Commit Graph

5245 Commits

Author SHA1 Message Date
Colin Walters
e6a560b407 deploy: Ignore sockets, fifos in /etc during merge
https://bugzilla.redhat.com/show_bug.cgi?id=1945274 is an issue where a privileged
kubernetes daemonset is writing a socket into `/etc`.  This makes ostree upgrades barf.

Now, they should clearly move it to `/run`.  However, one option is for us to
just ignore it instead of erroring out.  Some brief investigation shows that
e.g. `git add somesocket` is a silent no-op, which is an argument in favor of ignoring it.

Closes: https://github.com/ostreedev/ostree/issues/2446
2021-10-01 11:28:11 -04:00
Colin Walters
5bf4b1dabc
Merge pull request #2447 from cgwalters/sepolicy-for-commit
repo: Add an API to init `OstreeSePolicy` from commit directly
2021-09-30 17:25:30 -04:00
Jonathan Lebon
841902c40d
Merge pull request #2451 from cgwalters/fsck-happy 2021-09-30 16:33:47 -04:00
Jonathan Lebon
d61a499163
Merge pull request #2450 from cgwalters/revdep-ext-ci 2021-09-30 16:15:45 -04:00
Colin Walters
ddc0d54b78 sepolicy: Add deprecation comment for _get_path()
Came up in review
https://github.com/ostreedev/ostree/pull/2447#issuecomment-931428312
2021-09-30 15:54:48 -04:00
Colin Walters
1b9e3a9375 repo: Add an API to init OstreeSePolicy from commit directly
This is part of `OstreeCommitModifier`, but I'm not using
that in some of the ostree-ext Rust code.

It just makes more sense as a direct policy API, where it should
have been in the first place.  There's already support for
setting a policy object on a commit modifier, so that's all the
old API needs to do now.
2021-09-30 15:54:48 -04:00
Colin Walters
1ed290c7d9 fsck: Print a success message
There's a general Unix philosophy that "silence is golden".
However, when one is explicitly invoking an error check it's nice
to see explicit success.

We already print various statistics, so ending with a happy
note has no extra cost.
2021-09-30 14:09:22 -04:00
Colin Walters
bcc0ef7583 tests: Use ostree-ext 0.3.0
This updates to the modern glib 0.14 and paves the way for
some reverse dependency testing by using ostree-ext's code.
2021-09-30 13:38:25 -04:00
Colin Walters
4b61768e3d
Merge pull request #2448 from cgwalters/fix-selinux-policy
bin/commit: Fix --tree=tar with --selinux-policy
2021-09-30 13:26:00 -04:00
Colin Walters
ab12e380fc bin/commit: Fix --tree=tar with --selinux-policy
The logic for `--selinux-policy` ended up in the `--tree=dir`
path, but there's no reason for that.  Fix the imported
labeling with `--tree=tar`.  Prep for use with containers.

We had this bug because the previous logic was trying to avoid
duplicating the code for generic `--selinux-policy` and
the case of `--selinux-policy-from-base --tree=dir`.

It's a bit more code, but it's cleaner if we dis-entangle them.
2021-09-30 11:44:27 -04:00
Colin Walters
e8394c755b
Merge pull request #2440 from cgwalters/unit-test-counting
two small unit test patches
2021-09-13 14:19:19 -04:00
Colin Walters
bc30806c6e tests: Add new TAP APIs
Having to touch a global test counter when adding tests is
a recipe for conflicts between PRs.

The TAP protocol allows *ending* with the expected number of
tests, so the best way to do this is to have an explicit
API like our `tap_ok` which bumps a counter, then end with `tap_end`.

I ported one test as a demo.
2021-09-10 17:07:42 -04:00
Colin Walters
213b8608ea tests/pull-test: Avoid duplicating test numbers
We do this in other places; avoids touching two numbers when
adding tests.  Let computers do the addition.
2021-09-10 17:07:38 -04:00
Colin Walters
09804f7a09
Merge pull request #2438 from cgwalters/release-2021.4
Release 2021.4
2021-09-09 07:34:59 -04:00
Colin Walters
d1a73e1aba configure: post-release version bump 2021-09-08 14:18:11 -04:00
Colin Walters
55090f108d Release 2021.4 2021-09-08 14:00:12 -04:00
Colin Walters
ce36e05d38
Merge pull request #2434 from cgwalters/custom-remote
Add support for "custom remotes"
2021-09-08 09:27:26 -04:00
Colin Walters
511c7a13ee Add support for "custom remotes"
This will be helpful for the "ostree native container" work in
https://github.com/ostreedev/ostree-rs-ext/

Basically in order to reuse GPG/signapi verification, we need
to support adding a remote, even though it can't be used via
`ostree pull`.  (At least, not until we merge ostree-rs-ext into ostree, but
 even then I think the principle stands)
2021-09-08 07:42:25 -04:00
Luca Bruno
7e4c4f2a69
Merge pull request #2435 from RBuddel/fix-delta-files-resume-legacy-transaction
repo-pull: legacy_transaction_resuming flag ignored
2021-09-08 08:52:54 +00:00
Luca Bruno
20db6e52d1
Merge pull request #2430 from cgwalters/stabilize-staging
upgrade: Stabilize deployment staging
2021-09-08 08:18:00 +00:00
Buddelmann, Richard RB
744bf94369 repo-pull: legacy_transaction_resuming flag ignored
for deltafiles the legacy_transaction_resuming flag is not used,
which will mark the commit as done, even if files are missing.
using already existing commitstate_is_partial function as fix
2021-09-08 08:41:05 +02:00
Colin Walters
8821ec6e56 upgrade: Stabilize deployment staging
We're waaay overdue for this, it's been the default
in rpm-ostree for years, and solves several important bugs
around not capturing `/etc` while things are running.

Also, `ostree admin upgrade --stage` (should) become idempotent.

Closes: https://github.com/ostreedev/ostree/issues/2389
2021-09-07 16:12:43 -04:00
Colin Walters
55a7e74fee
Merge pull request #2428 from lucab/ups/tests-selinux-basic
tests: fix bare mode unprivileged 'make check'
2021-09-07 15:07:59 -04:00
Luca BRUNO
fff24089dd
tests: skip a broken fsck case
There are some existing issues around fsck in unprivileged bare mode,
so this test does not really work at the moment. Leaving it as a FIXME
for the moment.
2021-09-06 07:52:42 +00:00
Luca BRUNO
aa0bb176c5
tests/basic: avoid changing ownership
This avoids possible issues when trying to chmod, tweaking
permissions instead.
2021-09-06 07:41:02 +00:00
Colin Walters
9f5b636990
tests/basic: Skip --no-xattrs if we have selinux
It cannot work to use `--no-xattrs` when SELinux is enabled
because we get a `security.selinux` attribute on created files
regardless.  So just skip this test if true.

Also add some `ostree fsck`s in here which helped me debug
this.
2021-09-06 07:41:01 +00:00
Luca BRUNO
27fcee861a
libtest: tweak selinux/relabel message 2021-09-06 07:41:00 +00:00
Colin Walters
3691a23a41
Merge pull request #2340 from cgwalters/sign-verify-api
Add an API to verify a commit signature explicitly
2021-08-31 08:04:21 -04:00
Colin Walters
359435de84 Add an API to verify a commit signature explicitly
We have a bunch of APIs to do GPG verification of a commit,
but that doesn't generalize to signapi.  Further, they
require the caller to check the signature status explicitly
which seems like a trap.

This much higher level API works with both GPG and signapi.
The intention is to use this in things that are doing "external
pulls" like the ostree-ext tar import support.  There we will
get the commitmeta from the tarball and we want to verify it
at the same time we import the commit.
2021-08-30 13:27:38 -04:00
Luca Bruno
cfa2aec839
Merge pull request #2426 from cgwalters/xattrs-bareuseronly-union
checkout: Also ignore xattrs for union in bare-user-only mode
2021-08-27 07:34:46 +00:00
Luca Bruno
7fb0266df6
Merge pull request #2425 from cgwalters/hardlink-correct-errno
checkout: Save errno when re-throwing
2021-08-27 07:33:27 +00:00
Colin Walters
dd506fe2c8 checkout: Also ignore xattrs for union in bare-user-only mode
Followup to PRs related to https://github.com/ostreedev/ostree/issues/2410

Since the test suite now covers this the test was failing on
a Fedora SELinux enabled host where we see `security.selinux`
even if not in the commit.
2021-08-26 17:42:29 -04:00
Colin Walters
77a86ccba3
Merge pull request #2424 from cgwalters/test-nonroot-ci
ci: Run GH action CI build+test as non-root
2021-08-26 17:25:59 -04:00
Dan Nicholson
6e32084b67
Merge pull request #2422 from cgwalters/allow-none-detached
lib: Change read_commit_detached_metadata to be nullable
2021-08-26 13:33:23 -06:00
Colin Walters
87d115706e checkout: Save errno when re-throwing
I was seeing an `EPERM`  here which was confusing.
It turned out the real error was `EEXIST`.

Since we're referring to the original error, but we do a
lot of computation in the middle, we need to save errno.
2021-08-26 15:17:36 -04:00
Colin Walters
fdeee165f6 ci: Run main GH action CI build+test as non-root
This is really the standard best practice, matching how
e.g. dpkg/rpm work, as well as most local development
environments (including mine) with e.g. `toolbox`.
2021-08-26 14:40:34 -04:00
Colin Walters
3e30e72d33 lib: Change read_commit_detached_metadata to be nullable
Hit this while working on some Rust code.
2021-08-25 21:29:51 -04:00
Colin Walters
28a0792919
Merge pull request #2421 from lucab/ups/auto-txn-fixes
lib: improve transactions auto-cleanup logic
2021-08-25 17:45:28 -04:00
Luca BRUNO
c64b4bceba
lib: improve transactions auto-cleanup logic
This fixes some aspects of OstreeRepoAutoTransaction and re-aligns
it with the logic in flatpak. Specifically:
 * link to the underlying repo through refcounting
 * bridge internal errors to warning messages
 * verify the input pointer type

This is a preparation step before exposing this logic as a public API.
2021-08-25 16:17:52 +00:00
Luca Bruno
30909a28f2
Merge pull request #2418 from lucab/ups/lib-commit-xattrs
commit: automatically skip xattrs in bare-user-only mode
2021-08-24 14:28:39 +00:00
Luca BRUNO
00660eae79
tests: update several bare-user-only checks 2021-08-24 07:56:48 +00:00
Luca BRUNO
3e2360e3bb
lib/commit: automatically skip xattrs in bare-user-only mode 2021-08-24 07:56:46 +00:00
Luca BRUNO
f75552e15c
builtins/commit: set up relevant flags in bare-user-only mode
This detects bare-user-only mode and automatically enables a
commit modifier with relevant flags.
2021-08-24 07:56:19 +00:00
Luca BRUNO
0276f4dc0c
lib/diff: automatically skip xattrs in bare-user-only mode 2021-08-24 07:56:18 +00:00
Luca Bruno
89432b2e2d
Merge pull request #2419 from dbnicholson/gpg-list-keys
bin/remote: Rename list-gpg-keys to gpg-list-keys
2021-08-24 07:55:59 +00:00
Dan Nicholson
58a683f8f0 bin/remote: Rename list-gpg-keys to gpg-list-keys
As pointed out in the original review, `gpg-list-keys` fits better
alongside the existing `gpg-import`.

Changes were done with:

```
git grep -l list-gpg-keys | xargs sed -i 's/list-gpg-keys/gpg-list-keys/'
for src in $(git ls-files '*list-gpg-keys*'); do
  dst=${src/list-gpg-keys/gpg-list-keys}
  git mv "$src" "$dst"
done
```
2021-08-23 15:30:31 -06:00
Colin Walters
452611e4a8
Merge pull request #2417 from lucab/ups/diff-repo-ignore-xattrs
lib/diff: ignore xattrs if disabled on either repos
2021-08-23 10:58:36 -04:00
Luca BRUNO
06ff77cfeb
lib/diff: ignore xattrs if disabled on either repos
This fixes the logic to detect whether xattrs should be automatically
ignored when diffing.
2021-08-23 13:31:13 +00:00
Colin Walters
2f675cf1b1
Merge pull request #2412 from lucab/ups/lib-commit-canonicalize
lib/commit: autofix permissions for bare-user-only
2021-08-20 15:12:21 -04:00
Colin Walters
98f3fe3d8e
Merge pull request #2401 from dbnicholson/gpg-key-info
Remote GPG key info
2021-08-20 15:11:11 -04:00