31 Commits

Author SHA1 Message Date
Colin Walters
eb54a44169 Switch to external composefs
Since there's now a stable shared library, let's use it.
2024-04-12 16:16:21 -04:00
Alexander Larsson
f617a341f3 Support transient /etc
If the `prepare-root.conf` file contains:
```
[etc]
transient=yes
```

Then during prepare-root, an overlayfs is mounted as /etc, with the
upper dir being in /run. If composefs is used, the lower dir is
`usr/etc` from the composefs image , or it is the deployed
`$deploydir/usr/etc`.

Note that for this to work with selinux, the commit must have been
built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise
the lowerdir (/usr/etc) will have the wrong selinux contexts for the
final location of the mount (/etc).

We also set the transient-etc key in the ostree-booted file, pointing it
to the directory that is used for the overlayfs.

There are some additional work happening in ostree-remount, mostly
related to selinux (as this needs to happen post selinux policy
load):

 * Recent versions of selinux-poliy have issues with the overlayfs
   mount being kernel_t, and that is not allowed to manage files as
   needed. This is fixed in
   https://github.com/fedora-selinux/selinux-policy/pull/1893

 * Any /etc files created in the initramfs will not be labeled,
   because the selinux policy has not been loaded. In addition, the
   upper dir is on a tmpfs, and any manually set xattr-based selinux
   labels on those are reset during policy load. To work around this
   ostree-remount will relabel all files on /etc that have
   corresponding files in overlayfs upper dir.

 * During early boot, systemd mounts /run/machine-id on top of
   /etc/machine-id (as /etc is readonly). Later during boot, when etc
   is readwrite, systemd-machine-id-commit.service will remove the
   mount and update the real file under it with the right content. To
   ensure that this keeps working, we need to ensure that when we
   relabel /etc/machine-id we relabel the real (covered) file, not the
   temporary bind-mount.

 * ostree-remount no longer needs to remount /etc read-only in the
   transient-etc case.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2023-10-12 17:03:22 +02:00
Colin Walters
b8d66964a8 remount: Use new metadata in /run/ostree-booted for composefs
Since we now have a generalized more structured way of serializing
state in the initramfs instead of "stamp files", use it for
passing the composefs state.
2023-07-13 07:57:18 -04:00
Alexander Larsson
c29f4193cd ostree-prepare-root: Validate ed25519 signatures when requested
If requested, by specifying ot-composefs=signed=/path/to/pub.key then
the commit object is validated against the specified ed25519 public
key, and if valid, the composefs digest from the commit object is used
to ensure we boot the right digest.
2023-07-11 14:08:33 -04:00
Colin Walters
875915f6c9 prepare-root: Link to glib
Since we've split off the "prepare root as init" code
into a separate file, we can now use glib to parse
the config file again, which is a lot less hacky.

This is particularly motivated by composefs, where
we want to do more in the initramfs.  Future patches
may also link to parts of libostree.
2023-06-30 05:18:23 -04:00
Colin Walters
d6799ecc24 Separate prepare-root static path
We should have done this a long time ago.  We don't have any test
coverage for the no-initramfs path, and I think it's not long
term supportable as we want to add more features like composefs.

Particularly now that there's good support for embedding an
initramfs in a kernel image, I see little value in a path for
having custom static linking for this prepare root flow.

That said, we will continue to make a best-effort "it compiles"
attempt to support it.

Fork the "pid 1" prepare root code into a new
`ostree-prepare-root-static.c` file, and drop the runtime conditionals.

We can drop the composefs logic from `-static.c` which ends up
keeping that file much smaller.

A further next step here will be to actually fold the
`prepare-root.c` logic into the main `ostree` binary which we
can then just include in the initramfs.
2023-06-30 05:18:23 -04:00
Colin Walters
6ed6a7e699 ci: Add "it compiles" coverage for --with-static-compiler
Prep for further changes.
2023-06-27 06:36:52 -04:00
Alexander Larsson
e3be4ee52a Update submodule: composefs
Instead of using pkg-config, etc we just include composefs.
In the end the library is just 5 c source files, and it is set up
to be easy to use as a submodule.

For now, composefs support is disabled by default.
2023-05-31 10:57:37 +02:00
Alexander Larsson
11d7587e40 prepare-root: Support using composefs as root filesystem
This changes ostree-prepare-root to use the .ostree.cfs image as a
composefs filesystem, instead of the checkout.

By default, composefs is used if support is built in and the .ostree.cfs
file exists in the deploy dir, otherwise we fall back to the old
method. However, if the ot-composefs kernel option is specified this
can be tweaked as per:
 * off: Never use composefsz
 * maybe: Use if possible
 * on: Fail if not possible
 * signed: Fail if the cfs image is not fs-verity signed with
   a key in the keyring.
 * digest=....: Fail if the cfs image does not match the specified
   digest.

The final layout when composefs is active is:

 /        ro overlayfs mount for composefs
 /sysroot "real" root
 /etc     rw bind mount to $deploydir/etc
 /var     rw bind mount to $vardir

We also specify the $deploydir/.ostree-mnt directory as the (internal)
mountpoint for the erofs mount for composefs. This can be used to map
the root fs back to the deploy id/dir in use,

A further note: I didn't test the .usr-ovl-work overlayfs case, but a
comment mentions that you can't mount overlayfs on top of a readonly
mount. That seems incompatible with composefs. If this is needed we
have to merge that with the overlayfs that composefs itself sets up,
which is possible with the libcomposefs APIs.
2023-05-31 10:57:37 +02:00
Joseph Marrero
581a58067b Update FSF license notices to use URL instead of address 2021-12-07 08:34:25 -05:00
Colin Walters
5af403be0c Support mounting /sysroot (and /boot) read-only
We want to support extending the read-only state to cover `/sysroot`
and `/boot`, since conceptually all of the data there should only
be written via libostree.  Or at least for `/boot` should *mostly*
just be written by ostree.

This change needs to be opt-in though to avoid breaking anyone.

Add a `sysroot/readonly` key to the repository config which instructs
`ostree-remount.service` to ensure `/sysroot` is read-only.  This
requires a bit of a dance because `/sysroot` is actually the same
filesystem as `/`; so we make `/etc` a writable bind mount in this case.

We also need to handle `/var` in the "OSTree default" case of a bind
mount; the systemd generator now looks at the writability state of
`/sysroot` and uses that to determine whether it should have the
`var.mount` unit happen before or after `ostree-remount.service.`

Also add an API to instruct the libostree shared library
that the caller has created a new mount namespace.  This way
we can freely remount read-write.

This approach extends upon in a much better way previous work
we did to support remounting `/boot` read-write.

Closes: https://github.com/ostreedev/ostree/issues/1265
2019-12-11 15:33:57 +00:00
Ricardo Salveti
de8e0765a4
Makefile: declare ostree_boot_SCRIPTS and append values
ostree_boot_SCRIPTS was being set on both Makefile-boot.am and
Makefile-switchroot.am, causing the first one to be replaced by the
other at the final Makefile, so declare as empty and append on both
places instead.

Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
2019-11-06 11:44:08 -03:00
Colin Walters
304abee9eb prepare-root: Fix compilation with --with-static-compiler
Closes: https://github.com/ostreedev/ostree/issues/1845

Closes: #1846
Approved by: akiernan
2019-04-25 13:00:40 +00:00
Jonathan Lebon
298c601d88 ostree-prepare-root: Log journal message after finding deployment
Log a structured journal message when resolving the deployment path.
This will be used by the `rpm-ostree history` command to find past
deployments the system has booted into.

Closes: #1842
Approved by: cgwalters
2019-04-18 06:11:10 +00:00
Alex Kiernan
3696e1cfdd build: Use ostree_prepare_root_CPPFLAGS for ostree-prepare-root
Swap from AM_CPPFLAGS to ostree_prepare_root_CPPFLAGS when compiling
ostree-prepare-root statically. This fixes a problem when you have
systemd and libmount, but only ostree_prepare_root_CPPFLAGS includes
-DHAVE_SYSTEMD_AND_LIBMOUNT=1.

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>

Closes: #1670
Approved by: jlebon
2018-07-04 19:45:50 +00:00
Alex Kiernan
6bed647648 switchroot: Fix split source/build directory
If you have split source and build directories, then building
static ostree-prepare-root fails to find the source files.

https://github.com/ostreedev/ostree/issues/1429

Closes: #1445
Approved by: cgwalters
2018-02-05 15:26:22 +00:00
Marcus Folkesson
6bf4b3e1d8 Add SPDX-License-Identifier to source files
SPDX License List is a list of (common) open source
licenses that can be referred to by a “short identifier”.
It has several advantages compared to the common "license header texts"
usually found in source files.

Some of the advantages:
* It is precise; there is no ambiguity due to variations in license header
  text
* It is language neutral
* It is easy to machine process
* It is concise
* It is simple and can be used without much cost in interpreted
  environments like java Script, etc.
* An SPDX license identifier is immutable.
* It provides simple guidance for developers who want to make sure the
  license for their code is respected

See http://spdx.org for further reading.

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>

Closes: #1439
Approved by: cgwalters
2018-01-30 20:03:42 +00:00
Philip Withnall
e3a4049c24 build: Add distcheck configure flags to fix systemd and bash-completion
When running distcheck, the systemd system-generator and bash-completion
scripts are installed in absolute paths (/usr and /lib) as looked up
from their pkg-config files. This breaks distcheck. Use a
${prefix}-relative path for both of them when configuring for distcheck.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Closes: #1103
Approved by: cgwalters
2017-08-22 17:37:48 +00:00
Colin Walters
30705889cb Switch to using a systemd generator for /var
If one wants to set up a mount for `/var` in `/etc/fstab`, it
won't be mounted since `ostree-prepare-root` set up a bind mount for
`/var` to `/sysroot/ostree/$stateroot/var`, and systemd will take
the already extant mount over what's in `/etc/fstab`.

There are a few options to fix this, but what I settled on is parsing
`/etc/fstab` in a generator (exactly like `systemd-fstab-generator` does),
except here we look for an explicit mount for `/var`, and if one *isn't* found,
synthesize the default ostree mount to the stateroot. Another nice property is
that if an admin creates a `var.mount` unit in `/etc` for example, that will
also override our mount.

Note that today ostree doesn't hard depend on systemd, so this behavior only
kicks in if we're built with systemd *and* libmount support (for parsing
`/etc/fstab`).  I didn't really test that case though.

Initially I started writing this as a "pure libc" program, but at one point
decided to use `libostree.so` to find the booted deployment. That didn't work
out because `/boot` wasn't necessarily mounted and hence we couldn't find the
bootloader config. A leftover artifact from this is that the generator code
calls into libostree via the "cmd private" infrastructure. But it's an easy way
to share code, and doesn't hurt.

Closes: #859
Approved by: jlebon
2017-05-16 16:13:05 +00:00
Simon McVittie
a73fef3eaa build: clean up ostree-remount if building without systemd
This is necessary for "make distcheck" on Travis-CI.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

Closes: #600
Approved by: cgwalters
2016-11-29 14:11:50 +00:00
William Manley
4d3b93e2ad switchroot: Fix build on Ubuntu
Was failing with error:

    src/switchroot/ostree-prepare-root.c:30:20: fatal error: config.h: No such file or directory
    compilation terminated.

Reported by and fix provided by @gatispaeglis.

Closes: #485
Approved by: cgwalters
2016-09-01 20:17:58 +00:00
William Manley
1dc69dc879 switchroot: Move path_is_on_readonly_fs to header file
This simplifies the build system by removing the need for
`libswitchroot-mountutil.la`.

Original idea by @cgwalters in #477.

Closes: #478
Approved by: cgwalters
2016-08-30 22:41:27 +00:00
William Manley
42dab85728 ostree-prepare-root: Allow building statically with musl
If the `--with-static-compiler=musl-gcc` configure flag is given.

ostree-prepare-root can be used as init in a system without a populated
/lib.  To support this use case we need to link statically as we will be
unable to locate libc.so at run time if it's not installed in /lib.

We support building ostree-prepare-root with a different compiler to the
rest of ostree so we can use musl rather than glibc.  This reduces the size
of the executable significantly: from ~700K -> ~30K.  We have to use
`_SCRIPTS` here to get autotools to install this as an executable but
without generating rules to make it itself which we have specified
manually.

See https://lists.gnu.org/archive/html/help-gnu-utils/2007-01/msg00007.html
for advice on using autotools in this manner.

Closes: #477
Approved by: cgwalters
2016-08-30 20:50:33 +00:00
Gatis Paeglis
fd1a044d6e Move ostree-* executables to /usr/lib/ostree
Why not to use libexecdir?

Because this directory does not exist on some distros or paths
between distros varies. There are several reasons why a well
known path is prefered, for example when generating a kernel
command line:

init=${ostree}/usr/lib/ostree-boot/ostree-prepare-root

In addition this saves us some typing in a console when wanting
to access the "ostree" cmd line.

Closes: #449
Approved by: cgwalters
2016-08-11 14:04:59 +00:00
Daniel Narvaez
ccb10d592d Add support for mkinitcpio
https://bugzilla.gnome.org/show_bug.cgi?id=710682
2013-10-24 14:27:49 -04:00
Colin Walters
26cef497a6 Remove built in "triggers"
Originally, the idea was that clients would replicate "OS/tree"s from
a build server, but we'd run things like "ldconfig" on the client.
This was to allow adding e.g. the nVidia binary driver.

However, the triggers were the only thing in the system at the moment
that really had expected knowledge of the *contents* of the OS, like
the location of binaries.

For now, it's architecturally cleaner if we move the burden of
triggers to the tree builder (e.g. gnome-ostree or RPM).  Eventually
we may want OSTree to assist with this type of thing (perhaps
something like RPM %ghost), but this is the right thing to do now.
2013-07-07 14:37:59 -04:00
Colin Walters
bb6eedfb25 [INCOMPATIBLE CHANGE] Implement new deployment model
See https://wiki.gnome.org/OSTree/DeploymentModel2

This is a major rework of the on-disk filesystem layout, and the boot
process.  OSTree now explicitly supports upgrading kernels, and these
upgrades are also atomic.

The core concept of the new model is the "deployment list", which is
an ordered list of bootable operating system trees.  The deployment
list is reflected in the bootloader configuration; which has a kernel
argument that tells the initramfs (dracut) which operating system root
to use.

Invidiual notable changes that come along with this:

1) Operating systems should now come with their etc in usr/etc; OSTree
   will perform a 3-way merge at deployment time, and place etc in
   the actual root.  This avoids the need for a bind mount, and is
   just a lot cleaner.
2) OSTree no longer bind mounts /root, /home, and /tmp.  It is expected
   that the the OS/ has these as symbolic links into /var.

At the moment, OSTree only supports managing syslinux; other
bootloader backends will follow.
2013-07-07 11:31:26 -04:00
Colin Walters
7e882cc2cf dracut: Add ostree-remount
Linux creates a copy of the soure mount flags when creating a bind
mount; if the source is read-only, then the bind mount is.

The problem is that systemd will remount the rootfs read/write, but
each mount (/home, /var etc.) will still be read-only.  We need to
remount every bind mount except for /usr to read-write too.

This only "worked" with the old ostree-switch-root because it
effectively force mounted the rootfs read-write always, ignoring the
"ro" flag.
2013-06-04 15:59:52 -04:00
Colin Walters
1e080b9c73 ostree-prepare-root: New binary, used for systemd-in-initramfs setups
Rather than attempting to hack up the "switch-root" functionality of
systemd, this binary allows us to simply prepare the root before we
switch into it.
2013-06-02 15:39:20 -04:00
Colin Walters
c63cca53d7 build: Add --enable-triggers-only
For bootstrapping gnome-ostree, we need to install the triggers early
on, before we actually build the real ostree binary.
2012-08-26 13:58:23 -04:00
Colin Walters
a904c9693b Add ostree-switch-root here
Merge the code from ostree-init; now that we're back to targeting an
initramfs (dracut), we don't need to statically link the binary, so
there's no strong reason to have a separate module.
2012-02-05 16:02:44 -05:00