Unified core #940
Unified core #940
Conversation
|
Depends: ostreedev/ostree#1105 |
cgwalters
force-pushed
the
unified-core
branch
2 times, most recently
from
63f1485 to
6d79556
Compare
|
☔ The latest upstream changes (presumably 3047513) made this pull request unmergeable. Please resolve the merge conflicts. |
cgwalters
force-pushed
the
unified-core
branch
from
6d79556 to
aabc023
Compare
|
☔ The latest upstream changes (presumably f113fc5) made this pull request unmergeable. Please resolve the merge conflicts. |
cgwalters
force-pushed
the
unified-core
branch
from
aabc023 to
cfaaf81
Compare
Lots of confusion in the codebase about this. The basic problem is that in *most* cases, our code doesn't care; it's conceptually operating on `/usr/etc`, which we could maintain as `/etc` and just rename it back at the very end. The exceptions though are the `/etc/passwd` handling and livefs. And of course libostree needs to handle `/usr/etc` vs `/etc` for config merging. I considered trying to keep things the other way, but while I think we have some ugly added here in this patch for things where we need to maintain an external view (`remove-files` and `remove-from-packages`, and boy am I glad we had tests for those), this ends up being mostly more consistent elsewhere. One thing that might help is to maintain a fd for it; but that'd be an even more invasive change. This also ends up rolling in some unified core prep from coreos#940 in the form of `rename_if_exists()` - basically for some minimal rootfs we may not have `/boot`, or for that matter potentially even `etc`. Prep for coreos#997
Lots of confusion in the codebase about this. The basic problem is that in *most* cases, our code doesn't care; it's conceptually operating on `/usr/etc`, which we could maintain as `/etc` and just rename it back at the very end. The exceptions though are the `/etc/passwd` handling and livefs. And of course libostree needs to handle `/usr/etc` vs `/etc` for config merging. I considered trying to keep things the other way, but while I think we have some ugly added here in this patch for things where we need to maintain an external view (`remove-files` and `remove-from-packages`, and boy am I glad we had tests for those), this ends up being mostly more consistent elsewhere. One thing that might help is to maintain a fd for it; but that'd be an even more invasive change. This also ends up rolling in some unified core prep from coreos#940 in the form of `rename_if_exists()` - basically for some minimal rootfs we may not have `/boot`, or for that matter potentially even `etc`. Prep for coreos#997
Lots of confusion in the codebase about this. The basic problem is that in *most* cases, our code doesn't care; it's conceptually operating on `/usr/etc`, which we could maintain as `/etc` and just rename it back at the very end. The exceptions though are the `/etc/passwd` handling and livefs. And of course libostree needs to handle `/usr/etc` vs `/etc` for config merging. I considered trying to keep things the other way, but while I think we have some ugly added here in this patch for things where we need to maintain an external view (`remove-files` and `remove-from-packages`, and boy am I glad we had tests for those), this ends up being mostly more consistent elsewhere. One thing that might help is to maintain a fd for it; but that'd be an even more invasive change. This also ends up rolling in some unified core prep from #940 in the form of `rename_if_exists()` - basically for some minimal rootfs we may not have `/boot`, or for that matter potentially even `etc`. Prep for #997 Closes: #997 Approved by: jlebon
cgwalters
force-pushed
the
unified-core
branch
from
cfaaf81 to
1aa4c9d
Compare
|
OK, this is updated again against master. Required for rpm-ostree jigdo ♲📦. Still WIP...going to try to clean things up a bit. |
cgwalters
force-pushed
the
unified-core
branch
from
1aa4c9d to
d192635
Compare
|
Note to self, need to implement |
|
☔ The latest upstream changes (presumably 1240d8d) made this pull request unmergeable. Please resolve the merge conflicts. |
cgwalters
force-pushed
the
unified-core
branch
from
d192635 to
ee60d1f
Compare
|
OK, lifting WIP on this. I have been squashing issues in the unprivileged path for a while but I am not sure how many more remain, and none of those really block the jigdo work. So I think my vote is let's land this, it's just an |
| if (!glnx_opendirat (AT_FDCWD, "/", TRUE, &host_rootfs_dfd, error)) | ||
| return FALSE; | ||
| g_autoptr(OstreeSePolicy) sepolicy = ostree_sepolicy_new_at (host_rootfs_dfd, cancellable, error); | ||
| if (!sepolicy) |
There was a problem hiding this comment.
I should note this also means that --ex-unified-core requires having selinux-policy-targeted in the container/host.
There was a problem hiding this comment.
Let's just print a notice instead and keep going? It would make it easier to test from a container. :)
Anyway if caching, then we only pay that relabel cost once, right?
There was a problem hiding this comment.
One can install the policy in a container, that's what I've done. We could stumble on but it means the relabel actually rewrites every object. Seems easier to require people to install policy?
(That said of course this whole thing intersects with #971)
| { | ||
| if (!rpmostree_context_import (self->corectx, cancellable, error)) | ||
| return FALSE; | ||
| if (!rpmostree_context_relabel (self->corectx, cancellable, error)) |
There was a problem hiding this comment.
We don't need this relabel though, right? Otherwise IIUC, we will unnecessarily relabel the whole cache everytime the build env changes policy, even if the target tree didn't.
There was a problem hiding this comment.
It seems you're right...I am not entirely sure what I was thinking there. Deleted in a fixup ⬇️
| @@ -0,0 +1,41 @@ | |||
| # This used to live in test-basic.sh, but it's now shared with test-basic-unified.sh | |||
There was a problem hiding this comment.
Minor: any reason for formatting this as a lib? Seems cleaner as a basic-test.sh we just source directly like ostree's basic-test.sh. Not super opposed either way though.
There was a problem hiding this comment.
I kept this as just to avoid too much churn but may revisit later.
|
Looks like |
cgwalters
force-pushed
the
unified-core
branch
from
ee60d1f to
3225aea
Compare
|
bot, retest this please |
|
Looks good! Though seems like CI is now failing with: |
|
☔ The latest upstream changes (presumably 7ab8869) made this pull request unmergeable. Please resolve the merge conflicts. |
Adding the 2nd test revealed this didn't actually work, will fix at some point.
It seems that libarchive ends up returning `getuid()` actually, possibly because the cpio doesn't actually have ownership information? Anyways, what we really want here is to set `0/0`, which is what happens for the `ex container` path via `OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS`. Prep for unified core 🌐.
In an unprivileged case, we can't do this on the real filesystem. For `ex container`, we want to completely ignore uid/gid. I added a test installing `httpd` which failed previously. TODO: For non-root `--ex-unified-core` we need to do it as a commit modifier.
Yup, definitely also hitting this now. Did you investigate why it happens? It looks like we're getting |
|
Yeah it's the |
|
(I suppose we could actually bind a host |
The "--ex" prefix here means it's an experimental option. A tremendous change here is that start to support non-uid 0, but there are various things to fix there; the unpacker for example needs to learn to set imported objects fully based on the rpmfi information (i.e. default to uid 0, since libarchive gives the current uid by default). And even when run as uid 0, there are some bugs, though I'm not sure of any showstoppers yet. For example, dracut's `dracut-install` calls `cp --preserve=xattrs` which fails to copy the `user.ostreemeta` xattrs from a checkout (it shouldn't be copying that anyways...) Nevertheless, the infrastructure behind this really helps (is almost a hard requirement for) the [jigdo effort](coreos#1081). Which is really only true due to SELinux - we need to import the packages, then generate the final tree to get the final policy, then use that policy to relabel all of the packages.
cgwalters
force-pushed
the
unified-core
branch
from
a8cf584 to
281ea46
Compare
|
Ahhh right, bwrap itself uses a tmpfs when creating the container root. Yeah, probably easier to just bind a Seems like the unified test is still failing. |
|
I am not sure what's going on, that |
|
Well, that fixed it anyways! |
|
⚡ Test exempted: merge already tested. |
It seems that libarchive ends up returning `getuid()` actually, possibly because the cpio doesn't actually have ownership information? Anyways, what we really want here is to set `0/0`, which is what happens for the `ex container` path via `OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS`. Prep for unified core 🌐. Closes: #940 Approved by: jlebon
In an unprivileged case, we can't do this on the real filesystem. For `ex container`, we want to completely ignore uid/gid. I added a test installing `httpd` which failed previously. TODO: For non-root `--ex-unified-core` we need to do it as a commit modifier. Closes: #940 Approved by: jlebon
The "--ex" prefix here means it's an experimental option. A tremendous change here is that start to support non-uid 0, but there are various things to fix there; the unpacker for example needs to learn to set imported objects fully based on the rpmfi information (i.e. default to uid 0, since libarchive gives the current uid by default). And even when run as uid 0, there are some bugs, though I'm not sure of any showstoppers yet. For example, dracut's `dracut-install` calls `cp --preserve=xattrs` which fails to copy the `user.ostreemeta` xattrs from a checkout (it shouldn't be copying that anyways...) Nevertheless, the infrastructure behind this really helps (is almost a hard requirement for) the [jigdo effort](#1081). Which is really only true due to SELinux - we need to import the packages, then generate the final tree to get the final policy, then use that policy to relabel all of the packages. Closes: #940 Approved by: jlebon
WIP for #729
May extract some of the prep to a separate PR soon.