dgit.raspbian.org Git - ostree.git/log

lib: Define an alias OSTREE_REPO_MODE_ARCHIVE

For the old `OSTREE_REPO_MODE_ARCHIVE_Z2`. Use it mostly tree
wide except for the repo finder tests (to avoid conflicting with
some outstanding PRs).

Just noted another user coming in some of those tests and wanted to do a
cleanup.

Closes: #1209
Approved by: jlebon

lib/core: Add static assertions for OstreeRepoMode enum values

Prep for adding an alias.

Closes: #1209
Approved by: jlebon

Add a .vimrc and .editorconfig

The `.vimrc` requires the `exrc` option to be turned on, and
`.editorconfig` requires https://github.com/editorconfig/editorconfig-vim
apparently.

Closes: #1208
Approved by: cgwalters

tests/libtest: check that we have setfattr

We use `setfattr` to determine whether the filesystem we're on supports
xattrs, but we need to check that `setfattr` itself is available. We
just make it a hard requirement but only if trying to run tests that ask
about xattr support.

Closes: #1207
Approved by: cgwalters

tests: allow specifying tmpdir

Allow developers to override the default /var/tmp dir, which e.g. might
be on overlayfs and thus produces reduced coverage.

Closes: #1207
Approved by: cgwalters

tree-wide: Remove Emacs modelines

We added a `.dir-locals.el` in commit: 9a77017d87b74c5e2895cdd64ad098018929403f
There's no need to have it per-file, with that people might think
to add other editors, which is the wrong direction.

Closes: #1206
Approved by: jlebon

lib/repo: Add ostree_repo_hash() and tests

Add a hash function for OstreeRepo instances, which relies on the repo
being open, and hence being able to hash the device and inode of its
root directory.

Add unit tests for this and ostree_repo_equal().

Signed-off-by: Philip Withnall <withnall@endlessm.com>
https://github.com/ostreedev/ostree/issues/1191

Closes: #1205
Approved by: cgwalters

lib/repo: Use correct name for tmpdir lockfile

Such an evil bug 🙈. I was just reading an strace trying to figure out what was
going on, and noticed we had the `XXXXXX` in the lockfile name. It was only
after that I realized that that this might *be* the cause of the skopeo issue.

This is another case where we definitely need more test coverage of things that
actually use the API multiple times in process; might look at dusting off the
work for the rpm-ostree test.

Closes: https://github.com/ostreedev/ostree/issues/1196
Closes: #1204
Approved by: jlebon

ci: Add an "all options disabled" context

We keep occasionally regressing this so let's start covering it now. I'm
intentionally not running the tests since that would likely entail a lot more
conditionalizing pain.

Closes: #1194
Approved by: jlebon

lib/commit: Don't try to call linkat() for import on distinct devices

While opening a repo we've recorded the device/inode for a while; use it to
avoid calling `linkat()` during object import if we know it's going to fail.

Closes: #1193
Approved by: jlebon

lib: Move bareuseronly verification into commit/core

Conceptually `ostree-repo-pull.c` should be be written using
just public APIs; we theoretically support building without HTTP
for people who just want to use the object store portion and
do their own fetching.

We have some nontrivial behaviors in the pull layer though; one
of those is the "bareuseronly" verification. Make a new internal
API that accepts flags, move it into `commit.c`. This
is prep for further work in changing object import to support
reflinks.

Closes: #1193
Approved by: jlebon

rofiles-fuse: also pass mode for O_RDONLY

In the `O_RDONLY` case, we were calling `openat` without a mode
argument. However, it's perfectly legal (albeit unusual) to do
`open(O_RDONLY|O_CREAT)`. One such application that makes use of this is
`flock(1)`.

This was actually caught by `_FORTIFY_SOURCE=2`, and once we run
`rofiles-fuse` with `-f`, the message is clear:

```
*** invalid openat64 call: O_CREAT or O_TMPFILE without mode ***:
rofiles-fuse terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7c8dc)[0x7f36d9f188dc]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f36d9fbfaa7]
/lib64/libc.so.6(+0x10019a)[0x7f36d9f9c19a]
rofiles-fuse[0x401768]
...
```

Without `_FORTIFY_SOURCE`, the file gets created, but its mode is
completely random.

I ran into this while investigating
https://github.com/projectatomic/rpm-ostree/pull/1003.

Closes: #1200
Approved by: cgwalters

tree-wide: Squash a few warnings when building with no features

Noticed these since I had a local configured build with no features for testing
the PAPR context for it.

Closes: #1201
Approved by: jlebon

lib/checkout: Squash a gcc maybe-uninitialized warning

gcc doesn't know that our enum cases must be exhaustive.

Closes: #1201
Approved by: jlebon

lib/repo: Move alloca() outside of loop

Just noticed this while looking at the code for a different issue.

Closes: #1201
Approved by: jlebon

lib/repo: Don't syncfs or fsync() dirs if fsync opt is disabled

There are use cases for not syncing at all; think build cache repos, etc. Let's
be consistent here and make sure if fsync is disabled we do no sync at all.

I chose this opportunity to add tests using the shiny new strace fault
injection. I can forsee using this for a lot more things, so I made
the support for detecting things generic.

Related: https://github.com/ostreedev/ostree/issues/1184

Closes: #1186
Approved by: jlebon

tests/libtest: Factor out user xattr detection

Make the equivalent of a `GOnce` or Rust `lazy_static!` detecting this and share
it between the two callers.

Prep for a future similar patch for strace fault injection.

Closes: #1186
Approved by: jlebon

lib/pull: Clarify use of unsigned summary support

Update the comments and remove an unneeded variable to make it clear
that the find_remotes_async() / pull_from_remotes_async() functions use
the unsigned summary support.

This is a follow-up of commit 8c148eb7e "lib/repo-finder: Emit
gpg-verify-summary=false in dynamic remote config".

Closes: #1195
Approved by: pwithnall

tests: Reset umask to 022 while creating test repository

In test-basic-root.sh we make assertions about the permissions
of files like baz/cow, which were created without an explicit chmod.
We can't do that unless we control the permissions.

For some reason the "debomatic" autobuilder used to do some Debian
archive rebuilds does the entire build including build-time tests
as uid 0 with umask 002, which broke those assertions. This seems
a weird thing to do, and I've opened a bug, but it also seems
reasonable to fix this test.

This also lets us remove a couple of existing workarounds for the
same issue.

Bug-Debian: https://bugs.debian.org/876138
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1192
Approved by: cgwalters

Add support for pkcs11 URIs in TLS client key/certificate

Closes: #1183
Approved by: cgwalters

lib/pull: Wait for pending ops to complete on error

I saw in a stack trace that the main thread was calling `exit()` even while
worker threads were alive and doing sha256/write/fsync etc. for objects.

The stack trace was a SEGV as the main thread was calling into library
`atexit()` handlers and we were a liblz4 destructor:

```
#0 0x00007f2db790f8d4 _fini (liblz4.so.1)
#1 0x00007f2dbbae1c68 __run_exit_handlers (libc.so.6)
```

(Why that library has a destructor I don't know offhand, can't find
it in the source in a quick look)

Anyways, global library destructors and worker threads continuing simply don't
mix. Let's wait for our outstanding operations before we exit. This is also a
good idea for projects using libostree as a shared library, as we don't want
worker threads outliving operations.

Our existing pull corruption tests exercise coverage here.

I added a new `caught-error` status boolean to the progress API, and use it the
commandline to tell the user that we're waiting for outstanding ops.

Closes: #1185
Approved by: jlebon

lib/repo: Minor cleanup to object import function

We have a lot of layers of abstraction here; let's fold in the `trusted`
conditional into the call, since that's all the public API we're using does
anyways.

Prep for a future patch around object copying during imports.

Closes: #1187
Approved by: jlebon

tests: Explicitly unset LANGUAGE after setting LC_ALL

As a GNU extension, LANGUAGE takes precedence over LC_ALL for
gettext(3) whenever the locale is not C, causing tests that grep for
specific English strings to fail when run in non-English locales.
The upstream glibc proposal for C.UTF-8 would give C.UTF-8 the same
special case as C here, but the implementation in Debian does not
currently have this, so we have to unset LANGUAGE too.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1188
Approved by: jlebon

tree-wide: Some glnx_fstatat_allow_noent() porting

The new API is definitely nicer.

Closes: #1180
Approved by: jlebon

lib/repo: Drop outdated FIXME comment from ostree-repo.h

This was some incomplete planning from while the find_remotes() API was
being designed; now totally outdated.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1179
Approved by: cgwalters

lib/repo-finder-mount: Change the schema for finding repos on volumes

See issue #1174 for the rationale behind this. In summary:
• It required two lists of collection–refs to be maintained: one in the
repository, and one pointing to the repository.
• It didn’t automatically work for live USBs of OSs based on OSTree
(where there’s always a repository at /ostree/repo).
• It was unnecessarily complex.

The new scheme allows a list of repositories to be searched, but without
needing a layer of indirection through their collection–refs. It adds
/ostree/repo and /.ostree/repo as well-known repository locations which
are always checked on a mounted volume (if they exist).

Update the unit tests accordingly.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
https://github.com/ostreedev/ostree/issues/1174

Closes: #1179
Approved by: cgwalters

lib/repo: Add ostree_repo_equal() for comparing repos

This will compare their root directory inodes to see if they are the
same repository on disk. A convenience method for the users of the
public API who can’t access OstreeRepo.inode.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1179
Approved by: cgwalters

ci: Use distro-sync instead of upgrade

This should help ensure that if installing `glibc-devel` downgrades `glibc`
we'll run through our hackround for
<https://bugzilla.redhat.com/show_bug.cgi?id=1394862>.

Closes: #1190
Approved by: jlebon

bin/prune: Add --only-branch

In 5c940987e768523ef1411b65bcaad09fba6befef / #646 we
added `--retain-branch-depth`; this adds a symmetric
`--only-branch` for the case where a repo owner just
wants to prune a specific branch.

The implementation here is pretty straightforward; we
just walk all refs and inject the equivalent of
`--retain-branch-depth=$ref=-1` if they're *not* in
`--only-branch`.

Closes: https://github.com/ostreedev/ostree/issues/1115
Closes: #1127
Approved by: jlebon

tests/prune: Factor out a helper for counting commits in the repo

We had lots of duplicates; prep for adding more tests.

Closes: #1127
Approved by: jlebon

Update libglnx

Update libglnx, which is mostly port the repo stagedir code
to the new tmpdir API. This turned out to require some
libglnx changes to support de-allocating the tmpdir ref while
still maintaining the on-disk dir.

Update submodule: libglnx

Closes: #1172
Approved by: jlebon

bin/commit: Fix build failure when libarchive is not used

A `"}"` at line 641 is missing when `HAVE_LIBARCHIVE` is not defined
(even though probably few will use ostree without libarchive).

Closes: #1181
Approved by: jlebon

test-help.sh: Skip trivial-httpd if enabled

Because it runs a binary in ${libexecdir}, it will only work if
libostree was already installed, which makes the build-time test fail.
It also doesn't produce the output we expect: its usage mechanism
mentions "ostree-trivial-httpd", not "ostree trivial-httpd".

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1177
Approved by: jlebon

tests: Fix JavaScript tests with gjs 1.50.0

In recent gjs, you can't declare a variable with "let" multiple times.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1178
Approved by: cgwalters

lib/pull: Drop partial fetch code from libsoup backend

Doing this in prep for libglnx tmpdir porting, but I think we should also do
this because the partial fetch code IMO was never fully baked; among other
things it was never integrated into the scheme we came up with for "boot id
sync" that we use for complete/staged objects.

There's a lot of complexity here that while we have some coverage for, I think
we need to refocus on the core functionality. The libcurl backend doesn't have
an equivalent to this today.

In particular for small objects, this is simply overly complex. The downside is
clearly for large objects like FAH's 61MB initramfs; not being able to resume
fetches of those is unfortunate.

In practice though, I think most people should be using deltas, and we need to
make sure deltas work for large objects anyways.

Further ultimately the peer-to-peer work should help a lot for people
with truly unreliable connections.

Closes: #1176
Approved by: jlebon

lib/checkout: Do UNION_FILES via atomic renameat()

I was looking at fixing an `rpm-ostree livefs` bug where we need to replace
`/usr/lib/passwd`. It's obviously bad if that temporarily disappears 😉. My plan
is to do a subpath checkout of just `/usr/lib/{passwd,group}`.

Make this atomic (i.e. file always exists) by changing the logic to create a
temporary link in repo/tmp, then rename() it into place.

A bonus here is we kill one of the very few (only?) non-error-cleanup i.e.
"non-linear" `goto`s in the ostree codebase.

Closes: #1171
Approved by: jlebon

lib/repo: Port gpg signing function to new code style

We already had all of the autocleanups ready for this.

Closes: #1164
Approved by: jlebon

build-sys: Post-release version bump

Closes: #1175
Approved by: cgwalters

Release 2017.11

Closes: #1173
Approved by: jlebon

tests: Port some bits of C to new style

Where we can; perhaps after updating libglnx we should use the
new test error macro?

Closes: #1169
Approved by: jlebon

lib/checkout: Rename disjoint union, change to merge identical files

It turns out that librpm automatically merges identical files between
distinct packages, and this occurs in practice with Fedora today between
`chkconfig` and `initscripts` for exmaple.

Since we added this for rpm-ostree, we basically want to do what librpm does,
let's change the semantics to do a merge. While we're here rename
to `UNION_IDENTICAL`.

Closes: #1156
Approved by: jlebon

lib/repo: Port tmpdir locking func to new style

Prep for future work.

Closes: #1168
Approved by: jlebon

build-sys: Add -Werror=switch

We use the "exhaustive enum" pattern (i.e. no `default:`) in some places so
we're forced to touch all users when adding cases.

Closes: #1167
Approved by: peterbaouoft

repo: Ensure new config doesn't set remotes in separate file

If the new configuration passed to ostree_write_config () tries to
update options for a remote defined in a separate config file, return an
error. Without this, the full configuration would contain duplicate
remote specifications, which would raise an error the next time the repo
is opened.

Closes: #1159
Approved by: cgwalters

bin/remote: don't load repo on root command

Subcommands will demand a repo argument themselves. This allows one to
call `ostree remote` and get the "No subcommand" error rather than the
"Missing --repo" error.

Closes: #1126
Approved by: cgwalters

bin/admin: Don't load sysroot for root commands

There's no need to load the sysroot for root commands which have
subcommands, like `ostree admin` and `ostree admin instutil`. Otherwise,
even just calling them without arguments will cause a failure. The
subcommands will have the appropriate flags set as needed.

Closes: #1126
Approved by: cgwalters

bin/static-delta: Convert to new style and tweak output

Convert the whole file to new style. Also tweak the help outputs to make
it similar enough to the other commands for tests to pass. Of course, we
should just centralize all subcommand handling the same way it was done
in rpm-ostree, though let's punt on that for now.

Closes: #1126
Approved by: cgwalters

bin/admin: Don't require root for instutil

Otherwise, we can't even do `--help` on it. The subcommands all already
have the root flag set.

Closes: #1126
Approved by: cgwalters

tests/test-help.sh: Rework and strengthen checks

The `sed` expression wasn't actually matching the main output, so we
weren't recursing into the subcommands. Update the syntax to match the
current output and add a check so we don't miss that happening again.

Add a check that the help output is only printed once in all
circumstances. Also add a check for proper handling of non-existent
commands.

Closes: #1126
Approved by: cgwalters

bin/config: Tweak parameter string

Make the parameter string more detailed.

Closes: #1126
Approved by: cgwalters

bin/main: Print usage when no command given

Minor regression from https://github.com/ostreedev/ostree/pull/1106. We
want to print the usage text both when unknown commands are passed, as
well as when no commands are passed at all.

Closes: #1126
Approved by: cgwalters

lib/sysroot: Use direct g_mkdtemp() for overlay tmpdir

The new libglnx `glnx_mkdtempat()` uses autocleanups, which
is inconvenient for this use case where we *don't* want autocleanups.
Since we don't need it to be fd-relative, just directly invoke
`g_mkdtemp_full()` which is fine for this use case.

Prep for updating libglnx.

Closes: #1161
Approved by: jlebon

ci: Fixate CentOS container image until rpm-md repos sync

Copy of https://github.com/projectatomic/rpm-ostree/pull/985

Closes: #1160
Approved by: jlebon

repo: Add add-remotes-config-dir option

This option allows a repo to explicitly opt out of adding new remotes in
a remotes configuration directory. This currently defaults to true for
system repos and false for non-system repos to maintain legacy behavior
that non-system repos don't add remotes in a configuration directory.
That would be problematic for flatpak, which specifies a remotes config
dir but adds remotes in ways that are incompatible with it.

So, what this really does is allow system repos to control whether they
want to add remotes in the config dir or not. That's important if your
flatpak repo is the system repo like at Endless.

Closes: #1134
Closes: #1155
Approved by: cgwalters

sysroot: Reload config after setting sysroot kind

This allows any repo configuration defaults to be set based on whether
it's a system repo or not.

Closes: #1155
Approved by: cgwalters

lib/repo: Update outdated comment

Closes: #1157
Approved by: cgwalters

rofiles-fuse: Fix lchown() and hardlink verification for symlinks

If you lchown("symlink") then we were incorrectly trying to chown the
symlink target, rather than the symlink itself. In particular, this cause
cp -a to fail for a broken symlink. Additionally, it was using the
symlink target when verifying writability, rather than the symlink
itself.

To fix this, we need pass AT_SYMLINK_NOFOLLOW in these cases.

In general, the kernel itself will always resolve any symlinks for us
before calling into the fuse backend, so we should really never do any
symlink following in the fuse fs itself. So, we pro-actively add
NOFOLLOW flags to a few other places:

truncate:
      In reality this will never be hit, because
      the kernel will resolve symlinks before calling us.
access:
      It seems the current fuse implementation never calls this
      (faccessat w/AT_SYMLINK_NOFOLLOW never reaches the fuse fs)
      but if this ever is implemented this is the correct behaviour.

We would ideally do `chmod` but this is not implemented on current kernels.
Because we're not multi-threaded, this is OK anyways.

Further, our write verification wasn't correctly handling the case of hardlinked
symlinks, which can occur for `bare` checkouts but *not* `bare-user` which the
tests were using. Change to `bare` mode to verify that.

Closes: #1137
Approved by: alexlarsson

lib/syslinux: Port to new code style

There was only one tricky bit here around the ownership of the lines; I made use
of `g_steal_pointer()` to consistently track ownership, and converted to a `for`
loop while still preserving the loop logic around the last entry.

Closes: #1154
Approved by: jlebon

lib: Add a private helper to abort txns, use in sysroot cleanup

Steal some code from flatpak for this, which allows porting a few more things to
new style. I started on a public API version of this but was trying to roll some
other things into it and it snowballed. Let's do this version since it's easy
for now.

While here I changed things so that `generate_deployment_refs()` now just uses
`_set_ref_immediate()` rather than requring a txn.

Also, AFAICS there was no test coverage of `generate_deployment_refs()`; I tried
commenting it out and at least `admin-test.sh` passed. Add some coverage of this
- I verified that with this commenting out bits of that function cause the test
to fail.

Closes: #1132
Approved by: jlebon

lib/grub2: Port some to new code style

I resisted trying to do anything invasive here like fd-relative porting as our
coverage is weak. But this was all straightforward porting to decl-after-stmt
style.

Closes: #1153
Approved by: jlebon

repo: Fix non-system remotes-config-dir usage

Before commit e0346c1, a non-system repo could specify
remotes-config-dir and have remotes read from there. However, adding
remotes would only be done in the config dir for a system repo. Restore
that by respecting remotes-config-dir when no sysroot is found and
adding back the ostree_repo_is_system() check when adding remotes.

Closes: #1133
Closes: #1151
Approved by: cgwalters

uboot: add non-default deployments to uEnv.txt

Include non-default deployments in the uEnv.txt file imported by
U-Boot. All the configurations beside the defaults will have
numerical suffix E.G. "kernel_image2" or "bootargs2".
Those U-Boot environment variables may be used from interactive boot
prompt or from "altbootcmd" script.

Closes: #1138
Approved by: cgwalters

uboot: move system uEnv merge to new function, clean up

Split the code that merge the system uEnv to new function. While we're here,
clean up the logic to e.g. use `ot_openat_ignore_enoent()`.

Closes: #1138
Approved by: cgwalters

tree-wide: Add error prefixing for most remaining syscalls

There were some important ones there like a random `syncfs()`. The remaining
users are mostly blocked on the "fstatat enoent" case, I'll wait to port those.

Closes: #1150
Approved by: jlebon

lib/sysroot: Use fd-relative acccess for bootversion cleanup

I noticed this was an easy change.

Closes: #1148
Approved by: peterbaouoft

lib/gpg: Provide the public key to the duplicate check

Add keys from the signing homedir to the GpgVerifier used to look
for duplicate signatures. This will allow signatures from subkeys
to be canonicalised and recognised as already signed despite the
differing key ID, avoiding duplicate signatures.

Closes: https://github.com/ostreedev/ostree/issues/608
Closes: #1092
Approved by: cgwalters

lib/gpg: Correct missing line prefix with bad signatures

In the case the signature time was bad, a line prefix was missing from the
result of `ostree_gpg_verify_result_describe_variant()`.

Closes: #1092
Approved by: cgwalters

lib/gpg: Add _FINGERPRINT_PRIMARY to OstreeGpgVerifyResult

Revert the switch of _FINGERPRINT to giving the primary key ID
rather than the signing key ID, and instead add the primary
key ID as a new attribute which is available if the key is not
missing.

Closes: https://github.com/ostreedev/ostree/issues/608
Closes: #1092
Approved by: cgwalters

tests: Check "refs -c PREFIX" behavior

This commit adds tests to check the behavior of "refs -c PREFIX", where
prefix is interpreted as a collection ID.

Closes: #1149
Approved by: cgwalters

lib/commit: Add some error prefixing for txn commit/tmpdir

To help debug this: https://lists.projectatomic.io/projectatomic-archives/atomic-devel/2017-September/msg00001.html

Currently we just get: `error: Commit: unlinkat: Directory not empty`

Closes: #1147
Approved by: jlebon

lib/pull: A bit of new style porting

A lof of the functions here are async and have nontrivial exits, but these ones
are all sync were straightforward ports.

Not prep for anything, just chipping away at porting.

Closes: #1146
Approved by: jlebon

lib/pull: Only look for cookie files for non-local remotes

Just noticed this while reading an strace.

Closes: https://github.com/ostreedev/ostree/issues/1139
Closes: #1145
Approved by: jlebon

lib/commit: Update docs/code style for ostree_repo_scan_hardlinks()

Happened to notice this one `goto out` user, and decided to tweak the docs at
the same time.

Closes: #1144
Approved by: jlebon

tree-wide: Use helpers for unlinkat()

We have `ot_ensure_unlinked_at()` for the "ignore ENOENT" case, and
`glnx_unlinkat()` otherwise. Port all in-tree callers to one or the other as
appropriate.

Just noticed an unprefixed error in the refs case and decided to do a tree-wide
check.

Closes: #1142
Approved by: jlebon

tests/rofiles-fuse: Add tests for chmod/chown

Prep for https://github.com/ostreedev/ostree/pull/1137 where
we were incorrectly handling `chown()` on symlinks.

Closes: #1141
Approved by: jlebon

lib/gpg: Port a few misc gpg functions to new style

I'd mostly been skipping the GPG functions due to lack of autoptr for a few
things, but I noticed these bits were straightforward.

Closes: #1136
Approved by: jlebon

lib/gpg: Use nicer helper for gpg error messages

The vast majority of invocations of `ot_gpgme_error_to_gio_error()` were paired
with `g_prefix_error()`; let's combine them for the same reason we do
`glnx_throw_errno_prefix()`. For the few cases that don't we might as well add
some prefix.

I also changed it to `return FALSE` in prep for more style porting.

Closes: #1135
Approved by: jlebon

lib/sysroot: A bit more new style porting

A few things not done in the last pass; prep for `ostree_sysroot_new_at()` work.

Closes: #1131
Approved by: jlebon

bin/local-pull: Clarify docs, add more tests for corrupted local pulls

I was reading the pull-local command docs and realized it was somewhat unclear
that `--untrusted` *only* applied to local repo pulls; in other words that we
always treat non-local pulls as untrusted.

Tweak the docstring, and add tests that verify this explicitly.

Closes: #1130
Approved by: jlebon

lib/repo: Add error prefixing during hardlink object import

I happened to have a repo with a missing commit object, and got an unprefixed
error during a pull-local.

Closes: #1129
Approved by: jlebon

lib/repo: Add apidoc for repo properties

However, they weren't showing up in the output HTML and I have
no idea why; I looked at what we're doing and it looks close enough
to what's going on in `GDBusConnection` that I was using as a reference.
I'm not going to spend a lot of time to debug it right now.

Closes: #1140
Approved by: jlebon

ci: Hackaround Fedora rpm/libdb/glibc issue

Not sure I want to wait a few days for a new container, so let's
give this a shot now.

See https://bugzilla.redhat.com/show_bug.cgi?id=1483553

Closes: #1143
Approved by: jlebon

bin/admin: Check for booted sysroot for root-required commands

Drops a use of `ostree_sysroot_get_path()`, prep for `ostree_sysroot_new_at()`.

Closes: #1123
Approved by: jlebon

bin/admin: Do sysroot loading during argument parsing

Followup from previous patch - we can now centralize the sysroot loading.
Besides the obvious cleanup value, this is also prep for dropping an
`ostree_sysroot_get_path()` user.

Closes: #1123
Approved by: jlebon

bin/admin: Change init-fs to stop loading a sysroot to init one

This is exactly analogous to the `ostree init` case where
we have `OSTREE_BUILTIN_FLAG_NO_REPO` to avoid trying to load
a repo when we're creating one.

Let's avoid the pointless sysroot for `init-fs`; among other
things this will then let us do `ostree_sysroot_load()` inside
the argument parsing, and drop it from every other user.

Closes: #1123
Approved by: jlebon

bin/admin: Check for booted deployment to see if we should reboot

Rather than calling `ostree_sysroot_get_path()`, which I'd like to deprecate for
the same reason as `ostree_repo_get_path()`.

Closes: #1123
Approved by: jlebon

bin/admin: Port switch,upgrade to new style

Was pretty easy. Prep for future work.

Closes: #1123
Approved by: jlebon

bin/prune: Port to new style

No functional changes, all straightforward. Prep for
https://github.com/ostreedev/ostree/issues/1115

Closes: #1124
Approved by: jlebon

tree-wide: Replace archive-z2 with archive

In almost all places. There are just a few exceptions; one tricky bit for
example is that the repo config must still have `mode=archive-z2`, since
`archive` used to mean something else. (We could very likely just get rid of
that check, but eh, later).

I also added a test that one can still do `ostree repo init --mode=archive-z2`.

Closes: #1125
Approved by: jlebon

checkout: add an extra checkout_overwrite mode

This is for issue projectatomic/rpm-ostree#365,
an extra option of overwrite mode is added to the checkout command
so that when there is "non-directory" file already exist
during checkout, the error will be handled.

Some tests are added for regression

Closes: #1116
Approved by: cgwalters

commit: filter out selinux label before commit

The new --selinux-policy added in [0] exposed a subtle issue in the way
we handle labeling during commit. The CI system in rpm-ostree hit this
when trying to make use of it[1].

Basically, because of the way we use a GVariant to represent xattrs, if
a file to be committed already has an SELinux label, the xattr object
ends up with *two* label entries. This of course throws off fsck later
on, since the checksum will have gone over both entries, even though the
on-disk file will only have a single label (in which the second entry
wins).

I confirmed that the `fsck` added in the installed test fails without
the rest of this patch.

[0] https://github.com/ostreedev/ostree/pull/1114
[1] https://github.com/projectatomic/rpm-ostree/pull/953

Closes: #1121
Approved by: cgwalters

tests: Make the deployment mutable in test-sysroot.js

We attempt to make deployments mutable in the test suite (as opposed to
immutable which is the default) to make it easier to chmod and clean up
the tmp files after each test. This is normally accomplished by setting
OSTREE_SYSROOT_DEBUG=mutable-deployments in libtest.sh, but that only
affects the environment variables for that bash instance, not the
process running gjs. So in test-sysroot.js OSTREE_SYSROOT_DEBUG wasn't
set when sysroot.deploy_tree() was called, which means the deployment
was made immutable which eventually causes the test to fail. This only
occurs when the test is run by the root user because for non-root users
_ostree_linuxfs_fd_alter_immutable_flag() would silently fail and the
deployment would be mutable.

This commit fixes this issue by setting the environment variable in
tests/test-sysroot.js.

Closes: #1122
Approved by: cgwalters

libarchive: Add support for translating paths during commit

For rpm-ostree, I want to move RPM files in `/boot` to `/usr/lib/ostree-boot`.
This is currently impossible without forking the libarchive code. Supporting
this is pretty straightforward; we already had pathname translation in
the libarchive code, we just need to expose it as an option.

On the command line side, I chose to wrap this as a regexp. That should be good
enough for a lot of use cases; sophisticated users should as always be making
use of the API. Note that this required some new `#ifdef LIBARCHIVE` bits to use
the new API. Following previous patterns here, we use the new API only if a
relevant option is enabled, ensuring unit test coverage of both paths.

For the test cases, I ended up changing the accounting to avoid having to
multiply the test count.

Closes: #1105
Approved by: jlebon

Remove shebang from bash completions

bash completions are to be sourced. It makes little sense to
execute them.

Detected by Debian's Lintian tool, which warns about non-executable
files that appear to be #! scripts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1119
Approved by: cgwalters

test-basic-user-only: Skip final step if no user xattrs

We don't want to skip the entire test, because the whole point of
bare-user-only is that it works in the absence of xattrs; but we do
need to skip this last stage, which explicitly uses a bare-user
repository.

Signed-off-by: Simon McVittie <smcv@debian.org>
Closes: #1120
Approved by: cgwalters

basic-test: Skip explicit uses of bare-user if no user xattrs

Signed-off-by: Simon McVittie <smcv@debian.org>
Closes: #1120
Approved by: cgwalters

libtest: Allow skipping single checks without user xattrs

Signed-off-by: Simon McVittie <smcv@debian.org>
Closes: #1120
Approved by: cgwalters

test-pull-bareuser.sh: This test uses bare-user, hence needs xattrs

Signed-off-by: Simon McVittie <smcv@debian.org>
Closes: #1120
Approved by: cgwalters

test-libarchive-import: Skip if extended attributes are unsupported

This is the case at build-time on some (all?) Debian autobuilders.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: #1120
Approved by: cgwalters

lib/repo-refs: Fix typos in last commit

This fixes a whitespace error and a mistake that made it into the last
commit, 7ed881baa, at the last minute.

Closes: #1112
Approved by: cgwalters