unnecessary use of `unwrap()` in Rust.
2022-02-11 14:09:49 -05:00
Nikita Dubrovskii
d1ab18f327 s390x: add LUKS keyfile to 'sd-boot'
This allows using Secure Execution with LUKS encrypted boot disk,
key and crypttab are stored only in 'sd-boot' encrypted image.

Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
2022-02-11 09:02:42 +01:00
Nikita Dubrovskii
c27b98a2cb s390x: add "IBM Secure Execution for Linux" support
If system contains ibm-z-hostkey (fetched during ignition), then
ostree generates 'sd-boot' image and reboots into Secure Execution

Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
2022-02-11 09:00:38 +01:00
Colin Walters
d8e33e3a49
Merge pull request #2537 from jlebon/pr/fix-floating
lib/gpg-verify-result: Add missing floating annotation
2022-02-09 17:15:26 -05:00
Jonathan Lebon
c5ecef0aa4 lib/gpg-verify-result: Add missing floating annotation
I think I'm hitting issues due to this while using the Rust bindings:
https://github.com/coreos/rpm-ostree/pull/3406#issuecomment-1033084956

The bindings for those APIs use `from_glib_full` which says:

> Because ownership can only be transferred if something is already
> referenced, this is unsuitable for floating references.
2022-02-09 14:35:31 -05:00
Colin Walters
0eaad8762b
Merge pull request #2535 from dbnicholson/summary-commit-version
lib/repo: Add commit version metadata to summary metadata
2022-02-04 17:51:02 -05:00
Dan Nicholson
6fbf759279 lib/repo: Add commit version metadata to summary metadata
The commit metadata `version` key is well established but getting it for
a remote commit is cumbersome since the commit object needs to be
fetched and loaded. Including it in the summary additional metadata
allows a much more convenient view of what each of the remote refs
represents.
2022-02-04 14:28:11 -07:00
Jonathan Lebon
a588295d3a
Merge pull request #2534 from jlebon/pr/copr
2022-02-03 15:36:50 -05:00
Jonathan Lebon
1e663baad7 Add COPR integration Makefile
I'd like to enable auto-builds of this repo to
https://copr.fedorainfracloud.org/coprs/g/CoreOS/continuous/ so it could
eventually feed into
https://github.com/coreos/fedora-coreos-tracker/issues/910.
2022-02-03 13:34:20 -05:00
Jonathan Lebon
a51ae1ed73 ci/make-git-snapshot.sh: xz the archive
This matches `make dist` and what the spec file expects.
2022-02-03 13:23:43 -05:00
Jonathan Lebon
92c396c82b ci/make-git-snapshot.sh: auto-initialize submodules
Matches `autogen.sh`.
2022-02-03 13:22:47 -05:00
Jonathan Lebon
8d45298a2d ci/make-git-snapshot.sh: fix archive name
The archive name is libostree even though the project name is ostree, so
we can't rely on the directory name.

Just hardcode it.
2022-02-03 13:21:54 -05:00
Jonathan Lebon
8e445cb957 ci/libbuild.sh: drop yum/CentOS support
`dnf` is present in all the platforms we care about now, and the CentOS
bit is out of date. We can re-add it if we add e.g. C[89]S support with
the updated list of packages.

Motivated by noticing that the `yum` symlink isn't always present.
2022-02-03 13:17:56 -05:00
Jonathan Lebon
2de6abfcd0
Merge pull request #2533 from lucab/ups/commit-cleanup-assertions
2022-02-01 13:57:00 -05:00
Luca BRUNO
e6e9f14985
lib/commit: clean up assertions
This aligns all the assertions in the module. In particular, it gets
rid of all `g_return_val_if_fail` instances which may fail without
properly setting GError to the caller.
2022-02-01 17:33:28 +00:00
Colin Walters
a10669dc4a
Merge pull request #2530 from smcv/update-libglnx-2525
Update libglnx submodule
2022-01-29 10:19:24 -05:00
Simon McVittie
0ebf9d9f64 Update submodule: libglnx
Resolves: https://gitlab.gnome.org/GNOME/libglnx/-/issues/3
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-28 14:53:28 +00:00
Colin Walters
2903ffac60
Merge pull request #2529 from smcv/static-delta-error-unwind
libotutil: Avoid infinite recursion during error unwinding
2022-01-28 09:22:27 -05:00
Simon McVittie
920f85cabc libotutil: Avoid infinite recursion during error unwinding
When we clean up from an error, for example copy_file_range() failing
while we generate a static delta (perhaps caused by
https://gitlab.gnome.org/GNOME/libglnx/-/issues/3 or by a
genuine write error), we might free a variant builder that has a
non-null parent. Previously, this caused infinite recursion and a stack
overflow, repeatedly freeing the same object, but Luca Bruno suggested
that the intention here appears to have been to free the parent object.

Partially resolves https://github.com/ostreedev/ostree/issues/2525
(the other bug reported in that issue needs to be resolved by updating
libglnx to a version where libglnx#3 has been fixed).

Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-01-28 11:08:00 +00:00
Luca Bruno
10ddf6e25f
Merge pull request #2524 from jlebon/pr/unlink-lock
lib/deploy: When deleting staged deployment, delete any lock
2022-01-26 08:36:45 +00:00
Jonathan Lebon
5bf57ec062 tests/kolainst: Avoid recursive symlinks
`kola` now follows symlinks when archiving an external test's `data/`
dir. So the recursive `data` symlink we have here breaks it.

Let's just move the shared files into their own directory and update the
symlinks.
2022-01-25 16:44:39 -05:00
Colin Walters
bcc7f62ed7
Merge pull request #2526 from lucab/ups/openat-load-xattrs
lib/repo: open file only if required
2022-01-25 05:59:58 -05:00
Luca BRUNO
b27792ade3
lib/repo: open file only if required
This tightens up the logic for opening a file while inspecting its
xattrs. The only codepath fetching xattrs from a FD is the one
handling 'bare' mode.
It also rearranges the else-assert flow, mostly for future-proofing.
2022-01-24 16:54:54 +00:00
Jonathan Lebon
baf838de22 ostree/deploy: Test finalization locking
Support for that file was added previously, but the testing lived in
rpm-ostree only. Let's add it here too.

In the process add a hidden `--lock-finalization` to `ostree admin
deploy` to make testing easier (though it could also be useful to update
managers driving OSTree via the CLI).
2022-01-21 13:48:35 -05:00
Jonathan Lebon
88dca03967 lib/deploy: When deleting staged deployment, delete any lock
Otherwise, any future staged deployment will also automatically be
locked even if not requested. Likely we should fold the locking into the
primary `staged-deployment` serialized GVariant instead.
2022-01-21 11:30:23 -05:00
Joseph Marrero Corchado
0713ad3259
Merge pull request #2523 from lucab/ups/ls-gcancellable-gerror
builtin: use GCancellable and GError everywhere
2022-01-21 08:30:00 -05:00
Luca BRUNO
3f491a60c3
builtin: use GCancellable and GError everywhere
This reworks `ostree ls` top-level logic so that cancellation
tokens and error details are plumbed through all codepaths.
It also gets rid of all previous goto jumps.
2022-01-21 12:26:32 +00:00
Luca Bruno
b9f6632b70
Merge pull request #2521 from cgwalters/syncfs-only-log
deploy: Also log to journal if we time out global sync()
2022-01-20 16:58:05 +00:00
Colin Walters
8c58195cc4 deploy: Also log to journal if we time out global sync()
We do implicitly have this data because we log timings via structured
metadata in a later journal entry, but it's quite common to lose
the structured metadata because a lot of tooling just grabs the default
syslog-compatible text from `journalctl`.

Let's be louder when we hit this case as a general rule too; I think
most people shipping ostree systems want to see if it's happening.
2022-01-20 10:52:04 -05:00
Colin Walters
51361f62af
Merge pull request #2520 from lucab/ups/builtin-commit-reject-empty-metadata
lib/commit: reject empty metadata keys
2022-01-20 09:04:34 -05:00
Luca BRUNO
da72c245f4
lib/commit: reject empty metadata keys
This adds one more check to the metadata validation logic in order
to reject empty metadata keys.
2022-01-20 10:54:30 +00:00
Luca BRUNO
6230b3eeab
lib/commit: always validate metadata
This tweaks commit logic in order to always validate metadata,
including on commits where the expected checksum is already known.
2022-01-19 14:10:24 +00:00
Colin Walters
a05b02fa9c
Merge pull request #2519 from cgwalters/syncfs-only
deploy: Add a 5s max timeout on global filesystem `sync()`
2022-01-18 12:39:32 -05:00
Colin Walters
cb73129483 deploy: Add a 5s max timeout on global filesystem sync()
https://bugzilla.redhat.com/show_bug.cgi?id=2003532

Basically there's a systemd bug where it's losing the `_netdev`
aspect of Ceph filesystem mounts.  This means the network is taken
down before Ceph is unmounted.  In turn, our invocation of `sync()`
blocks on Ceph, which won't succeed.

And this in turn manifests as a failure to transition to the new
deployment.

I initially did this patch to just rip out the global `sync()`.  I
am pretty sure we don't need it anymore.  We've been doing individual
`syncfs()` on `/sysroot` and `/boot` for a while now, and those
are the only filesystems we should be touching.  But *proving* that
is a whole other thing of course.

To be conservative, let's instead just add a timeout of 5s on
our invocation of `sync()`.  It doesn't return any information on
success/error anyways.

To allow testing without the `sync()` invocation, we also support
a new `OSTREE_SYSROOT_OPT_SKIP_SYNC=1` environment variable.  For
staged deployments, this needs to be injected via e.g. systemd unit
overrides into `ostree-finalize-staged.service`.

Implementing this is a bit hairy - we need to spawn a thread.  I
debated blocking in a recursive mainloop, but I think `g_cond_wait_until()`
is also fine here.
2022-01-18 09:19:20 -05:00
Colin Walters
0095f7c472
Merge pull request #2517 from dbnicholson/ubuntu-seccomp
github: Workaround glib/seccomp issue on Ubuntu impish
2022-01-13 09:50:19 -05:00
Dan Nicholson
de1870df8c github: Workaround glib/seccomp issue on Ubuntu impish
The ubuntu-latest VMs are currently based on 20.04 (focal). In focal,
libseccomp2 doesn't know about the close_range syscall[1], but
g_spawn_sync in impish tries to use close_range since it's defined in
glibc. That causes libseccomp2 to return EPERM as it does for any
unknown syscalls. g_spawn_sync carries on silently instead of falling
back to other means of setting CLOEXEC on open FDs. Eventually it causes
some tests to hang since one side of a pipe is never closed. Remove
this when libseccomp2 in focal is updated or glib in impish handles the
EPERM better.

1. https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1944436

Fixes: #2495
2022-01-12 21:59:23 -07:00
Jonathan Lebon
1af0150750
Merge pull request #2516 from cgwalters/define-ostree-booted
2022-01-12 13:39:59 -05:00
Colin Walters
0ff4bee743 sysroot: Add a public #define OSTREE_PATH_BOOTED
This is public API.  Motivated by
https://github.com/coreos/rpm-ostree/pull/3325/files#diff-56528694f6f3213d6fb88d872f77291412dceec263b57166519843b13eca9a4dR30
2022-01-12 12:47:11 -05:00