import ostree-2022.2-6.el8

c8 imports/c8/ostree-2022.2-6.el8
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
commit 9c65a4dd76

.gitignore

@ -0,0 +1 @@
SOURCES/libostree-2022.2.tar.xz

@ -0,0 +1 @@
9f1cc3796da8b7892a8ef930a5086d4ff42c475f SOURCES/libostree-2022.2.tar.xz

@ -0,0 +1,374 @@
From a6d45dc165e48e2a463880ebb90f34c2b9d3c4ce Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 22 Apr 2022 18:46:28 -0400
Subject: [PATCH 1/6] Add an `ostree-boot-complete.service` to propagate
staging failures
Quite a while ago we added staged deployments, which solved
a bunch of issues around the `/etc` merge. However...a persistent
problem since then is that any failures in that process that
happened in the *previous* boot are not very visible.
We ship custom code in `rpm-ostree status` to query the previous
journal. But that has a few problems - one is that on systems
that have been up a while, that failure message may even get
rotated out. And second, some systems may not even have a persistent
journal at all.
A general thing we do in e.g. Fedora CoreOS testing is to check
for systemd unit failures. We do that both in our automated tests,
and we even ship code that displays them on ssh logins. And beyond
that obviously a lot of other projects do the same; it's easy via
`systemctl --failed`.
So to make failures more visible, change our `ostree-finalize-staged.service`
to have an internal wrapper around the process that "catches" any
errors, and copies the error message into a file in `/boot/ostree`.
Then, a new `ostree-boot-complete.service` looks for this file on
startup and re-emits the error message, and fails.
It also deletes the file. The rationale is to avoid *continually*
warning. For example we need to handle the case when an upgrade
process creates a new staged deployment. Now, we could change the
ostree core code to delete the warning file when that happens instead,
but this is trying to be a conservative change.
This should make failures here much more visible as is.
---
Makefile-boot.am | 2 +
Makefile-ostree.am | 1 +
src/boot/ostree-boot-complete.service | 33 +++++++++++
src/libostree/ostree-cmdprivate.c | 1 +
src/libostree/ostree-cmdprivate.h | 1 +
src/libostree/ostree-impl-system-generator.c | 2 +
src/libostree/ostree-sysroot-deploy.c | 62 ++++++++++++++++++--
src/libostree/ostree-sysroot-private.h | 7 +++
src/libostree/ostree-sysroot.c | 2 +
src/ostree/ot-admin-builtin-boot-complete.c | 58 ++++++++++++++++++
src/ostree/ot-admin-builtins.h | 1 +
src/ostree/ot-builtin-admin.c | 3 +
tests/kolainst/destructive/staged-deploy.sh | 12 ++++
13 files changed, 181 insertions(+), 4 deletions(-)
create mode 100644 src/boot/ostree-boot-complete.service
create mode 100644 src/ostree/ot-admin-builtin-boot-complete.c
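Review bot: the diffstat announces 13 files including `tests/kolainst/destructive/staged-deploy.sh` (12 insertions), but the hunks that follow cover only 12 files and the kola test change is absent from the patch as carried here. If the test was dropped on purpose for the el8 backport, regenerate the diffstat so it describes what the patch actually contains; if not, the test that exercises the new failure-propagation path is missing.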
diff --git a/Makefile-boot.am b/Makefile-boot.am
index ec10a0d6..e42e5180 100644
--- a/Makefile-boot.am
+++ b/Makefile-boot.am
@@ -38,6 +38,7 @@ endif
if BUILDOPT_SYSTEMD
systemdsystemunit_DATA = src/boot/ostree-prepare-root.service \
src/boot/ostree-remount.service \
+ src/boot/ostree-boot-complete.service \
src/boot/ostree-finalize-staged.service \
src/boot/ostree-finalize-staged.path \
$(NULL)
@@ -64,6 +65,7 @@ endif
EXTRA_DIST += src/boot/dracut/module-setup.sh \
src/boot/dracut/ostree.conf \
src/boot/mkinitcpio \
+ src/boot/ostree-boot-complete.service \
src/boot/ostree-prepare-root.service \
src/boot/ostree-finalize-staged.path \
src/boot/ostree-remount.service \
diff --git a/Makefile-ostree.am b/Makefile-ostree.am
index 82af1681..0fe2c5f8 100644
--- a/Makefile-ostree.am
+++ b/Makefile-ostree.am
@@ -70,6 +70,7 @@ ostree_SOURCES += \
src/ostree/ot-admin-builtin-diff.c \
src/ostree/ot-admin-builtin-deploy.c \
src/ostree/ot-admin-builtin-finalize-staged.c \
+ src/ostree/ot-admin-builtin-boot-complete.c \
src/ostree/ot-admin-builtin-undeploy.c \
src/ostree/ot-admin-builtin-instutil.c \
src/ostree/ot-admin-builtin-cleanup.c \
diff --git a/src/boot/ostree-boot-complete.service b/src/boot/ostree-boot-complete.service
new file mode 100644
index 00000000..5c09fdc9
--- /dev/null
+++ b/src/boot/ostree-boot-complete.service
@@ -0,0 +1,33 @@
+# Copyright (C) 2022 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+Description=OSTree Complete Boot
+Documentation=man:ostree(1)
+# For now, this is the only condition on which we start, but it's
+# marked as a triggering condition in case in the future we want
+# to do something else.
+ConditionPathExists=|/boot/ostree/finalize-failure.stamp
+RequiresMountsFor=/boot
+# Ensure that we propagate the failure into the current boot before
+# any further finalization attempts.
+Before=ostree-finalize-staged.service
+
+[Service]
+Type=oneshot
+# To write to /boot while keeping it read-only
+MountFlags=slave
+RemainAfterExit=yes
+ExecStart=/usr/bin/ostree admin boot-complete
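Review bot: the path in `ConditionPathExists=|/boot/ostree/finalize-failure.stamp` is the same file that `_OSTREE_FINALIZE_STAGED_FAILURE_PATH` names relative to /boot in ostree-sysroot-private.h, yet nothing ties the two together; add a comment beside the constant (or here) saying they must change in lockstep, otherwise renaming one side makes the boot-time re-emit silently stop triggering. The comment on `MountFlags=slave` would also be clearer if it said what it buys: the service gets its own mount namespace, so whatever `ostree admin boot-complete` does to make /boot writable does not propagate to the rest of the system.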
diff --git a/src/libostree/ostree-cmdprivate.c b/src/libostree/ostree-cmdprivate.c
index c9a6e2e1..f6c114f4 100644
--- a/src/libostree/ostree-cmdprivate.c
+++ b/src/libostree/ostree-cmdprivate.c
@@ -51,6 +51,7 @@ ostree_cmd__private__ (void)
_ostree_repo_static_delta_delete,
_ostree_repo_verify_bindings,
_ostree_sysroot_finalize_staged,
+ _ostree_sysroot_boot_complete,
};
return &table;
diff --git a/src/libostree/ostree-cmdprivate.h b/src/libostree/ostree-cmdprivate.h
index 46452ebd..17f943c8 100644
--- a/src/libostree/ostree-cmdprivate.h
+++ b/src/libostree/ostree-cmdprivate.h
@@ -33,6 +33,7 @@ typedef struct {
gboolean (* ostree_static_delta_delete) (OstreeRepo *repo, const char *delta_id, GCancellable *cancellable, GError **error);
gboolean (* ostree_repo_verify_bindings) (const char *collection_id, const char *ref_name, GVariant *commit, GError **error);
gboolean (* ostree_finalize_staged) (OstreeSysroot *sysroot, GCancellable *cancellable, GError **error);
+ gboolean (* ostree_boot_complete) (OstreeSysroot *sysroot, GCancellable *cancellable, GError **error);
} OstreeCmdPrivateVTable;
/* Note this not really "public", we just export the symbol, but not the header */
diff --git a/src/libostree/ostree-impl-system-generator.c b/src/libostree/ostree-impl-system-generator.c
index 769f0cbd..92d71605 100644
--- a/src/libostree/ostree-impl-system-generator.c
+++ b/src/libostree/ostree-impl-system-generator.c
@@ -134,6 +134,8 @@ require_internal_units (const char *normal_dir,
return FALSE;
if (symlinkat (SYSTEM_DATA_UNIT_PATH "/ostree-finalize-staged.path", normal_dir_dfd, "multi-user.target.wants/ostree-finalize-staged.path") < 0)
return glnx_throw_errno_prefix (error, "symlinkat");
+ if (symlinkat (SYSTEM_DATA_UNIT_PATH "/ostree-boot-complete.service", normal_dir_dfd, "multi-user.target.wants/ostree-boot-complete.service") < 0)
+ return glnx_throw_errno_prefix (error, "symlinkat");
return TRUE;
#else
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index b7cc232f..fc5916d8 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -3255,10 +3255,10 @@ ostree_sysroot_stage_tree_with_options (OstreeSysroot *self,
}
/* Invoked at shutdown time by ostree-finalize-staged.service */
-gboolean
-_ostree_sysroot_finalize_staged (OstreeSysroot *self,
- GCancellable *cancellable,
- GError **error)
+static gboolean
+_ostree_sysroot_finalize_staged_inner (OstreeSysroot *self,
+ GCancellable *cancellable,
+ GError **error)
{
/* It's totally fine if there's no staged deployment; perhaps down the line
* though we could teach the ostree cmdline to tell systemd to activate the
@@ -3355,9 +3355,63 @@ _ostree_sysroot_finalize_staged (OstreeSysroot *self,
if (!ostree_sysroot_prepare_cleanup (self, cancellable, error))
return FALSE;
+ // Cleanup will have closed some FDs, re-ensure writability
+ if (!_ostree_sysroot_ensure_writable (self, error))
+ return FALSE;
+
return TRUE;
}
+/* Invoked at shutdown time by ostree-finalize-staged.service */
+gboolean
+_ostree_sysroot_finalize_staged (OstreeSysroot *self,
+ GCancellable *cancellable,
+ GError **error)
+{
+ g_autoptr(GError) finalization_error = NULL;
+ if (!_ostree_sysroot_ensure_boot_fd (self, error))
+ return FALSE;
+ if (!_ostree_sysroot_finalize_staged_inner (self, cancellable, &finalization_error))
+ {
+ g_autoptr(GError) writing_error = NULL;
+ g_assert_cmpint (self->boot_fd, !=, -1);
+ if (!glnx_file_replace_contents_at (self->boot_fd, _OSTREE_FINALIZE_STAGED_FAILURE_PATH,
+ (guint8*)finalization_error->message, -1,
+ 0, cancellable, &writing_error))
+ {
+ // We somehow failed to write the failure message...that's not great. Maybe ENOSPC on /boot.
+ g_printerr ("Failed to write %s: %s\n", _OSTREE_FINALIZE_STAGED_FAILURE_PATH, writing_error->message);
+ }
+ g_propagate_error (error, g_steal_pointer (&finalization_error));
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/* Invoked at bootup time by ostree-boot-complete.service */
+gboolean
+_ostree_sysroot_boot_complete (OstreeSysroot *self,
+ GCancellable *cancellable,
+ GError **error)
+{
+ if (!_ostree_sysroot_ensure_boot_fd (self, error))
+ return FALSE;
+
+ glnx_autofd int failure_fd = -1;
+ if (!ot_openat_ignore_enoent (self->boot_fd, _OSTREE_FINALIZE_STAGED_FAILURE_PATH, &failure_fd, error))
+ return FALSE;
+ // If we didn't find a failure log, then there's nothing to do right now.
+ // (Actually this unit shouldn't even be invoked, but we may do more in the future)
+ if (failure_fd == -1)
+ return TRUE;
+ g_autofree char *failure_data = glnx_fd_readall_utf8 (failure_fd, NULL, cancellable, error);
+ if (failure_data == NULL)
+ return glnx_prefix_error (error, "Reading from %s", _OSTREE_FINALIZE_STAGED_FAILURE_PATH);
+ // Remove the file; we don't want to continually error out.
+ (void) unlinkat (self->boot_fd, _OSTREE_FINALIZE_STAGED_FAILURE_PATH, 0);
+ return glnx_throw (error, "ostree-finalize-staged.service failed on previous boot: %s", failure_data);
+}
+
/**
* ostree_sysroot_deployment_set_kargs:
* @self: Sysroot
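Review bot: in `_ostree_sysroot_boot_complete` the `(void) unlinkat (...)` discards the result, so if the unlink fails (for example because /boot is still read-only in this mount namespace) the unit re-emits the same failure on every boot, which is exactly the continual warning the comment says it is avoiding; at least report the errno with `g_printerr`, as the write path in `_ostree_sysroot_finalize_staged` does, or fold it into the returned error. It is also worth a comment that the stamp content is the raw `finalization_error->message`, which can embed deployment paths and checksums, since /boot is commonly readable by unprivileged users.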
diff --git a/src/libostree/ostree-sysroot-private.h b/src/libostree/ostree-sysroot-private.h
index cb34eeb3..a49a406c 100644
--- a/src/libostree/ostree-sysroot-private.h
+++ b/src/libostree/ostree-sysroot-private.h
@@ -96,6 +96,9 @@ struct OstreeSysroot {
#define _OSTREE_SYSROOT_BOOT_INITRAMFS_OVERLAYS "ostree/initramfs-overlays"
#define _OSTREE_SYSROOT_INITRAMFS_OVERLAYS "boot/" _OSTREE_SYSROOT_BOOT_INITRAMFS_OVERLAYS
+// Relative to /boot, consumed by ostree-boot-complete.service
+#define _OSTREE_FINALIZE_STAGED_FAILURE_PATH "ostree/finalize-failure.stamp"
+
gboolean
_ostree_sysroot_ensure_writable (OstreeSysroot *self,
GError **error);
@@ -142,6 +145,10 @@ gboolean
_ostree_sysroot_finalize_staged (OstreeSysroot *self,
GCancellable *cancellable,
GError **error);
+gboolean
+_ostree_sysroot_boot_complete (OstreeSysroot *self,
+ GCancellable *cancellable,
+ GError **error);
OstreeDeployment *
_ostree_sysroot_deserialize_deployment_from_variant (GVariant *v,
diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c
index 266a2975..f083f950 100644
--- a/src/libostree/ostree-sysroot.c
+++ b/src/libostree/ostree-sysroot.c
@@ -356,6 +356,8 @@ _ostree_sysroot_ensure_writable (OstreeSysroot *self,
ostree_sysroot_unload (self);
if (!ensure_sysroot_fd (self, error))
return FALSE;
+ if (!_ostree_sysroot_ensure_boot_fd (self, error))
+ return FALSE;
return TRUE;
}
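Review bot: adding `_ostree_sysroot_ensure_boot_fd` to `_ostree_sysroot_ensure_writable` affects every writable-sysroot code path, not only the finalize and boot-complete paths that actually use `self->boot_fd`; any caller that can run before /boot is mounted, or on a sysroot without a separate /boot, now fails where it used to succeed. Either state in the commit message that opening /boot is now a hard requirement for all writable operations, or open the boot fd only in the two functions that read it.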
diff --git a/src/ostree/ot-admin-builtin-boot-complete.c b/src/ostree/ot-admin-builtin-boot-complete.c
new file mode 100644
index 00000000..6e1052f5
--- /dev/null
+++ b/src/ostree/ot-admin-builtin-boot-complete.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2022 Red Hat, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.0+
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include "config.h"
+
+#include <stdlib.h>
+
+#include "ot-main.h"
+#include "ot-admin-builtins.h"
+#include "ot-admin-functions.h"
+#include "ostree.h"
+#include "otutil.h"
+
+#include "ostree-cmdprivate.h"
+
+static GOptionEntry options[] = {
+ { NULL }
+};
+
+gboolean
+ot_admin_builtin_boot_complete (int argc, char **argv, OstreeCommandInvocation *invocation, GCancellable *cancellable, GError **error)
+{
+ /* Just a sanity check; we shouldn't be called outside of the service though.
+ */
+ struct stat stbuf;
+ if (fstatat (AT_FDCWD, OSTREE_PATH_BOOTED, &stbuf, 0) < 0)
+ return TRUE;
+ // We must have been invoked via systemd which should have set up a mount namespace.
+ g_assert (getenv ("INVOCATION_ID"));
+
+ g_autoptr(GOptionContext) context = g_option_context_new ("");
+ g_autoptr(OstreeSysroot) sysroot = NULL;
+ if (!ostree_admin_option_context_parse (context, options, &argc, &argv,
+ OSTREE_ADMIN_BUILTIN_FLAG_SUPERUSER,
+ invocation, &sysroot, cancellable, error))
+ return FALSE;
+
+ if (!ostree_cmd__private__()->ostree_boot_complete (sysroot, cancellable, error))
+ return FALSE;
+
+ return TRUE;
+}
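Review bot: `g_assert (getenv ("INVOCATION_ID"))` turns a manual `ostree admin boot-complete` run as root into an abort (and a core dump) instead of a usable error; the command is hidden but still reachable, so prefer `return glnx_throw (error, "This command must be run by systemd")`. The `OSTREE_PATH_BOOTED` check just above returns TRUE silently on a non-ostree host, which suits the unit but leaves a human with no feedback; a one-line message on stderr would help. Also `struct stat`, `fstatat` and `AT_FDCWD` are used with only `<stdlib.h>` included directly, so the file relies on transitive includes from `otutil.h`.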
diff --git a/src/ostree/ot-admin-builtins.h b/src/ostree/ot-admin-builtins.h
index d32b617e..8d9451be 100644
--- a/src/ostree/ot-admin-builtins.h
+++ b/src/ostree/ot-admin-builtins.h
@@ -39,6 +39,7 @@ BUILTINPROTO(deploy);
BUILTINPROTO(cleanup);
BUILTINPROTO(pin);
BUILTINPROTO(finalize_staged);
+BUILTINPROTO(boot_complete);
BUILTINPROTO(unlock);
BUILTINPROTO(status);
BUILTINPROTO(set_origin);
diff --git a/src/ostree/ot-builtin-admin.c b/src/ostree/ot-builtin-admin.c
index e0d2a60c..af09a614 100644
--- a/src/ostree/ot-builtin-admin.c
+++ b/src/ostree/ot-builtin-admin.c
@@ -43,6 +43,9 @@ static OstreeCommand admin_subcommands[] = {
{ "finalize-staged", OSTREE_BUILTIN_FLAG_NO_REPO | OSTREE_BUILTIN_FLAG_HIDDEN,
ot_admin_builtin_finalize_staged,
"Internal command to run at shutdown time" },
+ { "boot-complete", OSTREE_BUILTIN_FLAG_NO_REPO | OSTREE_BUILTIN_FLAG_HIDDEN,
+ ot_admin_builtin_boot_complete,
+ "Internal command to run at boot after an update was applied" },
{ "init-fs", OSTREE_BUILTIN_FLAG_NO_REPO,
ot_admin_builtin_init_fs,
"Initialize a root filesystem" },
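Review bot: the help text "Internal command to run at boot after an update was applied" does not describe when the unit actually runs: with `ConditionPathExists=|/boot/ostree/finalize-failure.stamp` it runs only after a failed finalization, not after every applied update. Suggest "Internal command to run at boot to report a failed staged deployment" so that `ostree admin --help` output, hidden or not, is not misleading.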

@ -0,0 +1,515 @@
From 0085494e350c72599fc5c0e00422885d80b3c660 Mon Sep 17 00:00:00 2001
From: Miguel Angel Ajo <majopela@redhat.com>
Date: Mon, 19 Sep 2022 17:15:24 +0200
Subject: [PATCH] Support overlayfs whiteouts on checkout
Introduces an intermediate format for overlayfs storage, where
.wh-ostree. prefixed files will be converted into char 0:0
whiteout devices used by overlayfs to mark deletions across layers.
The CI scripts now use a volume for the scratch directories
previously in /var/tmp; otherwise we cannot create whiteout
devices on an overlayfs-mounted filesystem.
Related-Issue: #2712
(cherry picked from commit e234b630f85b97e48ecf45d5aaba9b1aa64e6b54)
---
.github/workflows/tests.yml | 8 +-
Makefile-tests.am | 1 +
bash/ostree | 1 +
man/ostree-checkout.xml | 11 ++
src/libostree/ostree-repo-checkout.c | 129 ++++++++++++++++++++-
src/libostree/ostree-repo.h | 5 +-
src/libostree/ostree-sysroot-deploy.c | 2 +-
src/ostree/ot-builtin-checkout.c | 7 +-
tests/archive-test.sh | 7 +-
tests/basic-test.sh | 29 ++++-
tests/kolainst/data-shared/libtest-core.sh | 7 ++
tests/libtest.sh | 52 ++++++++-
tests/test-admin-deploy-whiteouts.sh | 42 +++++++
13 files changed, 292 insertions(+), 9 deletions(-)
create mode 100755 tests/test-admin-deploy-whiteouts.sh
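Review bot: the commit message says `.wh-ostree.` prefixed files, while the code (`OVERLAYFS_WHITEOUT_PREFIX`), the man page and the tests all use `.ostree-wh.`; fix the message so it does not send people looking for the wrong marker. The diffstat also lists `.github/workflows/tests.yml` and `tests/kolainst/data-shared/libtest-core.sh` (7 insertions), but no hunks for either follow here, and the `diff --git` header before `--- a/Makefile-tests.am` is missing; `assert_is_whiteout_device` and `assert_file_has_mode`, which the new test script relies on, are not defined in any visible hunk, so they presumably live in the absent libtest-core.sh change.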
--- a/Makefile-tests.am
+++ b/Makefile-tests.am
@@ -107,6 +107,7 @@ _installed_or_uninstalled_test_scripts = \
tests/test-admin-deploy-nomerge.sh \
tests/test-admin-deploy-none.sh \
tests/test-admin-deploy-bootid-gc.sh \
+ tests/test-admin-deploy-whiteouts.sh \
tests/test-osupdate-dtb.sh \
tests/test-admin-instutil-set-kargs.sh \
tests/test-admin-upgrade-not-backwards.sh \
diff --git a/bash/ostree b/bash/ostree
index 46363315..6f3b86ea 100644
--- a/bash/ostree
+++ b/bash/ostree
@@ -249,6 +249,7 @@ _ostree_checkout() {
--union-identical
--user-mode -U
--whiteouts
+ --process-passthrough-whiteouts
"
local options_with_args="
diff --git a/man/ostree-checkout.xml b/man/ostree-checkout.xml
index 4ed53a91..8f7d4f9b 100644
--- a/man/ostree-checkout.xml
+++ b/man/ostree-checkout.xml
@@ -114,6 +114,17 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--process-passthrough-whiteouts</option></term>
+
+ <listitem><para>
+ Enable overlayfs whiteout extraction into 0:0 character devices.
+ Overlayfs whiteouts are encoded inside ostree as <literal>.ostree-wh.filename</literal>
+ and extracted as 0:0 character devices. This is useful to carry
+ container storage embedded into ostree.
+ </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--allow-noent</option></term>
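Review bot: the description should state the default behaviour (without the option the `.ostree-wh.*` markers are checked out as ordinary regular files, which is what the new basic-test case expects) and that `ostree admin deploy` now always enables the conversion, since `checkout_deployment_tree` sets `.process_passthrough_whiteouts = TRUE` unconditionally in this same patch; anyone carrying container storage in a commit needs to know which path converts and which does not. It should also say that the option requires the ability to create 0:0 character devices, which the libtest.sh comment notes overlayfs-backed containers refuse.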
diff --git a/src/libostree/ostree-repo-checkout.c b/src/libostree/ostree-repo-checkout.c
index 663292a9..7c7d0cc7 100644
--- a/src/libostree/ostree-repo-checkout.c
+++ b/src/libostree/ostree-repo-checkout.c
@@ -35,6 +35,8 @@
#define WHITEOUT_PREFIX ".wh."
#define OPAQUE_WHITEOUT_NAME ".wh..wh..opq"
+#define OVERLAYFS_WHITEOUT_PREFIX ".ostree-wh."
+
/* Per-checkout call state/caching */
typedef struct {
GString *path_buf; /* buffer for real path if filtering enabled */
@@ -582,6 +584,117 @@ checkout_file_hardlink (OstreeRepo *self,
return TRUE;
}
+static gboolean
+_checkout_overlayfs_whiteout_at_no_overwrite (OstreeRepoCheckoutAtOptions *options,
+ int destination_dfd,
+ const char *destination_name,
+ GFileInfo *file_info,
+ GVariant *xattrs,
+ gboolean *found_exant_file,
+ GCancellable *cancellable,
+ GError **error)
+{
+ if (found_exant_file != NULL)
+ *found_exant_file = FALSE;
+ guint32 file_mode = g_file_info_get_attribute_uint32 (file_info, "unix::mode");
+ if (mknodat(destination_dfd, destination_name, (file_mode & ~S_IFMT) | S_IFCHR, (dev_t)0) < 0)
+ {
+ if (errno == EEXIST && found_exant_file != NULL)
+ {
+ *found_exant_file = TRUE;
+ return TRUE;
+ }
+ return glnx_throw_errno_prefix (error, "Creating whiteout char device");
+ }
+ if (options->mode != OSTREE_REPO_CHECKOUT_MODE_USER)
+ {
+ if (xattrs != NULL &&
+ !glnx_dfd_name_set_all_xattrs(destination_dfd, destination_name, xattrs,
+ cancellable, error))
+ return glnx_throw_errno_prefix (error, "Setting xattrs for whiteout char device");
+
+ if (TEMP_FAILURE_RETRY(fchownat(destination_dfd, destination_name,
+ g_file_info_get_attribute_uint32 (file_info, "unix::uid"),
+ g_file_info_get_attribute_uint32 (file_info, "unix::gid"),
+ AT_SYMLINK_NOFOLLOW) < 0))
+ return glnx_throw_errno_prefix (error, "fchownat");
+ if (TEMP_FAILURE_RETRY (fchmodat (destination_dfd, destination_name, file_mode & ~S_IFMT, 0)) < 0)
+ return glnx_throw_errno_prefix (error, "fchmodat %s to 0%o", destination_name, file_mode & ~S_IFMT);
+ }
+
+ return TRUE;
+}
+
+static gboolean
+_checkout_overlayfs_whiteout_at (OstreeRepo *repo,
+ OstreeRepoCheckoutAtOptions *options,
+ int destination_dfd,
+ const char *destination_name,
+ GFileInfo *file_info,
+ GVariant *xattrs,
+ GCancellable *cancellable,
+ GError **error)
+{
+ gboolean found_exant_file = FALSE;
+ if (!_checkout_overlayfs_whiteout_at_no_overwrite(options, destination_dfd, destination_name,
+ file_info, xattrs,&found_exant_file,
+ cancellable, error))
+ return FALSE;
+
+ if (!found_exant_file)
+ return TRUE;
+
+ guint32 uid = g_file_info_get_attribute_uint32 (file_info, "unix::uid");
+ guint32 gid = g_file_info_get_attribute_uint32 (file_info, "unix::gid");
+ guint32 file_mode = g_file_info_get_attribute_uint32 (file_info, "unix::mode");
+
+ struct stat dest_stbuf;
+
+ switch(options->overwrite_mode)
+ {
+ case OSTREE_REPO_CHECKOUT_OVERWRITE_NONE:
+ return FALSE;
+ case OSTREE_REPO_CHECKOUT_OVERWRITE_UNION_FILES:
+ if (!ot_ensure_unlinked_at (destination_dfd, destination_name, error))
+ return FALSE;
+ return _checkout_overlayfs_whiteout_at_no_overwrite(options, destination_dfd, destination_name,
+ file_info, xattrs, NULL, cancellable, error);
+ case OSTREE_REPO_CHECKOUT_OVERWRITE_ADD_FILES:
+ return TRUE;
+
+ case OSTREE_REPO_CHECKOUT_OVERWRITE_UNION_IDENTICAL:
+ if (!glnx_fstatat(destination_dfd, destination_name, &dest_stbuf, AT_SYMLINK_NOFOLLOW,
+ error))
+ return FALSE;
+ if (!(repo->disable_xattrs || repo->mode == OSTREE_REPO_MODE_BARE_USER_ONLY))
+ {
+ g_autoptr(GVariant) fs_xattrs;
+ if (!glnx_dfd_name_get_all_xattrs (destination_dfd, destination_name,
+ &fs_xattrs, cancellable, error))
+ return FALSE;
+ if (!g_variant_equal(fs_xattrs, xattrs))
+ return glnx_throw(error, "existing destination file %s xattrs don't match",
+ destination_name);
+ }
+ if (options->mode != OSTREE_REPO_CHECKOUT_MODE_USER)
+ {
+ if (gid != dest_stbuf.st_gid)
+ return glnx_throw(error, "existing destination file %s does not match gid %d",
+ destination_name, gid);
+
+ if (uid != dest_stbuf.st_uid)
+ return glnx_throw(error, "existing destination file %s does not match uid %d",
+ destination_name, gid);
+
+ if ((file_mode & ALLPERMS) != (dest_stbuf.st_mode & ALLPERMS))
+ return glnx_throw(error, "existing destination file %s does not match mode %o",
+ destination_name, file_mode);
+ }
+ break;
+ }
+ return TRUE;
+}
+
static gboolean
checkout_one_file_at (OstreeRepo *repo,
OstreeRepoCheckoutAtOptions *options,
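Review bot: several correctness problems in `_checkout_overlayfs_whiteout_at` and its helper. (1) In the `OSTREE_REPO_CHECKOUT_OVERWRITE_UNION_IDENTICAL` uid check the message formats `gid` where it should format `uid` (`"... does not match uid %d", destination_name, gid`). (2) `g_autoptr(GVariant) fs_xattrs;` is not initialised; if `glnx_dfd_name_get_all_xattrs` fails, the cleanup unrefs an indeterminate pointer, so write `g_autoptr(GVariant) fs_xattrs = NULL;`. (3) `case OSTREE_REPO_CHECKOUT_OVERWRITE_NONE: return FALSE;` fails without setting `error`, which breaks the GError contract and surfaces as an empty message to callers; return an EEXIST error instead. (4) `glnx_dfd_name_set_all_xattrs` already sets `error` on failure, so wrapping it in `glnx_throw_errno_prefix` sets a GError over an existing one (GLib warns and the original leaks); use `glnx_prefix_error`. (5) In the `fchownat` call the `< 0` sits inside `TEMP_FAILURE_RETRY(...)`, so the macro retries on a boolean and never sees -1/EINTR; move the comparison outside as the `fchmodat` line below does. (6) `UNION_IDENTICAL` declares an existing entry identical after checking only owner, permission bits and xattrs; a regular file or symlink with matching metadata passes, so also require `S_ISCHR (dest_stbuf.st_mode)` with `st_rdev == 0` before accepting it.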
@@ -603,7 +716,8 @@ checkout_one_file_at (OstreeRepo *repo,
/* FIXME - avoid the GFileInfo here */
g_autoptr(GFileInfo) source_info = NULL;
- if (!ostree_repo_load_file (repo, checksum, NULL, &source_info, NULL,
+ g_autoptr(GVariant) source_xattrs = NULL;
+ if (!ostree_repo_load_file (repo, checksum, NULL, &source_info, &source_xattrs,
cancellable, error))
return FALSE;
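Review bot: `ostree_repo_load_file` now fetches xattrs for every file in every checkout, even when `process_passthrough_whiteouts` is off and `source_xattrs` is never read, which is an extra xattr lookup per file on large trees. Consider passing `options->process_passthrough_whiteouts ? &source_xattrs : NULL`, or loading the xattrs lazily inside the whiteout branch.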
@@ -623,6 +737,7 @@ checkout_one_file_at (OstreeRepo *repo,
const gboolean is_unreadable = (!is_symlink && (source_mode & S_IRUSR) == 0);
const gboolean is_whiteout = (!is_symlink && options->process_whiteouts &&
g_str_has_prefix (destination_name, WHITEOUT_PREFIX));
+ const gboolean is_overlayfs_whiteout = (!is_symlink && g_str_has_prefix (destination_name, OVERLAYFS_WHITEOUT_PREFIX));
const gboolean is_reg_zerosized = (!is_symlink && g_file_info_get_size (source_info) == 0);
const gboolean override_user_unreadable = (options->mode == OSTREE_REPO_CHECKOUT_MODE_USER && is_unreadable);
@@ -643,6 +758,18 @@ checkout_one_file_at (OstreeRepo *repo,
need_copy = FALSE;
}
+ else if (is_overlayfs_whiteout && options->process_passthrough_whiteouts)
+ {
+ const char *name = destination_name + (sizeof (OVERLAYFS_WHITEOUT_PREFIX) - 1);
+
+ if (!name[0])
+ return glnx_throw (error, "Invalid empty overlayfs whiteout '%s'", name);
+
+ g_assert (name[0] != '/'); /* Sanity */
+
+ return _checkout_overlayfs_whiteout_at(repo, options, destination_dfd, name,
+ source_info, source_xattrs, cancellable, error);
+ }
else if (is_reg_zerosized || override_user_unreadable)
{
/* In https://github.com/ostreedev/ostree/commit/673cacd633f9d6b653cdea530657d3e780a41bbd we
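Review bot: the error for an empty whiteout name formats `name`, which is the empty string at that point, so the message reads `Invalid empty overlayfs whiteout ''`; format `destination_name` instead so the offending entry (`.ostree-wh.`) is visible. Also, unlike `is_whiteout`, `is_overlayfs_whiteout` is computed without consulting `options->process_passthrough_whiteouts`; harmless because the branch re-checks it, but keeping the two definitions parallel makes the logic easier to audit.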
diff --git a/src/libostree/ostree-repo.h b/src/libostree/ostree-repo.h
index 98571170..b3d7f986 100644
--- a/src/libostree/ostree-repo.h
+++ b/src/libostree/ostree-repo.h
@@ -989,8 +989,9 @@ typedef struct {
gboolean force_copy; /* Since: 2017.6 */
gboolean bareuseronly_dirs; /* Since: 2017.7 */
gboolean force_copy_zerosized; /* Since: 2018.9 */
- gboolean unused_bools[4];
- /* 4 byte hole on 64 bit */
+ gboolean process_passthrough_whiteouts;
+ gboolean unused_bools[3];
+ /* 3 byte hole on 64 bit */
const char *subpath;
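Review bot: the neighbouring fields carry `/* Since: 20xx.y */` annotations; add one to `process_passthrough_whiteouts` with the release in which it first ships so API consumers can gate on it. The updated hole comment is consistent with the three remaining `unused_bools`.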
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index 404f336f..5c98103b 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -641,7 +641,7 @@ checkout_deployment_tree (OstreeSysroot *sysroot,
return FALSE;
/* Generate hardlink farm, then opendir it */
- OstreeRepoCheckoutAtOptions checkout_opts = { 0, };
+ OstreeRepoCheckoutAtOptions checkout_opts = { .process_passthrough_whiteouts = TRUE };
if (!ostree_repo_checkout_at (repo, &checkout_opts, osdeploy_dfd,
checkout_target_name, csum,
cancellable, error))
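Review bot: `checkout_deployment_tree` now enables `process_passthrough_whiteouts` for every deployment, so any existing commit that happens to contain a regular file named `.ostree-wh.<something>` is silently deployed as a 0:0 character device named `<something>`, and deployment fails outright on hosts where `mknodat` of such a device is refused (the libtest.sh comment notes overlayfs-backed containers). Call this behaviour change out in the commit message and the man page, and consider making it opt-in until the marker prefix is documented as reserved.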
diff --git a/src/ostree/ot-builtin-checkout.c b/src/ostree/ot-builtin-checkout.c
index d69c8b0b..bfa43885 100644
--- a/src/ostree/ot-builtin-checkout.c
+++ b/src/ostree/ot-builtin-checkout.c
@@ -37,6 +37,7 @@ static gboolean opt_union;
static gboolean opt_union_add;
static gboolean opt_union_identical;
static gboolean opt_whiteouts;
+static gboolean opt_process_passthrough_whiteouts;
static gboolean opt_from_stdin;
static char *opt_from_file;
static gboolean opt_disable_fsync;
@@ -77,6 +78,7 @@ static GOptionEntry options[] = {
{ "union-add", 0, 0, G_OPTION_ARG_NONE, &opt_union_add, "Keep existing files/directories, only add new", NULL },
{ "union-identical", 0, 0, G_OPTION_ARG_NONE, &opt_union_identical, "When layering checkouts, error out if a file would be replaced with a different version, but add new files and directories", NULL },
{ "whiteouts", 0, 0, G_OPTION_ARG_NONE, &opt_whiteouts, "Process 'whiteout' (Docker style) entries", NULL },
+ { "process-passthrough-whiteouts", 0, 0, G_OPTION_ARG_NONE, &opt_process_passthrough_whiteouts, "Enable overlayfs whiteout extraction into char 0:0 devices", NULL },
{ "allow-noent", 0, 0, G_OPTION_ARG_NONE, &opt_allow_noent, "Do nothing if specified path does not exist", NULL },
{ "from-stdin", 0, 0, G_OPTION_ARG_NONE, &opt_from_stdin, "Process many checkouts from standard input", NULL },
{ "from-file", 0, 0, G_OPTION_ARG_STRING, &opt_from_file, "Process many checkouts from input file", "FILE" },
@@ -129,7 +131,8 @@ process_one_checkout (OstreeRepo *repo,
if (opt_disable_cache || opt_whiteouts || opt_require_hardlinks ||
opt_union_add || opt_force_copy || opt_force_copy_zerosized ||
opt_bareuseronly_dirs || opt_union_identical ||
- opt_skiplist_file || opt_selinux_policy || opt_selinux_prefix)
+ opt_skiplist_file || opt_selinux_policy || opt_selinux_prefix ||
+ opt_process_passthrough_whiteouts)
{
OstreeRepoCheckoutAtOptions checkout_options = { 0, };
@@ -162,6 +165,8 @@ process_one_checkout (OstreeRepo *repo,
}
if (opt_whiteouts)
checkout_options.process_whiteouts = TRUE;
+ if (opt_process_passthrough_whiteouts)
+ checkout_options.process_passthrough_whiteouts = TRUE;
if (subpath)
checkout_options.subpath = subpath;
diff --git a/tests/archive-test.sh b/tests/archive-test.sh
index b6d84979..6b45790e 100644
--- a/tests/archive-test.sh
+++ b/tests/archive-test.sh
@@ -71,6 +71,11 @@ mkdir -p test-overlays
date > test-overlays/overlaid-file
$OSTREE commit ${COMMIT_ARGS} -b test-base --base test2 --owner-uid 42 --owner-gid 42 test-overlays/
$OSTREE ls -R test-base > ls.txt
-assert_streq "$(wc -l < ls.txt)" 14
+if can_create_whiteout_devices; then
+ assert_streq "$(wc -l < ls.txt)" 17
+else
+ assert_streq "$(wc -l < ls.txt)" 14
+fi
+
assert_streq "$(grep '42.*42' ls.txt | wc -l)" 2
echo "ok commit overlay base"
diff --git a/tests/basic-test.sh b/tests/basic-test.sh
index 04506c3d..0878e6f6 100644
--- a/tests/basic-test.sh
+++ b/tests/basic-test.sh
@@ -19,7 +19,7 @@
set -euo pipefail
-echo "1..$((87 + ${extra_basic_tests:-0}))"
+echo "1..$((89 + ${extra_basic_tests:-0}))"
CHECKOUT_U_ARG=""
CHECKOUT_H_ARGS="-H"
@@ -1187,3 +1187,30 @@ if test "$(id -u)" != "0"; then
else
echo "ok # SKIP not run when root"
fi
+
+if ! skip_one_without_whiteouts_devices; then
+ cd ${test_tmpdir}
+ rm checkout-test2 -rf
+ $OSTREE checkout test2 checkout-test2
+
+ assert_not_has_file checkout-test2/whiteouts/whiteout
+ assert_not_has_file checkout-test2/whiteouts/whiteout2
+ assert_has_file checkout-test2/whiteouts/.ostree-wh.whiteout
+ assert_has_file checkout-test2/whiteouts/.ostree-wh.whiteout2
+
+ echo "ok checkout: no whiteout passthrough by default"
+fi
+
+if ! skip_one_without_whiteouts_devices; then
+ cd ${test_tmpdir}
+ rm checkout-test2 -rf
+ $OSTREE checkout --process-passthrough-whiteouts test2 checkout-test2
+
+ assert_not_has_file checkout-test2/whiteouts/.ostree-wh.whiteout
+ assert_not_has_file checkout-test2/whiteouts/.ostree-wh.whiteout2
+
+ assert_is_whiteout_device checkout-test2/whiteouts/whiteout
+ assert_is_whiteout_device checkout-test2/whiteouts/whiteout2
+
+ echo "ok checkout: whiteout with overlayfs passthrough processing"
+fi
diff --git a/tests/libtest.sh b/tests/libtest.sh
index 686f08dc..5830f210 100755
--- a/tests/libtest.sh
+++ b/tests/libtest.sh
@@ -148,6 +148,20 @@ if ! have_selinux_relabel; then
fi
echo done
+# whiteout char 0:0 devices can be created as regular users, but
+# cannot be created inside containers mounted via overlayfs
+can_create_whiteout_devices() {
+ mknod -m 000 ${test_tmpdir}/.test-whiteout c 0 0 || return 1
+ rm -f ${test_tmpdir}/.test-whiteout
+ return 0
+}
+
+echo -n checking for overlayfs whiteouts...
+if ! can_create_whiteout_devices; then
+ export OSTREE_NO_WHITEOUTS=1
+fi
+echo done
+
if test -n "${OT_TESTS_DEBUG:-}"; then
set -x
fi
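Review bot: `can_create_whiteout_devices` lets `mknod` print its own error, so on hosts that cannot create whiteouts the `checking for overlayfs whiteouts...` line is followed by an EPERM message; redirect with `2>/dev/null`. The skip helpers added further down re-run the `mknod` probe instead of consulting the `OSTREE_NO_WHITEOUTS` variable exported here; reusing the variable avoids repeated device creation in `${test_tmpdir}`.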
@@ -245,6 +259,15 @@ setup_test_repository () {
ln -s nonexistent baz/alink
mkdir baz/another/
echo x > baz/another/y
+
+ # if we are running inside a container we cannot test
+ # the overlayfs whiteout marker passthrough
+ if ! test -n "${OSTREE_NO_WHITEOUTS:-}"; then
+ mkdir whiteouts
+ touch whiteouts/.ostree-wh.whiteout
+ touch whiteouts/.ostree-wh.whiteout2
+ chmod 755 whiteouts/.ostree-wh.whiteout2
+ fi
umask "${oldumask}"
cd ${test_tmpdir}/files
@@ -406,7 +429,7 @@ setup_os_repository () {
mkdir osdata
cd osdata
kver=3.6.0
- mkdir -p usr/bin ${bootdir} usr/lib/modules/${kver} usr/share usr/etc
+ mkdir -p usr/bin ${bootdir} usr/lib/modules/${kver} usr/share usr/etc usr/container/layers/abcd
kernel_path=${bootdir}/vmlinuz
initramfs_path=${bootdir}/initramfs.img
# the HMAC file is only in /usr/lib/modules
@@ -449,6 +472,17 @@ EOF
mkdir -p usr/etc/testdirectory
echo "a default daemon file" > usr/etc/testdirectory/test
+ # if we are running inside a container we cannot test
+ # the overlayfs whiteout marker passthrough
+ if ! test -n "${OSTREE_NO_WHITEOUTS:-}"; then
+ # overlayfs whiteout passhthrough marker files
+ touch usr/container/layers/abcd/.ostree-wh.whiteout
+ chmod 400 usr/container/layers/abcd/.ostree-wh.whiteout
+
+ touch usr/container/layers/abcd/.ostree-wh.whiteout2
+ chmod 777 usr/container/layers/abcd/.ostree-wh.whiteout2
+ fi
+
${CMD_PREFIX} ostree --repo=${test_tmpdir}/testos-repo commit ${bootable_flag} --add-metadata-string version=1.0.9 -b testos/buildmain/x86_64-runtime -s "Build"
# Ensure these commits have distinct second timestamps
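Review bot: typo in the new comment: "passhthrough" should be "passthrough". A short comment that the `chmod 400` / `chmod 777` pair exists only to prove permission bits propagate to the device node would also pre-empt the obvious question about a world-writable marker in the OS tree.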
@@ -588,6 +622,22 @@ skip_without_user_xattrs () {
fi
}
+# Usage: if ! skip_one_without_whiteouts_devices; then ... more tests ...; fi
+skip_one_without_whiteouts_devices() {
+ if ! can_create_whiteout_devices; then
+ echo "ok # SKIP - this test requires whiteout device support (test outside containers)"
+ return 0
+ else
+ return 1
+ fi
+}
+
+skip_without_whiteouts_devices () {
+ if ! can_create_whiteout_devices; then
+ skip "this test requires whiteout device support (test outside containers)"
+ fi
+}
+
_have_systemd_and_libmount=''
have_systemd_and_libmount() {
if test "${_have_systemd_and_libmount}" = ''; then
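Review bot: both new helpers call `can_create_whiteout_devices`, which is not defined anywhere in this hunk; confirm it is added elsewhere in the patch, since `skip_without_whiteouts_devices` is invoked unconditionally by the new test file. Minor: the skip message string is duplicated between the two functions; a shared variable would keep them in sync.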
diff --git a/tests/test-admin-deploy-whiteouts.sh b/tests/test-admin-deploy-whiteouts.sh
new file mode 100755
index 00000000..66421949
--- /dev/null
+++ b/tests/test-admin-deploy-whiteouts.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+#
+# Copyright (C) 2022 Red Hat, Inc.
+#
+# SPDX-License-Identifier: LGPL-2.0+
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+set -euox pipefail
+
+. $(dirname $0)/libtest.sh
+
+skip_without_whiteouts_devices
+
+# Exports OSTREE_SYSROOT so --sysroot not needed.
+setup_os_repository "archive" "syslinux"
+${CMD_PREFIX} ostree --repo=sysroot/ostree/repo pull-local --remote=testos testos-repo testos/buildmain/x86_64-runtime
+
+echo "1..3"
+${CMD_PREFIX} ostree admin deploy --os=testos --karg=root=LABEL=foo --karg=testkarg=1 testos:testos/buildmain/x86_64-runtime
+origdeployment=$(${CMD_PREFIX} ostree admin --sysroot=sysroot --print-current-dir)
+
+assert_is_whiteout_device "${origdeployment}"/usr/container/layers/abcd/whiteout
+echo "ok whiteout deployment"
+
+assert_not_has_file "${origdeployment}"/usr/container/layers/abcd/.ostree-wh.whiteout
+echo "ok .ostree-wh.whiteout not created"
+
+assert_file_has_mode "${origdeployment}"/usr/container/layers/abcd/whiteout 400
+assert_file_has_mode "${origdeployment}"/usr/container/layers/abcd/whiteout2 777
+echo "ok whiteout permissions are preserved"
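Review bot: coverage gap in the assertions: `assert_is_whiteout_device` is applied only to `whiteout`, and `assert_not_has_file` only to `.ostree-wh.whiteout`, while `whiteout2` is checked for its mode alone. Add `assert_is_whiteout_device "${origdeployment}"/usr/container/layers/abcd/whiteout2` and `assert_not_has_file "${origdeployment}"/usr/container/layers/abcd/.ostree-wh.whiteout2` so the second marker is verified the same way. Also, the comment states that OSTREE_SYSROOT is exported so `--sysroot` is not needed, yet the `--print-current-dir` call passes `--sysroot=sysroot`; pick one convention. `set -euox` turns on `-x` tracing, which is noisy but harmless in a test.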
--
2.37.3

@ -0,0 +1,40 @@
From e5b45f861a4d5738679f37d46ebca6e171bb3212 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Mon, 4 Apr 2022 10:25:35 -0400
Subject: [PATCH 2/6] libarchive: Handle `archive_entry_symlink()` returning
NULL
The `archive_entry_symlink()` API can definitely return `NULL`,
reading through the libarchive sources.
I hit this in the wild when using old ostree-ext to try to unpack
a chunked archive.
I didn't try to characterize this more, and sorry no unit test right
now.
---
src/libostree/ostree-repo-libarchive.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/libostree/ostree-repo-libarchive.c b/src/libostree/ostree-repo-libarchive.c
index 679aa44d..631c6d4b 100644
--- a/src/libostree/ostree-repo-libarchive.c
+++ b/src/libostree/ostree-repo-libarchive.c
@@ -146,8 +146,12 @@ file_info_from_archive_entry (struct archive_entry *entry)
g_autoptr(GFileInfo) info = _ostree_stbuf_to_gfileinfo (&stbuf);
if (S_ISLNK (stbuf.st_mode))
- g_file_info_set_attribute_byte_string (info, "standard::symlink-target",
- archive_entry_symlink (entry));
+ {
+ const char *target = archive_entry_symlink (entry);
+ if (target != NULL)
+ g_file_info_set_attribute_byte_string (info, "standard::symlink-target",
+ target);
+ }
return g_steal_pointer (&info);
}
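Review bot: a NULL symlink target is now silently dropped, so the returned GFileInfo describes a symlink that carries no `standard::symlink-target` attribute. Since `file_info_from_archive_entry` has no `GError **` parameter, reporting an error is not possible at this point, but a short comment should say that callers must treat a symlink without a target as malformed input rather than as an empty target, otherwise the silent skip will be hard to diagnose later.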
--
2.31.1

@ -0,0 +1,82 @@
From 4a997ae08605ebe6ca02d9f422082f954e667a6c Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Sat, 30 Apr 2022 12:20:11 +0100
Subject: [PATCH 3/6] repo: Factor out _ostree_repo_auto_transaction_new()
This will allow the direct allocation in
ostree_repo_prepare_transaction() to be replaced with a call to this
function, avoiding breaking encapsulation.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 540e60c3e3ace66dd4e6cf825488fc918260a642)
---
src/libostree/ostree-repo-private.h | 4 ++++
src/libostree/ostree-repo.c | 32 ++++++++++++++++++++++++-----
2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/src/libostree/ostree-repo-private.h b/src/libostree/ostree-repo-private.h
index 988c2179..96253e77 100644
--- a/src/libostree/ostree-repo-private.h
+++ b/src/libostree/ostree-repo-private.h
@@ -554,4 +554,8 @@ GType _ostree_repo_auto_transaction_get_type (void);
G_DEFINE_AUTOPTR_CLEANUP_FUNC (OstreeRepoAutoTransaction, _ostree_repo_auto_transaction_unref);
+/* Internal function to break a circular dependency:
+ * should not be made into public API, even if the rest is */
+OstreeRepoAutoTransaction *_ostree_repo_auto_transaction_new (OstreeRepo *repo);
+
G_END_DECLS
diff --git a/src/libostree/ostree-repo.c b/src/libostree/ostree-repo.c
index a27591b3..f6bffd60 100644
--- a/src/libostree/ostree-repo.c
+++ b/src/libostree/ostree-repo.c
@@ -709,6 +709,32 @@ ostree_repo_auto_lock_cleanup (OstreeRepoAutoLock *auto_lock)
}
}
+/**
+ * _ostree_repo_auto_transaction_new:
+ * @repo: (not nullable): an #OsreeRepo object
+ * @cancellable: Cancellable
+ * @error: a #GError
+ *
+ * Return a guard for a transaction in @repo.
+ *
+ * Do not call this function outside the OstreeRepo transaction implementation.
+ * Use _ostree_repo_auto_transaction_start() instead.
+ *
+ * Returns: (transfer full): an #OstreeRepoAutoTransaction guard on success,
+ * %NULL otherwise.
+ */
+OstreeRepoAutoTransaction *
+_ostree_repo_auto_transaction_new (OstreeRepo *repo)
+{
+ g_assert (repo != NULL);
+
+ OstreeRepoAutoTransaction *txn = g_malloc(sizeof(OstreeRepoAutoTransaction));
+ txn->atomic_refcount = 1;
+ txn->repo = g_object_ref (repo);
+
+ return g_steal_pointer (&txn);
+}
+
/**
* _ostree_repo_auto_transaction_start:
* @repo: (not nullable): an #OsreeRepo object
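Review bot: the new doc comment documents `@cancellable` and `@error` parameters that `_ostree_repo_auto_transaction_new (OstreeRepo *repo)` does not take; drop them. `#OsreeRepo` is misspelled (`#OstreeRepo`). Also, `g_malloc` leaves any member of `OstreeRepoAutoTransaction` other than `atomic_refcount` and `repo` uninitialized; `g_new0 (OstreeRepoAutoTransaction, 1)` would be the safer default for a constructor.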
@@ -730,11 +756,7 @@ _ostree_repo_auto_transaction_start (OstreeRepo *repo,
if (!ostree_repo_prepare_transaction (repo, NULL, cancellable, error))
return NULL;
- OstreeRepoAutoTransaction *txn = g_malloc(sizeof(OstreeRepoAutoTransaction));
- txn->atomic_refcount = 1;
- txn->repo = g_object_ref (repo);
-
- return g_steal_pointer (&txn);
+ return _ostree_repo_auto_transaction_new (repo);
}
/**
--
2.31.1

@ -0,0 +1,39 @@
From 51c7960bea081446ad217e9725408ce5cb531157 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Sat, 30 Apr 2022 12:53:42 +0100
Subject: [PATCH 4/6] repo: Correctly initialize refcount of temporary
transaction
Previously, the reference count was left uninitialized as a result of
bypassing the constructor, and the intended abort-on-error usually
wouldn't have happened.
Fixes: 8a9737a "repo/private: move OstreeRepoAutoTransaction to a boxed type"
Resolves: https://github.com/ostreedev/ostree/issues/2592
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 71304e854cdb344adb8b1ae7866929fbdde6c327)
---
src/libostree/ostree-repo-commit.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
index 5b16be5b..dba98c32 100644
--- a/src/libostree/ostree-repo-commit.c
+++ b/src/libostree/ostree-repo-commit.c
@@ -1688,10 +1688,10 @@ ostree_repo_prepare_transaction (OstreeRepo *self,
g_debug ("Preparing transaction in repository %p", self);
/* Set up to abort the transaction if we return early from this function.
- * This needs to be manually built here due to a circular dependency. */
- g_autoptr(OstreeRepoAutoTransaction) txn = g_malloc(sizeof(OstreeRepoAutoTransaction));
+ * We can't call _ostree_repo_auto_transaction_start() here, because that
+ * would be a circular dependency; use the lower-level version instead. */
+ g_autoptr(OstreeRepoAutoTransaction) txn = _ostree_repo_auto_transaction_new (self);
g_assert (txn != NULL);
- txn->repo = self;
memset (&self->txn.stats, 0, sizeof (OstreeRepoTransactionStats));
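Review bot: `g_assert (txn != NULL)` after `_ostree_repo_auto_transaction_new (self)` is now redundant: the constructor allocates with `g_malloc`, which aborts rather than returning NULL, so the assertion can never fire. The substantive fix is sound: the old code set `txn->repo = self` without taking a reference and never initialized `atomic_refcount`, whereas the constructor does both.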
--
2.31.1

@ -0,0 +1,172 @@
From 62e62bcfd8a1770b906faed083d11e451a50f566 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 9 Mar 2022 15:27:11 +0100
Subject: [PATCH 5/6] deploy: Try to rebuild policy in new deployment if needed
Whenever the user has SELinux enabled and has any local
modules/modifications installed, it is necessary to rebuild the policy
in the final deployment, otherwise ostree will leave the binary policy
files unchanged from last deployment as it detects difference against
the base content (in rpm-ostree case this is the RPM content).
To avoid the situation where the policy binaries go stale once any local
customization of the policy is made, try to rebuild the policy as part
of sysroot_finalize_deployment(). Use the special
--rebuild-if-modules-changed switch, which detects if the input module
files have changed relative to last time the policy was built and skips
the most time-consuming part of the rebuild process if modules are
unchanged (thus making this a relatively cheap operation if the user
hasn't made any modifications to the shipped policy).
As suggested by Jonathan Lebon, this uses bubblewrap (via
g_spawn_sync()) to perform the rebuild inside the deployment's
filesystem tree, which also means that ostree will have a runtime
dependency on bubblewrap.
Partially addresses: https://github.com/coreos/fedora-coreos-tracker/issues/701
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
(cherry picked from commit edb4f3893474736156c654aa43bdbf3784991811)
---
ci/gh-install.sh | 1 +
src/libostree/ostree-sysroot-deploy.c | 117 ++++++++++++++++++++++++++
2 files changed, 118 insertions(+)
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index fc5916d8..a44721d8 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -2830,6 +2830,118 @@ get_var_dfd (OstreeSysroot *self,
return glnx_opendirat (base_dfd, base_path, TRUE, ret_fd, error);
}
+#ifdef HAVE_SELINUX
+static void
+child_setup_fchdir (gpointer data)
+{
+ int fd = (int) (uintptr_t) data;
+ int rc __attribute__((unused));
+
+ rc = fchdir (fd);
+}
+
+/*
+ * Derived from rpm-ostree's rust/src/bwrap.rs
+ */
+static gboolean
+run_in_deployment (int deployment_dfd,
+ const gchar * const *child_argv,
+ gsize child_argc,
+ gint *exit_status,
+ gchar **stdout,
+ GError **error)
+{
+ static const gchar * const COMMON_ARGV[] = {
+ "/usr/bin/bwrap",
+ "--dev", "/dev", "--proc", "/proc", "--dir", "/run", "--dir", "/tmp",
+ "--chdir", "/",
+ "--die-with-parent",
+ "--unshare-pid",
+ "--unshare-uts",
+ "--unshare-ipc",
+ "--unshare-cgroup-try",
+ "--ro-bind", "/sys/block", "/sys/block",
+ "--ro-bind", "/sys/bus", "/sys/bus",
+ "--ro-bind", "/sys/class", "/sys/class",
+ "--ro-bind", "/sys/dev", "/sys/dev",
+ "--ro-bind", "/sys/devices", "/sys/devices",
+ "--bind", "usr", "/usr",
+ "--bind", "etc", "/etc",
+ "--bind", "var", "/var",
+ "--symlink", "/usr/lib", "/lib",
+ "--symlink", "/usr/lib32", "/lib32",
+ "--symlink", "/usr/lib64", "/lib64",
+ "--symlink", "/usr/bin", "/bin",
+ "--symlink", "/usr/sbin", "/sbin",
+ };
+ static const gsize COMMON_ARGC = sizeof (COMMON_ARGV) / sizeof (*COMMON_ARGV);
+
+ gsize i;
+ GPtrArray *args = g_ptr_array_sized_new (COMMON_ARGC + child_argc + 1);
+ g_autofree gchar **args_raw = NULL;
+
+ for (i = 0; i < COMMON_ARGC; i++)
+ g_ptr_array_add (args, (gchar *) COMMON_ARGV[i]);
+
+ for (i = 0; i < child_argc; i++)
+ g_ptr_array_add (args, (gchar *) child_argv[i]);
+
+ g_ptr_array_add (args, NULL);
+
+ args_raw = (gchar **) g_ptr_array_free (args, FALSE);
+
+ return g_spawn_sync (NULL, args_raw, NULL, 0, &child_setup_fchdir,
+ (gpointer) (uintptr_t) deployment_dfd,
+ stdout, NULL, exit_status, error);
+}
+
+/*
+ * Run semodule to check if the module content changed after merging /etc
+ * and rebuild the policy if needed.
+ */
+static gboolean
+sysroot_finalize_selinux_policy (int deployment_dfd, GError **error)
+{
+ struct stat stbuf;
+ gint exit_status;
+ g_autofree gchar *stdout = NULL;
+
+ if (!glnx_fstatat_allow_noent (deployment_dfd, "etc/selinux/config", &stbuf,
+ AT_SYMLINK_NOFOLLOW, error))
+ return FALSE;
+
+ /* Skip the SELinux policy refresh if /etc/selinux/config doesn't exist. */
+ if (errno != 0)
+ return TRUE;
+
+ /*
+ * Skip the SELinux policy refresh if the --rebuild-if-modules-changed
+ * flag is not supported by semodule.
+ */
+ static const gchar * const SEMODULE_HELP_ARGV[] = {
+ "semodule", "--help"
+ };
+ static const gsize SEMODULE_HELP_ARGC = sizeof (SEMODULE_HELP_ARGV) / sizeof (*SEMODULE_HELP_ARGV);
+ if (!run_in_deployment (deployment_dfd, SEMODULE_HELP_ARGV,
+ SEMODULE_HELP_ARGC, &exit_status, &stdout, error))
+ return FALSE;
+ if (!g_spawn_check_exit_status (exit_status, error))
+ return FALSE;
+ if (!strstr(stdout, "--rebuild-if-modules-changed"))
+ return TRUE;
+
+ static const gchar * const SEMODULE_REBUILD_ARGV[] = {
+ "semodule", "-N", "--rebuild-if-modules-changed"
+ };
+ static const gsize SEMODULE_REBUILD_ARGC = sizeof (SEMODULE_REBUILD_ARGV) / sizeof (*SEMODULE_REBUILD_ARGV);
+
+ if (!run_in_deployment (deployment_dfd, SEMODULE_REBUILD_ARGV,
+ SEMODULE_REBUILD_ARGC, &exit_status, NULL, error))
+ return FALSE;
+ return g_spawn_check_exit_status (exit_status, error);
+}
+#endif /* HAVE_SELINUX */
+
static gboolean
sysroot_finalize_deployment (OstreeSysroot *self,
OstreeDeployment *deployment,
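Review bot: `child_setup_fchdir` discards the `fchdir` failure. If it fails, bwrap starts in the parent's working directory, and the relative `--bind usr /usr`, `--bind etc /etc` and `--bind var /var` arguments then bind whatever happens to be at those relative paths instead of the deployment tree; the child setup function should `_exit (1)` (after a message to stderr) when `fchdir` fails. Two smaller points: the sandbox does not pass `--unshare-net`, so `semodule` runs in the host's network namespace, which a policy rebuild does not need; and naming the out-parameter `stdout` shadows the stdio stream name, `out_stdout` would avoid confusion.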
@@ -2866,6 +2978,11 @@ sysroot_finalize_deployment (OstreeSysroot *self,
return FALSE;
}
+#ifdef HAVE_SELINUX
+ if (!sysroot_finalize_selinux_policy(deployment_dfd, error))
+ return FALSE;
+#endif /* HAVE_SELINUX */
+
const char *osdeploypath = glnx_strjoina ("ostree/deploy/", ostree_deployment_get_osname (deployment));
glnx_autofd int os_deploy_dfd = -1;
if (!glnx_opendirat (self->sysroot_fd, osdeploypath, TRUE, &os_deploy_dfd, error))
--
2.31.1

@ -0,0 +1,35 @@
From dd194eca7272afa457541abb2d8c25f90c4f478a Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Mon, 28 Mar 2022 17:46:59 -0400
Subject: [PATCH 6/6] deploy: Be a bit more verbose about SELinux bits
Let's log when we don't find the expected CLI argument which
will help debug things.
(cherry picked from commit c58a4fe661d9d3bf2c515aa5605b1e094c0a62ca)
---
src/libostree/ostree-sysroot-deploy.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index a44721d8..404f336f 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -2926,9 +2926,12 @@ sysroot_finalize_selinux_policy (int deployment_dfd, GError **error)
SEMODULE_HELP_ARGC, &exit_status, &stdout, error))
return FALSE;
if (!g_spawn_check_exit_status (exit_status, error))
- return FALSE;
+ return glnx_prefix_error (error, "failed to run semodule");
if (!strstr(stdout, "--rebuild-if-modules-changed"))
- return TRUE;
+ {
+ ot_journal_print (LOG_INFO, "semodule does not have --rebuild-if-modules-changed");
+ return TRUE;
+ }
static const gchar * const SEMODULE_REBUILD_ARGV[] = {
"semodule", "-N", "--rebuild-if-modules-changed"
--
2.31.1

@ -0,0 +1,298 @@
From 00697be199c08242e54c02e4557e20834030aaf3 Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii <nikita@linux.ibm.com>
Date: Mon, 4 Apr 2022 16:09:50 +0200
Subject: [PATCH 1/5] s390x: generate sd-boot at its own partition
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
---
src/libostree/ostree-bootloader-zipl.c | 36 ++++++++++++++++++++++----
src/libostree/s390x-se-luks-gencpio | 4 +--
2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
index 02c10826c3..fe024d8046 100644
--- a/src/libostree/ostree-bootloader-zipl.c
+++ b/src/libostree/ostree-bootloader-zipl.c
@@ -21,12 +21,17 @@
#include "ostree-bootloader-zipl.h"
#include "ostree-deployment-private.h"
#include "otutil.h"
+#include <sys/mount.h>
+#include <sys/stat.h>
#include <string.h>
-#define SECURE_EXECUTION_BOOT_IMAGE "/boot/sd-boot"
+#define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
+#define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
+#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
#define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/"
#define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
#define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"
+#define SECURE_EXECUTION_LUKS_BOOT_KEY "/etc/luks/boot"
#define SECURE_EXECUTION_LUKS_CONFIG "/etc/crypttab"
#define SECURE_EXECUTION_RAMDISK_TOOL PKGLIBEXECDIR "/s390x-se-luks-gencpio"
@@ -67,6 +72,25 @@ _ostree_bootloader_zipl_get_name (OstreeBootloader *bootloader)
return "zipl";
}
+static gboolean
+_ostree_secure_execution_mount(GError **error)
+{
+ const char *device = realpath (SECURE_EXECUTION_PARTITION, NULL);
+ if (device == NULL)
+ return glnx_throw_errno_prefix(error, "s390x SE: resolving %s", SECURE_EXECUTION_PARTITION);
+ if (mount (device, SECURE_EXECUTION_MOUNTPOINT, "ext4", 0, NULL) < 0)
+ return glnx_throw_errno_prefix (error, "s390x SE: Mounting %s", device);
+ return TRUE;
+}
+
+static gboolean
+_ostree_secure_execution_umount(GError **error)
+{
+ if (umount (SECURE_EXECUTION_MOUNTPOINT) < 0)
+ return glnx_throw_errno_prefix (error, "s390x SE: Unmounting %s", SECURE_EXECUTION_MOUNTPOINT);
+ return TRUE;
+}
+
static gboolean
_ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
int bootversion,
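Review bot: `realpath (SECURE_EXECUTION_PARTITION, NULL)` returns a malloc'd string that `_ostree_secure_execution_mount` never frees on either return path; free it before returning (a `g_autofree char *device` works since GLib 2.46 guarantees `g_free` is compatible with the system allocator). The `mount` call also hard-codes `"ext4"` and flags `0`; `MS_NOSUID | MS_NODEV | MS_NOEXEC` would be appropriate for a partition that only receives the sd-boot image.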
@@ -152,8 +176,8 @@ _ostree_secure_execution_get_bls_config (OstreeBootloaderZipl *self,
static gboolean
_ostree_secure_execution_luks_key_exists (void)
{
- return (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 &&
- access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0);
+ return (access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0 &&
+ (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 || access(SECURE_EXECUTION_LUKS_BOOT_KEY, F_OK) == 0));
}
static gboolean
@@ -250,7 +274,7 @@ static gboolean
_ostree_secure_execution_call_zipl (GError **error)
{
int status = 0;
- const char *const zipl_argv[] = {"zipl", "-V", "-t", "/boot", "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
+ const char *const zipl_argv[] = {"zipl", "-V", "-t", SECURE_EXECUTION_MOUNTPOINT, "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH,
NULL, NULL, NULL, NULL, &status, error))
return glnx_prefix_error(error, "s390x SE: spawning zipl");
@@ -274,9 +298,11 @@ _ostree_secure_execution_enable (OstreeBootloaderZipl *self,
g_autofree gchar* options = NULL;
gboolean rc =
+ _ostree_secure_execution_mount (error) &&
_ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) &&
_ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) &&
- _ostree_secure_execution_call_zipl (error);
+ _ostree_secure_execution_call_zipl (error) &&
+ _ostree_secure_execution_umount (error);
return rc;
}
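Review bot: the `&&` chain leaves the Secure Execution partition mounted whenever `_ostree_secure_execution_get_bls_config`, `_ostree_secure_execution_generate_sdboot` or `_ostree_secure_execution_call_zipl` fails, because `_ostree_secure_execution_umount` only runs if everything before it succeeded. Unmount on the failure path as well, for example by computing `rc` from the middle three calls and then always calling umount (merging its error if `rc` is already FALSE); otherwise stale mounts accumulate at `SECURE_EXECUTION_MOUNTPOINT` across failed deployments.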
diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
index f0ad24eb32..7d62258a31 100755
--- a/src/libostree/s390x-se-luks-gencpio
+++ b/src/libostree/s390x-se-luks-gencpio
@@ -12,11 +12,11 @@ gzip -cd ${old_initrd} | cpio -imd --quiet
# Adding LUKS root key and crypttab config
mkdir -p etc/luks
-cp -f /etc/luks/root etc/luks/
+cp -f /etc/luks/* etc/luks/
cp -f /etc/crypttab etc/
# Creating new initramdisk image
-find . | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
+find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
# Cleanup
rm -rf ${workdir}
From 91e71022ebc2422f278c285e55f4c88d7f572eeb Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii <nikita@linux.ibm.com>
Date: Mon, 23 May 2022 17:28:54 +0200
Subject: [PATCH 2/5] s390x: ensure SecureExecution is enabled before sd-boot
generation
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
---
src/libostree/ostree-bootloader-zipl.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
index fe024d8046..348dfe036d 100644
--- a/src/libostree/ostree-bootloader-zipl.c
+++ b/src/libostree/ostree-bootloader-zipl.c
@@ -25,6 +25,7 @@
#include <sys/stat.h>
#include <string.h>
+#define SECURE_EXECUTION_SYSFS_FLAG "/sys/firmware/uv/prot_virt_guest"
#define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
#define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
@@ -109,6 +110,14 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
return TRUE;
}
+static gboolean _ostree_secure_execution_is_enabled (GCancellable *cancellable) {
+ gsize len = 0;
+ g_autofree char *data = glnx_file_get_contents_utf8_at (-1, SECURE_EXECUTION_SYSFS_FLAG, &len, cancellable, NULL);
+ if (!data)
+ return FALSE;
+ return strstr (data, "1") != NULL;
+}
+
static gboolean
_ostree_secure_execution_get_keys (GPtrArray **keys,
GCancellable *cancellable,
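Review bot: `strstr (data, "1") != NULL` treats any sysfs content containing the character '1' as enabled (a value such as "10" would match); compare the stripped contents to the literal instead, e.g. `g_strcmp0 (g_strstrip (data), "1") == 0`. Also, passing NULL for the `GError` means a read failure other than ENOENT is indistinguishable from Secure Execution being disabled, which silently falls through to the non-SE zipl path.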
@@ -329,12 +338,15 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader,
return TRUE;
/* Try with Secure Execution */
- g_autoptr(GPtrArray) keys = NULL;
- if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
- return FALSE;
- if (keys && keys->len)
- return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
-
+ if ( _ostree_secure_execution_is_enabled (cancellable) )
+ {
+ g_autoptr(GPtrArray) keys = NULL;
+ if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
+ return FALSE;
+ if (!keys || keys->len == 0)
+ return glnx_throw (error, "s390x SE: no keys");
+ return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
+ }
/* Fallback to non-SE setup */
const char *const zipl_argv[] = {"zipl", NULL};
int estatus;
From 2e2854239189044cc1ffd100959b7c7bfe92b0f9 Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii <nikita@linux.ibm.com>
Date: Tue, 24 May 2022 19:30:35 +0200
Subject: [PATCH 3/5] s390x: fail on error during reading of SecureExecution
sysfs flag
---
src/libostree/ostree-bootloader-zipl.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
index 348dfe036d..87b9b67aec 100644
--- a/src/libostree/ostree-bootloader-zipl.c
+++ b/src/libostree/ostree-bootloader-zipl.c
@@ -110,12 +110,21 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
return TRUE;
}
-static gboolean _ostree_secure_execution_is_enabled (GCancellable *cancellable) {
- gsize len = 0;
- g_autofree char *data = glnx_file_get_contents_utf8_at (-1, SECURE_EXECUTION_SYSFS_FLAG, &len, cancellable, NULL);
+static gboolean _ostree_secure_execution_is_enabled (gboolean *out_enabled,
+ GCancellable *cancellable,
+ GError **error)
+{
+ *out_enabled = FALSE;
+ glnx_autofd int fd = -1;
+ if (!ot_openat_ignore_enoent (AT_FDCWD, SECURE_EXECUTION_SYSFS_FLAG, &fd, error))
+ return FALSE;
+ if (fd == -1)
+ return TRUE; //ENOENT --> SecureExecution is disabled
+ g_autofree char *data = glnx_fd_readall_utf8 (fd, NULL, cancellable, error);
if (!data)
return FALSE;
- return strstr (data, "1") != NULL;
+ *out_enabled = strstr (data, "1") != NULL;
+ return TRUE;
}
static gboolean
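Review bot: error handling is now explicit, but the `strstr (data, "1") != NULL` comparison survives at the new `*out_enabled = ...` line and still matches any content that contains a '1'; compare the stripped contents to the literal "1" instead. Style: `//ENOENT --> SecureExecution is disabled` uses a C++-style comment where the surrounding file uses `/* */`.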
@@ -338,13 +347,16 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader,
return TRUE;
/* Try with Secure Execution */
- if ( _ostree_secure_execution_is_enabled (cancellable) )
+ gboolean se_enabled = FALSE;
+ if ( !_ostree_secure_execution_is_enabled (&se_enabled, cancellable, error))
+ return FALSE;
+ if (se_enabled)
{
g_autoptr(GPtrArray) keys = NULL;
if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
return FALSE;
if (!keys || keys->len == 0)
- return glnx_throw (error, "s390x SE: no keys");
+ return glnx_throw (error, "s390x SE: no keys");
return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
}
/* Fallback to non-SE setup */
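Review bot: the `- return glnx_throw (error, "s390x SE: no keys");` / `+ return glnx_throw (error, "s390x SE: no keys");` pair is a whitespace-only (indentation) change that adds noise to the diff; drop it here or fold it into the earlier patch that introduced the line.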
From 89ed46e8a9f584e2a6c1966fbf4c99f0fe51424e Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii <nikita@linux.ibm.com>
Date: Fri, 27 May 2022 09:13:18 +0200
Subject: [PATCH 4/5] s390x: do not unpack existing initrd, just append LUKS
keys to its copy
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
---
src/libostree/s390x-se-luks-gencpio | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
index 7d62258a31..f444198a40 100755
--- a/src/libostree/s390x-se-luks-gencpio
+++ b/src/libostree/s390x-se-luks-gencpio
@@ -4,19 +4,19 @@ set -euo pipefail
old_initrd=$1
new_initrd=$2
+currdir=$PWD
-# Unpacking existing initramdisk
+# Copying existing initramdisk
+cp ${old_initrd} ${new_initrd}
+
+# Appending LUKS root keys and crypttab config to the end of initrd
workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
cd ${workdir}
-gzip -cd ${old_initrd} | cpio -imd --quiet
-
-# Adding LUKS root key and crypttab config
mkdir -p etc/luks
cp -f /etc/luks/* etc/luks/
cp -f /etc/crypttab etc/
-
-# Creating new initramdisk image
find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
# Cleanup
+cd ${currdir}
rm -rf ${workdir}
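Review bot: `cp ${old_initrd} ${new_initrd}` followed by `>> ${new_initrd}` relies on gzip's handling of concatenated members and on the kernel unpacking a concatenated initramfs; both are supported, but a comment stating that is why the script no longer unpacks the original would help the next reader. The `cd ${currdir}` before `rm -rf ${workdir}` is not needed for the removal itself, since `workdir` is an absolute path from `mktemp -d -p /tmp`, though restoring the caller's directory is still reasonable. The expansions `${old_initrd}`, `${new_initrd}` and `${workdir}` remain unquoted; quote them so paths containing spaces do not break the script.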
From 2c8d5b95c7f2fee90e73bdd9222e002c44e797b7 Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii <nikita@linux.ibm.com>
Date: Thu, 23 Jun 2022 15:54:04 +0200
Subject: [PATCH 5/5] s390x: rename sd-boot to sdboot
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
---
src/libostree/ostree-bootloader-zipl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
index 87b9b67aec..0ff350f942 100644
--- a/src/libostree/ostree-bootloader-zipl.c
+++ b/src/libostree/ostree-bootloader-zipl.c
@@ -28,7 +28,7 @@
#define SECURE_EXECUTION_SYSFS_FLAG "/sys/firmware/uv/prot_virt_guest"
#define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
#define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
-#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
+#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sdboot"
#define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/"
#define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
#define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"

@ -0,0 +1,32 @@
From 56820e54392efc5dd59032f8872aaf219190ad4f Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 14 Jul 2022 14:42:19 -0400
Subject: [PATCH] sign/ed25519: Verify signatures are minimum length
The ed25519 signature verification code does not
check that the signature is a minimum/correct length.
As a result, if the signature is too short, libsodium will end up
reading a few bytes out of bounds.
Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Co-authored-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Closes: https://github.com/ostreedev/ostree/security/advisories/GHSA-gqf4-p3gv-g8vw
---
src/libostree/ostree-sign-ed25519.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/libostree/ostree-sign-ed25519.c b/src/libostree/ostree-sign-ed25519.c
index 809ffe8790..f271fd49e0 100644
--- a/src/libostree/ostree-sign-ed25519.c
+++ b/src/libostree/ostree-sign-ed25519.c
@@ -209,6 +209,9 @@ gboolean ostree_sign_ed25519_data_verify (OstreeSign *self,
g_autoptr (GVariant) child = g_variant_get_child_value (signatures, i);
g_autoptr (GBytes) signature = g_variant_get_data_as_bytes(child);
+ if (g_bytes_get_size (signature) != crypto_sign_BYTES)
+ return glnx_throw (error, "Invalid signature length of %" G_GSIZE_FORMAT " bytes, expected %" G_GSIZE_FORMAT, (gsize) g_bytes_get_size (signature), (gsize) crypto_sign_BYTES);
+
g_autofree char * hex = g_malloc0 (crypto_sign_PUBLICKEYBYTES*2 + 1);
g_debug("Read signature %d: %s", (gint)i, g_variant_print(child, TRUE));
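Review bot: the check rejects any length other than `crypto_sign_BYTES`, which is stricter than the subject's "minimum length" and is the right choice, since the commit message explains that libsodium reads a fixed-size signature regardless of the buffer length. One design question: `glnx_throw` aborts the loop on the first malformed entry, so a single bad-length signature in the list prevents the remaining, possibly valid, signatures from being examined; if the intent is that any one valid signature suffices, a `continue` with a `g_debug` message would preserve that, at the cost of tolerating malformed entries. Either way the out-of-bounds read is closed.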

@ -0,0 +1,710 @@
# Don't ship tests on RHEL > 7.
%if 0%{?rhel} > 7
%bcond_with tests
%else
%bcond_without tests
%endif
Summary: Tool for managing bootable, immutable filesystem trees
Name: ostree
Version: 2022.2
Release: 6%{?dist}
Source0: https://github.com/ostreedev/%{name}/releases/download/v%{version}/libostree-%{version}.tar.xz
License: LGPLv2+
URL: https://ostree.readthedocs.io/en/latest/
# We now track the rhel8 branch upstream, these are the patches
# since the 2022.2 release.
Patch0: 0001-Add-an-ostree-boot-complete.service-to-propagate-sta.patch
Patch1: 0002-libarchive-Handle-archive_entry_symlink-returning-NU.patch
Patch2: 0003-repo-Factor-out-_ostree_repo_auto_transaction_new.patch
Patch3: 0004-repo-Correctly-initialize-refcount-of-temporary-tran.patch
Patch4: 0005-deploy-Try-to-rebuild-policy-in-new-deployment-if-ne.patch
Patch5: 0006-deploy-Be-a-bit-more-verbose-about-SELinux-bits.patch
Patch6: 0007-backport-GH2694-secure-execution-enablement-s390x.patch
Patch7: 0008-backport-GH2696-ed25519-verify-signatures-minimum-length.patch
Patch8: 0001-Support-overlayfs-whiteouts-on-checkout.patch
BuildRequires: make
BuildRequires: git
# We always run autogen.sh
BuildRequires: autoconf automake libtool
# For docs
BuildRequires: gtk-doc
# Core requirements
BuildRequires: pkgconfig(zlib)
BuildRequires: pkgconfig(libcurl)
BuildRequires: openssl-devel
# The tests still require soup
BuildRequires: pkgconfig(libsoup-2.4)
BuildRequires: libattr-devel
# Extras
BuildRequires: pkgconfig(libarchive)
BuildRequires: pkgconfig(liblzma)
BuildRequires: pkgconfig(libselinux)
BuildRequires: pkgconfig(mount)
BuildRequires: pkgconfig(fuse)
BuildRequires: pkgconfig(e2p)
BuildRequires: libcap-devel
BuildRequires: gpgme-devel
BuildRequires: pkgconfig(libsystemd)
BuildRequires: /usr/bin/g-ir-scanner
BuildRequires: dracut
BuildRequires: bison
# Runtime requirements
Requires: dracut
Requires: /usr/bin/gpgv2
Requires: systemd-units
Requires: %{name}-libs%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
%description
libostree is a shared library designed primarily for
use by higher level tools to manage host systems (e.g. rpm-ostree),
as well as container tools like flatpak and the atomic CLI.
%package libs
Summary: Development headers for %{name}
%description libs
The %{name}-libs provides shared libraries for %{name}.
%package devel
Summary: Development headers for %{name}
Requires: %{name}-libs%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
%description devel
The %{name}-devel package includes the header files for the %{name} library.
%ifnarch s390 s390x
%package grub2
Summary: GRUB2 integration for OSTree
%ifnarch aarch64 %{arm}
Requires: grub2
%else
Requires: grub2-efi
%endif
Requires: ostree
%description grub2
GRUB2 integration for OSTree
%endif
%if %{with tests}
%package tests
Summary: Tests for the %{name} package
Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
%description tests
This package contains tests that can be used to verify
the functionality of the installed %{name} package.
%endif
%prep
%autosetup -Sgit -n libostree-%{version}
%build
env NOCONFIGURE=1 ./autogen.sh
%configure --disable-silent-rules \
--enable-gtk-doc \
--with-selinux \
--with-curl \
--with-openssl \
%{?with_tests:--enable-installed-tests=exclusive} \
--with-dracut=yesbutnoconf
%make_build
%install
%make_install INSTALL="install -p -c"
find %{buildroot} -name '*.la' -delete
# Needed to enable the service at compose time currently
%post
%systemd_post ostree-remount.service
%preun
%systemd_preun ostree-remount.service
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README.md
%{_bindir}/ostree
%{_bindir}/rofiles-fuse
%{_datadir}/ostree
%{_datadir}/bash-completion/completions/*
%dir %{_prefix}/lib/dracut/modules.d/98ostree
%{_prefix}/lib/systemd/system/ostree*.*
%{_prefix}/lib/dracut/modules.d/98ostree/*
%{_mandir}/man*/*.gz
%{_prefix}/lib/systemd/system-generators/ostree-system-generator
%exclude %{_sysconfdir}/grub.d/*ostree
%exclude %{_libexecdir}/libostree/grub2*
%exclude %{_libexecdir}/libostree/ostree-trivial-httpd
%{_prefix}/lib/tmpfiles.d/*
%{_prefix}/lib/ostree
# Moved in git master
%{_libexecdir}/libostree/*
%files libs
%{_sysconfdir}/ostree
%{_libdir}/*.so.1*
%{_libdir}/girepository-1.0/OSTree-1.0.typelib
%files devel
%{_libdir}/lib*.so
%{_includedir}/*
%{_libdir}/pkgconfig/*
%dir %{_datadir}/gtk-doc/html/ostree
%{_datadir}/gtk-doc/html/ostree
%{_datadir}/gir-1.0/OSTree-1.0.gir
%ifnarch s390 s390x
%files grub2
%{_sysconfdir}/grub.d/*ostree
%dir %{_libexecdir}/libostree
%{_libexecdir}/libostree/grub2*
%endif
%if %{with tests}
%files tests
%{_libexecdir}/installed-tests
%{_datadir}/installed-tests
%{_libexecdir}/libostree/ostree-trivial-httpd
%endif
%changelog
* Fri Oct 14 2022 Colin Walters <walters@verbum.org> - 2022.2-6
- Backport https://github.com/ostreedev/ostree/commit/0085494e350c72599fc5c0e00422885d80b3c660
- Resolves: rhbz#2134629
* Tue Aug 23 2022 Luca BRUNO <lucab@redhat.com> - 2022.2-5
- Backport enablement patches for Secure Execution on s390x
https://github.com/ostreedev/ostree/pull/2694
Resolves: rhbz#2120522
- Backport security fix to verify signatures are minimum length (advisory GHSA-gqf4-p3gv-g8vw)
https://github.com/ostreedev/ostree/pull/2696
Resolves: rhbz#2119444
* Wed May 04 2022 Colin Walters <walters@verbum.org> - 2022.2-4
- Backport patches from 2022.3, particularly SELinux
Resolves: rhbz#2057497
* Tue Apr 19 2022 Colin Walters <walters@verbum.org> - 2022.2-3
- https://github.com/ostreedev/ostree/releases/tag/v2022.2
Resolves: rhbz#2057497
* Mon Jan 10 2022 Colin Walters <walters@verbum.org> - 2022.1-2
- Rebase to 2022.1
Resolves: rhbz#2032593
* Wed Dec 15 2021 Colin Walters <walters@verbum.org> - 2021.6-2
- Rebase to 2021.6
Resolves: rhbz#2032593
* Tue Nov 30 2021 Colin Walters <walters@verbum.org> - 2021.3-2
- Backport
https://github.com/ostreedev/ostree/pull/2453/commits/e6a560b40797324aa8b90e7100c6d50bff91f14d
Resolves: rhbz#2027788
* Tue Jul 20 2021 Luca BRUNO <lucab@redhat.com> - 2021.3-1
- New upstream version
https://github.com/ostreedev/ostree/releases/tag/v2021.3
Resolves: rhbz#1981865
* Fri May 14 2021 Luca BRUNO <lucab@redhat.com> - 2021.2-1
- New upstream version 2021.2
https://github.com/ostreedev/ostree/releases/tag/v2021.2
* Tue Nov 3 15:04:48 UTC 2020 Colin Walters <walters@verbum.org> - 2020.7-1
- Update to 2020.7
Resolves: #1894062
* Wed Sep 09 2020 Colin Walters <walters@verbum.org> - 2020.5-4
- Backport patches for https://bugzilla.redhat.com/show_bug.cgi?id=1875567
* Mon Aug 24 2020 Colin Walters <walters@verbum.org> - 2020.5-3
- Backport
https://github.com/ostreedev/ostree/pull/2179/commits/06ed04a816141914adb9bd3e32392801fce5bc8e
Resolves: #1867601
* Tue Aug 18 2020 Colin Walters <walters@verbum.org> - 2020.5-2
- Update to https://github.com/ostreedev/ostree/releases/tag/v2020.5
Specifically to fix readonly-sysroot for e.g. RHEL Edge and
older RHCOS versions
- Related: #1861507
* Tue Jul 28 2020 Colin Walters <walters@verbum.org> - 2020.4-1
- https://github.com/ostreedev/ostree/releases/tag/v2020.4
- We plan to use per-object-fsync for etcd in OpenShift 4
- Resolves: #1861507
* Thu May 21 2020 Colin Walters <walters@verbum.org> - 2020.3-3
- Backport https://github.com/ostreedev/ostree/pull/2108
* Fri May 15 2020 Colin Walters <walters@verbum.org> - 2020.3-2
- https://github.com/ostreedev/ostree/releases/tag/v2020.3
Resolves: #1836306
* Tue Dec 10 2019 Colin Walters <walters@verbum.org> - 2019.6-2
- https://github.com/ostreedev/ostree/releases/tag/v2019.6
* Wed Oct 30 2019 Colin Walters <walters@verbum.org> - 2019.5-1
- https://github.com/ostreedev/ostree/releases/tag/v2019.5
* Mon Oct 14 2019 Colin Walters <walters@verbum.org> - 2019.4-3
- https://github.com/ostreedev/ostree/releases/tag/v2019.4
* Wed Apr 24 2019 Jonathan Lebon <jonathan@jlebon.com> - 2019.2-1
- https://github.com/ostreedev/ostree/releases/tag/v2019.2
* Sat Feb 09 2019 Dusty Mabe <dusty@dustymabe.com> - 2019.1-5
- Re-enable http2 in ostree build
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jan 17 2019 Sinny Kumari <ksinny@gmail.com> - 2019.1-3
- Backport patch to fix bare → bare imports
- Backport patch to Set xattr on correct fd for bare-user → bare-user imports
* Fri Jan 11 2019 Colin Walters <walters@verbum.org> - 2019.1-2
- https://github.com/ostreedev/ostree/releases/tag/v2019.1
* Fri Jan 11 2019 Colin Walters <walters@verbum.org> - 2018.9-2
- Work around https://src.fedoraproject.org/rpms/nfs-utils/pull-request/7
* Thu Oct 25 2018 Colin Walters <walters@verbum.org> - 2018.9-1
- https://github.com/ostreedev/ostree/releases/tag/v2018.9
* Wed Oct 17 2018 Jonathan Lebon <jonathan@jlebon.com>
- Add conditional for tests and disable by default on RHEL > 7
* Wed Aug 22 2018 Colin Walters <walters@verbum.org> - 2018.8-1
- https://github.com/ostreedev/ostree/releases/tag/v2018.8
* Sun Aug 12 2018 Peter Robinson <pbrobinson@fedoraproject.org> 2018.7-2
- Enable grub2 support on ARMv7
* Fri Jul 20 2018 Colin Walters <walters@verbum.org> - 2018.7-1
- https://github.com/ostreedev/ostree/releases/tag/v2018.7
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 04 2018 Jonathan Lebon <jonathan@jlebon.com> - 2018.6-4
- Backport patch to fix /var mountpoints
https://github.com/ostreedev/ostree/issues/1667
* Thu Jun 21 2018 Colin Walters <walters@redhat.com> - 2018.6-3
- https://github.com/ostreedev/ostree/releases/tag/v2018.6
* Fri May 11 2018 Colin Walters <walters@verbum.org> - 2018.5-1
- https://github.com/ostreedev/ostree/releases/tag/v2018.5
* Tue Apr 03 2018 Kalev Lember <klember@redhat.com> - 2018.3-2
- Backport a patch to avoid writing to parent repo
* Wed Mar 21 2018 Colin Walters <walters@verbum.org> - 2018.3-1
- https://github.com/ostreedev/ostree/releases/tag/v2018.3
* Fri Mar 02 2018 Jonathan Lebon <jlebon@redhat.com> - 2018.2-2
- Drop ostree-remount systemd service preset, already in fedora-release
https://bugzilla.redhat.com/show_bug.cgi?id=1550799
* Thu Feb 15 2018 Colin Walters <walters@verbum.org> - 2018.2-1
- https://github.com/ostreedev/ostree/releases/tag/v2018.2
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Jan 15 2018 Colin Walters <walters@verbum.org> - 2018.1-1
- https://github.com/ostreedev/ostree/releases/tag/v2018.1
* Wed Dec 20 2017 Colin Walters <walters@verbum.org> - 2017.15-1
- https://github.com/ostreedev/ostree/releases/tag/v2017.15
- Drop upstreamed patches; note this build disabled HTTP2 by
default for now since we are hitting it with koji. For more
information see https://github.com/ostreedev/ostree/issues/1362
* Mon Dec 18 2017 Jonathan Lebon <jlebon@redhat.com> - 2017.14-2
- Backport patch to drop HTTP2
* Mon Dec 04 2017 Colin Walters <walters@verbum.org> - 2017.14-1
- https://github.com/ostreedev/ostree/releases/tag/v2017.14
- Update description
* Mon Nov 27 2017 Colin Walters <walters@verbum.org> - 2017.13-4
- Backport patch to drop curl low speed checks; requested by flatpak
* Tue Nov 07 2017 Kalev Lember <klember@redhat.com> - 2017.13-3
- Backport a patch to fix a gnome-software crash when installing flatpaks
(#1497642)
* Thu Nov 02 2017 Colin Walters <walters@verbum.org> - 2017.13-2
- https://github.com/ostreedev/ostree/releases/tag/v2017.13
* Tue Oct 03 2017 Jonathan Lebon <jlebon@redhat.com> - 2017.12-2
- Let tests subpackage own ostree-trivial-httpd
* Mon Oct 02 2017 Colin Walters <walters@verbum.org> - 2017.12-1
- New upstream version
- https://github.com/ostreedev/ostree/releases/tag/v2017.12
* Thu Sep 14 2017 Colin Walters <walters@verbum.org> - 2017.11-1
- New upstream version
- Add tests subpackage, prep for https://fedoraproject.org/wiki/CI
* Tue Aug 22 2017 Ville Skyttä <ville.skytta@iki.fi> - 2017.10-3
- Own the %%{_libexecdir}/libostree dir
* Thu Aug 17 2017 Colin Walters <walters@verbum.org> - 2017.10-2
- New upstream version
* Sat Aug 12 2017 Ville Skyttä <ville.skytta@iki.fi> - 2017.9-5
- Own the %%{_datadir}/ostree dir
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2017.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Sun Jul 30 2017 Florian Weimer <fweimer@redhat.com> - 2017.9-3
- Rebuild with binutils fix for ppc64le (#1475636)
* Thu Jul 27 2017 Colin Walters <walters@verbum.org> - 2017.9-2
- New upstream version
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2017.8-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Mon Jul 17 2017 Colin Walters <walters@verbum.org> - 2017.8-3
- Switch to libcurl for F26+
I think it works well; to recap the arguments below:
It has various advantages like HTTP2, plus now that NetworkManager
switched we are the last thing left in Fedora Atomic Host depending
on libsoup.
* Thu Jul 06 2017 Colin Walters <walters@verbum.org> - 2017.8-2
- New upstream version
* Mon Jun 19 2017 Colin Walters <walters@verbum.org> - 2017.7-2
- Update to new upstream
* Fri Jun 02 2017 Colin Walters <walters@verbum.org> - 2017.6-4
- Fix previous commit to actually work
* Thu May 18 2017 Colin Walters <walters@verbum.org> - 2017.6-3
- Enable curl+openssl on f27+
It has various advantages like HTTP2, plus now that NetworkManager
switched we are the last thing left in Fedora Atomic Host depending
on libsoup.
* Wed May 17 2017 Colin Walters <walters@verbum.org> - 2017.6-2
- New upstream version
* Wed Apr 19 2017 Colin Walters <walters@verbum.org> - 2017.5-2
- New upstream version
* Wed Apr 12 2017 Colin Walters <walters@verbum.org> - 2017.4-2
- New upstream version
* Fri Mar 10 2017 Colin Walters <walters@verbum.org> - 2017.3-2
- New upstream version
* Fri Mar 03 2017 Colin Walters <walters@redhat.com> - 2017.2-4
- Add patch for ppc64le grub2
* Thu Feb 23 2017 Colin Walters <walters@verbum.org> - 2017.2-3
- Backport libmount unref patch
* Tue Feb 14 2017 Colin Walters <walters@verbum.org> - 2017.2-2
- New upstream version
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2017.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Feb 07 2017 Jonathan Lebon <jlebon@redhat.com> - 2017.1-4
- Make ostree-grub2 require ostree
* Tue Feb 07 2017 Colin Walters <walters@verbum.org> - 2017.1-3
- Split off ostree-libs. This is the inverse of upstream
https://github.com/ostreedev/ostree/pull/659
but renaming the package would be hard for low immediate gain.
With this at least, flatpak could theoretically depend just on libostree.
And similarly for rpm-ostree compose tree (when that gets split out).
* Mon Jan 23 2017 Colin Walters <walters@verbum.org> - 2017.1-2
- New upstream version
* Wed Jan 18 2017 Colin Walters <walters@verbum.org> - 2016.15-2
- Enable libmount for /boot readonly
* Mon Dec 12 2016 walters@redhat.com - 2016.15-1
- New upstream version
* Sat Dec 10 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 2016.14-3
- Rebuild for gpgme 1.18
* Tue Nov 29 2016 Kalev Lember <klember@redhat.com> - 2016.14-2
- Backport a patch to remove an accidental print statement
* Wed Nov 23 2016 walters@redhat.com - 2016.14-1
- New upstream version
* Tue Nov 15 2016 walters@redhat.com - 2016.13-2
- New upstream version
- Require glib-networking to fix https://pagure.io/pungi-fedora/pull-request/103
* Sun Oct 23 2016 walters@verbum.org - 2016.12-1
- New upstream release
* Fri Oct 07 2016 walters@redhat.com - 2016.11-1
- New upstream version
* Tue Sep 20 2016 walters@redhat.com - 2016.10-8
- Backport another patch for systemd journal
Resolves: #1265295
* Fri Sep 16 2016 walters@verbum.org - 2016.10-6
- Set --with-dracut=yesbutnoconf
Resolves: #1331369
* Thu Sep 15 2016 walters@verbum.org - 2016.10-4
- Backport patch to fix bug#1265295
* Mon Sep 12 2016 Kalev Lember <klember@redhat.com> - 2016.10-3
- pull: Do allow executing deltas when mirroring into bare{,-user}
* Fri Sep 09 2016 Kalev Lember <klember@redhat.com> - 2016.10-2
- Drop libgsystem dependency
* Thu Sep 08 2016 walters@redhat.com - 2016.10-1
- New upstream version
* Wed Aug 31 2016 Colin Walters <walters@verbum.org> - 2016.9-1
- New upstream version
* Tue Aug 09 2016 walters@redhat.com - 2016.8-1
- New upstream version
* Tue Aug 09 2016 Colin Walters <walters@verbum.org> - 2016.7-4
- Add pending patch to fix date-based pruning
* Fri Jul 08 2016 walters@redhat.com - 2016.7-1
- New upstream version
* Mon Jun 20 2016 Colin Walters <walters@redhat.com> - 2016.6-1
- New upstream version
* Sun May 8 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2016.5-3
- aarch64 only has grub2-efi
- Use %%license
* Fri Apr 15 2016 Colin Walters <walters@redhat.com> - 2016.5-2
- New upstream version
* Wed Mar 23 2016 Colin Walters <walters@redhat.com> - 2016.4-2
- New upstream version
* Fri Feb 26 2016 Colin Walters <walters@redhat.com> - 2016.3-1
- New upstream version
* Tue Feb 23 2016 Colin Walters <walters@redhat.com> - 2016.2-1
- New upstream version
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2016.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jan 12 2016 Colin Walters <walters@redhat.com> - 2016.1-2
- New upstream version
* Fri Dec 04 2015 Colin Walters <walters@redhat.com> - 2015.11-2
- New upstream version
* Sun Nov 22 2015 Colin Walters <walters@redhat.com> - 2015.10-1
- New upstream version
* Thu Nov 12 2015 Matthew Barnes <mbarnes@redhat.com> - 2015.9-3
- Add ostree-tmp-chmod.service to fix /tmp permissions on existing installs.
Resolves: #1276775
* Fri Oct 30 2015 Colin Walters <walters@redhat.com> - 2015.9-2
- Add patch to fix permissions of /tmp
Resolves: #1276775
* Wed Sep 23 2015 Colin Walters <walters@redhat.com> - 2015.9-1
- New upstream version
* Wed Aug 26 2015 Colin Walters <walters@redhat.com> - 2015.8-1
- New upstream version
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2015.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Jun 02 2015 Colin Walters <walters@redhat.com> - 2015.7-1
- New upstream version
* Thu May 28 2015 Colin Walters <walters@redhat.com> - 2015.6-4
- Add patch to ensure reliable bootloader ordering
See: #1225088
* Thu Apr 30 2015 Colin Walters <walters@redhat.com> - 2015.6-3
- Close sysroot fd in finalize to fix Anaconda
https://bugzilla.redhat.com/show_bug.cgi?id=1217578
* Fri Apr 17 2015 Colin Walters <walters@redhat.com> - 2015.6-2
- New upstream release
* Sun Apr 12 2015 Colin Walters <walters@redhat.com> - 2015.5-4
- (Really) Handle null epoch as well; this was injected for https://github.com/cgwalters/rpmdistro-gitoverlay
* Tue Apr 07 2015 Colin Walters <walters@redhat.com> - 2015.5-2
- New upstream release
* Mon Mar 30 2015 Dan Horák <dan[at]danny.cz> - 2015.4-5
- ExcludeArch is a build restriction and is global, switching to %%ifnarch
* Fri Mar 27 2015 Colin Walters <walters@redhat.com> - 2015.4-4
- Have grub2 subpackage match ExcludeArch with grub2
* Fri Mar 27 2015 Colin Walters <walters@redhat.com> - 2015.4-3
- Handle null epoch as well; this was injected for https://github.com/cgwalters/rpmdistro-gitoverlay
* Wed Mar 25 2015 Colin Walters <walters@redhat.com> - 2015.4-2
- New upstream release
* Mon Feb 16 2015 Colin Walters <walters@redhat.com> - 2015.3-3
- Require latest libgsystem to ensure people have it
* Fri Jan 23 2015 Colin Walters <walters@redhat.com> - 2015.3-2
- New upstream release
* Thu Jan 08 2015 Colin Walters <walters@redhat.com> - 2015.2-1
- New upstream release
* Sun Jan 04 2015 Colin Walters <walters@redhat.com> - 2014.13-2
- Add patch to ensure correct xattrs on modified config files
Fixes: #1178208
* Wed Dec 17 2014 Colin Walters <walters@redhat.com> - 2014.13-1
- New upstream release
* Wed Nov 26 2014 Colin Walters <walters@redhat.com> - 2014.12-1
- New upstream version
* Thu Oct 30 2014 Colin Walters <walters@redhat.com> - 2014.11-1
- New upstream release
* Wed Oct 29 2014 Colin Walters <walters@redhat.com> - 2014.10.1.gedc3b9a-1
- New upstream release
* Fri Oct 24 2014 Colin Walters <walters@redhat.com> - 2014.9-2
- New upstream release
* Thu Oct 16 2014 Colin Walters <walters@redhat.com>
- New upstream release
* Mon Sep 08 2014 Colin Walters <walters@redhat.com> - 2014.6-1
- New upstream release
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2014.5-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Jul 22 2014 Kalev Lember <kalevlember@gmail.com> - 2014.5-4
- Rebuilt for gobject-introspection 1.41.4
* Wed Jun 25 2014 Colin Walters <walters@verbum.org>
- Rebuild to pick up new libsoup
* Fri Jun 13 2014 Colin Walters <walters@verbum.org> - 2014.4-2
- Include /etc/ostree, even though it is empty
* Mon Jun 09 2014 Colin Walters <walters@verbum.org> - 2014.4-1
- New upstream release
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2014.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Apr 13 2014 Colin Walters <walters@verbum.org> - 2014.4-1
- New upstream release
* Mon Mar 31 2014 Colin Walters <walters@verbum.org>
- New git snapshot for rpm-ostree
* Fri Mar 21 2014 Colin Walters <walters@verbum.org> - 2014.3-1
- New upstream release
* Fri Mar 14 2014 Colin Walters <walters@verbum.org> - 2014.2-3
- Move trusted.gpg.d to main runtime package, where it should be
* Fri Mar 07 2014 Colin Walters <walters@verbum.org> - 2014.2-2
- Depend on gpgv2
- Resolves: #1073813
* Sat Mar 01 2014 Colin Walters <walters@verbum.org> - 2014.2-1
- New upstream release
- Depend on libselinux
- Explicitly depend on libarchive too, we were actually failing
to disable it before
* Fri Jan 24 2014 Colin Walters <walters@verbum.org> - 2014.1-1
- New upstream release
* Mon Jan 13 2014 Colin Walters <walters@verbum.org> - 2013.7-2
- Add preset file so ostree-remount is enabled by default, since
it needs to be.
* Tue Oct 15 2013 Colin Walters <walters@verbum.org> - 2013.7-1
- New upstream release
- Now LGPLv2+ only
- Enable libarchive since it might be useful for people
- Enable new gpgme dependency
* Thu Sep 12 2013 Colin Walters <walters@verbum.org> - 2013.6-3
- Enable introspection
* Mon Sep 09 2013 Colin Walters <walters@verbum.org> - 2013.6-2
- Tweak description
* Mon Sep 09 2013 Colin Walters <walters@verbum.org> - 2013.6-1
- New upstream release
* Sat Aug 25 2013 Colin Walters <walters@verbum.org> - 2013.5-3
- And actually while we are here, drop all the embedded dependency
goop from this spec file; it may live on in the EPEL branch.
* Sat Aug 25 2013 Colin Walters <walters@verbum.org> - 2013.5-2
- Drop requirement on linux-user-chroot
We now require triggers to be processed on the build server
by default, so ostree does not runtime-depend on linux-user-chroot.
* Sat Aug 17 2013 Colin Walters <walters@verbum.org> - 2013.5-1
- New upstream release
- Add devel package
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2013.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Jul 16 2013 Colin Walters <walters@verbum.org> - 2013.4-1
- New upstream release
* Sun Jul 07 2013 Colin Walters <walters@verbum.org> - 2013.3-1
- New upstream release
* Mon Apr 01 2013 Colin Walters <walters@verbum.org> - 2013.1-1
- New upstream release
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2012.13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Sun Dec 23 2012 Colin Walters <walters@verbum.org> - 2012.13-1
- New upstream release
* Tue Dec 18 2012 Colin Walters <walters@verbum.org> - 2012.12-2
- Explicitly enable grub2 hook; otherwise we pick up whatever
the buildroot has, which is not what we want.
* Mon Nov 19 2012 Colin Walters <walters@verbum.org> - 2012.12-1
- Initial import; thanks to Michel Alexandre Salim for review
https://bugzilla.redhat.com/show_bug.cgi?id=819951
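Review bot: the grub2 subpackage declares a bare, unversioned `Requires: ostree`, whereas the devel and tests subpackages pin `%{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}`; the grub2 hooks shipped from `%{_libexecdir}/libostree/grub2*` are built from the same source as the `ostree` binary they are invoked by, so use the same versioned, arch-qualified dependency in `%package grub2` to rule out installing a mismatched ostree and ostree-grub2 pair. Related to the same `%files` layout: `%dir %{_libexecdir}/libostree` appears only under `%files grub2`, while the main package lists `%{_libexecdir}/libostree/*` without the directory itself, so on s390 and s390x (where the whole grub2 subpackage is skipped by `%ifnarch`) that directory is left unowned; move the `%dir %{_libexecdir}/libostree` line into the main `%files` section so ownership does not depend on the architecture.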