Colin Walters [Thu, 20 Mar 2025 16:47:48 +0000 (12:47 -0400)]
unlock: Use deployment backing dir
Closes: https://github.com/ostreedev/ostree/issues/3391
Basically it's not uncommon to make `/var/tmp` a separate
partition, but this constrains the amount of data that
can be written to `/usr` when unlocking.
Change things here to write to the deployment's backing
dir which is part of the same rootfs as the storage
and is lifecycle bound to the deployment, ensuring
it gets GC'd.
Signed-off-by: Colin Walters <walters@verbum.org>
Joseph Marrero Corchado [Fri, 21 Mar 2025 14:02:03 +0000 (10:02 -0400)]
Merge pull request #3396 from cgwalters/release
Release 2025.2
Colin Walters [Wed, 19 Mar 2025 21:21:08 +0000 (17:21 -0400)]
Post-release version bump
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Wed, 19 Mar 2025 21:20:44 +0000 (17:20 -0400)]
Release 2025.2
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Fri, 21 Mar 2025 12:11:50 +0000 (08:11 -0400)]
tests/auto-prune: Don't go negative
- First I kept wondering what the magic of 10000 was here before
looking above and noticing it matched the number of dtb files.
Make a shared variable so the connection is more obvious
- Next, I *believe* the intention of this test was to test
the edge case of bytes vs blocks, but we ended up subtracting
blocks and I think recent FCOS images happened to get small
enough that we started going negative here.
Fix this to convert the bytes into blocks.
Colin Walters [Tue, 18 Mar 2025 15:02:51 +0000 (11:02 -0400)]
Merge pull request #3278 from ueno/wip/dueno/pkcs8
sign: Support generic "spki" type of commit signatures
Daiki Ueno [Fri, 12 Jul 2024 03:54:13 +0000 (12:54 +0900)]
sign: Support generic "spki" type of commit signatures
The current "
ed25519" signing type assumes raw
Ed25519 key format for
both public and private keys. This patch generalizes it by adding a
new signature type "spki" which uses the X.509 SubjectPublicKeyInfo
format for public keys. Keys in this format can easily be created with
openssl tools and provide crypto agility[1] as the format embeds
algorithm identifier.
The supposed use-case of this feature is to attach multiple signatures
with different algorithms to a single commit, so even if an algorithm
turned vulnerable, the signatures made with other algorithms can still
be used as a fallback. For instance, signer can create an
Ed25519
signature along with a quantum-resistent ML-DSA signature.
The following are a couple of implementation notes:
- The private keys shall be stored in the PKCS#8 format, though future
extensions may support other format such as opaque key handles on a
hardware token.
- The "spki" signature type prefers the keys to be encoded in the PEM
format on disk, while it still accepts base64 encoded keys when given
through the command-line.
1. https://en.wikipedia.org/wiki/Cryptographic_agility
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Wed, 11 Sep 2024 07:04:34 +0000 (16:04 +0900)]
tests: Use tap_ok/tap_end in test-signed-commit.sh
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 9 Aug 2024 05:54:27 +0000 (14:54 +0900)]
sign: Add PEM reading facility
This adds a new class OstreePemReader, which reads PEM blocks from an
input stream. This would be useful for the "x509" signing backend, as
the keys are typically stored in the PEM format.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Sun, 11 Aug 2024 06:08:12 +0000 (15:08 +0900)]
sign: Factor out logic to read key blobs
This defines a new interface OstreeBlobReader, which encapsulates the
key file parsing logic. This would make it easy to support custom file
formats such as PEM.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Sat, 13 Jul 2024 01:05:00 +0000 (10:05 +0900)]
sign: Use explicit_bzero to clear secret key material
Suggested in:
https://github.com/ostreedev/ostree/pull/3278#discussion_r1675696052
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 12 Jul 2024 06:29:58 +0000 (15:29 +0900)]
sign: Fix typo in error messages and comments
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Colin Walters [Tue, 18 Mar 2025 01:59:05 +0000 (21:59 -0400)]
Merge pull request #3395 from cgwalters/syncfs-clarification
commit: Clarify that syncfs is of repo/tmp
Colin Walters [Mon, 17 Mar 2025 23:09:53 +0000 (19:09 -0400)]
commit: Clarify that syncfs is of repo/tmp
We saw this in an error message:
```
error: Generating commit from rootfs: syncfs: Not a directory
```
I'm pretty sure it's this function call but let's be a bit
more sure by adding a bit more context.
Colin Walters [Mon, 17 Mar 2025 13:21:43 +0000 (09:21 -0400)]
Merge pull request #3387 from smcv/debug3386
test-gpg-verify-result: Show what the result was before asserting about it
Colin Walters [Mon, 17 Mar 2025 12:45:07 +0000 (08:45 -0400)]
Merge pull request #3394 from vmorris/patch-1
Update introduction.md
Colin Walters [Mon, 17 Mar 2025 12:31:40 +0000 (08:31 -0400)]
Merge pull request #3393 from champtar/fsfreeze-boot
Use fsfreeze_thaw_cycle(/boot) instead of fsync(/boot)
Vance Morris [Mon, 17 Mar 2025 03:54:54 +0000 (22:54 -0500)]
Update introduction.md
slight rewording to remove redundancy
Etienne Champetier [Thu, 13 Mar 2025 13:04:20 +0000 (09:04 -0400)]
Use fsfreeze_thaw_cycle(/boot) instead of fsync(/boot)
Grub doesn't support replaying XFS journal, so when using
XFS for /boot, fsync() or syncfs() are not enough and can
leave the system in an unbootable state.
Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
Colin Walters [Mon, 10 Mar 2025 19:57:54 +0000 (15:57 -0400)]
Merge pull request #3389 from jlebon/pr/drop-finalize-staged-path
boot: Drop ostree-finalize-staged.path
Jonathan Lebon [Fri, 7 Mar 2025 21:49:27 +0000 (16:49 -0500)]
boot: Drop ostree-finalize-staged.path
This effectively reverts
ac1a919f ("boot: Add
ostree-finalize-staged.path").
A bug came in on the OCP side that demonstrates that the way things are
setup right now is racy. If a reboot is triggered quickly after staging
a deployment, the whole pipeline of:
- ostree-finalize-staged.path, which triggers
- ostree-finalize-staged.service, which triggers
- ostree-finalize-staged-hold.service,
may not fully have happened before systemd isolates to `reboot.target`
which will want to kill all pending jobs.
Just directly starting the systemd unit is less elegant but much more
explicit and gets rid of any possible race because it's directly part of
the staging operation.
Fixes: https://issues.redhat.com/browse/OCPBUGS-51150
Simon McVittie [Wed, 26 Feb 2025 19:20:00 +0000 (19:20 +0000)]
test-gpg-verify-result: Show what the result was before asserting about it
Helps: https://github.com/ostreedev/ostree/issues/3386
Signed-off-by: Simon McVittie <smcv@debian.org>
Colin Walters [Tue, 25 Feb 2025 21:42:36 +0000 (16:42 -0500)]
Merge pull request #3385 from cgwalters/log-xattr-conflict
core: Fix bare-user xattr canonicalization
Colin Walters [Tue, 25 Feb 2025 19:14:19 +0000 (14:14 -0500)]
core: canonicalize bare-user xattrs
Previously we were erroring out if xattrs were provided in
non-canonical (e.g. unsorted) form all the way down to just
the bare-user path. But for archive repos and dirmeta we
canonicalized.
Canonicalize bare-user xattrs on both read and write consistently
instead of erroring.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Tue, 25 Feb 2025 18:41:23 +0000 (13:41 -0500)]
tests/basic: Add lots of user. xattrs
This exercises our requirement for xattr sorting.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Tue, 25 Feb 2025 18:33:48 +0000 (13:33 -0500)]
commit: Add errprefix for bareuser metadata
To aid debugging.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Tue, 25 Feb 2025 18:19:27 +0000 (13:19 -0500)]
core: Print which xattrs are not sorted
I hit this in the rpm-ostree rechunker flow somehow
and with this change I now get:
`error: Generating commit from rootfs: Processing dir var: Writing content object: Incorrectly sorted xattr name (prev=user.Librepo.checksum.mtime, cur=security.selinux), index=2`
which is more useful, although I still need to figure out
and fix why that's happening (again?).
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Fri, 14 Feb 2025 13:34:42 +0000 (08:34 -0500)]
Merge pull request #3382 from alyssais/private
libostree: add private dependencies to pkg-config
Colin Walters [Fri, 14 Feb 2025 13:30:49 +0000 (08:30 -0500)]
Merge pull request #3383 from alyssais/libmount
libostree: remove unused libmount include
Alyssa Ross [Fri, 14 Feb 2025 11:29:46 +0000 (12:29 +0100)]
libostree: remove unused libmount include
As far as I can tell, this hasn't been used since
9a526bba ("sysroot: Handle ro /boot but rw /sysroot").
Alyssa Ross [Fri, 14 Feb 2025 11:26:11 +0000 (12:26 +0100)]
libostree: add private dependencies to pkg-config
This makes it possible to use pkg-config to link against libostree as
a static library. Unlike shared libraries, static libraries don't
encode their dependencies in the library file, so we have to
communicate them via pkg-config.
Jonathan Lebon [Mon, 10 Feb 2025 22:09:54 +0000 (17:09 -0500)]
Merge pull request #3381 from cgwalters/set-log-cb
sepolicy: Add ostree_sepolicy_set_null_log
Colin Walters [Mon, 10 Feb 2025 20:24:18 +0000 (15:24 -0500)]
sepolicy: Add ostree_sepolicy_set_null_log
Let's quiet the output of libselinux by default, all we
get is the pointless "regex version mismatch" warnings.
This is what e.g. systemd does.
This is exposed via the library; our binary opts in,
then we expect higher level tools like e.g. bootc to
do this too.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Mon, 3 Feb 2025 18:17:54 +0000 (13:17 -0500)]
Merge pull request #3377 from cgwalters/log-require-verity
prepare-root: Log when we're mounting with verity required
Colin Walters [Mon, 3 Feb 2025 17:40:37 +0000 (12:40 -0500)]
Merge pull request #3379 from nikita-dubrovskii/pvimg
zipl: remove 'sdboot' image before generating new one
Colin Walters [Mon, 3 Feb 2025 14:50:19 +0000 (09:50 -0500)]
Merge pull request #3378 from cgwalters/update-gir-follow
Update gir followup
Nikita Dubrovskii [Mon, 3 Feb 2025 11:51:11 +0000 (12:51 +0100)]
zipl: remove 'sdboot' image before generating new one
Colin Walters [Sat, 1 Feb 2025 18:45:27 +0000 (13:45 -0500)]
rust: Update to glib 0.20
Since we're releasing a new version of our crates,
let's update to the latest.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Sat, 1 Feb 2025 18:37:20 +0000 (13:37 -0500)]
rust: Regenerate with correct Since
To ensure the recent kexec_load API has a feature gate.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Sat, 1 Feb 2025 18:36:07 +0000 (13:36 -0500)]
lib: Add missing Since annotations to two recent APIs
On general principle, but specfiically this is needed
to ensure the Rust binding generator correctly handles
feature flags for them.
Colin Walters [Sat, 1 Feb 2025 17:53:05 +0000 (12:53 -0500)]
Merge pull request #3376 from Mstrodl/feature/mstrodl/update-gir
Update GIR
Mary Strodl [Thu, 30 Jan 2025 19:20:20 +0000 (14:20 -0500)]
Cargo: bump MSRV, need c-string literals
Signed-off-by: Colin Walters <walters@verbum.org>
Mary Strodl [Fri, 3 Jan 2025 13:59:38 +0000 (08:59 -0500)]
rust-bindings/tests: Display no longer implemented, but Debug is
Signed-off-by: Colin Walters <walters@verbum.org>
Mary Strodl [Fri, 3 Jan 2025 13:57:55 +0000 (08:57 -0500)]
rust-bindings: Regenerate Bindings
Signed-off-by: Colin Walters <walters@verbum.org>
Mary Strodl [Fri, 3 Jan 2025 13:56:16 +0000 (08:56 -0500)]
rust-bindings: upgrade gir and dependencies
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Sat, 1 Feb 2025 15:23:29 +0000 (10:23 -0500)]
prepare-root: Log when we're mounting with verity required
On general principle, but specifically as I wanted to cross-check
this when debugging something else.
Colin Walters [Mon, 27 Jan 2025 18:55:08 +0000 (13:55 -0500)]
Merge pull request #3375 from fossdd/musl
libotutil: Remove redundant import of prctl.h
fossdd [Mon, 27 Jan 2025 16:49:39 +0000 (17:49 +0100)]
libotutil: Remove redundant import of prctl.h
sys/prctl.h already provides prctl.h and adding both imports fails on
musl libc:
/usr/include/sys/prctl.h:88:8: error: redefinition of 'struct prctl_mm_map'
88 | struct prctl_mm_map {
| ^~~~~~~~~~~~
In file included from src/libotutil/ot-unix-utils.c:33:
/usr/include/linux/prctl.h:134:8: note: originally defined here
134 | struct prctl_mm_map {
| ^~~~~~~~~~~~
Colin Walters [Mon, 20 Jan 2025 20:17:11 +0000 (15:17 -0500)]
Merge pull request #3370 from igoropaniuk/contribute_updates
docs: update Dockerfile
Colin Walters [Thu, 16 Jan 2025 15:03:22 +0000 (10:03 -0500)]
Merge pull request #3371 from jmarrero/release-2025.1
Release 2025.1
Joseph Marrero Corchado [Wed, 15 Jan 2025 18:14:43 +0000 (13:14 -0500)]
configure: post-release version bump
Joseph Marrero Corchado [Tue, 14 Jan 2025 16:12:52 +0000 (11:12 -0500)]
Release 2025.1
Igor Opaniuk [Wed, 15 Jan 2025 16:08:51 +0000 (17:08 +0100)]
docs: update Dockerfile
Fix issues in Dockerfile:
1. Update Fedora image to the latest version 41, otherwise docker build
fails with an error:
Step 1/7 : FROM registry.fedoraproject.org/fedora:28
manifest for registry.fedoraproject.org/fedora:28 not found: manifest unknown: manifest unknown
2. Force install python3-yaml package, as it's required for running some
tests. For example, tests/test-remote-headers.sh will fail without
it:
V=$($CMD_PREFIX ostree --version | \
python3 -c 'import sys, yaml; print(yaml.safe_load(sys.stdin)["libostree"]["Version"])')
Traceback (most recent call last):
File "<string>", line 1, in <module>
import sys, yaml; print(yaml.safe_load(sys.stdin)["libostree"]["Version"])
^^^^^^^^^^^^^^^^
ModuleNotFoundError: No module named 'yaml'
With these fixes `make check` executes successfully in a container:
============================================================================
Testsuite summary for libostree 2024.11
============================================================================
TOTAL: 935
PASS: 888
SKIP: 47
XFAIL: 0
FAIL: 0
XPASS: 0
ERROR: 0
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Jonathan Lebon [Fri, 10 Jan 2025 15:41:54 +0000 (10:41 -0500)]
Merge pull request #3366 from cgwalters/unconditional-cfs
Colin Walters [Thu, 9 Jan 2025 15:55:27 +0000 (10:55 -0500)]
Always generate composefs blob, don't enable runtime by default
Followup to https://github.com/ostreedev/ostree/pull/3353/commits/
9a0acd7249bb0c7f55c2bf56e5073902cd60038b
Basically our composefs enablement flag has long had a tension between
trying to do two things:
- Enable generating the composefs blob (at deployment time)
- Enable at runtime in prepare-root
And we've hit issues in "ratcheting" enabling composefs
across upgrades because of this.
This change builds on the previous one, and now it's really
simple to talk about:
- If composefs is enabled at build time, we *always*
generate a composefs blob at deplyment time
- Configuring the prepare-root config now mostly
only affects the runtime state.
There is one detail though: in order to handle the
verity requirement at deploy time, we do still parse
the config then.
But for the basic "is composefs enabled at all at runtime"
that is now fully keyed off the config, not the build time
or (worse) whether the deployment happened to have a composefs
blob.
For users who want composefs on, they need to do so in the base
image configuration.
Signed-off-by: Colin Walters <walters@verbum.org>
Jonathan Lebon [Thu, 9 Jan 2025 20:35:43 +0000 (15:35 -0500)]
Merge pull request #3367 from cgwalters/clang-format
Colin Walters [Thu, 9 Jan 2025 16:47:26 +0000 (11:47 -0500)]
tree-wide: Rerun clang-format, update ci
We have drift again here because we're using an old clang-format
in CI, and some things have landed that it didn't catch.
And update clang-format to ubuntu-24.04 so we are running
against something more modern.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Thu, 2 Jan 2025 14:23:16 +0000 (09:23 -0500)]
Merge pull request #3364 from ruihe774/geteuid
chore: Use geteuid() instead of getuid() to check privilege
Colin Walters [Thu, 2 Jan 2025 14:20:41 +0000 (09:20 -0500)]
Merge pull request #3362 from Mstrodl/feature/mstrodl/kexec2
bin/admin-upgrade: add kexec support
Mary Strodl [Thu, 12 Dec 2024 14:30:59 +0000 (09:30 -0500)]
bin/admin-upgrade: add kexec support
Adds a new `--kexec` flag to `ostree admin upgrade` which will cause
the deployment to be loaded into kexec after the upgrade completes.
It is particularly useful in conjunction with the `--reboot` flag to
perform a reboot into the new deployment without waiting for the
(often slow) firmware initialization to take place. (And in my case,
allows me to avoid a normal reboot, which can be unreliable on my
hardware).
After an image has been loaded (using the `kexec_file_load` syscall),
the `systemctl-reboot` command (which is called when the existing
`-r` flag is included) will trigger a kexec on the loaded image
rather than a normal reboot. From `systemctl(1)`:
If a new kernel has been loaded via kexec --load, a kexec will be
performed instead of a reboot, unless "SYSTEMCTL_SKIP_AUTO_KEXEC=1"
has been set. If a new root file system has been set up on
"/run/nextroot/", a soft-reboot will be performed instead of a
reboot, unless "SYSTEMCTL_SKIP_AUTO_SOFT_REBOOT=1" has been set.
A good in-depth technical explanation of kexec can be found here:
https://web.archive.org/web/
20090505132901/http://www.ibm.com/developerworks/linux/library/l-kexec.html
My implementation uses the `kexec_file_load` syscall rather than the
older `kexec_load` syscall, which allows the kernel to verify the
signatures of the new kernel. It is supported on Linux 3.17 and
newer. I assume this probably won't be an issue, but if it is, it's
not that hard to put a preprocessor directive around the kexec stuff
to disable it for older kernels. Even RHEL is new enough now to
not be an issue :)
Closes: #435
Misaki Kasumi [Fri, 20 Dec 2024 12:35:08 +0000 (20:35 +0800)]
chore: Check CAP_SYS_ADMIN in ot_util_process_privileged
Misaki Kasumi [Wed, 18 Dec 2024 15:48:41 +0000 (23:48 +0800)]
chore: Use geteuid() instead of getuid() to check privilege
Colin Walters [Thu, 19 Dec 2024 22:10:40 +0000 (17:10 -0500)]
Merge pull request #3361 from cgwalters/release
Release 2024.10
Colin Walters [Thu, 19 Dec 2024 21:23:48 +0000 (16:23 -0500)]
Merge pull request #3351 from cgwalters/fix-transient-root-doc
man: Note semantics combining `root.transient` with `composefs.enabled`
Colin Walters [Thu, 19 Dec 2024 20:11:29 +0000 (15:11 -0500)]
Post-release version bump
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Thu, 19 Dec 2024 20:09:45 +0000 (15:09 -0500)]
Release 2024.10
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Fri, 6 Dec 2024 19:57:19 +0000 (14:57 -0500)]
man: Note semantics combining `root.transient` with `composefs.enabled`
It's all quite confusing having to reason about both the pre-composefs
ostree and the composefs version. But hopefully soon we more firmly
leave behind that first legacy.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Tue, 17 Dec 2024 20:34:37 +0000 (15:34 -0500)]
Merge pull request #3353 from jlebon/pr/composefs-maybe
libostree/deploy: enable composefs by default
Colin Walters [Tue, 17 Dec 2024 19:59:00 +0000 (14:59 -0500)]
Merge pull request #3354 from ruihe774/cfs-verity
prepare-root: Add composefs.enabled=verity
Colin Walters [Tue, 17 Dec 2024 19:22:10 +0000 (14:22 -0500)]
Merge pull request #3348 from qiuzhiqian/main
rofiles-fuse: when fuse execution fails, rofiles-fuse still returns exit code 0
Colin Walters [Tue, 17 Dec 2024 19:21:53 +0000 (14:21 -0500)]
Merge pull request #3357 from ruihe774/validate-len
sign-
ed25519: Fix error message of validate_length
Jonathan Lebon [Sat, 14 Dec 2024 13:47:21 +0000 (08:47 -0500)]
lib/deploy: error out if composefs enabled but unsupported
If composefs was explicitly requested (`enabled = true`) but libostree
was not compiled with composefs support, error out at deploy time. This
matches the logic in `ostree-prepare-root`.
Jonathan Lebon [Sat, 14 Dec 2024 13:45:19 +0000 (08:45 -0500)]
libostree/deploy: enable composefs by default
The composefs libostree integration has been supported for a while now
and is actively in use in various ostree/bootc-based systems. Let's
turn it on by default.
This has no effect if composefs support is not compiled in. Note also
that this does not change the default value of the `composefs.enabled`
tristate to `true`. The default is still `maybe`, but the deploy API
will now also create composefs images for `maybe`.
The reason for doing it this way is so that systems upgrading from
old libostree versions (which may either not have composefs support or
may have composefs-related bugs) will still be able to upgrade and not
trip `ostree-prepare-root` in the new deployment (which allows missing
composefs images for `maybe`).
We may in the future change the default value to `true`.
See also: https://github.com/ostreedev/ostree/issues/2867
Colin Walters [Tue, 17 Dec 2024 16:39:49 +0000 (11:39 -0500)]
Merge pull request #3356 from cgwalters/fix-ci
Fix ci
Misaki Kasumi [Tue, 17 Dec 2024 01:58:48 +0000 (09:58 +0800)]
sign-
ed25519: Fix error message of validate_length
Misaki Kasumi [Mon, 16 Dec 2024 20:48:50 +0000 (04:48 +0800)]
sysroot-deploy: Require fsverity when composefs.enabled=verity
Misaki Kasumi [Mon, 16 Dec 2024 11:41:21 +0000 (19:41 +0800)]
prepare-root: Add composefs.enabled=verity
Colin Walters [Mon, 16 Dec 2024 17:03:03 +0000 (17:03 +0000)]
deny: Add Unicode-3.0
This is under e.g.
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
and is now used by the unicode-ident crate.
Colin Walters [Mon, 16 Dec 2024 16:56:57 +0000 (16:56 +0000)]
Switch to quay.io vs registry.ci
The old one was a mirror that seems to have finally
been decommissioned.
Colin Walters [Tue, 3 Dec 2024 16:20:33 +0000 (11:20 -0500)]
Merge pull request #3346 from cgwalters/commit-label-ordering
core: Always sort incoming xattrs
qiuzhiqian [Tue, 3 Dec 2024 12:33:48 +0000 (20:33 +0800)]
rofiles-fuse: Fixed the problem that when fuse execution fails, the command returns a status code of 0
testcase:
`$ sudo rofiles-fuse a b`
fuse: bad mount point `b': No such file or directory
`$ echo $?`
0
Colin Walters [Wed, 27 Nov 2024 02:15:23 +0000 (21:15 -0500)]
core: Always sort incoming xattrs
When recomputing selinux attrs during commit, we weren't sorting,
which could cause various issues like fsck failures.
This is a big hammer; change things so we always canonicalize
(i.e. sort) the incoming xattrs when creating a file header
and directory metadata.
I think almost all places in the code were already keeping
things sorted, but it's better to ensure correctness first.
If we ever have some performance issue (I'm doubtful) we
could add something like `_ostree_file_header_known_canonicalized`
or so.
Closes: https://github.com/ostreedev/ostree/issues/3343
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Thu, 14 Nov 2024 23:49:32 +0000 (16:49 -0700)]
Merge pull request #3340 from smcv/issue3339
composefs: Ensure buffer is suitably aligned for struct fsverity_digest
Simon McVittie [Thu, 14 Nov 2024 09:57:36 +0000 (09:57 +0000)]
composefs: Ensure buffer is suitably aligned for struct fsverity_digest
struct fsverity_digest starts with a __u16, so it will normally require
16-bit alignment, which is not guaranteed for a char array.
Resolves: https://github.com/ostreedev/ostree/issues/3339
Signed-off-by: Simon McVittie <smcv@debian.org>
Colin Walters [Tue, 12 Nov 2024 15:47:29 +0000 (08:47 -0700)]
Merge pull request #3337 from dabukalam/patch-1
README: Update buildstream URL to new github repo
Danny Abukalam [Tue, 12 Nov 2024 14:27:15 +0000 (14:27 +0000)]
README: Update buildstream URL to new github repo
John Eckersberg [Tue, 5 Nov 2024 14:41:27 +0000 (09:41 -0500)]
Merge pull request #3328 from cgwalters/release
Release 2024.9
Colin Walters [Tue, 29 Oct 2024 20:50:59 +0000 (16:50 -0400)]
configure: post-release version bump
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Tue, 29 Oct 2024 20:50:11 +0000 (16:50 -0400)]
Release 2024.9
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Mon, 4 Nov 2024 22:27:09 +0000 (17:27 -0500)]
Merge pull request #3334 from cgwalters/fix-composefs-default-docs
prepare-root: Fix composefs docs
Colin Walters [Mon, 4 Nov 2024 21:10:39 +0000 (16:10 -0500)]
Merge pull request #3331 from cgwalters/verity-no-verity
checkout: Only verify digest if repo requires fsverity
Colin Walters [Mon, 4 Nov 2024 19:28:13 +0000 (14:28 -0500)]
bootupd-static: Drop this test
It breaks due to https://bugzilla.redhat.com/show_bug.cgi?id=
2308594
Colin Walters [Mon, 4 Nov 2024 18:48:56 +0000 (13:48 -0500)]
prepare-root: Fix composefs docs
In practice in ostree-sysroot-deploy.c we only react to having
`composefs = yes`; the docs mention `maybe` but that never did
anything.
The value is wrong in the code too, but I'm not touching
that here to avoid conflating changes - the main thing to fix
is the docs because here `maybe == no`.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Wed, 30 Oct 2024 14:07:26 +0000 (10:07 -0400)]
checkout: Only verify digest if repo requires fsverity
Fixes a regression from the previous commit; in
the case where the target repo doesn't have composefs in
signed mode there's no reason to verify the digest
at checkout time because we aren't verifying it at
boot time either.
The regression is in cases that use rpm-ostree e.g.
where as of recently we unconditionally add the composefs
digest, but for e.g. FCOS we aren't deploying with fsverity
enabled.
Closes: https://github.com/ostreedev/ostree/issues/3330
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Thu, 31 Oct 2024 12:15:24 +0000 (08:15 -0400)]
Merge pull request #3333 from smcv/gpg-2-2-45
tests: Work around GPG 2.2.45 error behaviour when revoking an expired key
Simon McVittie [Thu, 31 Oct 2024 10:54:13 +0000 (10:54 +0000)]
tests: Work around GPG 2.2.45 error behaviour when revoking an expired key
In GPG 2.2.45, a diagnostic message about the only trusted key having
already expired causes this import to produce exit status 2, but the
import still succeeds (the key is still revoked).
Bug: https://dev.gnupg.org/T7351
Bug-Debian: https://bugs.debian.org/
1086140
Colin Walters [Wed, 30 Oct 2024 18:37:59 +0000 (14:37 -0400)]
Merge pull request #3332 from cgwalters/fixups-for-fcos-composefs-default
tests: Skip checking for immutable bit on composefs
Colin Walters [Wed, 30 Oct 2024 17:00:35 +0000 (13:00 -0400)]
tests: Skip checking for immutable bit on composefs
Needed changing after FCOS switch.
Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Tue, 29 Oct 2024 19:09:59 +0000 (15:09 -0400)]
Merge pull request #3326 from cgwalters/hack-deploy-no-verity
deploy: Don't recompute verity checksums if not enabled
Colin Walters [Sun, 27 Oct 2024 14:20:29 +0000 (10:20 -0400)]
deploy: Don't recompute verity checksums if not enabled
This fixes a truly horrific performance bug when
composefs is enabled, but fsverity is not supported
by the filesystem. We'd fall back to doing *userspace*
checksumming of all files at deployment time which was absolutely
not expected or required.
There's really an immense amount of technical debt
here, such as the confusion between `ex-integity.composefs`
vs the prepare-root config, how we handle "torn" states
where some objects don't have verity enabled but some do,
etc.
The ostree composefs state has two modes:
- signed: We need to enforce fsverity
- unsigned: Best effort resilience
So we fix this by making the deploy path to make verity
"opportunistic" - if the ioctl gives us the data, then we
add it to the composefs.
However, this code path is also invoked when we're
computing the expected composefs digest to inject
as commit metadata, and *that* API must work regardless
of whether the target repo has fsverity enabled as
it may operate on a build server.
One lucky thing in all of this: When I went to add
the "checkout composefs" API I added a stub `GVariant`
for options extensibility, which we now use.
Signed-off-by: Colin Walters <walters@verbum.org>
projects / ostree.git / log