6499 Commits

Author SHA1 Message Date
Colin Walters
c078e8bea3 mount: Fix gcc -fanalyzer warning for parsing androidboot.slot_suffix
If the karg wasn't present, we'd do a NULL deref which is undefined
behavior.
2023-07-14 06:51:34 -04:00
Colin Walters
c4f1d18a30
Merge pull request #2920 from ostreedev/dependabot/submodules/composefs-1704f82
build(deps): bump composefs from `ac729b5` to `1704f82`
2023-07-13 17:53:10 -04:00
Colin Walters
6cdc5ce595
Merge pull request #2926 from cgwalters/otcore-cfs-constants
prepare-root: A few cleanups
2023-07-13 07:10:59 -04:00
Colin Walters
18cc447230 prepare-root: Drop unused verity flag querying
This logic got pushed down into libcomposefs.
2023-07-12 07:56:17 -04:00
Colin Walters
2b738a995d prepare-root: Use otutil and g_print
Now that we link to libotutil (and glib) we don't need separate
handling for conditionalizing on the presence of systemd.

Further, there's no value in `sd_journal_send(MESSAGE=)` over
just printing to stdout.
2023-07-12 07:56:17 -04:00
Colin Walters
1b7b4fbd2b Add an internal constant for the composefs image name
Just a minor cleanup.
2023-07-11 17:50:43 -04:00
Dan Nicholson
c0c2c9bd80
Merge pull request #2924 from cgwalters/drop-syntax-check
build: Drop `make syntax-check`
2023-07-11 13:31:14 -06:00
Colin Walters
6591210661 build: Drop make syntax-check
As of lately it emits a ton of errors from `grep` about having `*`
at the start of a line, but more generally it's only generally
found papercut-style issues that aren't worth carrying a distinct
checking system for.
2023-07-11 14:17:05 -04:00
Colin Walters
57fe33f07e
Merge pull request #2921 from alexlarsson/composefs-sign-v2
ostree-prepare-root: Validate ed25519 signatures when requested
2023-07-11 14:09:07 -04:00
Alexander Larsson
c29f4193cd ostree-prepare-root: Validate ed25519 signatures when requested
If requested, by specifying ot-composefs=signed=/path/to/pub.key then
the commit object is validated against the specified ed25519 public
key, and if valid, the composefs digest from the commit object is used
to ensure we boot the right digest.
2023-07-11 14:08:33 -04:00
Colin Walters
b8ff210941 Factor out a libotcore
This will contain logic shared between ostree-prepare-root
and libostree-1.so.  It will just link to libgio.so, so as
to avoid pulling in e.g. libcurl and other things.

In other words, `ostree-prepare-root` will not link to `libostree-1.so`,
but will pull in just what it needs from this library.
2023-07-11 14:08:32 -04:00
Colin Walters
265cf7d786 build-sys: Add libsodium to OT_DEP_CRYPTO
There's no reason to have these distinct really.  If we're using
libsodium, we want it in the same places we're using openssl.

Prep for further refactoring.
2023-07-08 15:42:12 -04:00
Colin Walters
a6d9c714c6
Merge pull request #2922 from alexlarsson/openssl-ed25519
Implement ed25519 using openssl too
2023-07-07 15:25:27 -04:00
Alexander Larsson
744967a6e4 libotutil: Link to crypto libs
The checksum utils use the crypto lib, but we're not explicitly linking
to it. I think this is why the CI got this error when using openssl
on debian, during ostree binary linking:

/usr/bin/ld: ./.libs/libotutil.a(libotutil_la-ot-checksum-utils.o): undefined reference to symbol 'EVP_DigestInit_ex@@OPENSSL_3.0.0'
/usr/bin/ld: /lib/x86_64-linux-gnu/libcrypto.so.3: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
2023-07-07 20:19:59 +02:00
Alexander Larsson
474c2b100b CI: Enable --with-crypto=openssl on debian testing to test openssl signatures 2023-07-07 17:16:30 +02:00
Alexander Larsson
7b85adfbbd sign-ed25519: Implement sign and verify using openssl
libsodium is used if configured to keep the old behaviour, but if
it is not enabled, and openssl is used, then ed25519 is now supported.
2023-07-07 17:16:30 +02:00
Alexander Larsson
501575c1e4 sign-ed25519: Drop some uses of libsodium
This adds some defines for ed25519 key sizes and drops uses
of the libsodium defines for these, as well as replacing sodium_bin2hex
use with ot_bin2hex. Some code that was optionally built before is now
always built.

The goal for this is to support both libsodium and openssl.

Also fixes return value of _load_pk_from_stream(). It used
to always return FALSE.
2023-07-07 17:16:30 +02:00
Colin Walters
5b7277513b
Merge pull request #2923 from alexlarsson/fix-composefs-test
tests: Fix composefs test
2023-07-07 11:12:52 -04:00
Alexander Larsson
62e4f37653 tests: Fix composefs test
- Was using the wrong metadata key
- We were missing setting the canonical commit args which assigns
  e.g. owner uid 0, which is important for reproducibility
- Use the new --print-hex to make things easier to read
2023-07-07 09:57:00 -04:00
Colin Walters
eb01112083 show: Add --print-hex
The default GVariant output for byte arrays is illegible to humans,
and byte arrays are super common for us.
2023-07-07 09:22:30 -04:00
Joseph Marrero Corchado
6056ec130f
Merge pull request #2913 from cgwalters/tmpfile-not-on-revokefs
fetcher: Always open tmpfiles in repo (except on FUSE)
2023-07-05 20:00:30 -04:00
dependabot[bot]
8a4a0c1673
build(deps): bump composefs from ac729b5 to 1704f82
Bumps [composefs](https://github.com/containers/composefs) from `ac729b5` to `1704f82`.
- [Release notes](https://github.com/containers/composefs/releases)
- [Commits](ac729b579d...1704f823db)

---
updated-dependencies:
- dependency-name: composefs
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-05 12:48:46 +00:00
Colin Walters
43fb278772
Merge pull request #2918 from ostreedev/dependabot/submodules/composefs-ac729b5
build(deps): bump composefs from `412cb5e` to `ac729b5`
2023-07-05 06:26:42 -04:00
Colin Walters
25120bd7ad
Merge pull request #2912 from cgwalters/itest-transactionality-debug
tests/inst: A few small patches
2023-07-05 05:47:05 -04:00
Colin Walters
6172018090
Merge pull request #1633 from cgwalters/pkglibexec-tests
Drop "ostree trivial-httpd" CLI, move to tests directory
2023-07-05 04:51:29 -04:00
Colin Walters
ba9c9dedff fetcher: Always open tmpfiles in repo (except on FUSE)
This reverts commit 4e61e6f7d0
and re-instates the fix for ensuring that we download temporary
files into the repository location.

However in order to ensure we don't re-introduce
https://github.com/ostreedev/ostree/issues/2900
we detect the case where we're writing to a FUSE mount
and keep the prior behavior.

I've verified that this works with flatpak.

Note a downside of this is the change needs to be triplicated
across the 3 http backends.

This then again
Closes: https://github.com/ostreedev/ostree/issues/2571
2023-07-05 04:27:36 -04:00
Colin Walters
9104c54f2b
Merge pull request #2905 from cgwalters/prepare-root-static-split
Separate prepare-root static path + link to glib
2023-07-04 09:05:31 -04:00
dependabot[bot]
01be14e6c0
build(deps): bump composefs from 412cb5e to ac729b5
Bumps [composefs](https://github.com/containers/composefs) from `412cb5e` to `ac729b5`.
- [Release notes](https://github.com/containers/composefs/releases)
- [Commits](412cb5e6aa...ac729b579d)

---
updated-dependencies:
- dependency-name: composefs
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-04 12:25:19 +00:00
Colin Walters
0c36e8143d Drop "ostree trivial-httpd" CLI, move to tests directory
See https://github.com/ostreedev/ostree/issues/1593

Basically this makes it easier for people packaging, as the trivial-httpd
is only for tests, and this way the binary will live with the tests.

Also at this point nothing should depend on `ostree trivial-httpd`.
2023-07-04 08:18:24 -04:00
Colin Walters
8ad8a79c2a
Merge pull request #2916 from cgwalters/release
Release 2023.5
2023-06-30 15:07:15 -04:00
Colin Walters
b2cfee722e
Merge pull request #2914 from cgwalters/doc-usergroups
docs: Update user and group section
2023-06-30 11:49:30 -04:00
Colin Walters
5aadb6ec26 configure: post-release version bump 2023-06-30 11:10:25 -04:00
Colin Walters
26b833e90a Release 2023.5 2023-06-30 11:07:18 -04:00
Colin Walters
7d192d079a
Merge pull request #2899 from ostreedev/dependabot/submodules/composefs-412cb5e
build(deps): bump composefs from `08bdb03` to `412cb5e`
2023-06-30 11:01:59 -04:00
Colin Walters
875915f6c9 prepare-root: Link to glib
Since we've split off the "prepare root as init" code
into a separate file, we can now use glib to parse
the config file again, which is a lot less hacky.

This is particularly motivated by composefs, where
we want to do more in the initramfs.  Future patches
may also link to parts of libostree.
2023-06-30 05:18:23 -04:00
Colin Walters
d6799ecc24 Separate prepare-root static path
We should have done this a long time ago.  We don't have any test
coverage for the no-initramfs path, and I think it's not long
term supportable as we want to add more features like composefs.

Particularly now that there's good support for embedding an
initramfs in a kernel image, I see little value in a path for
having custom static linking for this prepare root flow.

That said, we will continue to make a best-effort "it compiles"
attempt to support it.

Fork the "pid 1" prepare root code into a new
`ostree-prepare-root-static.c` file, and drop the runtime conditionals.

We can drop the composefs logic from `-static.c` which ends up
keeping that file much smaller.

A further next step here will be to actually fold the
`prepare-root.c` logic into the main `ostree` binary which we
can then just include in the initramfs.
2023-06-30 05:18:23 -04:00
dependabot[bot]
6e5753f574
build(deps): bump composefs from 08bdb03 to 412cb5e
Bumps [composefs](https://github.com/containers/composefs) from `08bdb03` to `412cb5e`.
- [Release notes](https://github.com/containers/composefs/releases)
- [Commits](08bdb030fc...412cb5e6aa)

---
updated-dependencies:
- dependency-name: composefs
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-30 09:13:46 +00:00
Colin Walters
786e64ced7 docs: Update user and group section
- mention `DynamicUser=yes`
- mention the recent systemd JSON bits
- mention sysusers.doc

And briefly talk about the tradeoffs in these.
2023-06-29 11:05:31 -04:00
Dan Nicholson
c2ad2d23ae
Merge pull request #2911 from cgwalters/fix-generator-regression
Fix return value of generator on non-ostree systems
2023-06-29 02:16:52 -06:00
Colin Walters
8999d41127
Merge pull request #2910 from cgwalters/more-ci-fixes
ci: Fix executability
2023-06-29 02:38:00 -04:00
Colin Walters
8bba482bc8 tests: Enable mtime test
I think this just accidentally was never enabled.

While looking at the code, add a sleep here to be resilient to
filesystems with only second mtime granularity.
2023-06-29 02:11:09 -04:00
Colin Walters
0b519c2573 tests: Drop unused alias 2023-06-29 02:09:51 -04:00
Colin Walters
54c731554e tests/transactionality: Port a bit to xshell
This will give us more useful error messages which should
help debug a flake.
2023-06-29 02:08:56 -04:00
Joseph Marrero Corchado
a0d17a730d
Merge pull request #2907 from cgwalters/test-composefs
tests: Source libtest before exiting
2023-06-28 19:44:52 -04:00
Colin Walters
aeef8221c4 test-composefs: Sync flow with other tests
I am not sure why this is failing on older Debian systems,
but I'm wildly guessing that something being done in `libtest.sh`
is setting up automake in a way that we need.  This is done
in other tests.

Or maybe it's the missing `$CMD_PREFIX`?  Let's see...
2023-06-28 11:58:20 -04:00
Colin Walters
3c76d03af2 Fix return value of generator on non-ostree systems
Commit aa72caffb5
regressed the `ostree-system-generator` on non-ostree systems.
If there's no `ostree=` karg, we need to just exit 0.

Closes: https://github.com/ostreedev/ostree/issues/2909
Fixes: aa72caffb5
2023-06-28 11:45:15 -04:00
Colin Walters
531b4ab055 ci: Fix executability 2023-06-28 02:37:31 -04:00
Colin Walters
e0e2144e12
Merge pull request #2904 from cgwalters/prow-ci
ci/prow: Build tests before trying to install
2023-06-27 17:16:18 -04:00
Joseph Marrero Corchado
88e399a780
Merge pull request #2906 from cgwalters/compiletest-static-prepareroot
ci: Add "it compiles" coverage for --with-static-compiler
2023-06-27 09:55:15 -04:00
Colin Walters
6ed6a7e699 ci: Add "it compiles" coverage for --with-static-compiler
Prep for further changes.
2023-06-27 06:36:52 -04:00