dgit.raspbian.org Git - ostree.git/log

lib/deploy: Use _exit() for FIFREEZE watchdog

This works around an (IMO) SpiderMonkey bug - it tries to
clean up in a shared library destructor, but doesn't install a
`pthread_atfork()` handler to unset its state.

Closes: https://github.com/ostreedev/ostree/issues/1262
Closes: #1264
Approved by: dbnicholson

tree-wide: Update to new libglnx fd APIs

This ends up a lot better IMO.  This commit is *mostly* just
`s/glnx_close_fd/glnx_autofd`, but there's also a number of hunks like:

```
-  if (self->sysroot_fd != -1)
-    {
-      (void) close (self->sysroot_fd);
-      self->sysroot_fd = -1;
-    }
+  glnx_close_fd (&self->sysroot_fd);
```

Update submodule: libglnx

Closes: #1259
Approved by: jlebon

lib/commit: Make -path commit helper API private

It's no longer called directly by the pull code, so make it static.

The goal here is to have the pull and local-fs commit paths use higher level
more efficient APIs, and eventually make those APIs public.

Closes: #1257
Approved by: jlebon

lib/core: Use GBytes for file headers

This simplifies a lot of code; the header function was structured
to write to an input stream, but many callers only wanted the checksum,
so it's simpler (and error-free) to simply allocate a whole buffer
and checksum that.

For the callers that want to write it, it's also still simpler to allocate the
buffer and write the whole thing rather than having this function do the
writing.

A lot of the complexity here again is a legacy of the packfile code, which is
dead.

This is prep for faster regfile commits where we can avoid `G{In,Out}putStream`.

Closes: #1257
Approved by: jlebon

lib/core: Port a few functions to decl-after-stmt

No functional changes, just prep for more work.

Closes: #1257
Approved by: jlebon

lib/core: (refactor) Drop wrapper and unneeded args for variant writing

Nothing was using the `bytes_written` data (we always discard partially written
tmpfiles), so simplify everything by dropping it. Further, we always passed an
offset of `0`, so drop that argument too. (I believe that this was previously
used by the "pack files" code that we deleted long ago)

Second, we had an unnecessary internal wrapper for this function; drop that too.

Closes: #1257
Approved by: jlebon

ci: compile f26/c7-primary with libcurl/openssl

This is how ostree is shipped in those distros. We already have
alternative testsuites for testing other HTTP & crypto backends.

Closes: #1261
Approved by: cgwalters

libotutil/checksum-utils: fix openssl compilation

Closes: #1261
Approved by: cgwalters

lib/deploy: Ignore FIFREEZE/FITHAW errors when already in state

If the filesystem is already frozen, FIFREEZE returns EBUSY, and if the
filesystem is already thawed, FITHAW returns EINVAL. It's very unlikely
these issues would arise on a real ostree system since the sysroot would
be locked during the freeze/thaw cycle.

However, when multiple fake sysroots are used during the test suite (run
as root), the tests could race to run the freeze/thaw cycle without
locking. Furthermore, there's no reason why an independent process might
be trying to freeze the filesystem while ostree was deploying. Ignore
but warn for these errors since there's not much ostree can do about it,
anyways.

Closes: #1260
Approved by: cgwalters

lib: Add a lighter weight internal checksum wrapper

The faster (OpenSSL/GnuTLS) code lived in a `GInputStream` wrapper, and that
adds a lot of weight (GObject + vtable calls). Move it into a simple
autoptr-struct wrapper, and use it in the metadata path, so we're
now using the faster checksums there too.

This also drops a malloc there as the new API does hexdigest in place to a
buffer.

Prep for more work in the commit path to avoid `GInputStream` for local file
commits, and ["adopting" files](https://github.com/ostreedev/ostree/pull/1255).

Closes: #1256
Approved by: jlebon

commit: Add _CONSUME modifier flag

For many cases of commit, we can actually optimize things by simply "adopting"
the object rather than writing a new copy. For example, in rpm-ostree package
layering.

We can only make that optimization though if we take ownership of the file. This
commit hence adds an API where a caller tells us to do so. For now, that just
means we `unlink()` the files/dirs as we go, but we can now later add the
"adopt" optimization.

Closes: #1255
Approved by: jlebon

lib/deltas: Move variant read helper into the deltas code

What the deltas code is doing is weird/unfortunate. The name
`ot_variant_read()` conflicts too much with `ot_variant_read_fd()`.
Since nothing else uses it, move it into the deltas code.

Closes: #1254
Approved by: jlebon

lib/util: Delete some unused functions

Hooray, dead code.

Closes: #1254
Approved by: jlebon

lib/pull: Change fetcher to return O_TMPFILE

A lot of the libostree code is honestly too complex for its
own good (this is mostly my fault). The way we do HTTP writes
is still one of those. The way the fetcher writes tempfiles,
then reads them back in is definitely one of those.

Now that we've dropped the "partial object" bits in:
https://github.com/ostreedev/ostree/pull/1176 i.e. commit
https://github.com/ostreedev/ostree/commit/0488b4870e80ef575d8b0edf6f2a9e5ad54bf4df
we can simplify things a lot more by having the fetcher
return an `O_TMPFILE` rather than a filename.

For trusted archive mirroring, we need to enable linking
in the tmpfiles directly.

Otherwise for at least content objects they're compressed, so we couldn't link
them in. For metadata, we need to do similar logic to what we have around
`mmap()` to only grab a tmpfile if the size is large enough.

Closes: #1252
Approved by: jlebon

lib/utils: Port a bit to decl-after-stmt style

Add add some more comments.

Closes: #1247
Approved by: jlebon

lib/repo: Clarify that ostree_repo_remote_fetch_summary() doesn’t verify

Make that a bit clearer in the documentation.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1253
Approved by: cgwalters

Deduplicate and fix up our use of mmap()

Buried in this large patch is a logical fix:

```
-  if (!map)
-    return glnx_throw_errno_prefix (error, "mmap");
+  if (map == (void*)-1)
+    return glnx_null_throw_errno_prefix (error, "mmap");
```

Which would have helped me debug another patch I was working
on.  But it turns out that actually correctly checking for
errors from `mmap()` triggers lots of other bugs - basically
because we sometimes handle zero-length variants (in detached
metadata).  When we start actually returning errors due to
this, things break.  (It wasn't a problem in practice before
because most things looked at the zero size, not the data).

Anyways there's a bigger picture issue here - a while ago
we made a fix to only use `mmap()` for reading metadata from disk
only if it was large enough (i.e. `>16k`).  But that didn't
help various other paths in the pull code and others that were
directly doing the `mmap()`.

Fix this by having a proper low level fs helper that does "read all data from
fd+offset into GBytes", which handles the size check. Then the `GVariant` bits
are just a clean layer on top of this. (At the small cost of an additional
allocation)

Side note: I had to remind myself, but the reason we can't just use
`GMappedFile` here is it doesn't support passing an offset into `mmap()`.

Closes: #1251
Approved by: jlebon

lib/commit: minor coverity fix

Appease Coverity by using the same condition for both the ternary check
and the if-condition later on. It should be smart enough to figure out
that `dir_enum == NULL` implies that `dfd_iter != NULL` from the
assertion at the top of the function.

Coverity CID: #1457318

Closes: #1250
Approved by: cgwalters

lib/sysroot: Fix pointer going out of scope in unlock code

Fixes Coverity CID #1457317

Closes: #1249
Approved by: jlebon

lib/core: Init struct stat buffer

Regression from d57410a7e62dcb89321807dcb2d91c85f9d26df7

Fixes Coverity CID #1457316

Closes: #1249
Approved by: jlebon

tree: fix compiler warnings

Mostly innocuous warnings, except for -Wtautological-compare, which
caught a shady guint64 subtraction.

Closes: #1245
Approved by: cgwalters

ci: really turn on warnings

We didn't have `-Wall` in our `CFLAGS`. It's normally injected by
`configure.ac`, but because we *did* have `-Werror`, it was skipped.
Now, we just turn it on unconditionally directly in `build.sh`.

Closes: #1245
Approved by: cgwalters

docs: Clarify %NULL argument to ostree_sysroot_new()

It’s equivalent to ostree_sysroot_new_default().

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1246
Approved by: cgwalters

app/main: use HAVE_LIBCURL_OR_LIBSOUP for pull CLI

We want `pull` to be included as long as we have at least either
`libcurl` or `libsoup` to back it. Of course, this is a moot point for
now since `libsoup` is currently a build requirement.

Closes: #1244
Approved by: cgwalters

lib/repo-commit: Import detached metadata even if hardlink exists

Spotted while reading through the code, it looks like the
copy_detached_metadata() call is accidentally omitted if a hardlink
already exists for the .commit object.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1242
Approved by: cgwalters

lib/gpg: Print debug info when reading GPG keys

This commit adds debug output whenever libostree reads GPG keys, which
can come from different locations in the file system. This is especially
helpful in debugging "GPG signatures found, but none are in trusted
keyring" errors, which in my case was caused by OSTree looking in
/usr/local/share/ostree/trusted.gpg.d/ rather than
/usr/share/ostree/trusted.gpg.d/.

Closes: #1241
Approved by: cgwalters

lib/pull: Minor cleanup to metadata scanning function, add docs

I'm regretting a bit having the `guint8*csum` variant of checksums
except for the serialized form. Once we start doing processing
it's easier to just have it remain hex.

Do an on-stack conversion for the metadata scanning function; this
drops a malloc and also just looks nicer.

Also add some long-awaited function comments to the two.

Closes: #1240
Approved by: jlebon

lib/bloom: Add some missing preconditions on n_bytes

These shouldn’t change the bloom filter’s behaviour at all, but make it
a bit more obvious what the programmatical limitations are on the sizes
it can deal with.

In reality, those sizes should never be reached because they won’t fit
in a DNS-SD record.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1239
Approved by: cgwalters

lib/uboot: Port to fd-relative

Prep for `ostree_sysroot_new_at()`.

Closes: #1237
Approved by: jlebon

lib/syslinux: Port to fd-relative

Prep for `ostree_sysroot_new_at()`. Also just generally nicer.

Closes: #1237
Approved by: jlebon

lib/pull: Fix regression with pull-local for nonexistent refs

I was reading the pull code for the last release, and spotted
a bug in commit f923c2e1eaebe0c781f07d34ae1a03f94357bccd - in
the case where the ref doesn't exist, we don't set an error,
tripping an assertion in the main code.

The previous code wanted the ref to always exist, so just flip back the boolean
for "ignore noent". I moved the `g_strchomp()` just into the HTTP path - if a
local repo is corrupted in this way it's something to fix in that repo.

Closes: #1238
Approved by: pwithnall

lib/sysroot: Add some more comments

Also avoid gtk-doc style for private functions, as it tries to parse them and
complains since they aren't public.

Closes: #1230
Approved by: jlebon

lib/commit: Add some gtk-doc and internal doc comments

Just making more of an effort for this for obvious reasons. We had a few public
APIs not documented too.

Closes: #1230
Approved by: jlebon

build-sys: Post-release version bump

Closes: #1236
Approved by: cgwalters

Release 2017.12

Closes: #1234
Approved by: jlebon

ostree/summary: Generate an ostree-metadata ref when updating summary

This is the new way of publishing repository metadata, rather than as
additional-metadata in the summary file. The use of an ostree-metadata
ref means that the metadata from multiple upstream collections is not
conflated when doing P2P mirroring of many repositories.

The new ref is only generated if the repository has a collection ID set.
The old summary file continues to be generated for backwards
compatibility (and because it continues to be the canonical ref →
checksum map for the repository).

The new code is only used if configured with --enable-experimental-api.

Includes unit tests.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1158
Approved by: cgwalters

ostree/summary: Eliminate redundant gotos from error handling path

There is no error handling to do, so just return everywhere instead.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1158
Approved by: cgwalters

man: Fix a copypasta error in ostree-summary.xml

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1158
Approved by: cgwalters

lib/bloom: Fix a -Wconversion warning in OstreeBloom

Compiling with -Wconversion warns on this line, as the conversion from
guint64 to guint8 is implicit (but safe: there is no bug here, since the
implicit cast is applied after the modulus arithmetic).

Make the cast explicit to silence -Wconversion.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1231
Approved by: cgwalters

lib/bloom: Fix bloom hashing on 32-bit architectures

There was an implicit cast from guint64 to gsize (which is 32-bit on
armhf, for example) before the modulus arithmetic which safely narrows
the index.

Fix that by using a guint64 intermediate variable and making the cast
explicit.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1231
Approved by: cgwalters

tests/installed: also run test-basic-c

Since we now have a subtest there that needs full xattr support.

Closes: #1170
Approved by: cgwalters

tests: check for relabeling rather than overlay

Instead of checking for overlayfs, let's explicitly check for our
ability to relabel files since we now have a `libtest` function to do
this. Also port that logic to `libostreetest`.

Note that overlayfs *does* allow manipulating user xattrs. So ideally,
we should break down `OSTREE_NO_XATTRS` further to distinguish between
tests that use bare repos from other modes.

We check the current directory instead of `/` so that developers can
just point `TEST_TMPDIR` to a non-overlayfs mount point when hacking
from a container.

Closes: #1170
Approved by: cgwalters

lib/commit: don't query devino cache for modified files

We can't use the cache if the file we want to commit has been modified
by the client through the file info or xattr modifiers. We would
prematurely look into the cache in `write_dfd_iter_to_mtree_internal`,
regardless of whether any filtering applied.

We remove that path there, and make sure that we only use the cache if
there were no modifications. We rename the `get_modified_xattrs` to
`get_final_xattrs` to reflect the fact that the xattrs may not be
modified.

One tricky bit that took me some time was that we now need to store the
st_dev & st_ino values in the GFileInfo because the cache lookup relies
on it. I'm guessing we regressed on this at some point.

This patch does slightly change the semantics of the xattr callback.
Previously, returning NULL from the cb meant no xattrs at all. Now, it
means to default to the on-disk state. We might want to consider putting
that behind a flag instead. Though it seems like a more useful behaviour
so that callers can only override the files they want to without losing
original on-disk state (and if they don't want that, just return an
empty GVariant).

Closes: #1165
Closes: #1170
Approved by: cgwalters

tests/libtest.sh: always nuke repo and files

This allows users to easily re-initialize the test repo.

Closes: #1170
Approved by: cgwalters

libarchive: Fix assertion error if used with CANONICAL_PERMISSIONS

I was trying to do a change for rpm-ostree to use
`OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS`
for container builds with `bare-user-only,` but hit an assertion here
ultimtely because we weren't setting `standard::type`.

Rather than hand-rolling `GFileInfo` creation, use the stat buffer conversion
code which is more robust and used in multiple places already.

Closes: #1227
Approved by: jlebon

tests/repo: Drop modeline from top of file

As per commit 6e4146a3.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1203
Approved by: cgwalters

tests: Update some tests to use OSTREE_REPO_MODE_ARCHIVE not ARCHIVE_Z2

The latter is deprecated now.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1203
Approved by: cgwalters

tests: Add a manual integration test for OstreeRepoFinderMount

Test an end-to-end flow of pulling refs from an online
repository → local OS repository → create a USB stick of
them → pull to a local OS repository on another machine.

This is a manual test, as it requires a throwaway USB stick which the
test can format as ext4 or vfat to test the flow works with both file
systems.

Run it as:

MOUNT_INTEGRATION_DEV=/dev/sdb1 make check \
TESTS=tests/test-repo-finder-mount-integration.sh

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1203
Approved by: cgwalters

tests: Add 404 tests for dirtree objects too

I now believe the flatpak issue we were hitting was
https://github.com/ostreedev/ostree/pull/1185
but let's add these tests anyways for more coverage.

Closes: #888
Approved by: jlebon

tree-wide: Bump libglnx, port to new lockfile init

In particular I'd like to get the copy fix in, since it might affect users for
the keyring bits.

Update submodule: libglnx

Closes: #1225
Approved by: jlebon

lib/pull: Don't request deltas for unchanged commits

I noticed this while debugging why I was seeing "2 metadata objects" fetched for
a different PR. I knew 1 was detached meta, but the other turned out to be this.

There's no reason to request a delta if the ref is unchanged.

Closes: #1220
Approved by: jlebon

tests/commit-sign: Update a bit to more modern style

I was trying to debug this while working on another PR. Add `echo ok` lines and
also use `assert_file_has_content` more directly; there's no reason to use an
intermediate `grep` since if it fails it won't print the original file.

Closes: #1220
Approved by: jlebon

lib/diff: Add compile-time ABI check on 64 bit arches

Like what was done for most of the `ostree-repo.h` values. Prep
for adding a new option.

Closes: #1223
Approved by: jlebon

ci: Record primary context results using g-d-t-r --log-directory

So the output isn't all intermingled. I just pushed a commit
to add `--log-directory`, so we need to build it from git master
for now.

Closes: #1218
Approved by: jlebon

lib/repo-pull: Fix remote names in refspecs from non-mirror P2P pulls

Propagate the refspec_name from the OstreeRemote returned by an
OstreeRepoFinder through to the set_ref() call.

This changes ostree_repo_pull_with_options() to accept the
previously-disallowed combination of passing override-remote-name in
options and also setting a remote name in remote_name_or_baseurl.
ostree_repo_pull_with_options() will continue to pull using the remote
config named in remote_name_or_baseurl as before; but will now use the
remote name from override-remote-name when it’s setting the refs at the
end of the pull. This is consistent with the documentation for
override-remote-name.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1202
Approved by: cgwalters

lib/remote: Store name of remote providing keyring for dynamic remotes

When pulling from a dynamic (peer to peer) remote, the remote’s name is
set to a unique, generated string which doesn’t exist in repo/config. If
doing a non-mirror pull, however, we don’t want to use this name in the
refspecs for newly created or updated refs — we want to use the name of
the remote which provided the keyring for the pull (this will be a
remote from repo/config whose collection ID matches that being used for
the peer to peer pull).

Store both names in OstreeRemote. The name to use for refspecs is stored
as refspec_name, and is typically NULL unless it differs from name.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1202
Approved by: cgwalters

lib/repo: Change resolve_keyring_for_collection() to return a remote

Instead of returning just the keyring filename, return the entire
OstreeRemote, which has the keyring filename as one of its members. This
will simplify some upcoming changes, and allows slightly improved debug
logging.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1202
Approved by: cgwalters

lib/repo-pull: Fix a potential minor leak

If override-remote-name is specified in the options to
ostree_repo_pull_with_options(), but the remote_name_or_baseurl argument
is also set to a remote name, the override-remote-name would be leaked.

Note that this is currently an invalid configuration, so this leak is
basically never hit.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1202
Approved by: cgwalters

lib/pull: Add status for imported objects

Followup for recent work in commits:

- 8a7a35970928331a028ccddd04590ac300dbd26e
- 1a9a473580e9066f5d4a969932d703b5b104b2b7

Keep track of how many objects we imported, and print that for `ostree
pull-local` (also do this even if noninteractive, like we did for `pull`).

In implementing this at first I used separate variables for import
from repo vs import from localcache, but that broke some of the
tests that checked those values.

It's easier to just merge them; we know from looking at whether or not
`remote_repo_local` is set whether or not we were doing a "HTTP pull with
localcache" versus a true `pull-local` and can use that when rendering status.

Closes: #1219
Approved by: jlebon

lib/repo-pull: Use resolve() instead of list() in fetch_ref_contents()

This is more efficient in the non-collection case; in the collection
case, the implementation of ostree_repo_resolve_collection_ref() needs
to be rewritten to improve efficiency.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1182
Approved by: cgwalters

lib/repo-refs: Add first version of ostree_repo_resolve_collection_ref()

This is a parallel for ostree_repo_resolve_rev_ext() which works on
collection–refs. At the moment, the implementation is simple and uses
ostree_repo_list_collection_refs(). In future, it could be rewritten to
check the checksum directly rather than enumerating all
potentially-relevant checksums.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1182
Approved by: cgwalters

create-usb: Add a create-usb command to complement OstreeRepoFinderMount

This can be used to put OSTree repositories on USB sticks in a format
recognised by OstreeRepoFinderMount.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1182
Approved by: cgwalters

src/pull: Support local pulls for collection–refs

Previously, collection–refs could only be pulled from a repository if it
had a summary file (which listed them). There was no way to pull from a
local repository which doesn’t have a summary file, and where the refs
were stored as refs/remotes/$remote/$ref, with a config section linking
that $remote to the queried collection ID.

Fix that by explicitly supporting pull_data->remote_repo_local in
fetch_ref_contents().

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1182
Approved by: cgwalters

tests,ci: Move "test-basic" (bare mode) to installed test

Our CI uses default Docker, which has SELinux labeling but is rather
evil in returning `EOPNOTSUPP` to any attempts to set `security.selinux`,
even if to the same value.

The previous fire 🔥 for this was: https://github.com/ostreedev/ostree/pull/759

The `bare` repo mode really only makes sense as uid 0, so our installed
test framework is a good match for this. However, the unit tests *do*
work in a privileged container even as non-root, and *also* should
work on SELinux-disabled systems. So let's teach the test framework
how to skip in those situations.

I tested this both in a priv container (my default builder) and an unpriv
container (like our CI).

At the same time, start executing the `test-basic.sh` from an installed test,
so we get better coverage than before.

This is just the start - all of the sysroot tests really need the
same treatment.

Closes: #1217
Approved by: jlebon

lib/pull: Default checksum for archive mirror, add TRUSTED_HTTP flag

I now think commit fab1e113db558cb7d6754e243919558df92d4864 was a mistake;
because it breaks the mental model that at least I'd built up that "local repos
don't have checksums verified, HTTP does".

For example, a problem with this is (with that mental model in place) it's easy
for people who set up mirrors like this to then do local pulls, and at that
point we've done a deployment with no checksum verification.

Further, since then we did PR #671 AKA commit 3d38f03 which is really most of
the speed hit.

So let's switch the default even for this case to doing checksum verification,
and add `ostree pull --http-trusted`. People who are in situations where they
know they want this can find it and turn it on.

Closes: https://github.com/ostreedev/ostree/issues/1211
Closes: #1212
Approved by: jlebon

lib/pull: Refactor to use OstreeRepoImportFlags internally

Rather than carrying two booleans, just convert `OstreeRepoPullFlags`
into `OstreeRepoImportFlags`. This allows us to drop an internal
wrapper function and just directly call `_ostree_repo_import_object()`.

This though reveals that our mirroring import path doesn't check the
`OSTREE_REPO_PULL_FLAGS_UNTRUSTED` flag...it probably should.

Prep for further work.

Closes: #1212
Approved by: jlebon

lib/pull: Minor refactoring of metadata scanning function

Make the "local repo" processing conditional the same as the "localcache" bits;
this is really just a de-indent. Also add some comments. Prep for further work.

Closes: #1212
Approved by: jlebon

bin/pull: Fix description of --untrusted

It means *do* verify for local.

Closes: #1212
Approved by: jlebon

lib/commit: fix using uninitialized var

Noticed this while reading the code. The `child` var hasn't been
initialized yet at the time we throw this error (and even then, it's
only conditionally initialized). To be nice, let's just always calculate
the child path and pass that along.

Also do some minor style porting to decl near use.

Closes: #1216
Approved by: cgwalters

lib/commit: add comments to explain dir commit path

Add a few comments for each of the central functions used for committing
data from a directory. Took me a bit to understand the relationship
between those functions.

Closes: #1216
Approved by: cgwalters

lib/commit: Add a copy fastpath for imports

This fixes up the last of the embarassing bits I saw from
the stack trace in:
https://github.com/ostreedev/ostree/issues/1184

We had a hardlink fast path, but that doesn't apply across
devices, which occurs in two notable cases:

- Installer ISO with local repo
- Tools like pungi that copy the repo to a local snapshot

Obviously there are a lot of subtleties here around things like the
bare-user-only conversions as well as exactly what data we copy. I think to get
better test coverage we may want to add `pull-local --no-hardlink` or so.

Closes: #1197
Approved by: jlebon

lib/commit: Some misc porting to decl-after-stmnt

Just happened to have this file open.

Closes: #1214
Approved by: jlebon

lib/repo-finder-mount: Add var/lib/flatpak as a well-known directory

Add this as an additional well-known directory which is checked on
mounted removable drives to see if it contains OSTree repos we can pull
refs from.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
https://github.com/ostreedev/ostree/issues/1210

Closes: #1213
Approved by: cgwalters

Add --with-crypto=gnutls

Introduce support for GnuTLS for computing cryptograpic
hashes, similar to the OpenSSL backend. A reason to do
this is some distributors want to avoid GPLv3, and GPG
pulls that in.

A possible extension of using GnuTLS would be replacing the GPG signing
with `PKCS#7` signatures and `X.509` keys.

We also support `--with-crypto=openssl`, which has the same effect
as `--with-openssl`, and continues to be supported.

Changes by Colin Walters <walters@verbum.org>:

- Drop libgcrypt option for now
- Unify buildsystem on --with-crypto

Link: https://mail.gnome.org/archives/ostree-list/2017-June/msg00002.html
Signed-off-by: Jussi Laako <jussi.laako@linux.intel.com>
Closes: #1189
Approved by: cgwalters

lib: Define an alias OSTREE_REPO_MODE_ARCHIVE

For the old `OSTREE_REPO_MODE_ARCHIVE_Z2`. Use it mostly tree
wide except for the repo finder tests (to avoid conflicting with
some outstanding PRs).

Just noted another user coming in some of those tests and wanted to do a
cleanup.

Closes: #1209
Approved by: jlebon

lib/core: Add static assertions for OstreeRepoMode enum values

Prep for adding an alias.

Closes: #1209
Approved by: jlebon

Add a .vimrc and .editorconfig

The `.vimrc` requires the `exrc` option to be turned on, and
`.editorconfig` requires https://github.com/editorconfig/editorconfig-vim
apparently.

Closes: #1208
Approved by: cgwalters

tests/libtest: check that we have setfattr

We use `setfattr` to determine whether the filesystem we're on supports
xattrs, but we need to check that `setfattr` itself is available. We
just make it a hard requirement but only if trying to run tests that ask
about xattr support.

Closes: #1207
Approved by: cgwalters

tests: allow specifying tmpdir

Allow developers to override the default /var/tmp dir, which e.g. might
be on overlayfs and thus produces reduced coverage.

Closes: #1207
Approved by: cgwalters

tree-wide: Remove Emacs modelines

We added a `.dir-locals.el` in commit: 9a77017d87b74c5e2895cdd64ad098018929403f
There's no need to have it per-file, with that people might think
to add other editors, which is the wrong direction.

Closes: #1206
Approved by: jlebon

lib/repo: Add ostree_repo_hash() and tests

Add a hash function for OstreeRepo instances, which relies on the repo
being open, and hence being able to hash the device and inode of its
root directory.

Add unit tests for this and ostree_repo_equal().

Signed-off-by: Philip Withnall <withnall@endlessm.com>
https://github.com/ostreedev/ostree/issues/1191

Closes: #1205
Approved by: cgwalters

lib/repo: Use correct name for tmpdir lockfile

Such an evil bug 🙈. I was just reading an strace trying to figure out what was
going on, and noticed we had the `XXXXXX` in the lockfile name. It was only
after that I realized that that this might *be* the cause of the skopeo issue.

This is another case where we definitely need more test coverage of things that
actually use the API multiple times in process; might look at dusting off the
work for the rpm-ostree test.

Closes: https://github.com/ostreedev/ostree/issues/1196
Closes: #1204
Approved by: jlebon

ci: Add an "all options disabled" context

We keep occasionally regressing this so let's start covering it now. I'm
intentionally not running the tests since that would likely entail a lot more
conditionalizing pain.

Closes: #1194
Approved by: jlebon

lib/commit: Don't try to call linkat() for import on distinct devices

While opening a repo we've recorded the device/inode for a while; use it to
avoid calling `linkat()` during object import if we know it's going to fail.

Closes: #1193
Approved by: jlebon

lib: Move bareuseronly verification into commit/core

Conceptually `ostree-repo-pull.c` should be be written using
just public APIs; we theoretically support building without HTTP
for people who just want to use the object store portion and
do their own fetching.

We have some nontrivial behaviors in the pull layer though; one
of those is the "bareuseronly" verification. Make a new internal
API that accepts flags, move it into `commit.c`. This
is prep for further work in changing object import to support
reflinks.

Closes: #1193
Approved by: jlebon

rofiles-fuse: also pass mode for O_RDONLY

In the `O_RDONLY` case, we were calling `openat` without a mode
argument. However, it's perfectly legal (albeit unusual) to do
`open(O_RDONLY|O_CREAT)`. One such application that makes use of this is
`flock(1)`.

This was actually caught by `_FORTIFY_SOURCE=2`, and once we run
`rofiles-fuse` with `-f`, the message is clear:

```
*** invalid openat64 call: O_CREAT or O_TMPFILE without mode ***:
rofiles-fuse terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7c8dc)[0x7f36d9f188dc]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f36d9fbfaa7]
/lib64/libc.so.6(+0x10019a)[0x7f36d9f9c19a]
rofiles-fuse[0x401768]
...
```

Without `_FORTIFY_SOURCE`, the file gets created, but its mode is
completely random.

I ran into this while investigating
https://github.com/projectatomic/rpm-ostree/pull/1003.

Closes: #1200
Approved by: cgwalters

tree-wide: Squash a few warnings when building with no features

Noticed these since I had a local configured build with no features for testing
the PAPR context for it.

Closes: #1201
Approved by: jlebon

lib/checkout: Squash a gcc maybe-uninitialized warning

gcc doesn't know that our enum cases must be exhaustive.

Closes: #1201
Approved by: jlebon

lib/repo: Move alloca() outside of loop

Just noticed this while looking at the code for a different issue.

Closes: #1201
Approved by: jlebon

lib/repo: Don't syncfs or fsync() dirs if fsync opt is disabled

There are use cases for not syncing at all; think build cache repos, etc. Let's
be consistent here and make sure if fsync is disabled we do no sync at all.

I chose this opportunity to add tests using the shiny new strace fault
injection. I can forsee using this for a lot more things, so I made
the support for detecting things generic.

Related: https://github.com/ostreedev/ostree/issues/1184

Closes: #1186
Approved by: jlebon

tests/libtest: Factor out user xattr detection

Make the equivalent of a `GOnce` or Rust `lazy_static!` detecting this and share
it between the two callers.

Prep for a future similar patch for strace fault injection.

Closes: #1186
Approved by: jlebon

lib/pull: Clarify use of unsigned summary support

Update the comments and remove an unneeded variable to make it clear
that the find_remotes_async() / pull_from_remotes_async() functions use
the unsigned summary support.

This is a follow-up of commit 8c148eb7e "lib/repo-finder: Emit
gpg-verify-summary=false in dynamic remote config".

Closes: #1195
Approved by: pwithnall

tests: Reset umask to 022 while creating test repository

In test-basic-root.sh we make assertions about the permissions
of files like baz/cow, which were created without an explicit chmod.
We can't do that unless we control the permissions.

For some reason the "debomatic" autobuilder used to do some Debian
archive rebuilds does the entire build including build-time tests
as uid 0 with umask 002, which broke those assertions. This seems
a weird thing to do, and I've opened a bug, but it also seems
reasonable to fix this test.

This also lets us remove a couple of existing workarounds for the
same issue.

Bug-Debian: https://bugs.debian.org/876138
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1192
Approved by: cgwalters

Add support for pkcs11 URIs in TLS client key/certificate

Closes: #1183
Approved by: cgwalters

lib/pull: Wait for pending ops to complete on error

I saw in a stack trace that the main thread was calling `exit()` even while
worker threads were alive and doing sha256/write/fsync etc. for objects.

The stack trace was a SEGV as the main thread was calling into library
`atexit()` handlers and we were a liblz4 destructor:

```
#0 0x00007f2db790f8d4 _fini (liblz4.so.1)
#1 0x00007f2dbbae1c68 __run_exit_handlers (libc.so.6)
```

(Why that library has a destructor I don't know offhand, can't find
it in the source in a quick look)

Anyways, global library destructors and worker threads continuing simply don't
mix. Let's wait for our outstanding operations before we exit. This is also a
good idea for projects using libostree as a shared library, as we don't want
worker threads outliving operations.

Our existing pull corruption tests exercise coverage here.

I added a new `caught-error` status boolean to the progress API, and use it the
commandline to tell the user that we're waiting for outstanding ops.

Closes: #1185
Approved by: jlebon

lib/repo: Minor cleanup to object import function

We have a lot of layers of abstraction here; let's fold in the `trusted`
conditional into the call, since that's all the public API we're using does
anyways.

Prep for a future patch around object copying during imports.

Closes: #1187
Approved by: jlebon

tests: Explicitly unset LANGUAGE after setting LC_ALL

As a GNU extension, LANGUAGE takes precedence over LC_ALL for
gettext(3) whenever the locale is not C, causing tests that grep for
specific English strings to fail when run in non-English locales.
The upstream glibc proposal for C.UTF-8 would give C.UTF-8 the same
special case as C here, but the implementation in Debian does not
currently have this, so we have to unset LANGUAGE too.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1188
Approved by: jlebon

tree-wide: Some glnx_fstatat_allow_noent() porting

The new API is definitely nicer.

Closes: #1180
Approved by: jlebon

lib/repo: Drop outdated FIXME comment from ostree-repo.h

This was some incomplete planning from while the find_remotes() API was
being designed; now totally outdated.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1179
Approved by: cgwalters

lib/repo-finder-mount: Change the schema for finding repos on volumes

See issue #1174 for the rationale behind this. In summary:
• It required two lists of collection–refs to be maintained: one in the
repository, and one pointing to the repository.
• It didn’t automatically work for live USBs of OSs based on OSTree
(where there’s always a repository at /ostree/repo).
• It was unnecessarily complex.

The new scheme allows a list of repositories to be searched, but without
needing a layer of indirection through their collection–refs. It adds
/ostree/repo and /.ostree/repo as well-known repository locations which
are always checked on a mounted volume (if they exist).

Update the unit tests accordingly.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
https://github.com/ostreedev/ostree/issues/1174

Closes: #1179
Approved by: cgwalters