dgit.raspbian.org Git - ostree.git/log

tests: Add a test case for path traversal in a dirtree

I was reading about a recent security issue with both EMC and VMWare:
https://arstechnica.com/information-technology/2018/01/emc-vmware-security-bugs-throw-gasoline-on-cloud-security-fire/

It's a classic path traversal problem, and that made me think more about our
handling of this in libostree.  Fortunately of course, not being new to
this rodeo, long ago I *did* consider path traversal.  Inside the pull
code, we call `ot_util_filename_validate()`.  Also, `fsck` does this too.

I have further followups here, but let's add some test cases for this. I crafted
a repository with a `../` in a dirtree object by patching libostree to inject
it, and that's included as a tarball.

This patch covers the two cases where we do already have checks; pulling
via HTTP, and in `fsck`.

Closes: #1412
Approved by: jlebon

tests/libtest-core: support multiple literal checks

`grep` supports checking multiple fixed strings separated by newlines,
but it's mostly just easier to pass them as separate arguments, so let's
support that. This is now at parity with the similar
`assert_file_has_content`.

Closes: #1409
Approved by: cgwalters

lib/fetcher: Add version to USER_AGENT string

This came up in allowing Fedora infrastructure to work around a libcurl bug with
HTTP2: https://pagure.io/atomic-wg/issue/405

Closes: https://github.com/ostreedev/ostree/issues/1405
Closes: #1406
Approved by: jlebon

tests: Use --finders option for find-remotes

All the current uses of the find-remotes command in the tests use it to
find configured remotes or mounted (USB) remotes, so using
--finders=config and --finders=mount in the tests respectively shouldn't
affect the correctness of the tests. It does however allow the tests to
be run in an environment that doesn't have an Avahi daemon.

Closes: #1407
Approved by: cgwalters

find-remotes: Add --finders option

It can be helpful to be able to choose which OstreeRepoFinder instances
to use when using the find-remotes command. For example, if the tests
need to run in an environment that can't have an Avahi daemon, this
allows you to disable the Avahi (LAN) finder. This commit adds the
--finders option for this purpose.

Closes: #1407
Approved by: cgwalters

Tests: test-no-initramfs: Test both legacy and new kernel locations

Closes: #1401
Approved by: cgwalters

ostree-grub-generator: update outdated comment

Closes: #1401
Approved by: cgwalters

Support for booting without initramfs

Previously when initramfs-* was not found in a deployment's
boot directory, it was assumed that rootfs is prepared for
ostree booting by a kernel patch.

With this patch, the behaviour changes to be - if initramfs-*
is not found, assume that system is using a static
ostree-prepare-root as init process. Booting without initramfs
is a common use case on embedded systems. This approach is
also more convenient, than having to patch the kernel.

Closes: #1401
Approved by: cgwalters

deploy: add --karg-none argument

If the current deployment has "rootwait root=/dev/sda2",
but the new deployment does not need "rootwait" anymore,
there is no way to clear this arg at the moment (as opposed
to "karg=root=", which overrides any earlier argument with
the same name). With "--karg-none" users can now clear all
the previous args and set new "root=":

ostree admin deploy --karg-none --karg=root=LABEL=rootfs

Closes: #1401
Approved by: cgwalters

ostree-prepare-root: enabler for simpler kernel arg

With the current approach, when ostree-prepare-root is used
on the kernel command line as init=, it always assumes that
the next value in the argument list is a path to the sysroot.
The code for falling back to a default path (if none is provided),
would only work if init= is the last arg in the argument list.
We can not rely on that and have to explicitly provide the
path to the sysroot. Which defeats the purpose of a default
path selection code.

To keep command line neater assume that sysroot is on / when
using ostree-prepare-root as init. This probably is what most
people want anyways. Also _ostree_kernel_args* API assumes
that args are space separated list. Which is problematic for:
"init=${ostree}/usr/lib/ostree/ostree-prepare-root /" as it
gets split in two.

Closes: #1401
Approved by: cgwalters

bash/ostree: add missing --add-metadata option

Closes: #1402
Approved by: cgwalters

bin/commit: add --keep-metadata option

Clients of libostree such as rpm-ostree make extensive use of the
`ostree commit -b foo --tree=ref=foo` pattern in their tests, e.g. to
simulate an update.

What I'm trying to solve here is that it's often the case that we want
to keep metadata from the previous commit without having to be too
verbose (i.e. reading from the parent, then passing it as an argument).

The new `--keep-metadata` switch makes this really easy. I intend to use
this in the rpm-ostree testsuite to make sure we always carry over the
`source-title` metadata as well as during set up for tests that require
`rpmostree.rpmdb.pkglist` metadata.

I initially implemented this in a small wrapper script that uses the API
directly, though we make use of so many other `ostree commit` functions
that it'd require re-implementing a lot of it.

Closes: #1402
Approved by: cgwalters

bin/commit: move parent checking code higher up

No functional change. Prep for the next commit.

Closes: #1402
Approved by: cgwalters

grub2: Exit gracefully if there's no system ostree repository

Apparently there testing systems that literally install *all*
packages. Having `ostree-grub2` currently causes grub2 to fail
on a non-ostree managed system. Let's just gracefully exit
if there's no system repository.

https://bugzilla.redhat.com/show_bug.cgi?id=1532668

Closes: #1399
Approved by: jlebon

ostree-grub-generator: fix typo in comment
Closes: #1398
Approved by: jlebon

build-sys: Allow building with curl, but without libsoup

Some people (particularly embedded) may find it simpler to
drop libsoup from the build dependency side, but still use libcurl.

Note though this currently neuters almost all of the tests.

Signed-off-by: Anton Gerasimov <anton.gerasimov@openmailbox.org>
Closes: #1397
Approved by: cgwalters

bin: Fix cookie builtin build with curl but no soup

Prep for supporting `--with-curl --without-soup`.

Closes: #1397
Approved by: cgwalters

rofiles: Fix --copyup when creating a new file

This tripped up the `docbook-dtds` `%post` in my experiments
with doing rpm-ostree for buildroots.

I cloned and built [xfstests](https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git)
but haven't yet investigated actually running it.

In the meantime let's do the obvious fix here; we need to distinguish
between "copyup enabled" and "actually did a copyup" in the open path
at least, since if we didn't do a copyup we don't need to re-open.

Closes: #1396
Approved by: jlebon

rofiles: Add --copyup option

Sadly https://sourceware.org/bugzilla/show_bug.cgi?id=22089 is I think going to
actually force us to cave here. Even if we got the glibc patch in today, we need
to support the RHEL glibc. See also discussion about fish as part of the general
Fedora tracker.

This is basically needed to unblock rpm-ostree unified core 🌐:
https://github.com/projectatomic/rpm-ostree/issues/729

Closes: https://github.com/ostreedev/ostree/issues/1377
Closes: #1382
Approved by: jlebon

tests: Assert that byte-order is swapped on LE but not BE CPUs

Closes: #1392
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1393
Approved by: cgwalters

Revert "ci: Make rust build nonblocking for now"

This reverts commit 8ef18fd850d53fa01e7a3d8fe47fdd069b276b85.

Closes: #1391
Approved by: smcv

build-sys: Link with -ldl for rust build

I didn't dive into this too much, it looks like something in rust changed that
broke our build. Probably libstd gained a dependency on `-ldl` or so, and that's
handled by cargo? Anyways linking against it isn't going to hurt.

Closes: #1391
Approved by: smcv

tests: Don't assume uid == primary gid

Nothing guarantees that each user has a group containing only
themselves. Even if they do, nothing guarantees that its group ID
equals the user ID, particularly if another user earlier in the same
range was created without a corresponding group or vice versa.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1390
Approved by: cgwalters

lib/pull: allways include ostree-repo-pull-private.h

Allways include ostree-repo-pull-private.h to get rid of the following
build error when HAVE_LIBCURL_OR_LIBSOUP is not defined:

src/libostree/ostree-repo-pull.c:1493:1: error: no previous prototype
for '_ostree_repo_verify_bindings' [-Werror=missing-prototypes]

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Closes: #1389
Approved by: cgwalters

build: Fix typo in -Wparentheses warning

GCC supports -Wparentheses, not -Wparenthesis.

https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wno-parentheses

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1388
Approved by: jlebon

build-sys: Post-release version bump

Closes: #1387
Approved by: jlebon

ci: Make rust build nonblocking for now

Will debug at some point but for now let's
unblock other things.

```
/usr/bin/ld: /var/tmp/checkout/target/release/libbupsplit_rs.a(bupsplit_rs-db7d02fa07221ce3.bupsplit_rs0.rust-cgu.o): undefined reference to symbol 'dladdr@@GLIBC_2.2.5'
```

Closes: #1387
Approved by: jlebon

Release 2017.15

Let's do a new release with the locking preview, the http2 disable options and
other misc bugfixes to close out the year.

Closes: #1386
Approved by: jlebon

Bump libglnx, use "n items" progress for fsck

Sooo much nicer. See also
https://github.com/projectatomic/rpm-ostree/pull/1143

Update submodule: libglnx

Closes: #1383
Approved by: jlebon

build-sys: Use -fno-strict-aliasing by default

See discussion in https://bugzilla.gnome.org/show_bug.cgi?id=791622

This is what e.g. systemd, the Linux kernel, and lots of other projects do. It's
astonishingly hard to reliably get right; the optimization IMO only really
matters for truly high performance inner loops, but if you're doing
that kind of stuff today you're probably doing it on a GPU anyways.

Closes: #1384
Approved by: pwithnall

bin/refs: Disallow aliases to remote refs

It can't really work in general; the client and server would
have to agree on the name of the remote.

Closes: https://github.com/ostreedev/ostree/issues/1342
Closes: #1381
Approved by: jlebon

bin/commit: Support creating "unbound" commits

We had this basically forced on in the CLI; down the line I'd really like to
make this an API option to commit or so, but given that we found a use case in
the rpm-ostree test suite for "unbound" commits, let's support creating them
from the cmdline.

See: https://github.com/ostreedev/ostree/pull/1379

Closes: #1380
Approved by: jlebon

lib/core: Optimize breaking hardlinks for regfiles

It'd all be really nice if there was some sort of `O_TMPFILE` for symlinks, but
anyways the way we were doing a generic "make temp file than rename" actually
defeats some of the point of `O_TMPFILE`. It's now fully safe to do "copy to
self", so let's do that for regfiles.

Closes: #1378
Approved by: jlebon

lib/core: Add a "break hardlink" API

This imports the code from rpm-ostree:
https://github.com/projectatomic/rpm-ostree/blob/9ff9f6c997d914cb7d97d6b59d8045ba64a1882c/src/libpriv/rpmostree-util.c#L742

I plan to use this for rofiles-fuse to implement
copyup: https://github.com/ostreedev/ostree/issues/1377

But it's just obviously generally useful for projects using
libostree I think.

Closes: #1378
Approved by: jlebon

bin/fsck: Make ref binding verification optional

Today the rpm-ostree test suite uses `refs --create` to save
commits. I think this is a legitimate use case, and other
people may be doing something similar.

On the other hand, I think we should probably be changing the rpm-ostree test
suite to create "unbound" commits. But let's be maximially compatible here since
we hit a real-world case where something needed to change.

Closes: #1379
Approved by: pwithnall

lib/repo: Add an API to mark a commit as partial

For the [rpm-ostree jigdo ♲📦](https://github.com/projectatomic/rpm-ostree/issues/1081) work.
We're basically doing "pull" via a non-libostree mechanism, and this
should be fully supported. As I mentioned earlier we should try to
have `ostree-repo-pull.c` only use public APIs; this gets us closer
to that.

Closes: #1376
Approved by: jlebon

lib/repo: Disable locking by default, add locking=true boolean

I want some time to play with this more with different callers and work through
test scenarios. Let's disable the locking by default for now, but make it easy
to enable.

Closes: #1375
Approved by: jlebon

lib/repo: Make locking timeout configurable

I want to make locking fully configurable (and probably off by default for now).
This is a prep commit for that.

Closes: #1375
Approved by: jlebon

tests: Expand fsck unit tests to cover checks on bindings

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

tests: Fix LC_ALL for systems which use .utf8 suffixes

libtest-core.sh tries to clear the locale to a UTF-8 supporting C
locale, either by setting it to C.UTF-8 (preferred) or just C.

Some systems, like Fedora 26, use the locale name C.utf8, rather than
C.UTF-8. Support that too.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

ostree/commit: Allow --orphan and --bind-ref to be specified together

Typically you’d use --branch and --bind-ref together to add additional
bindings as well as creating a main --branch for the commit. However,
you might also want to occasionally use --orphan --bind-ref to create a
commit with bindings for one or more refs, but not actually create any
of those refs pointing to the commit (you might create them as a later
step).

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

ostree/fsck: Add --verify-back-refs option

This new option verifies that the refs listed in the ref-bindings for
each commit all point to that commit (i.e. there aren’t multiple commits
listing the same ref in their ref-bindings, and there aren’t any commits
with non-empty ref-bindings which aren’t pointed at by a ref).

This is useful when generating a new repository from scratch, but not
useful when adding new commits to an existing repository (since the old
commits will still, correctly, have ref-bindings from when the refs
pointed at them). That’s why it has to be enabled explicitly using
--verify-back-refs, rather than being on by default.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

lib/repo: Clarify documentation for ostree_repo_list_refs{,_ext}()

Try and clarify what happens with the prefixes, and that they always
return refspecs.

I’m still not 100% sure this is right.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

ostree/fsck: Handle refspecs from ostree_repo_list_refs()

It seems ostree_repo_list_refs() can return refspecs as hash table keys,
as well as just ref names. Handle that by parsing them before trying to
use them as ref names.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

ostree/fsck: Verify commit bindings for each ref

Since an OSTree client will refuse to pull from a remote which it has
locally configured with a collection ID, if the commit on that remote
has incorrect or missing bindings, we’d better verify them as part of
fsck.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

lib/static-delta: Drop duplicated declaration from private header

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

lib/pull: Fix capitalisation in binding verification error messages

Make them suitable for output from fsck.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

lib/pull: Split verify_bindings() out into a cmdprivate method

It will be used by the fsck utility in future. We could expose it
publicly in future too, if needed.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

ostree/fsck: Factor out common commit checking code

This will make upcoming commits a bit cleaner.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1347
Approved by: cgwalters

build-sys: Add --disable-http2

I may punt and use this in Fedora at least for now until we have time to debug
the issues.

Closes: #1373
Approved by: jlebon

bin/show: Add --no-byteswap

rpm-ostree writes host-endian data when importing packages, so let's add support
for not byteswapping.

Closes: #1372
Approved by: jlebon

bin/commit: Add --add-metadata that accepts g_variant_print() format

Mostly adding this for use in test cases; it allows us to add e.g.
integers, and we need to deal with byteswapping those.

Someone mind also find it useful to add fully structured metadata, although most
of those users should be using a real language and not shell script.

Closes: #1372
Approved by: jlebon

lib/commit: Use more direct path for regfile commits

In the non-`CONSUME` path for regfiles (which happens currently for
`bare-user`), we go to a lot of contortions to make an "object stream",
only to immediately parse it again.

Fixing this will also enable the `G_IS_FILE_DESCRIPTOR_BASED()` fast path in
commit, since the input stream will actually reference the file descriptor and
not be an `_OstreeChainInputStream`.

There's a slight concern here in that we're no longer checksumming *literally*
the object stream passed in for the stream case, but I mention in the comment,
the data should be the same, and if it's not somehow we're not adding risk,
since the checksum is still covering the data we actually care about.

Prep for further changes to break up the `write_content_object()` path into
separate paths for archive, as well as regfile vs symlink in non-archive.

Closes: #1371
Approved by: jlebon

lib/commit: Fix memleak in bare-user devino hit path

I noticed this while chasing an entirely different issue:
https://github.com/projectatomic/rpm-ostree/pull/1139

Closes: #1370
Approved by: jlebon

tests: Change test-corruption to use fatal()

It's clearer.

Closes: #1364
Approved by: jlebon

Add public API for fsck, use it before loading metadata

A while ago I did `truncate -s 0 /path/to/repo/00/123.commit`, and expected a
checksum error, but I actually got a validation error due to us loading the
commit into a variant and trying to parse out the parent checksum, etc.

I first started by changing the `load_and_fsck_one_object()` function to
checksum before loading, but the problem is that we do a traverse of all objects
first. Fixing this is going to require an `OSTREE_REPO_COMMIT_TRAVER_FLAG_FSCK`
or something.

In the meantime at least though, let's add a public API to fsck a single object
which *does* checksum cleanly before parsing the object, and change the `fsck`
command to use it.

We then change the fsck binary to do this while iterating over the refs
and finding the commit object. This way we'll at least get a checksum
first for commit objects, even if not dirtree/dirmeta.

Closes: #1364
Approved by: jlebon

lib/repo: Properly list remotes of parent repos

This commit fixes an infinite loop that happens if you try to list the
remotes of a repo that has a parent repo set. It also adds a unit test
to ensure the right behavior, which is that both the child remotes and
parent remotes are listed.

Closes: #1366
Approved by: cgwalters

lib/repo-file: Add casts to appease GLib g_object_ref cast PR

This fixes the build with https://bugzilla.gnome.org/show_bug.cgi?id=790697

Closes: #1363
Approved by: jlebon

lib/commit: Refactor file commits to separate subdir from content

One major thing we can do to speed up local commits is multithreading. In
preparation for that, split up the recursion function so that the subdirectory
case is separate from the content (regfile/symlink) case. Then for non-subdirs,
we can easily peel off worker threads and gather the final checksums and update
the mtree from the main thread.

The diff here looks large but it's pretty straightforward; amazingly this change
compiled the very first time I tried it!

Closes: #1365
Approved by: jlebon

docs/related: Add Balena

It's quite related.

Closes: #1369
Approved by: jlebon

pull: Add http2=false remote config option

This seems to work around
https://github.com/ostreedev/ostree/issues/1362

Though I'm not entirely sure why yet. But at least with this it'll be easier for
people to work around things locally.

Closes: #1368
Approved by: jlebon

tests: Test concurrent operations

Test that concurrent commits and prunes can succeed. Mostly this is a
check that the new locking works correctly and the concurrent processes
will properly wait until they've acquired the appropriate repository
lock.

Closes: #1343
Approved by: cgwalters

lib/prune: Take exclusive repository lock

Add exclusive repository locking to all the pruning entry points. This
ensures that objects and deltas will not be removed while another
process is writing to the repository.

Closes: #1343
Approved by: cgwalters

lib/commit: Add repository locking during transactions

Take a shared repo lock during a transaction to ensure that another
process doesn't delete objects.

Closes: #1343
Approved by: cgwalters

lib/repo: Add locking auto cleanup handler

Define an auto cleanup handler for use with repo locking. This is based
on the existing auto transaction cleanup. A wrapper for
ostree_repo_lock_push() is added with it. The intended usage is like so:

  g_autoptr(OstreeRepoAutoLock) lock = NULL;
  lock = ostree_repo_auto_lock_push (repo, lock_type, cancellable, error);
  if (!lock)
    return FALSE;

The functions and type are marked to be skipped by introspection since I
can't see them being usable from bindings.

Closes: #1343
Approved by: cgwalters

lib/repo: Add repo locking mechanism

Currently ostree has no method of guarding against concurrent pruning.
When there are multiple repo writers, it's possible to have a pull or
commit race against a prune and end up with missing objects.

This adds a file based repo locking mechanism. The intention is to take
a shared lock when writing objects and an exclusive lock when deleting
them. In order to make use of the locking throughout the library in a
fine grained fashion, the lock acts recursively with a stack of lock
states. If the lock becomes exclusive, it will stay in that state until
the stack is unwound past the initial exclusive push. The file locking
is similar to GLnxLockFile in that it uses open file descriptor locks
but falls back to flock when needed.

The lock also attempts to be thread safe by storing the lock state in
thread local storage with GPrivate. This means that each thread will
have an independent lock for each repository it opens. There are some
drawbacks to that, but it seemed impossible to manage the lock state
coherently in the face of multithreaded access.

The API is a push/pop interface in accordance with the recursive nature
of the locking. The push interface uses an enum that's translated to
LOCK_SH or LOCK_EX as needed. Both interfaces use an internal timeout
field to decide whether to manage the lock in a blocking or non-blocking
fashion. The intention is to allow ostree applications as well as
administrators to control this timeout. For now, the default is a 30
second timeout.

Note that the timeout is handled synchronously in thread since the lock
is maintained in thread local storage. I.e., the thread that acquires
the lock needs to be the same thread that runs the operation. There may
be a way to offer an asynchronous version, but it's not clear exactly
how that would work since it would likely involve a separate thread that
invokes a callback when the locking operation completes.

https://bugzilla.gnome.org/show_bug.cgi?id=759442

Closes: #1343
Approved by: cgwalters

lib/repo: Add some error prefixing in commit, repo create

I was getting a bare `error: Creating temp file: No such file or directory` when
debugging `test-concurrency.py`; with this I get
`error: Writing content object: Creating temp file: No such file or directory`
which helps me pin it down.

Closes: #1343
Approved by: cgwalters

lib/repo: Add MT support for transaction_set_ref(), clarify MT rules

For rpm-ostree I'd like to do importing in parallel with threads; the code is
*almost* ready for that except today it calls
`ostree_repo_transaction_set_ref()`.

Looking at the code, there's really a "transaction" struct here,
not just stats. Let's lift that struct out, and move the refs
into it under the existing lock.

Clarify the documentation around multithreading for various functions.

Closes: #1358
Approved by: jlebon

README.md: Link to BuildStream

This is an example of a tool using libostree to cache and share
build results.

Closes: #1360
Approved by: cgwalters

build-sys: Post-release version bump

Closes: #1361
Approved by: jlebon

Release 2017.14

Time to cut a new release, we've got the libcurl cleanup ordering patch which
several people have hit, along with safe early fixes for tmpdir cleanup. Let's
try to land the locking PR early next cycle.

Closes: #1359
Approved by: jlebon

lib/repo: Add a DEVINO_CANONICAL commit modifier flag

I was seeing the `Writing OSTree commit...` phase of rpm-ostree
being very slow lately. This turns out to be more fallout from
https://github.com/ostreedev/ostree/pull/1170
AKA commit: 8fe4536

Loading the xattrs is slow on my system (F27AW, XFS+LVM, NVMe). I haven't fully
traced through why, but AIUI at least on XFS the xattrs are often stored outside
of the inode so it's a little bit like doing an `open()+read()`. Plus there's
the LSM overhead, etc.

The thing is that for rpm-ostree's package layering use case, we
basically always want to treat the on-disk state as canonical. (There's
a subtle case here if one does overrides for something that contains
policy but we'll fix that).

Anyways, so we're in a state now where we do the slow but correct thing by
default, which seems sane. But let's allow the app to opt-in to telling us
"really trust devino". The difference between a `stat()` + hash table lookup
versus the full xattr load on my test case of `rpm-ostree install
./tree-1.7.0-10.fc27.x86_64.rpm` is absolutely dramatic; consistently on the
order of 10s without this support, and <1s with (800ms).

Closes: #1357
Approved by: jlebon

lib/repo: Verify txn stagedir existence after locking

This squashes the last race condition I was actively hitting while running
`test-concurrency.py` in a loop. The race is when process A finds a tmpdir to
reuse, and goes to lock it. Meanwhile process B deletes it and unlocks the lock.
Process A then succeeds at grabbing a lock, but the tmpdir is deleted.

Closes: #1352
Approved by: dbnicholson

lib/commit: Move txn stagedir deletion/unlock into one place

Previously we'd delete the tmpdir in `rename_pending_loose_objects()`
but do the unlock inside `ostree_repo_commit_transaction()`. Move
them into the same place in the latter function for consistency.

Doesn't fix anything, just a cleanup while reading the code and
working on `test-concurrency.py`.

Closes: #1352
Approved by: dbnicholson

ci: Really show test-suite.log on travis

The test-suite.log file is created in the top directory, not in test
(which isn't even a directory here).

Closes: #1352
Approved by: dbnicholson

tests: Run python tests with stdout unbuffered

Set the PYTHONUNBUFFERED environment variable during tests so that
python leaves stdout unbuffered. This is helpful when reading logs for
failures since the interleaved stdout and stderr will generally come out
in the right order. It's not perfect since tap-driver.sh does some
special redirection to the log file, but it's an improvement.

Closes: #1352
Approved by: dbnicholson

lib/commit: Minor refactoring of tmpdir cleanup code

Prep for future work here; let's cleanly separate the path for cleaning up the
txn staging directories from the code that cleans up "other stuff". Currently
only the former case uses the `GLnxLockFile` etc.

Closes: #1352
Approved by: dbnicholson

lib/commit: Reuse txn dir for tmpfiles

This closes a race condition I was seeing with `test-concurrency.py`. If we
don't have `O_TMPFILE` (or for symlinks) we'll create temporary files;
previously these would be subject to the date-based pruning because we set the
timestamp to 0 for objects.

Having our temporary files also in the txn staging dir ensures that they're
covered by the locking we do for that directory, and it's also generally cleaner
since the lifecycle of all the temporary data for a txn is in one place.

Closes: #1352
Approved by: dbnicholson

tests/delta-crosscheck: Disable fsync

I was running this recently to test the last delta write changes, and this
helps. We should add an option to repo-init to make this easier at some point.

Closes: #1356
Approved by: jlebon

lib/repo: Add a new private API for bare content writes

This lowers into the commit core what the static delta code
was doing, and improves the API.

The bigger picture issue is that for writing large files, our current "pull" API
where the caller provides a `GInputStream` is very awkward in some scenarios.
For example, we have a whole "libarchive input stream" that is a ~200 line
GObject that boils down to wrapping `archive_read_data()`.

This came more to a head when I was working on rpm-ostree jigdo since I had to
copy that object.

One step we can take after this is to further split `write_content_object()`
into a "write symlink or archive object" versus "write bare content object"
(it already has a mess of conditionals) and teach the latter case to call
this.

The eventual goal here is to make this API public.

Closes: #1355
Approved by: jlebon

lib/commit: Use direct repo writes if fsync is disabled

For situations where fsync is disabled, there's basically
no reason to do the whole "staging directory" dance. Just
write directly into the repo.

Today I use `fsync=false` for my build/cache repos.

I briefly considered not allocating a tmpdir at all
in this case, but we actually do want the txn tmpdir
for the non-`O_TMPFILE` case.

Part of https://github.com/ostreedev/ostree/issues/1184

Closes: #1354
Approved by: giuseppe

lib/remote: Add a method to return the URL

When using dynamic remotes (LAN and USB), we cannot use their name with
the common remote related ops (ostree_repo_remote_...) because ostree
doesn't keep this type of remotes in its internal hash table.
Unfortunately this means that we cannot access the URL of those remotes
either (in order to e.g. set the right URL for those remotes in
Flatpak).

Since the URL is actually stored in a key file that belongs to the
OstreeRemote, then we can simply allow users access to it through a
getter.

So this patch adds a method that allows to return the URL directly from
the OstreeRemote without having to go through the OstreeRepo.

The test-repo-finder-config is also updated by this patch to check if
the URL is correct.

Closes: #1353
Approved by: cgwalters

rofiles-fuse: Fix utime() support

We use utimens instead of utime, thus allowing nanosecond timestamps,
and also fixes a bug where we used to passed UTIME_OMIT to tv_nsec
which made the entire operation a no-op.

Closes: #1351
Approved by: cgwalters

fetcher/curl: Stop using CURLOPT_LOW_SPEED_TIME/_LIMIT

They don't play nicely currently with HTTP2 where we may
have lots of requests queued.

https://github.com/ostreedev/ostree/issues/878#issuecomment-347228854

In practice anyways I think issues here are better solved on a higher level -
e.g. apps today can use an overall timeout on pulls and if they exceed the limit
set the cancellable.

Closes: #1349
Approved by: jlebon

ci: Make sure we save gtdr test results on failures

If a test fails, we immediately exit and thus never get a chance to
actually upload the test results. Add a trap so that they always
uploaded, even on failure.

Closes: #1350
Approved by: cgwalters

papr: Bump primary to f27

Let's start with just f27-primary for now.

Closes: #1350
Approved by: cgwalters

add back helpful --allow-downgrade err message

Closes: #1348
Approved by: cgwalters

lib/repo: Don't delete new tmpdir if it can't be locked

If a newly allocated tmpdir can't be locked, set initialized to FALSE so
that glnx_tmpdir_cleanup doesn't delete it when new_tmpdir goes out of
scope.

Closes: #1346
Approved by: cgwalters

lib/repo: Handle race with existing tmpdir being deleted

Another tmpdir user may have deleted an existing tmpdir between the time
the current user called readdir and tried to open it.

Closes: #1346
Approved by: cgwalters

lib/repo: Restore tmpdir reusing out parameter

This got lost in d0b0578 and now the caller always thinks it got a new
tmpdir.

Closes: #1346
Approved by: cgwalters

lib/repo: Add debug messages when allocating tmpdir

This code is pretty complex and has some races when reusing tmpdirs, so
print some messages for debugging.

Closes: #1346
Approved by: cgwalters

build: fix "executible" typo

Closes: #1345
Approved by: jlebon

bin: Port a few commands (diff,remote,static-delta) to new style

No functional changes, not prep for anything, just keeping up some momentum.

Closes: #1344
Approved by: jlebon

grub-generator: If OSTREE_BOOT_PARTITION is not set, default to /boot

Closes: #1326
Approved by: cgwalters

lib/repo: Fix a memory leak of options in ostree_repo_create()

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1341
Approved by: dbnicholson

lib/repo: Add (transfer) annotations to various GHashTable arguments

By default, unless it’s const, an (out) GHashTable will be assumed to be
(transfer full). That means the binding needs to free all the items in
the hash table, plus the table itself.

However, all the GHashTables we use have free functions set already, so
freeing the hash table will free its items. This results in a
double-free.

Fix that by ensuring we annotate such (out) hash tables as (transfer
container). Also annotate some other hash tables as (transfer none)
where appropriate, for clarity.

This fixes OSTree.Repo.list_collection_refs() in the Python bindings.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1341
Approved by: dbnicholson

lib/traverse: Port to new style

Not prep for anything, was just reading this code a bit while
working on rpm-ostree jigdo.

Closes: #1338
Approved by: jlebon

Revert "lib/pull: Skip ostree_repo_resolve_keyring_for_collection for bindings"

This reverts commit 519b30b7e1979fea827ea4fe9b0e9ac4db99d631. Now that
the experimental GIR is being built correctly and OstreeRemote is a real
boxed type, this can be exposed again.

Closes: #1337
Approved by: pwithnall

lib: Include OstreeRemote and OstreeCollectionRef in GIR

Now that g-ir-scanner is being told about ENABLE_EXPERIMENTAL_API, it
can include these types correctly. Drop the __GI_SCANNER__ guards in the
header files so that all the declarations are found.

After this, you can actually construct the types normally:

>>> OSTree.CollectionRef.new('com.example.Foo', 'bar')
<OSTree.CollectionRef object at 0x7f2bba4c7528 (OstreeCollectionRef at 0x55c033ff2f30)>

Closes: #1337
Approved by: pwithnall

lib/remote: Export ostree_remote_get_type symbol

Without this, you can't really use OstreeRemote as a GObject, which is a
requirement for bindings.

This was found when attempting to include OstreeRemote in the GIR, and
g-ir-scanner wasn't able to link it's temporary object due to an
"undefined reference to `ostree_remote_get_type'" error.

Closes: #1337
Approved by: pwithnall