dgit.raspbian.org Git - ostree.git/log

lib/repo-finder: Emit gpg-verify-summary=false in dynamic remote config

When returning results from finding repos, set gpg-verify-summary=false
in their configs, since any pulls from such remotes will necessarily
involve collection IDs, and hence should be using the unsigned summary
support. In the intended deployment mode for P2P transmission of OSTree
refs, summaries *cannot* be signed, so setting gpg-verify-summary=true
would cause all the pulls to fail.

The unsigned summary support is the move of repository metadata from
the summary file (not spliceable) to the well-known ostree-metadata ref
(spliceable, as it can exist for multiple collection IDs in the same
repository).

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1066
Approved by: cgwalters

lib/deploy: Use a FIFREEZE/FITHAW cycle for /boot

See: http://marc.info/?l=linux-fsdevel&m=149520244919284&w=2

XFS doesn't flush the journal on `syncfs()`. GRUB doesn't know how to follow the
XFS journal, so if the filesystem is in a dirty state (possible with xfs
`/boot`, extremely likely with `/`, if the journaled data includes content for
`/boot`, the system may be unbootable if a system crash occurs.

Fix this by doing a `FIFREEZE`+`FITHAW` cycle.  Now, most people
probably would have replaced the `syncfs()` invocation with those two
ioctls.  But this would have become (I believe) the *only* place in
libostree where we weren't safe against interruption.  The failure
mode would be ugly; nothing else would be able to write to the filesystem
until manual intervention.

The real fix here I think is to land an atomic `FIFREEZETHAW` ioctl
in the kernel.  I might try a patch.

In the meantime though, let's jump through some hoops and set up
a "watchdog" child process that acts as a fallback unfreezer.

Closes: https://github.com/ostreedev/ostree/issues/876
Closes: #1049
Approved by: jlebon

lib: Port gpg verification for remotes to fd-relative

This was the last use of `repo->repodir` internally, and will help finally add
`ostree_repo_open_at()`.

Closes: #1034
Approved by: jlebon

lib/repo: Fix handling of missing summary files when downloading

The API for downloading a summary file can legitimately return NULL for
the summary file contents when it returns TRUE (success). This indicates
an error 404 — the summary file was not found.

Two call sites were not handling that correctly, which was causing later
assertion failures.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1061
Closes: #1065
Approved by: cgwalters

ostree/parse-datetime: Ensure tm structs are initialised

Otherwise tm.tm_wday remains uninitialised and gets propagated
elsewhere.

Spotted by Coverity as issue #209265.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1059
Approved by: cgwalters

lib/sepolicy: Drop duplicate assignment

Spotted by Coverity as issue #1452619.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1059
Approved by: cgwalters

lib/repo-commit: Drop unreachable conditional branch

(remaining > 0) is asserted by the loop condition, and remaining is not
modified between that check and the G_UNLIKELY — so the condition in the
G_UNLIKELY will always be true.

Spotted by Coverity as issue #1452617.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1059
Approved by: cgwalters

lib/repo-finder-avahi: Drop redundant conditional

summary_timestamp is checked for non-NULL-ness above, and the function
bails if it’s NULL.

Fixes Coverity issue #1452616.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1059
Approved by: cgwalters

lib/repo-refs: Add ostree_repo_remote_list_collection_refs() API

This parallels ostree_repo_remote_list_refs(), but returns a map of
OstreeCollectionRef → checksum, and includes refs from collection IDs
other than the remote repository’s main collection ID.

Use this in OstreeRepoFinderConfig to ensure that refs are matched
against even if they’re stored in the repository summary file’s
collection map, rather than its main ref map. This fixes false negatives
when searching for refs in some situations.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1058
Approved by: cgwalters

lib/repo-pull: Add a missing precondition

This catches a few failure modes in the pull code a little earlier,
before the incorrectly-NULL repo makes its way into a closure and a
worker thread, where the cause of the problem is harder to track down.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1058
Approved by: cgwalters

lib/repo-finder: Avoid a potential unref-of-NULL crash

As the comment explains, it’s possible for a result to be freed while
ref_to_checksum is NULL, even though normally the data structure
guarantees it’s non-NULL. This was causing crashes when results were
filtered out of a find-remotes call. Guard against that.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1058
Approved by: cgwalters

lib/repo-pull: Fix counting of latest commits when finding repos

The intended behaviour of ostree_repo_find_remotes() is to return
results which have the latest version of at least one of the requested
refs. Results which have some of the requested refs, but don’t have the
latest version of any of them, should be ignored. The logic to do this
was broken in the case that a result contained a positive number of the
requested refs, but none of them were the latest version. (It previously
worked when the result contained none of the requested refs.)

Fix the counting to work correctly in both cases.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1058
Approved by: cgwalters

man: The min-free-space-percent item goes in [core] section

The documentation incorrectly indicates that min-free-space-percent
goes in the [remote "name"] section. It should go in [core] instead.

Closes: #1062
Approved by: cgwalters

autogen.sh: Fix running out of tree

The autogen.sh script should be runnable out of tree. It's mostly
already the case, just one little tweak to make it work.

   $ mkdir build
   $ cd build
   $ ../autogen.sh --prefix=/usr

Closes: #1063
Approved by: cgwalters

tree-wide: Remove trailing semicolon from autoptr declarations

It confuses `g-ir-scanner`, and isn't necessary.

Closes: #1056
Approved by: pwithnall

bin/pull: Fix @ override syntax when pulling multiple refs

Coverity spotted an infloop here since we were incrementing `i++`
instead of `j++`. But adding a test revealed other bugs - we need
to keep the arrays in sync.

Coverity CID: 1452204

Closes: #1041
Approved by: pwithnall

lib/deltas: Squash Coverity warning for div-by-zero in delta show

If a delta happens to have zero objects, we could end up doing
a divide-by-zero when inferring endianness. In practice,
a zero-object delta isn't possible to generate I think, but
let's make sure the code is defensive all the same.

Spotted by Coverity.

Coverity CID: 1452208

Closes: #1041
Approved by: pwithnall

Documentation: static delta default from

Document that the default behavior of `ostree static-delta generate` if to generate the delta from the parent.
Closes: #1057
Approved by: cgwalters

main: Fix subcommand usage output

This commit sets prgname correctly so that the "ostree subcommand
--help" output prints the subcommand rather than just "ostree".

This was removed in commit f0519e541f29 because it tripped the thread
sanitizer, but it's being added back conditionally so most users who
don't compile with -fsanitize=adress see proper help output.

Closes: #1054
Approved by: cgwalters

tree-wide: Fix the build with old glib (Ubuntu Trusty etc.)

This regressed with <https://github.com/ostreedev/ostree/pull/1040>
but currently the Travis builds aren't gating.

Closes: #1051
Approved by: jlebon

lib: Define and use an autoptr cleanup for gpgme_key_t

Followup for previous patch, allows porting a bit to new code style.

Closes: #1039
Approved by: jlebon

tree-wide: Use g_autoptr(Ostree*)

Part of cleaning up our usage of libglnx; we want to use what's in GLib where we
can.

Had to change a few .c files to `#include ostree.h` early on to pick up
autoptrs for the core types.

Closes: #1040
Approved by: jlebon

Documentation: README: Remove deprecated wiki link

The old wiki only contains link back to readthedocs.
The link to is useless.
Closes: #1050
Approved by: cgwalters

tests/libtest-core.sh: Add a comment that this copy is canonical

Ref: https://github.com/projectatomic/bubblewrap/pull/203

Closes: #1047
Approved by: jlebon

lib/pull: Log state of summary/commit GPG verification

Since we have both, we should clearly log the state of both of
them. Split this out of a larger patch.

Closes: #1046
Approved by: jlebon

lib/repo: Add API to create and list ref aliases

There are multiple use cases where we'd like to alias refs.

First, having a "stable" alias which gets swapped across major
versions: https://pagure.io/atomic-wg/issue/228

Another case is when a ref is obsoleted;
<https://pagure.io/atomic-wg/issue/303>
This second one could be done with endoflife rebase, but I think
this case is better on the server side, as we might later change
our minds and do actual releases there.

I initially just added some test cases for symlinks in the `refs/heads` dir to
ensure this actually works (and it did), but I think it's worth having APIs.

Closes: #1033
Approved by: jlebon

lib/deploy: Add structured logging info for syncfs() times

I plan to at some point change rpm-ostree to read the journal messages from
libostree and render things like the time we spent in syncfs().

Closes: #1044
Approved by: jlebon

lib/sysroot: Add prefixes to syncfs/fsync error messages

And clean up one other bare `glnx_throw_errno()`.

Closes: #1044
Approved by: jlebon

tree-wide: Use GLib autocleanups for libarchive

Define typedefs for read/write archives, and use the GLib
autocleanups for them. Prep for updating libglnx to drop its
custom autocleanup macros.

Closes: #1042
Approved by: jlebon

lib/gpg: Switch to GLib autocleanups for gpgme types

Prep for dropping `GLNX_DEFINE_CLEANUP_FUNCTION` from libglnx
in favor of using GLib's `G_DEFINE_AUTO_CLEANUP_FREE_FUNC()`.

Closes: #1042
Approved by: jlebon

lib/curl: Only check individual request errors

It looks like `curl_multi_socket_action()` will return an error
if *one* of the requests has an error, but we already check
for that explicitly by iterating over each handle.

In libcurl, the "easy" layer doesn't really make use of this
return value. I did a bit of looking elsewhere; systemd
does check it as a runtime error, not an assertion. librepo
doesn't use the multi interface.

Closes: https://github.com/ostreedev/ostree/issues/1035
Closes: #1038
Approved by: jlebon

lib/commit: Rework a conditional set for clarity and Coverity

Coverity complained that the `else if (bytes_read == 0)` was dead
code if we happened to find it was already false when testing
`else if (G_UNLIKELY (bytes_read == 0 ...`.

There was nothing wrong with the logic, but let's rework it to
only test the value once; I think it does end up nicer anyways.

Coverity CID: 1452186

Closes: #1037
Approved by: jlebon

tests/lzma: Fix off-by-one in buffer size

Coverity spotted that we had an off-by-one here since we were using
`i+1`. Fix this by adding a `-1` to the bounds check. Also use
`sizeof()` to ensure the data and size are coupled.

Coverity CID: 1452207

Closes: #1037
Approved by: jlebon

rofiles-fuse: Add missing error handling for fcntl()

Spotted by Coverity.

Coverity CID: 1452201

Closes: #1037
Approved by: jlebon

tests/lzma: Use GRand over random()

It's designed for test suites and non-critical random uses like this. This
silences a Coverity warning about weak randomness.

Closes: #1037
Approved by: jlebon

bin/refs: Fix error handling logic

Spotted by Coverity.

Coverity CID: 1452202

Closes: #1037
Approved by: jlebon

tests: Add some return value checking to pacify Coverity

No real problems here, but Coverity likes to see consistent checking of return
values, and I agree with it.

Coverity CID: 1452213
Coverity CID: 1452211

Closes: #1037
Approved by: jlebon

docs/pull: Finish incomplete docs for pull@hash syntax

Closes: https://github.com/ostreedev/ostree/issues/1043
Closes: #1045
Approved by: guyshapiro

gpg-verify-result: try to display the primary key ID from signatures

The fingerprint associated with each signature can be different to
the primary key ID (the normal one that people use to identify a
GPG key) if the signature is from a signing subkey. Try to find the
primary key and print this ID in preference to the subkey signature.

https://github.com/ostreedev/ostree/issues/608

Closes: #1036
Approved by: cgwalters

gpg-verify-result: canonicalise key when looking up signatures

Use gpgme_get_key to find the primary key for the key we are
looking for, and the primary key for each signature, and
compare these when looking up signatures.

The primary key is the first in the list of subkeys, which is
the normal key ID people use when referring to a GPG key as an
identity.

If the key has a signing subkey, signature->fpr will not match
the provided key_id, so looking up both keys and comparing the
primary key fingerprints ensures they are both canonicalised.

https://github.com/ostreedev/ostree/issues/608

Closes: #1036
Approved by: cgwalters

lib/pull: Journal fetch results

This is a continuation of addition of journaling to libostree; see
e.g. <https://github.com/ostreedev/ostree/pull/708>.

I wanted more information at the end of fetches; in particular
some details about the delta execution (what opcodes etc.), but
this is a first step: we log things like the transferred data
as well as whether or not GPG was enabled, etc.

One awkward thing about this is how we map the fetcher options like
`tls-ca-path` back out into an enum for the code to log. But eh, hard to fix
without a bigger refactoring.

Closes: #1032
Approved by: jlebon

grub2: Handle aarch64 (at least on Fedora/RHEL)

See: https://github.com/projectatomic/rpm-ostree-toolbox/issues/102#issuecomment-316483554

The logic here should now match what grubby does. I have no
idea whether this applies to other distributions though.

Closes: #1021
Approved by: jlebon

build-sys: Post-release version bump

Closes: #1029
Approved by: jlebon

Release 2017.9

Closes: #1029
Approved by: jlebon

ci: Enable libcurl by default on Fedora

The insttest fell over since its build used libsoup, but that just dropped out
of FAH.

Closes: #1030
Approved by: jlebon

lib/core: Add #defines for ref/collection binding

These were previously private, but since we expect people to use them, let's add
`#define`s like we did for some of the other commit metadata.

Closes: #1028
Approved by: jlebon

Update libglnx, port some uses to newer APIs

Mostly for the latest `-Wmaybe-uninitialized` fix, but while here also port some
places to newer APIs.

Update submodule: libglnx

Closes: #1027
Approved by: jlebon

build: Turn off default warnings if we find -Werror specified

Our CI runs use `-Werror`; there's no point to our default warning set kicking
in, it just bloats the command line output.

Closes: #1023
Approved by: jlebon

ci: Enable -Werror for clang

I hit an unused-variable warning with `GLNX_AUTO_PREFIX_ERROR` for
rpm-ostree and led me to wonder why ostree didn't fail, then I noticed
we had lost the special `-Werror=unused-variable` bit. Let's go
ahead and use `-Werror` for clang too.

Closes: #1023
Approved by: jlebon

tests: More fixes for gjs tests

Previous to this commit, the gjs tests were installed-only; and our
logic for handling the "--enable-installed-tests=exclusive" logic
actually also meant they weren't installed.

It did work for me locally with `--enable-installed-tests`.

However, to make things fully symmetric, let's enable the js tests to also be
run under `make check`.

Also remove `corrupt-repo-ref.js` from the PAPR invocation since it's not
actually a unit test, it's a utility helper.

Closes: #1022
Approved by: jlebon

lib: Add #define for endoflife metadata key

It is a continuation of https://github.com/ostreedev/ostree/pull/1024
It adds documentation for endoflife metadata key.

Closes: #1025
Approved by: cgwalters

lib: Add #defines for current well-known metadata keys

This came up in https://github.com/projectatomic/rpm-ostree/issues/142

Let's add `#define`s for our metadata keys, with documentation so
that, well, they're documented.

Closes: #1024
Approved by: peterbaouoft

ci/papr: Add a suite to run introspection-based tests without ASAN

Unfortunately we can't do gobject-introspection based tests
while compiling with `-fsanitize=address`, since it needs to hook
`malloc` early on.

Add a new suite which just runs the introspection-based tests without ASAN.

Closes: #1016
Approved by: jlebon

lib/commit: Fix EBADF with GENERATE_SIZES option for commit

Regression from previous tmpfile refactoring; unfortunately
the `OSTREE_REPO_COMMIT_MODIFIER_FLAGS_GENERATE_SIZES` option
only has coverage via gjs currently.

Might expose it via the cmdline in a later option, but in the big picture the
idea was that this data is better kept in static deltas.

Closes: https://github.com/ostreedev/ostree/issues/1014
Closes: #1016
Approved by: jlebon

ci/papr: Switch primary to libcurl, add libsoup context

Sometime in the next few releases I think we should make libcurl
the default.

Prep for more CI work.

Closes: #1016
Approved by: jlebon

lib/repo: Auto-recreate repo/tmp if it's deleted

We can accumulate a lot of space there; let's be nice to people who delete the
whole directory.

Closes: https://github.com/ostreedev/ostree/issues/1018
Closes: #1020
Approved by: jlebon

core: Sanitize error text validating refs (e.g. against HTML)

See: https://github.com/projectatomic/rpm-ostree/issues/885

If we get a successful Apache directory listing HTML when fetching what we
intend to be a ref, we'd dump the HTML into the error.

I did some scanning of the pull code, and this was the only case
I saw offhand where we were dumping text out into an error. Which
makes sense, since most of our formats are binary, the exeptions I
think are just `repo/config` and `repo/refs/`.

Closes: #1015
Approved by: mbarnes

build: Don't distribute generated man pages

We build them in "make" and clean them in "make clean", so there
doesn't seem much point in shipping them pre-generated in the tarball.

Signed-off-by: Simon McVittie <smcv@debian.org>
Closes: #1013
Approved by: cgwalters

Update libglnx, port various bits to new API

Using the error prefixing in the delta processing allows us to
do new code style.  Also strip trailing whitespace.

Use error prefixing in a few other random places.  I didn't
hunt for all of them, just testing out the new API.

Use `glnx_fchmod()`.  Also note I dropped one `fchmod (tmpf, 0600)`
which is no longer necessary.

Update submodule: libglnx

Closes: #1011
Approved by: jlebon

lib/pull: Drop direct use of ->repodir

Prep for `ostree_repo_new_at()`. Down the line perhaps
we should extend libcurl to accept a file descriptor for cookies,
but this works OK for now.

Closes: #1010
Approved by: jlebon

bin/cookies: Drop libsoup code, fix fd-relative issues, new style

Prep for `ostree_repo_new_at()`. These commands were directly accessing
`repo->repodir`, which it turns out was unnecessary since the the APIs they then
used were fd-relative. Except actually there were bugs there, so fix all of the
cookie util code to actually use the passed `dfd` and not just hardcode
`AT_FDCWD`.

Also, libsoup can't handle this (its APIs require fully qualifed paths), and
there's not a really good reason to have two implementations now; historically
it was useful to cross-check them, but I don't think we need that.

While I'm here, port to new style.

Closes: #1010
Approved by: jlebon

Add a notion of "physical" sysroot, use for remote writing

(Note this PR was reverted in <https://github.com/ostreedev/ostree/pull/902>;
this version should be better)

Using `${sysroot}` to mean the physical storage root: We don't want to write to
`${sysroot}/etc/ostree/remotes.d`, since nothing will read it, and really
`${sysroot}` should just have `/ostree` (ideally). Today the Anaconda rpmostree
code ends up writing there. Fix this by adding a notion of "physical" sysroot.
We determine whether the path is physical by checking for `/sysroot`, which
exists in deployment roots (and there shouldn't be a `${sysroot}/sysroot`).

In order to unit test this, I added a `--sysroot` argument to `remote add`.
However, doing this better would require reworking the command line parsing for
the `remote` argument to support specifying `--repo` or `--sysroot`, and I
didn't quite want to do that yet in this patch.

This second iteration of this patch fixes the bug we hit the first time;
embarassingly enough I broke `ostree remote list` finding system remotes.
The fix is to have `ostree_repo_open()` figure out whether it's the same
as `/ostree/repo` for now.

Down the line...we might consider having the `ostree remote` command line itself
instatiate an `OstreeSysroot` by default, but this maximizes compatibility; we
just have to pay a small cost that `ostree` usage outside of that case like
`ostree static-delta` in a releng Jenkins job or whatever will do this `stat()`
too.

Closes: https://github.com/ostreedev/ostree/issues/892
Closes: #1008
Approved by: mbarnes

lib/pull: Do local content imports async too

This came up in <https://github.com/ostreedev/ostree/pull/982>; when
we added more direct local importing, we did it synchronously.

This was actually quite a regression when doing local pulls between different
modes; in particular between a bare mode and `archive`, as we were suddenly
doing gzip {de,}compression in the main thread.

Down the line actually...a simpler fix is probably to change things so that the
local path is really only used when we know we can hardlink; everything else
would go though the fetcher codepath but with `file://`.

But this isn't a lot more code, and the speed/interactivity win is large.

Note we're only doing content async with this patch. We could do metadata as
well; we have the object already local. But the metadata code path is messier,
and metadata objects are smaller.

Another area where this comes up is that in e.g. Fedora releng, most operations
talk to a NetApp via NFS. So this has the classic network filesystem problem
that operations that are normally cheap like `stat()` can actually have
nontrivial latency. Doing as much as possible in threads is better there too.

Closes: #1006
Approved by: jlebon

ci/papr: Update to F26

In particular F25AH will stop getting updates.

Closes: #1012
Approved by: jlebon

Move the include directive to the enum template

There is no actual written guarantee in glib-mkenums that the template
line specified using --fhead will be added after the templates specified
inside the template file. Since the template file is only used once, we
can simply move the `#include` directive inside the template, so that it
is guaranteed to be in the right place.

Closes: #1007
Approved by: cgwalters

lib/pull: Avoid journaling 404s for optional content

Currently in Fedora we don't sign summaries, and every use of
`rpm-ostree` would emit to the journal an error when we failed
to fetch it.

Fix this by having `OSTREE_FETCHER_REQUEST_OPTIONAL_CONTENT` tell the fetcher
not to journal 404 errors. While fixing this, we had a mix of two booleans vs
the flags; fix things so we consistently use the flags in the fetcher and pull
code.

Closes: #1004
Approved by: mbarnes

build: Ensure all experimental tests are distributed in tarballs

As with the previous commit, ensure that tests which are run when
configured with --enable-experimental-api, are always distributed; even
when running `make dist` from a source tree configured with
--disable-experimental-api.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1002
Approved by: cgwalters

build: Ensure all .sym files are distributed in tarballs

Since we’re using a custom variable for listing the .sym files,
automake’s magic support for automatically distributing all files in
conditionals doesn’t work, and the devel and experimental .sym files
were only being distributed if `make dist` was run on a source tree
which had been configured with --enable-experimental-api or not a
release flag.

Fix that by explicitly listing all the .sym files in EXTRA_DIST.

Specifically, this fixes the case of trying to compile with
--enable-experimental-api from a release tarball which was disted with
--disable-experimental-api.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1001
Approved by: cgwalters

lib/repo: Add OSTREE_REPO_METADATA_REF as a well-known metadata store

As discussed in https://github.com/ostreedev/ostree/pull/946, the
summary file is becoming an unsigned cache of ref information; any
additional metadata for the repository needs to move elsewhere in order
to remain signed. Introduce OSTREE_REPO_METADATA_REF as the well-known
name of a ref where such metadata can live, as the metadata on
contentless commits.

Don’t yet update the documentation for summary-related methods to
mention this, since it’s still hidden behind the
--enable-experimental-api configure option.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #946
Approved by: cgwalters

lib/repo-commit: Fix types of content size cache entries

Use goffset rather than gsize for file sizes. More importantly, get the
unpacked_size from g_file_info_get_size() (goffset) rather than from the
splice return value, which has type gssize.

This will make a difference on 32-bit systems, where goffset is defined
as off64_t, but gsize is 32 bits.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #999
Approved by: cgwalters

tests: Run pull tests for bare/bare-user

We have variants of `test-basic` for all 4 modes, but not for pull-test, which
for some reason was named `pull-archive`, but mostly pulls *into* bare repos.
The test code was structured like the basic one where it called into a
`pull-test.sh`, so let's actually use it for 2/3 bare modes. (I tried to extend
it to `bare-user-only` but it failed, going to look at that after this).

This is related to https://github.com/ostreedev/ostree/issues/991

Closes: #998
Approved by: jlebon

checkout: Don't set dir mtime to 0 when doing a force copy checkout

When we [switched to using checkout + force_copy](https://github.com/ostreedev/ostree/commit/e8efd1c8dcaad8fbd3b05c400972d237406263e7),
a side effect that went unnoticed at the time is that we started
setting directory mtimes to zero.

See the below bug where we long ago set the file times to zero, which got fixed,
so let's not regress things by setting the directory times to zero either. (Even
though AFAICS GNU tar doesn't complain about those)

This semantic is somewhat "overloaded" onto `force_copy`, but it avoids adding
yet another boolean; we don't have that many reserved boolean slots left. I
can't really think of many good use cases for `force_copy` *other* than the
`/etc` merge anyways.

https://bugzilla.redhat.com/show_bug.cgi?id=1229160

Closes: https://github.com/ostreedev/ostree/issues/995
Closes: #997
Approved by: jlebon

deploy: Port some functions to new style

There are a number of simple ports here. Prep for further work
in `/etc` merge.

I also stripped trailing whitespace globally.

Closes: #996
Approved by: jlebon

tests: New tests for creating commits with bindings and pulling them

Closes: #972
Approved by: cgwalters

lib/pull: Collection and ref bindings verification

This verifies the collection and ref bindings in the commit metadata
against the collection ID we have stored in the remote config and ref
we want to pull from. For the HEAD commits, we also check if the
checksum of the commit we just fetched agrees with the checksum we
really wanted to pull from the ref.

For commits with explicitly specified checksums and without specified
refs, we only verify if the commit has the bindings. We are able to
only verify the collection binding, though.

Closes: #972
Approved by: cgwalters

lib/pull: Pass the ref together with the request

We will want to use the requested ref later for the binding
verification.

Closes: #972
Approved by: cgwalters

ostree: Add collection and ref bindings to metadata on commit

The collection and ref bindings are stored in the commit metadata
under ostree.collection-binding and ostree.ref-binding,
respectively. They will be used to verify if the commit really comes
from the collection and ref we wanted to pull from.

Closes: #972
Approved by: cgwalters

build-sys: Post-release version bump

Closes: #994
Approved by: jlebon

Release 2017.8

Closes: #994
Approved by: jlebon

lib/repo: Immediately error creating bare-user repo on tmpfs

And in general, if for some reason we can't write `user.` xattrs, provide an
error immediately rather than doing it during a later pull. This way the failure
cause is a lot more obvious.

Related: https://github.com/ostreedev/ostree/issues/991

Closes: #993
Approved by: jlebon

pull: Cleanly error when doing local pulls of remote-prefixed refs

In the storage PR I was trying to do a `pull-local` of the whole
`/ostree/repo` on the system, which ended up triggering a `g_critical()`
in the collections code, since we tried to parse a remote-prefixed ref
`fedora:fedora/26/x86_64/atomic-host` as a ref.

I'm not sure offhand what our behavior in this case *should* be. I
think git only clones local refs, but I need to check.

This corner case arises only with `pull-local`. But in any case,
while we were previously saying this is programmer error, since it's
so easy to pass various unchecked input into the pull machinery,
make invalid refs an explicit error.

Closes: #992
Approved by: jlebon

lib/repo: Add min-free-space-percent option, default 3%

For ostree-as-host, we're the superuser, so we'll blow past
any reserved free space by default. While deltas have size
metadata, if one happens to do a loose fetch, we can fill
up the disk.

Another case is flatpak: the system helper has similar concerns
here as ostree-as-host, and for `flatpak --user`, we also
want to be nice and avoid filling up the user's quota.

Closes: https://github.com/ostreedev/ostree/issues/962
Closes: #987
Approved by: jlebon

lib/commit: Use provided length when doing writes

This is prep for storage space checks, where we look at free
space after parsing the metadata, before we write anything.

We did length-limited writes in the fd-based input path, but not for the
`GInputStream` path which in practice is used for HTTP pulls.

Closes: #987
Approved by: jlebon

lib/commit: Ensure bare-user objects are always user-readable

Some of the Jenkins jobs for Fedora Atomic Host broke after updating
to 2017.7, and it turns out that we regressed handling unreadable
files in `bare-user` mode. An example of this is `/etc/shadow`, which
ends up in the ostree-as-host content as `/usr/etc/shadow`.

Now there are better fixes here; we should probably delete it and create it
during the config merge if it doesn't exist. In general, having secret files in
ostree really isn't supported, so it doesn't make sense to include them.

But let's fix this regression - when operating as an unprivileged user we don't
have `CAP_DAC_OVERRIDE` and hence will fail to open un-user-readable objects.

(We still preserve the actual `0` mode of course in the xattr and will
apply it in `bare`)

Closes: #989
Approved by: jlebon

bin/commit: Add '=' to --statoverride

Previously, we only supported additions in the statoverride file;
it was mainly for adding the setuid bit without having that physically
on disk.

However, for testing a change to `bare-user` handling around *unreadable*
files (which happens for `/etc/shadow` in host content), I need a way
to write that into a repo in the test suite.

I'm not actually aware of a non-test-suite use case for this; a more
sophisticated user is going to be using the API directly, which can already do
this. But we need it for tests at least.

Closes: #989
Approved by: jlebon

bin/commit: Port helper functions to new style

Prep for more work here. Can't yet port the main function
without a cleanup for transactions.

Closes: #988
Approved by: jlebon

lib/commit: Fix a tmpfile fd leak in static delta processing

I had thought `glnx_link_tmpfile_at()` actually consumed the tmpfile;
it does consume the *path* but not the fd. In the non-delta path
things were fine since we used the autocleanup.

But the delta code had a tmpfile allocated in its struct that got reused, and
hence leaked the fd. Fix this by making the commit API actually consume the
tmpfile fully, just like the path path.

Closes: #986
Approved by: jlebon

Add "pull --localcache-repo"

This is a lot like `git clone --reference`, but we chose "localcache" as the
term "reference" is already used.

The main use case I'm targeting this for is the Fedora Atomic Host installer
case where we embed the repo content in the installer, but we may want to
kickstart and download newer content. There, while we want to get a newer ref,
we can still use the local repo as an object cache, since we have it sitting
there in memory anyways.

Another case is where one has a host ostree (say e.g. Fedora Atomic
Workstation), and one wants to create a local archive mirror of FAH. Then one
can use `pull --reference /ostree/repo` and pull the common objects (e.g.
contents of `bash.rpm` etc.)

Closes: https://github.com/ostreedev/ostree/issues/975
Closes: #982
Approved by: jlebon

lib/pull: Move check for requested content earlier

This is prep for a later patch; currently the logic is unchanged, but we'll need
this if we make local imports async.

Closes: #982
Approved by: jlebon

pull: fix GLNX_HASH_TABLE_FOREACH_KV regressions

These are regression from #971. We were stuffing a pointer size inside a
variable of integer size. So the assignment was spilling over into other
variables' storage space. Actually use a gpointer and GPOINTER_TO_[U]INT
as was done originally.

Also bump libglnx which has static checks for this error in the future.

Update submodule: libglnx

Closes: #990
Approved by: cgwalters

lib/repo: Fix repo-finder deleting remote configs when run

An inverted condition in _ostree_repo_add_remote() was causing the
OstreeRepoFinder to delete precisely the wrong remote
configurations from memory once it was finished. It’s supposed to delete
the ones which it transiently added; but was instead deleting all the
existing remote configurations.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #985
Approved by: cgwalters

lib/commit: Port a few minor functions to new style

Not sure why these weren't converted before.

Closes: #984
Approved by: jlebon

lib: Add a helper to convert struct stat → GFileInfo

It's more natural for a few calling places. Prep for patches to go the other
way, which in turn are prep for adding a commit filter v2 that takes `struct
stat`.

`ot_gfile_type_for_mode()` was only used in this function, so inline it here.

Closes: #974
Approved by: jlebon

cmdline/pull: Print final status even if noninteractive

Previously, `ostree pull` was silent if not on a tty. I don't
see a reason not to print the final status line at least. This
is prep for more work in the test suite, so I can write assertions
on the output.

But it should also be nicer for people who e.g. do an `ostree pull` in a Jenkins
job or whatever.

Closes: #981
Approved by: jlebon

tree-wide: Replace various uses of `archive-z2` → `archive`

The `-z2` is annoying now since it's really a legacy; we've long
since supported typing `archive`. Convert the docs fully and
explain that.

Also do some (but not all) of the tests just to encourage newer tests to use
`archive` too.

Closes: #980
Approved by: jlebon

lib/pull: Don't fetch detached metadata twice for local pulls

Obviously very minor, but I noticed this while working on `pull --reference`. If
we have a local repo, we'll have already done a hardlink and copied the detached
metadata too, so there's no reason to request it again via the fetcher path.

Closes: #978
Approved by: jlebon

tests: Fix assert_files_hardlinked

It was always succeeding because we were trying to stat the inode number, and
failing, and thus getting the empty string for both, which compared as true.

Regression from:
<https://github.com/ostreedev/ostree/commit/74e3581e>

Noticed this while working on
<https://github.com/ostreedev/ostree/pull/974>
and looking at the test results.

Closes: #976
Approved by: jlebon

lib/pull: Some small style porting

I'd mostly been avoiding this file since there's always patches outstanding, but
these few functions shouldn't conflict much.

Closes: #979
Approved by: jlebon

lib/repo: Port bareuser-conversion stat to bare load

I noticed this is a simple call that's useful to port to the new internal-only
non-allocating API.

Closes: #977
Approved by: jlebon

lib/deltas: More porting to new code style

Just noticed some of this while working on the previous tmpfile bits.

Closes: #973
Approved by: jlebon