ostree/tests/kolainst/destructive/unlock-transient.sh
Colin Walters f2773c1b55 Add "transient" unlock
I was thinking a bit more recently about the "live" changes
stuff https://github.com/coreos/rpm-ostree/issues/639
(particularly since https://github.com/coreos/rpm-ostree/pull/2060 )
and I realized reading the last debates in that issue that
there's really a much simpler solution; do exactly the same
thing we do for `ostree admin unlock`, except mount it read-only
by default.

Then, anything that wants to modify it does the same thing
libostree does for `/sysroot` and `/boot` as of recently; create
a new mount namespace and do the modifications there.

The advantages of this are numerous.  First, we already have
all of the code, it's basically just plumbing through a new
entry in the state enumeration and passing `MS_RDONLY` into
the `mount()` system call.

"live" changes here also naturally don't persist, unlike what
we are currently doing in rpm-ostree.
2020-08-07 18:57:56 +00:00

#!/bin/bash
# Test unlock --transient
set -xeuo pipefail

. "${KOLA_EXT_DATA}/libinsttest.sh"

testfile=/usr/share/writable-usr-test

case "${AUTOPKGTEST_REBOOT_MARK:-}" in
  "")
    require_writable_sysroot
    assert_not_has_file "${testfile}"
    ostree admin unlock --transient
    # It's still read-only
    if touch "${testfile}"; then
      fatal "modified /usr"
    fi
    # But, we can affect it in a new mount namespace
    unshare -m -- /bin/sh -c 'mount -o remount,rw /usr && echo hello from transient unlock >'"${testfile}"
    assert_file_has_content "${testfile}" "hello from transient unlock"
    # Still can't write to it from the outer namespace
    if touch "${testfile}" || rm -v "${testfile}" 2>/dev/null; then
      fatal "modified ${testfile}"
    fi
    /tmp/autopkgtest-reboot 2
    ;;
  "2")
    # Second boot: changes made under the transient unlock must not persist
    if test -f "${testfile}"; then
      fatal "${testfile} persisted across reboot?"
    fi
    echo "ok unlock transient"
    ;;
  *) fatal "Unexpected boot mark ${AUTOPKGTEST_REBOOT_MARK}" ;;
esac
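
As an added illustration (not part of the ostree repository), the helper below checks from mountinfo text the same state the test above probes with trial writes: `/usr` read-only in the host namespace and writable only in the modifier's private mount namespace. The function names and the sample mountinfo lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the ostree test suite.
# Input is mountinfo text as found in /proc/<pid>/mountinfo, which shows
# the mount table of that process's mount namespace.

# Print the per-mount options (field 6) of the last entry mounted at $1.
# Assumption: the last matching entry is the topmost mount at that path.
mount_opts() (
    awk -v t="$1" '$5 == t { o = $6 } END { if (o == "") exit 1; print o }'
)

# Print "ro", "rw", or "none" (not a mount point) for $1; mountinfo on stdin.
mount_state() (
    opts=$(mount_opts "$1") || { echo none; exit 0; }
    case ",$opts," in *,ro,*) echo ro ;; *) echo rw ;; esac
)

# $1 = mount point, $2 = host mountinfo text, $3 = modifier's mountinfo text.
classify() (
    host=$(printf '%s\n' "$2" | mount_state "$1")
    inner=$(printf '%s\n' "$3" | mount_state "$1")
    case "$host:$inner" in
        ro:rw) echo isolated ;;  # intended: only the private namespace can write
        ro:ro) echo locked ;;    # nobody has remounted read-write
        rw:*)  echo exposed ;;   # host namespace itself is writable
        *)     echo unknown ;;
    esac
)

# Constructed sample data (device numbers, IDs and paths are made up).
HOST_VIEW='25 1 253:0 /deploy/usr /usr ro,relatime shared:2 - xfs /dev/vda4 rw
90 25 0:45 / /usr ro,relatime shared:40 - overlay overlay rw,lowerdir=usr'
MODIFIER_VIEW='125 101 253:0 /deploy/usr /usr ro,relatime - xfs /dev/vda4 rw
190 125 0:45 / /usr rw,relatime - overlay overlay rw,lowerdir=usr'

classify /usr "$HOST_VIEW" "$MODIFIER_VIEW"
```

On a live system, pass the contents of `/proc/1/mountinfo` as the host view and `/proc/<pid>/mountinfo` of the modifying process as the second view.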