Commit Graph

7041 Commits

Author SHA1 Message Date
Huijing Hei
311def51a5
Merge pull request #3185 from travier/main-docs-spdx-fixes
Docs fixes & SPDX identifiers uniformisation
2024-02-22 21:44:57 +08:00
Alexander Larsson
41fd55aa79 prepare-root: Disallow hotfixes if using signed composefs images
As mentioned in https://github.com/ostreedev/ostree/issues/3187, we
can't allow a hotfix overlay of /usr when using signed composefs
images as that would allow an attacker to persist something used
across boots.
2024-02-22 12:10:41 +01:00
Eric Curtin
4a71845b12 generator: Fixes for Android Boot environment
In Android Boot environment we do not parse ostree= karg to determine
what directory to boot into, alternatively we do this based on the
androidboot.slot_suffix= karg. But we do set ostree=true karg to denote
that we are indeed booting an ostree environment (required for some
systemd unit files). This change accounts for this approach in the
systemd generator. In this case androidboot.slot_suffix= points you to
/ostree/root.[a|b] and then that points you to the directory to boot
into in /ostree/deploy... Here is what a cmdline may look like in this
type of environment:

androidboot.slot_suffix=_a androidboot.bootdevice=*.ufshc root=PARTLABEL=system_a root=UUID=76a22bf4-f153-4541-b6c7-0332c0dfaeac rw ostree=true loglevel=4 acpi=off console=ttyAMA0 systemd.show_status=auto libahci.ignore_sss=1 slub_debug=FPZ fsck.mode=skip rcupdate.rcu_normal_after_boot=0 rcupdate.rcu_expedited=1

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-02-21 20:54:55 +00:00
Joseph Marrero Corchado
8f98143d64
Merge pull request #3186 from rborn-tx/amend-ms-shared-comment
ostree-prepare-root: Amend comment about shared mounts
2024-02-21 07:53:32 -05:00
Eric Curtin
1a3d1792f3
Merge pull request #3189 from alexlarsson/composefs-config-with-no-key
deploy: Don't fail if loading composefs configuration fails due to mi…
2024-02-21 12:34:09 +00:00
Alexander Larsson
b7688609b5 deploy: Don't fail if loading composefs configuration fails due to missing keys
When we load the configuration during deploy we don't need to actually
use the keys, so avoid loading them. This fixes an issue we had where
this broke the initial deploy because of a failure to load the key. In
our case it fails because the code looks for the config file in the
deploy dir, but then for the binding key in the real root.

However, even if it were to look for the key in the deploy dir I don't
think it necessarily has to be in the rootfs, it could be only in the
initrd.

This fixes https://github.com/ostreedev/ostree/issues/3188
2024-02-21 10:21:00 +01:00
Jonathan Lebon
255d40d79b
Merge pull request #3184 from smcv/issue3183 2024-02-20 22:29:56 -05:00
Rogerio Guerra Borin
5d0f1ad90d
ostree-prepare-root: Amend comment about shared mounts
Signed-off-by: Rogerio Guerra Borin <rogerio.borin@toradex.com>
2024-02-20 15:07:51 -03:00
Timothée Ravier
d005bf27cb README & docs: Sync README and docs index page 2024-02-20 17:08:24 +01:00
Timothée Ravier
038bb57a8d docs: Misc whitespace fixes 2024-02-20 17:04:44 +01:00
Timothée Ravier
1ce6216625 docs: Consistently use SPDX identifiers
Standardize on a single SPDX identifier in a comment at the top.
2024-02-20 17:04:02 +01:00
Simon McVittie
035b2c1647 test-admin-deploy-var: Don't rely on OSTREE_FEATURES
This is set during build-time testing, but unset during "as-installed"
tests.

Resolves: https://github.com/ostreedev/ostree/issues/3183
Signed-off-by: Simon McVittie <smcv@debian.org>
2024-02-19 21:01:15 +00:00
Simon McVittie
37466ec35b tests: Use skip_without_ostree_feature to detect libarchive, composefs
This avoids false negatives from `ostree --version | grep -q ...`
exiting with failure under `set -o pipefail` because `grep -q` can exit
as soon as it sees the desired string, leaving `ostree --version` to be
terminated by `SIGPIPE` next time it writes to stdout.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-02-19 21:01:07 +00:00
Simon McVittie
a84e56d603 tests: Generalize has_gpgme, has_sign_ed25519 into has_ostree_feature
Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-02-19 21:01:05 +00:00
Eric Curtin
695a52ae21
Merge pull request #3176 from travier/docs-dependabot-update
workflow/docs: Update to actions/checkout@v4 & dependabot: Update github-actions weekly
2024-02-19 14:37:37 +00:00
Colin Walters
fa59b3ef87
Merge pull request #3181 from ericcurtin/mention-rhivos
README: Add Red Hat In-Vehicle Operating System
2024-02-19 09:36:58 -05:00
Eric Curtin
83f18c4b27 README: Add Red Hat In-Vehicle Operating System
RHIVOS is a derivative of CentOS Automotive Stream Distribution that
uses OSTree, its closest Fedora derivative is Fedora IoT although it
was created as its own distribution.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-02-17 17:16:33 +00:00
Colin Walters
549f9d6a59
Merge pull request #3180 from teythoon/justus/long-key-ids
tests: Use long key IDs, I found another one
2024-02-16 12:10:09 -05:00
Colin Walters
bd7663fa9d
Merge pull request #3179 from ericcurtin/additional-docs-dependancy
docs: Add webrick dependency for building site locally
2024-02-16 11:12:03 -05:00
Justus Winter
9b5a373adb
tests: Use long key IDs
Short key IDs are not secure, and may be rejected by OpenPGP
implementations.  See https://evil32.com/

Signed-off-by: Justus Winter <justus@sequoia-pgp.org>
2024-02-16 16:24:18 +01:00
Colin Walters
c7260105db
Merge pull request #3178 from teythoon/justus/long-key-ids
tests: Use long key IDs
2024-02-16 09:06:27 -05:00
Eric Curtin
1aec4deb86 docs: Add webrick dependency for building site locally
This mimics the GitHub Pages environment so that you can build and serve
the site locally for testing. It requires webrick these days.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-02-16 13:00:41 +00:00
Justus Winter
ad8c9f9817
tests: Use long key IDs
Short key IDs are not secure, and may be rejected by OpenPGP
implementations.  See https://evil32.com/

Signed-off-by: Justus Winter <justus@sequoia-pgp.org>
2024-02-16 13:34:34 +01:00
Timothée Ravier
b7f6ed7102 dependabot: Update github-actions weekly 2024-02-15 16:20:33 +01:00
Timothée Ravier
99c9c387b8 workflow/docs: Update to actions/checkout@v4 2024-02-15 16:18:32 +01:00
Colin Walters
f46cc0cd85
Merge pull request #3175 from cgwalters/rofiles-fuse-statx
rofiles-fuse: Check fsverity flag for copyup
2024-02-15 09:34:27 -05:00
Colin Walters
d0afefcace rofiles-fuse: Remove unused parameter
The logic simplified, so we don't need it anymore.
2024-02-15 08:07:40 -05:00
Colin Walters
ed4bd88a3e rofiles-fuse: Check fsverity flag for copyup
We need to do a copyup if fsverity is enabled.
Sadly to do this we can't just use ostree_break_hardlink
as is.
2024-02-15 08:03:16 -05:00
Colin Walters
4d95848b8c rofiles-fuse: Port to statx
This allows us to query fsverity efficiently.
2024-02-14 20:32:55 -05:00
Colin Walters
939a62a68e
Merge pull request #3172 from cgwalters/release
Release 2024.3
2024-02-13 19:27:25 -05:00
Colin Walters
b2e97c08d0 Post-release version bump 2024-02-13 17:56:15 -05:00
Colin Walters
d43386f15d Release 2024.3 2024-02-13 17:56:15 -05:00
Colin Walters
d2fc1f3cb9
Merge pull request #3173 from cgwalters/transient-root-really-transient
prepare-root: Switch to a tmpfs for transient root
2024-02-13 17:25:26 -05:00
Colin Walters
0cff65d61a prepare-root: Switch to a tmpfs for transient root
We're debating this over in https://github.com/CentOS/centos-bootc-dev/pull/27
and I have come to the conclusion that having changes to `/`
persist across reboot by default was a bad idea.

- It conflicts with any kind of secure boot scenario
- Having things only go away on upgrades is in some ways even *more* surprising
- The term `transient` implies this

There may be a use case in the future for having something like `root.transient = persistent`,
but this is just a better default.

Signed-off-by: Colin Walters <walters@verbum.org>
2024-02-13 15:56:05 -05:00
Colin Walters
eeccac7fc9
Merge pull request #3171 from ericcurtin/docs-alternate-rollbacks
docs/atomic-rollbacks: Add a section on rollbacks
2024-02-13 12:40:13 -05:00
Eric Curtin
bc5c0717fc docs/atomic-rollbacks: Add a section on rollbacks
Describing how different types of rollbacks work.

Signed-off-by: Eric Curtin <ecurtin@redhat.com>
2024-02-13 17:07:17 +00:00
Colin Walters
a3f9276a32
Merge pull request #3170 from cgwalters/prepare-root-fix
prepare-root: Unify root.transient with composefs
2024-02-13 04:21:21 -05:00
Colin Walters
15b4ee8181
Merge pull request #3168 from cgwalters/drop-tmpfiles-var
Drop tmpfiles var
2024-02-12 18:33:30 -05:00
Colin Walters
f89af07fcb prepare-root: Unify root.transient with composefs
First, I was totally wrong and composefs handles being passed
an upperdir itself, we don't need to stack overlayfs.

Next, there's really no reason to support `root.transient`
*without* a backing composefs.  The legacy ostree bind mount
and readonly `/usr` is just that - legacy.

Finally, we actually *must* do this to enable both composefs
and transient root, because the prepare-root flow assumes
that it just needs to `MS_MOVE` a *single* mount for the root,
not a stack.
2024-02-12 17:42:07 -05:00
Colin Walters
b929378663 prepare-root: Add missing newline
This is ugly in the output.
2024-02-12 17:42:07 -05:00
Colin Walters
c8cf23055e
Merge pull request #3169 from rborn-tx/support-older-linux-headers
Expose MOUNT_ATTR_IDMAP detection result to C code
2024-02-12 14:27:15 -05:00
Colin Walters
6df18abee7 docs/var: Update for latest
This reorients things here around the latest `VOLUME /var` approach.
2024-02-12 13:12:09 -05:00
Colin Walters
87dcc801a2 ostree-tmpfiles.conf: Drop var entry
We are backing away from this semantic, and moving towards
`/var` only being initialized at initial provisioning.
2024-02-12 13:12:09 -05:00
Rogerio Guerra Borin
cdfdfed27d configure: Expose MOUNT_ATTR_IDMAP detection result to C code
This is to allow compiling composefs on machines having somewhat old
Linux kernel headers.

Signed-off-by: Rogerio Guerra Borin <rogerio.borin@toradex.com>
2024-02-12 14:52:26 -03:00
Colin Walters
9350006011
Merge pull request #3167 from smcv/ostree-repo-config-typo
ostree.repo-config(5): Fix a typo
2024-02-11 13:49:33 -05:00
Simon McVittie
d8077eef87 ostree.repo-config(5): Fix a typo
Signed-off-by: Simon McVittie <smcv@collabora.com>
2024-02-11 15:56:53 +00:00
Colin Walters
cb3c42e306
Merge pull request #3166 from cgwalters/var-again
sysroot: Rework /var handling to act like Docker `VOLUME /var`
2024-02-10 05:14:18 -05:00
Colin Walters
f81b9fa166 sysroot: Rework /var handling to act like Docker VOLUME /var
We've long struggled with semantics for `/var`.  Our stance of
"/var should start out empty and be managed by the OS" is a strict
one, that pushes things closer to the original systemd upstream
ideal of the "OS state is in /usr".

However...well, a few things.  First, we had some legacy bits
here which were always populating the deployment `/var`.  I don't
think we need that if systemd is in use, so detect if the tree
has `usr/lib/tmpfiles.d`, and don't create that stuff at
`ostree admin stateroot-init` time if so.

Building on that then, we have the stateroot `var` starting out
actually empty.

When we do a deployment, if the stateroot `var` is empty,
make a copy (reflink if possible of course) of the commit's `/var`
into it.

This matches the semantics that Docker created with volumes,
and this is sufficiently simple and easy to explain that I think
it's closer to the right thing to do.

Crucially...it's just really handy to have some pre-existing
directories in `/var` in container images, because Docker (and podman/kube/etc)
don't run systemd and hence don't run `tmpfiles.d` on startup.

I really hit on the fact that we need `/var/tmp` in our container
images by default for example.

So there's still some overlap here with e.g. `/usr/lib/tmpfiles.d/var.conf`
as shipped by systemd, but that's fine - they don't actually conflict
per se.
2024-02-09 17:46:12 -05:00
Colin Walters
1c18bd256a
Merge pull request #3165 from cgwalters/drop-ex-integrity
deploy: Honor prepare-root.conf at deploy time for composefs
2024-02-09 09:57:21 -05:00
Colin Walters
cae4ceb6c5 deploy: Honor prepare-root.conf at deploy time
I want to try to get away from the "repository global" configuration
in the repo config.

A major problem is that there's not an obvious way to configure
it as part of an ostree commit/container build - it needs
to be managed "out of band".

With this change, we parse the `usr/lib/ostree/prepare-root.conf`
in the deployment root, and if composefs is enabled there,
then we honor it.

We do still honor `ex-integrity.composefs` but that I think
we can schedule to remove.
2024-02-08 19:53:23 -05:00