dgit.raspbian.org Git - ostree.git/log

tests: Change test-corruption to use fatal()

It's clearer.

Closes: #1364
Approved by: jlebon

Add public API for fsck, use it before loading metadata

A while ago I did `truncate -s 0 /path/to/repo/00/123.commit`, and expected a
checksum error, but I actually got a validation error due to us loading the
commit into a variant and trying to parse out the parent checksum, etc.

I first started by changing the `load_and_fsck_one_object()` function to
checksum before loading, but the problem is that we do a traverse of all objects
first. Fixing this is going to require an `OSTREE_REPO_COMMIT_TRAVER_FLAG_FSCK`
or something.

In the meantime at least though, let's add a public API to fsck a single object
which *does* checksum cleanly before parsing the object, and change the `fsck`
command to use it.

We then change the fsck binary to do this while iterating over the refs
and finding the commit object. This way we'll at least get a checksum
first for commit objects, even if not dirtree/dirmeta.

Closes: #1364
Approved by: jlebon

lib/repo: Properly list remotes of parent repos

This commit fixes an infinite loop that happens if you try to list the
remotes of a repo that has a parent repo set. It also adds a unit test
to ensure the right behavior, which is that both the child remotes and
parent remotes are listed.

Closes: #1366
Approved by: cgwalters

lib/repo-file: Add casts to appease GLib g_object_ref cast PR

This fixes the build with https://bugzilla.gnome.org/show_bug.cgi?id=790697

Closes: #1363
Approved by: jlebon

lib/commit: Refactor file commits to separate subdir from content

One major thing we can do to speed up local commits is multithreading. In
preparation for that, split up the recursion function so that the subdirectory
case is separate from the content (regfile/symlink) case. Then for non-subdirs,
we can easily peel off worker threads and gather the final checksums and update
the mtree from the main thread.

The diff here looks large but it's pretty straightforward; amazingly this change
compiled the very first time I tried it!

Closes: #1365
Approved by: jlebon

docs/related: Add Balena

It's quite related.

Closes: #1369
Approved by: jlebon

pull: Add http2=false remote config option

This seems to work around
https://github.com/ostreedev/ostree/issues/1362

Though I'm not entirely sure why yet. But at least with this it'll be easier for
people to work around things locally.

Closes: #1368
Approved by: jlebon

tests: Test concurrent operations

Test that concurrent commits and prunes can succeed. Mostly this is a
check that the new locking works correctly and the concurrent processes
will properly wait until they've acquired the appropriate repository
lock.

Closes: #1343
Approved by: cgwalters

lib/prune: Take exclusive repository lock

Add exclusive repository locking to all the pruning entry points. This
ensures that objects and deltas will not be removed while another
process is writing to the repository.

Closes: #1343
Approved by: cgwalters

lib/commit: Add repository locking during transactions

Take a shared repo lock during a transaction to ensure that another
process doesn't delete objects.

Closes: #1343
Approved by: cgwalters

lib/repo: Add locking auto cleanup handler

Define an auto cleanup handler for use with repo locking. This is based
on the existing auto transaction cleanup. A wrapper for
ostree_repo_lock_push() is added with it. The intended usage is like so:

  g_autoptr(OstreeRepoAutoLock) lock = NULL;
  lock = ostree_repo_auto_lock_push (repo, lock_type, cancellable, error);
  if (!lock)
    return FALSE;

The functions and type are marked to be skipped by introspection since I
can't see them being usable from bindings.

Closes: #1343
Approved by: cgwalters

lib/repo: Add repo locking mechanism

Currently ostree has no method of guarding against concurrent pruning.
When there are multiple repo writers, it's possible to have a pull or
commit race against a prune and end up with missing objects.

This adds a file based repo locking mechanism. The intention is to take
a shared lock when writing objects and an exclusive lock when deleting
them. In order to make use of the locking throughout the library in a
fine grained fashion, the lock acts recursively with a stack of lock
states. If the lock becomes exclusive, it will stay in that state until
the stack is unwound past the initial exclusive push. The file locking
is similar to GLnxLockFile in that it uses open file descriptor locks
but falls back to flock when needed.

The lock also attempts to be thread safe by storing the lock state in
thread local storage with GPrivate. This means that each thread will
have an independent lock for each repository it opens. There are some
drawbacks to that, but it seemed impossible to manage the lock state
coherently in the face of multithreaded access.

The API is a push/pop interface in accordance with the recursive nature
of the locking. The push interface uses an enum that's translated to
LOCK_SH or LOCK_EX as needed. Both interfaces use an internal timeout
field to decide whether to manage the lock in a blocking or non-blocking
fashion. The intention is to allow ostree applications as well as
administrators to control this timeout. For now, the default is a 30
second timeout.

Note that the timeout is handled synchronously in thread since the lock
is maintained in thread local storage. I.e., the thread that acquires
the lock needs to be the same thread that runs the operation. There may
be a way to offer an asynchronous version, but it's not clear exactly
how that would work since it would likely involve a separate thread that
invokes a callback when the locking operation completes.

https://bugzilla.gnome.org/show_bug.cgi?id=759442

Closes: #1343
Approved by: cgwalters

lib/repo: Add some error prefixing in commit, repo create

I was getting a bare `error: Creating temp file: No such file or directory` when
debugging `test-concurrency.py`; with this I get
`error: Writing content object: Creating temp file: No such file or directory`
which helps me pin it down.

Closes: #1343
Approved by: cgwalters

lib/repo: Add MT support for transaction_set_ref(), clarify MT rules

For rpm-ostree I'd like to do importing in parallel with threads; the code is
*almost* ready for that except today it calls
`ostree_repo_transaction_set_ref()`.

Looking at the code, there's really a "transaction" struct here,
not just stats. Let's lift that struct out, and move the refs
into it under the existing lock.

Clarify the documentation around multithreading for various functions.

Closes: #1358
Approved by: jlebon

README.md: Link to BuildStream

This is an example of a tool using libostree to cache and share
build results.

Closes: #1360
Approved by: cgwalters

build-sys: Post-release version bump

Closes: #1361
Approved by: jlebon

Release 2017.14

Time to cut a new release, we've got the libcurl cleanup ordering patch which
several people have hit, along with safe early fixes for tmpdir cleanup. Let's
try to land the locking PR early next cycle.

Closes: #1359
Approved by: jlebon

lib/repo: Add a DEVINO_CANONICAL commit modifier flag

I was seeing the `Writing OSTree commit...` phase of rpm-ostree
being very slow lately. This turns out to be more fallout from
https://github.com/ostreedev/ostree/pull/1170
AKA commit: 8fe4536

Loading the xattrs is slow on my system (F27AW, XFS+LVM, NVMe). I haven't fully
traced through why, but AIUI at least on XFS the xattrs are often stored outside
of the inode so it's a little bit like doing an `open()+read()`. Plus there's
the LSM overhead, etc.

The thing is that for rpm-ostree's package layering use case, we
basically always want to treat the on-disk state as canonical. (There's
a subtle case here if one does overrides for something that contains
policy but we'll fix that).

Anyways, so we're in a state now where we do the slow but correct thing by
default, which seems sane. But let's allow the app to opt-in to telling us
"really trust devino". The difference between a `stat()` + hash table lookup
versus the full xattr load on my test case of `rpm-ostree install
./tree-1.7.0-10.fc27.x86_64.rpm` is absolutely dramatic; consistently on the
order of 10s without this support, and <1s with (800ms).

Closes: #1357
Approved by: jlebon

lib/repo: Verify txn stagedir existence after locking

This squashes the last race condition I was actively hitting while running
`test-concurrency.py` in a loop. The race is when process A finds a tmpdir to
reuse, and goes to lock it. Meanwhile process B deletes it and unlocks the lock.
Process A then succeeds at grabbing a lock, but the tmpdir is deleted.

Closes: #1352
Approved by: dbnicholson

lib/commit: Move txn stagedir deletion/unlock into one place

Previously we'd delete the tmpdir in `rename_pending_loose_objects()`
but do the unlock inside `ostree_repo_commit_transaction()`. Move
them into the same place in the latter function for consistency.

Doesn't fix anything, just a cleanup while reading the code and
working on `test-concurrency.py`.

Closes: #1352
Approved by: dbnicholson

ci: Really show test-suite.log on travis

The test-suite.log file is created in the top directory, not in test
(which isn't even a directory here).

Closes: #1352
Approved by: dbnicholson

tests: Run python tests with stdout unbuffered

Set the PYTHONUNBUFFERED environment variable during tests so that
python leaves stdout unbuffered. This is helpful when reading logs for
failures since the interleaved stdout and stderr will generally come out
in the right order. It's not perfect since tap-driver.sh does some
special redirection to the log file, but it's an improvement.

Closes: #1352
Approved by: dbnicholson

lib/commit: Minor refactoring of tmpdir cleanup code

Prep for future work here; let's cleanly separate the path for cleaning up the
txn staging directories from the code that cleans up "other stuff". Currently
only the former case uses the `GLnxLockFile` etc.

Closes: #1352
Approved by: dbnicholson

lib/commit: Reuse txn dir for tmpfiles

This closes a race condition I was seeing with `test-concurrency.py`. If we
don't have `O_TMPFILE` (or for symlinks) we'll create temporary files;
previously these would be subject to the date-based pruning because we set the
timestamp to 0 for objects.

Having our temporary files also in the txn staging dir ensures that they're
covered by the locking we do for that directory, and it's also generally cleaner
since the lifecycle of all the temporary data for a txn is in one place.

Closes: #1352
Approved by: dbnicholson

tests/delta-crosscheck: Disable fsync

I was running this recently to test the last delta write changes, and this
helps. We should add an option to repo-init to make this easier at some point.

Closes: #1356
Approved by: jlebon

lib/repo: Add a new private API for bare content writes

This lowers into the commit core what the static delta code
was doing, and improves the API.

The bigger picture issue is that for writing large files, our current "pull" API
where the caller provides a `GInputStream` is very awkward in some scenarios.
For example, we have a whole "libarchive input stream" that is a ~200 line
GObject that boils down to wrapping `archive_read_data()`.

This came more to a head when I was working on rpm-ostree jigdo since I had to
copy that object.

One step we can take after this is to further split `write_content_object()`
into a "write symlink or archive object" versus "write bare content object"
(it already has a mess of conditionals) and teach the latter case to call
this.

The eventual goal here is to make this API public.

Closes: #1355
Approved by: jlebon

lib/commit: Use direct repo writes if fsync is disabled

For situations where fsync is disabled, there's basically
no reason to do the whole "staging directory" dance. Just
write directly into the repo.

Today I use `fsync=false` for my build/cache repos.

I briefly considered not allocating a tmpdir at all
in this case, but we actually do want the txn tmpdir
for the non-`O_TMPFILE` case.

Part of https://github.com/ostreedev/ostree/issues/1184

Closes: #1354
Approved by: giuseppe

lib/remote: Add a method to return the URL

When using dynamic remotes (LAN and USB), we cannot use their name with
the common remote related ops (ostree_repo_remote_...) because ostree
doesn't keep this type of remotes in its internal hash table.
Unfortunately this means that we cannot access the URL of those remotes
either (in order to e.g. set the right URL for those remotes in
Flatpak).

Since the URL is actually stored in a key file that belongs to the
OstreeRemote, then we can simply allow users access to it through a
getter.

So this patch adds a method that allows to return the URL directly from
the OstreeRemote without having to go through the OstreeRepo.

The test-repo-finder-config is also updated by this patch to check if
the URL is correct.

Closes: #1353
Approved by: cgwalters

rofiles-fuse: Fix utime() support

We use utimens instead of utime, thus allowing nanosecond timestamps,
and also fixes a bug where we used to passed UTIME_OMIT to tv_nsec
which made the entire operation a no-op.

Closes: #1351
Approved by: cgwalters

fetcher/curl: Stop using CURLOPT_LOW_SPEED_TIME/_LIMIT

They don't play nicely currently with HTTP2 where we may
have lots of requests queued.

https://github.com/ostreedev/ostree/issues/878#issuecomment-347228854

In practice anyways I think issues here are better solved on a higher level -
e.g. apps today can use an overall timeout on pulls and if they exceed the limit
set the cancellable.

Closes: #1349
Approved by: jlebon

ci: Make sure we save gtdr test results on failures

If a test fails, we immediately exit and thus never get a chance to
actually upload the test results. Add a trap so that they always
uploaded, even on failure.

Closes: #1350
Approved by: cgwalters

papr: Bump primary to f27

Let's start with just f27-primary for now.

Closes: #1350
Approved by: cgwalters

add back helpful --allow-downgrade err message

Closes: #1348
Approved by: cgwalters

lib/repo: Don't delete new tmpdir if it can't be locked

If a newly allocated tmpdir can't be locked, set initialized to FALSE so
that glnx_tmpdir_cleanup doesn't delete it when new_tmpdir goes out of
scope.

Closes: #1346
Approved by: cgwalters

lib/repo: Handle race with existing tmpdir being deleted

Another tmpdir user may have deleted an existing tmpdir between the time
the current user called readdir and tried to open it.

Closes: #1346
Approved by: cgwalters

lib/repo: Restore tmpdir reusing out parameter

This got lost in d0b0578 and now the caller always thinks it got a new
tmpdir.

Closes: #1346
Approved by: cgwalters

lib/repo: Add debug messages when allocating tmpdir

This code is pretty complex and has some races when reusing tmpdirs, so
print some messages for debugging.

Closes: #1346
Approved by: cgwalters

build: fix "executible" typo

Closes: #1345
Approved by: jlebon

bin: Port a few commands (diff,remote,static-delta) to new style

No functional changes, not prep for anything, just keeping up some momentum.

Closes: #1344
Approved by: jlebon

grub-generator: If OSTREE_BOOT_PARTITION is not set, default to /boot

Closes: #1326
Approved by: cgwalters

lib/repo: Fix a memory leak of options in ostree_repo_create()

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1341
Approved by: dbnicholson

lib/repo: Add (transfer) annotations to various GHashTable arguments

By default, unless it’s const, an (out) GHashTable will be assumed to be
(transfer full). That means the binding needs to free all the items in
the hash table, plus the table itself.

However, all the GHashTables we use have free functions set already, so
freeing the hash table will free its items. This results in a
double-free.

Fix that by ensuring we annotate such (out) hash tables as (transfer
container). Also annotate some other hash tables as (transfer none)
where appropriate, for clarity.

This fixes OSTree.Repo.list_collection_refs() in the Python bindings.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1341
Approved by: dbnicholson

lib/traverse: Port to new style

Not prep for anything, was just reading this code a bit while
working on rpm-ostree jigdo.

Closes: #1338
Approved by: jlebon

Revert "lib/pull: Skip ostree_repo_resolve_keyring_for_collection for bindings"

This reverts commit 519b30b7e1979fea827ea4fe9b0e9ac4db99d631. Now that
the experimental GIR is being built correctly and OstreeRemote is a real
boxed type, this can be exposed again.

Closes: #1337
Approved by: pwithnall

lib: Include OstreeRemote and OstreeCollectionRef in GIR

Now that g-ir-scanner is being told about ENABLE_EXPERIMENTAL_API, it
can include these types correctly. Drop the __GI_SCANNER__ guards in the
header files so that all the declarations are found.

After this, you can actually construct the types normally:

>>> OSTree.CollectionRef.new('com.example.Foo', 'bar')
<OSTree.CollectionRef object at 0x7f2bba4c7528 (OstreeCollectionRef at 0x55c033ff2f30)>

Closes: #1337
Approved by: pwithnall

lib/remote: Export ostree_remote_get_type symbol

Without this, you can't really use OstreeRemote as a GObject, which is a
requirement for bindings.

This was found when attempting to include OstreeRemote in the GIR, and
g-ir-scanner wasn't able to link it's temporary object due to an
"undefined reference to `ostree_remote_get_type'" error.

Closes: #1337
Approved by: pwithnall

bin/summary: Fix --raw option

I wanted to inspect a summary file the other day and was saddened to
find it was broken:

$ ostree summary --raw
error: No option specified; use -u to update summary

Fix the test to do the normal thing of passing just --raw without
--view. It's legal to pass --raw and --view, but it shouldn't be a
requirement.

Closes: #1336
Approved by: cgwalters

deltas: Don't try to rollsum/bsdiff .xz files

Fedora switched to 'xz' compress kernel modules, and recently
[RHEL7 did too](https://bugzilla.redhat.com/show_bug.cgi?id=1367496).
This compression defeats bsdiff.

While we have a "rollsum-able" test, we don't have a "bsdiff-able" test as it'd
be very expensive (we'd have to bsdiff, then apply it and compare the result).

Let's do the tactical quick fix here and just not try to delta files ending in
`.xz.`. This avoids us using bsdiff pointlessly for over 4000 files, which is
quite a notable speed increase for generating deltas.

Closes: #1333
Approved by: jlebon

lib/repo: Add gtk-doc comment to OstreeRepoCommitState

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1335
Approved by: cgwalters

lib/repo: Add OSTREE_REPO_COMMIT_STATE_NORMAL to represent most commits

This allows more explicit handling of commit state in code using
libostree, rather than hard-coding a commit state of 0 for ‘normal’.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1335
Approved by: cgwalters

fetcher/curl: Fix invalid memory access in finalize()

Reorder cleanup functions so that curl_multi_cleanup() runs before
self->sockets is destroyed. This avoids an assert and invalid memory
access in sock_cb where self->sockets is dereferenced during
curl_multi_cleanup().

Closes: https://github.com/ostreedev/ostree/issues/1331
Closes: #1332
Approved by: cgwalters

build: Add a TODO comment about improving glib-mkenums usage in future

Signed-off-by: Philip Withnall <withnall@endlessm.com>
https://github.com/ostreedev/ostree/pull/1329

Closes: #1330
Approved by: cgwalters

build: Also fix -Werror=undef for old libsoup

Same change as before, but for libsoup.

Closes: #1328
Approved by: jlebon

build: Work around -Wundef with older GLib

This previous PR caused our `-Werror=undef` to trigger when building
with older GLib; this should work around it.

Closes: #1327
Approved by: jlebon

lib/pull: Avoid error if current with --require-static-deltas

A tricky thing here that caused this to go past a lot of our tests
is that the code was mostly OK if there was an available delta from
an older commit.  But this case broke if we e.g. had a new OS
deployment and did a `--require-static-deltas` pull, i.e. the initial
state.

I cleaned up our "find static delta state" function to return an enumeration,
and extended it with an "already have the commit" state.  A problem
I then hit is that we've historically fetched detached metadata for
non-delta pulls, even if the commit hasn't changed.  I decided not to
do that for `--require-static-deltas` pulls for now; otherwise the
code gets notably more complex.

Closes: https://github.com/ostreedev/ostree/issues/1321
Closes: #1323
Approved by: jlebon

build: Add -Werror=undef by default, fix fallout

The main thing here is that a ton of stuff has happened in gnulib since we
imported `parse-datetime.y`. I cherry-picked a little bit of it, but that
upstream doesn't seem to build with `-Wundef`, so I just deleted some hunks.

(Note I reindented the warnings consistently)

Update submodule: libglnx

Closes: #1320
Approved by: jlebon

tests: Don't symlink rofiles-fuse if it's disabled

Creating the symlink will cause make to try to build rofiles-fuse, which
will fail if it's disabled. Normally I wouldn't disable rofiles-fuse,
but it's triggering a hang in our ARM Xenial builder's kernel in splice.
I'm sure that's fuse's fault, but for now I just need to disable
rofiles-fuse there and found --disable-rofiles-fuse didn't actually
work.

Closes: #1325
Approved by: cgwalters

lib/pull: Skip ostree_repo_resolve_keyring_for_collection for bindings

Since ostree_remote_get_type is not made available to g-ir-scanner, it
treats OstreeRemote as a bare struct. That's not kosher for bindings and
it issues the following warning:

  src/libostree/ostree-repo-pull.c:5560: Warning: OSTree:
  ostree_repo_resolve_keyring_for_collection: return value: Invalid
  non-constant return of bare structure or union; register as boxed type
  or (skip)

For now, just skip this API for bindings.

Closes: #1322
Approved by: pwithnall

lib/core: Fix documentation comment in ostree_validate_collection_id

g-ir-scanner was spitting this warning:

  src/libostree/ostree-core.c:281: Warning: OSTree:
  ostree_validate_collection_id: unknown parameter 'rev' in
  documentation comment, should be 'collection_id'

Closes: #1322
Approved by: pwithnall

build: Define OSTREE_ENABLE_EXPERIMENTAL_API for g-ir-scanner

When compiling libostree, OSTREE_ENABLE_EXPERIMENTAL_API is managed via
config.h. However, g-ir-scanner can't use that since it gets confused
about the namespace of all the random macros. It won't include the
experimental APIs unless the macro is defined through another means.
Without this, none of the experimental APIs were being included in the
gir data.

Closes: #1322
Approved by: pwithnall

build: Ensure enumtypes.h is built before enumtypes.c

ostree-enumtypes.c includes ostree-enumtypes.h, so make needs to be told
about the dependency. Without it, parallel make could try to build
ostree-enumtypes.c before the header file exists.

I hit this when running `make -j OSTree-1.0.gir`.

Closes: #1322
Approved by: pwithnall

build-sys: Post-release version bump

Closes: #1324
Approved by: pwithnall

Release 2017.13

We've accumulated a fair bit, time for a new release before we
e.g. try to land the locking PR.

Closes: #1319
Approved by: jlebon

Update libglnx

Mostly for https://github.com/GNOME/libglnx/pull/94
since I keep seeing it in the terminal.

Update submodule: libglnx

Closes: #1318
Approved by: jlebon

static deltas: Set optional flag for superblock

Closes: #1317
Approved by: cgwalters

tests: Add a "pull-test2" that uses slightly more realistic content

This one actually exercises the delta paths more; I pulled the
data from some local F26AH builds. One thing I noticed while doing
that is that we try bsdiff on xz'd data, but that won't be useful.
https://github.com/projectatomic/rpm-ostree/issues/470
https://bugzilla.redhat.com/show_bug.cgi?id=1367496

Anyways I verified this test fails without the fixup for `pread()`
in https://github.com/ostreedev/ostree/pull/1312

Closes: #1314
Approved by: jlebon

deltas: Add an if0'd bit to print bsdiff objects

I used this to find the bsdiff'd objects.

Closes: #1314
Approved by: jlebon

bin/delta-compilation: Add a "progress bar" for bsdiff generation

It's the slowest part, let's show admins something. This "update every 10%" code
was copied from the fsck command; obviously a better approach would be "progress
every N seconds" but doing that somewhat accurately requires making things
async; not worth it here yet.

Closes: #1314
Approved by: jlebon

lib/pull: Delete unused "exampleos" code

We never ended up using this, and I'm going to revisit this in another patch
with a different approach that has useful *content* and not just a lot of files.

Closes: #1314
Approved by: jlebon

lib/pull: When --require-static-deltas, use them even for file:/// repos

I didn't fully spelunk this, but from what `static-delta-generate-crosscheck.sh`
had, we appeared to be doing this before, and it's clearly useful for local
testing rather than needing to spin up a HTTP server.

Closes: #1313
Approved by: jlebon

lib: Minor static delta fixes

First, the manual crosscheck script bitrotted; it got caught up
in the "use libtest repo creation wrapper" bit, and also it
seems like at some point `pull --require-static-deltas` changed
meaning when dealing with `file:///` repos. I have more work to
unwind that.

Next, I'm seeing a delta failure which looks like a static delta
miscompilation with rollsums; change the compiler to print out
the source object too, which helped me debug this.

And finally in the processing code, fix incorrect error prefixing, which was
misleading.

Closes: #1311
Approved by: ashcrow

lib/deltas: Fix change to use pread() in write opcode

Fixes: 93457071cb5d47c08b60d3244f9632725634010a "lib/deltas: Use pread() instead of lseek()+read()"
Caught this when trying to test alex's patch locally. I am going to review our
static delta pulls and try to get something more comprehensive locally. But in
the meantime this patch is clearly right.

Closes: #1312
Approved by: jlebon

static deltas: Process each part as soon as its done

Directly when we allocate a new part we finish the old one,
writing the compressed data to a temporary file and generating
the delta header for it.

When all these are done we loop over them and collect the headers,
sizes and either copy the tempfile data into the inlined superblock
or link the tempfiles to disk with the proper names.

Closes: #1309
Approved by: cgwalters

static-delta-compilation: Move some things around

We will do some changes later that need these earliers, so move them up.

Closes: #1309
Approved by: cgwalters

static deltas: Use OtVariantBuilder to create deltas

This allows us to create the final delta desciptor directly on disk
rather than having it all in memory. This is nice because it can
become quite large if inlined parts are used.

Note however, that we currently generate all the delta parts in
memory before adding them to the delta, so we still keep all individual
parts in memory. Fixing that is the next step.

Closes: #1309
Approved by: cgwalters

Add OtVariantBuilder

This is similar to GVariantBuilder in that it constructs variant
containers, but it writes it directly to a file descriptor rather
than keep the entier thing in memory. This is useful to create large
variants without using a lot of memory.

Closes: #1309
Approved by: cgwalters

ostree-system-generator: Include <libglnx.h> for autocleanups

g_autoptr was new in GLib 2.44, but we officially only require 2.40,
so we need to use the backport in libglnx.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1310
Approved by: cgwalters

lib/repo: Fix loading commitstate with parent repos

This makes the code nicer too. Properly unit testing this though really wants
like a whole set of stuff around parent repos...but we do have coverage of the
non-parent path in the current pull tests.

Closes: https://github.com/ostreedev/ostree/issues/1306
Closes: #1308
Approved by: alexlarsson

lib/repo-finder-mount: Ignore mounts which have a ‘system’ file system

For example, tmpfs or a cgroup file system. This is basically an
optimisation of the list of file systems we check for repositories,
since we would never expect any of these file systems to be capable of
containing a repository.

Depends on the new API from
https://bugzilla.gnome.org/show_bug.cgi?id=788927.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1307
Approved by: cgwalters

tree-wide: Use autoptr for OstreeKernelArgs

Much nicer looking. Prep for more cleanup from
https://github.com/projectatomic/rpm-ostree/pull/1013

Closes: #1302
Approved by: peterbaouoft

lib/repo: Properly handle NULL homedir when signing commit

Without this, ostree_repo_sign_commit throws a critical message when no
homedir is provided:

(ostree gpg-sign:5034): GLib-GIO-CRITICAL **: g_file_new_for_path: assertion 'path != NULL' failed

Closes: #1305
Approved by: cgwalters

lib/repo-finder-mount: Fix propagating NULL errors

These two code paths tried to propagate errors which had never been set.
Set new errors instead.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1303
Approved by: cgwalters

ci: Update centos container to current again

Repo sync issue should be cleared now, and for some reason the previous
container is already GC'd.

Closes: #1304
Approved by: peterbaouoft

lib/repo-finder-avahi: Fix memory corruption of a GVariantIter

A GVariantIter* was being passed to a GVariant format string varargs,
rather than a GVariantIter**. This resulted in memory corruption.

So we can continue to reuse ref_map throughout the function, make it a
GVariantIter* rather than a stack-allocated GVariantIter.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1301
Approved by: cgwalters

lib/commit: Fix hardlink checkout commit with bare-user + mod xattrs

This is more subtle fallout from:
https://github.com/ostreedev/ostree/pull/1170
AKA commit: 8fe45362578a43260876134d6547ebd0bb2485c3

Before, if we found a devino cache hit, we'd use it unconditionally.

Recall that `bare-user` repositories are very special in that they're the only
mode where the on disk state ("physical state") is not the "real" state. The
latter is stored in the `user.ostreemeta` xattr. (`bare-user` repos are also
highly special in that symlinks are regular files physically, but that's not
immediately relevant here).

Since we now have `bare-user-only` for the "pure unprivileged container" case,
`bare-user` should just be used for "OS builds" which have nonzero uids (and
possibly SELinux labels etc.)

In an experimental tool I'm writing "skopeo2ostree" which imports OCI images
into refs, then squashes them together into a single final commit, we lost the
the `81` group ID for `/usr/libexec/dbus-1/dbus-daemon-launch-helper`.

This happened because the commit code was loading the "physical" disk state,
where the uid/gid are zero because that's the uid I happened to be using. We
didn't just directly do the link speedup because I was using `--selinux-policy`
which caused the xattrs to change, which caused us to re-commit objects from the
physical state.

The unit test I added actually doesn't quite trigger this, but I left
it because "why not". Really testing this requires the installed test
which uses SELinux policy from `/`.

The behavior without this fix looks like:

```
-00755 0 0 12 { [(b'user.ostreemeta', [byte 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x81, 0xed]), (b'security.selinux', b'system_u:object_r:lib_t:s0')] } /usr/lib/dbus-daemon-helper
```

which was obviously totally broken - we shouldn't be picking up the
`user.ostreemeta` xattr and actually committing it of course.

Closes: #1297
Approved by: jlebon

lib/sysroot: Expand docs for ostree_sysroot_get_repo()

Add some missing annotations and clarify that it always returns an open
repository on success.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1300
Approved by: cgwalters

core: Add standard SOURCE_TITLE metadata key

This is a freeform string useful to track/display when a commit is "derived"
from some other format. For example, in the rpm-ostree test we make a
`vmcheck` ref that conceptually overlays the default ref like
`fedora-atomic:fedora/26/x86_64/atomic-host`.

My current patch sets the source title to e.g.
"Dev overlay on fedora-atomic:fedora/26/x86_64/atomic-host".

Another case I'm working on now is importing OCI images to use
as host images. For that case, the source title is
With this patch we could then set the original OCI image name + tag
as the source name, like:
"oci:cgwalters/demo-custom-fedora-atomic-host:26".

Closes: #1296
Approved by: jlebon

bin/status: Inline metadata parsing for versions

Pull out the commit metadata explicitly; still just rendering the version, but
this is prep for rendering other metadata keys.

Closes: #1296
Approved by: jlebon

bin/status: Port to new style

No functional changes; prep for more work.

Closes: #1296
Approved by: jlebon

docs/related-projects: Add Google Usenix link

Closes: https://github.com/ostreedev/ostree/issues/1284
Closes: #1299
Approved by: cgwalters

repo: Add wrapper function for setting devino cache on checkout opts

I was trying to use this with pygobject for an OCI+ostree project, and pygobject
rejected simply assigning to the field (understandably, since it can't bind the
lifetime together).

Add a wrapper function, which is still unsafe, but hides that unsafety
where most people shouldn't find it. And if they do...well, sorry,
Rust wasn't invented when ostree was started.

Closes: #1295
Approved by: pwithnall

lib/checkout: For "process whiteouts" mode, replace directories too

I'm playing around with some ostree ⇔ OCI/Docker bits, and ran
into this while importing an OCI image that built from the Fedora
base image where `/home` is a regular directory, and I added a layer
that did the ostree bits of moving it to `/var` and leaving a symlink.

OCI/Docker supports this. Now since "process whiteouts" is really the
"enable OCI/Docker" mode, let's only replace dirs if that's enabled.
This leaves the `UNION_FILES` targeted for its original use case
which is unioning components/packages. (Although that use case itself
is now a bit superceded by `UNION_IDENTICAL`, but eh).

Closes: #1294
Approved by: jlebon

ostree: provide command description in a better place

This is similar idea as
https://github.com/projectatomic/rpm-ostree/pull/916/commits/5c0bf889155573feec108501ce849ac09a0c9567,

The duplicated description is now removed, and the description
of the command is now displayed beneath the Usage.

For example:
ostree cat -h will output the following:

"Usage:
ostree cat [OPTION?] COMMIT PATH...

Concatenate contents of files"

Closes: #1267
Approved by: cgwalters

ostree: move flags into command struct, pass down through builtins

This is a similar approach as
https://github.com/projectatomic/rpm-ostree/commit/12c34bb2491a07079c911ef26401fee939e5573c.

One thing to note is when we parse the admin related functions,
we still keep the old admin related flags, and added a new parameter
to represent the command struct.

This allows us to identify the caller of the function, making it
easier for us to possibly deduplicate the subcommand handling in
the future. A similar approach is done in rpm-ostree:
https://github.com/projectatomic/rpm-ostree/commit/83aeb018c1012c7a43783c09b74ec71bc9c45826

This also makes it easier for us to change the prototype of the function.
If we want to add something new in the future, we won't need to touch every prototype.

Closes: #1267
Approved by: cgwalters

ostree: Describe subcommands in help output

Added a description argument to all type
of commands. Now when we include -h or --help
for commands that contain subcommands, the description
for those subcommands are shown.

The added subcommands help will be provided to the following commands:
- ostree -h
- ostree admin -h
- ostree admin instutil -h
- ostree remote -h
- ostree static-delta -h

Closes: #1267
Approved by: cgwalters

lib/repo-finder: Add OstreeRepoFinderOverride

This is another OstreeRepoFinder implementation; it returns results from
a given set of URIs. It’s designed to be used for implementing user
overrides to other repo-finders, or for implementing unit tests.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1281
Approved by: mwleeds

lib/repo-finder-avahi: Fix a leak in a GVariantIter loop

Use g_variant_iter_loop() rather than next(), since it automatically
handles freeing the child memory each iteration. Previously, we leaked
it for all but the last iteration.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1293
Approved by: cgwalters

Disallow refs starting with a non-letter or digit

Change the regexp for validating refs to require at least one letter or digit
before allowing the other special chars in the set `[.-_]`. Names that start
with `.` are traditionally Unix hidden files; let's ignore them under the
assumption they're metadata for some other tool, and we don't want to
potentially conflict with the special `.` and `..` Unix directory entries.
Further, names starting with `-` are problematic for Unix cmdline option
processing; there's no good reason to support that. Finally, disallow `_` just
on general principle - it's simpler to say that ref identifiers must start with
a letter or digit.

We also ignore any existing files (that might be previously created refs) that
start with `.` in the `refs/` directory - there's a Red Hat tool for content
management that injects `.rsync` files, which is why this patch was first
written.

V1: Update to ban all refs starting with a non-letter/digit, and
also add another call to `ostree_validate_rev` in the pull
code.

Closes: https://github.com/ostreedev/ostree/issues/1285
Closes: #1286
Approved by: jlebon

build: Do *.am.inc substitutions from make correctly

The string needs to be escaped with a $ since we want to replace the
literal string $(path). Without this make will run the command with the
value of the variable, which won't match anything in the input Makefile
stub.

Closes: #1291
Approved by: smcv

lib/commit: fix checking flag with bitwise OR

Caught by Coverity.

Coverity CID: 1458339

Closes: #1290
Approved by: cgwalters