docs: Add comprehensive documentation and update planning

- Add docs/README.md with project overview and current status - Add docs/architecture.md with detailed architecture documentation - Add docs/development.md with development guide for contributors - Update .notes/todo.md to reflect architecture fix completion - Update .notes/plan.md with completed phases and next priorities Architecture fixes (daemon and dbus), bubblewrap integration are now complete. Ready for OCI integration phase.
2025-07-18 23:38:57 +00:00 · 2025-07-18 23:38:57 +00:00 · 97a9c40d7e
commit 97a9c40d7e
parent 1cc175c110
33 changed files with 4488 additions and 118 deletions
--- a/src/daemon/apt-ostree-countme.service
+++ b/src/daemon/apt-ostree-countme.service
@ -0,0 +1,18 @@
+[Unit]
+Description=apt-ostree Usage Reporting
+Documentation=man:apt-ostree-countme.service(8)
+DefaultDependencies=no
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/apt-ostree countme
+User=root
+# Create state directory with secure permissions
+ExecStartPre=/bin/mkdir -p /var/lib/apt-ostree/countme
+ExecStartPre=/bin/chmod 700 /var/lib/apt-ostree/countme
+# Privacy-compliant data collection
+Environment=APT_OSTREE_COUNTME_PRIVACY=1
+# Non-blocking operation
+TimeoutSec=30 
--- a/src/daemon/apt-ostree-countme.timer
+++ b/src/daemon/apt-ostree-countme.timer
@ -0,0 +1,12 @@
+[Unit]
+Description=Weekly apt-ostree Usage Reporting
+Documentation=man:apt-ostree-countme.timer(8)
+Requires=apt-ostree-countme.service
+
+[Timer]
+OnCalendar=weekly
+RandomizedDelaySec=86400
+Persistent=true
+
+[Install]
+WantedBy=timers.target 
--- a/src/daemon/apt-ostreed-automatic.service
+++ b/src/daemon/apt-ostreed-automatic.service
@ -0,0 +1,23 @@
+[Unit]
+Description=apt-ostree Automatic Updates
+Documentation=man:apt-ostreed-automatic.service(8)
+After=network-online.target apt-ostreed.service
+Wants=network-online.target
+Requires=apt-ostreed.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/apt-ostree upgrade --automatic
+User=root
+# Debian/Ubuntu specific update handling
+Environment=DEBIAN_FRONTEND=noninteractive
+Environment=APT_OSTREE_AUTOMATIC=1
+# Security updates only by default
+Environment=APT_OSTREE_AUTOMATIC_SECURITY_ONLY=1
+# Non-blocking operation
+TimeoutSec=300
+Restart=on-failure
+RestartSec=60
+
+[Install]
+WantedBy=multi-user.target 
--- a/src/daemon/apt-ostreed-automatic.timer
+++ b/src/daemon/apt-ostreed-automatic.timer
@ -0,0 +1,12 @@
+[Unit]
+Description=Daily apt-ostree Automatic Updates
+Documentation=man:apt-ostreed-automatic.timer(8)
+Requires=apt-ostreed-automatic.service
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=3600
+Persistent=true
+
+[Install]
+WantedBy=timers.target 
--- a/src/daemon/apt-ostreed.conf
+++ b/src/daemon/apt-ostreed.conf
@ -0,0 +1,44 @@
+# apt-ostreed Configuration File
+# This file configures the apt-ostree daemon behavior
+
+[Daemon]
+# OSTree repository path
+RepoPath=/var/lib/apt-ostree/repo
+
+# APT configuration
+AptCacheDir=/var/cache/apt-ostree
+AptStateDir=/var/lib/apt-ostree/apt
+
+# Transaction management
+TransactionTimeout=300
+MaxConcurrentTransactions=1
+
+# Automatic update settings
+AutomaticEnabled=false
+AutomaticSecurityOnly=true
+AutomaticReboot=false
+
+# Logging configuration
+LogLevel=info
+LogFile=/var/log/apt-ostreed.log
+
+# D-Bus configuration
+DbusName=org.aptostree.dev
+DbusPath=/org/aptostree/dev
+
+# Security settings
+RequireAuthentication=true
+AllowUnprivilegedRead=true
+
+# Debian/Ubuntu specific settings
+Distribution=ubuntu
+Release=24.04
+Architecture=x86_64
+
+# Package management
+DefaultRepositories=main,universe,multiverse,restricted
+SecurityRepositories=security
+
+# OSTree settings
+OstreeMode=bare
+OstreeRef=ubuntu/24.04/x86_64 
--- a/src/daemon/apt-ostreed.service
+++ b/src/daemon/apt-ostreed.service
@ -1,41 +1,17 @@
 [Unit]
 Description=apt-ostree System Management Daemon
 Documentation=man:apt-ostree(1)
-ConditionPathExists=/ostree
-RequiresMountsFor=/boot

 [Service]
-Type=notify
-ExecStart=/usr/bin/apt-ostreed
+Type=simple
+ExecStart=/usr/libexec/apt-ostreed
 Restart=on-failure
 RestartSec=1
 StandardOutput=journal
 StandardError=journal
-NotifyAccess=main

-# Security settings
+# Basic security settings (minimal for development)
 NoNewPrivileges=true
-ProtectSystem=strict
-ProtectHome=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-PrivateTmp=true
-PrivateDevices=true
-PrivateUsers=true
-LockPersonality=true
-MemoryDenyWriteExecute=true
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-
-# OSTree-specific settings
-ReadWritePaths=/var/lib/apt-ostree
-ReadWritePaths=/var/cache/apt-ostree
-ReadWritePaths=/var/log/apt-ostree
-ReadWritePaths=/run/apt-ostree

 [Install]
 WantedBy=multi-user.target 
--- a/src/daemon/org.aptostree.dev.conf
+++ b/src/daemon/org.aptostree.dev.conf
@ -0,0 +1,87 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <!-- apt-ostree D-Bus Policy Configuration -->
+  
+  <!-- Allow apt-ostreed to own the service name -->
+  <policy user="root">
+    <allow own="org.aptostree.dev"/>
+    <allow send_destination="org.aptostree.dev"/>
+    <allow receive_sender="org.aptostree.dev"/>
+  </policy>
+
+  <!-- Allow system users to call methods -->
+  <policy context="default">
+    <!-- Allow introspection for all users -->
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.freedesktop.DBus.Introspectable"
+           send_member="Introspect"/>
+    
+    <!-- Read-only operations -->
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="ping"/>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="status"/>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="list_packages"/>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="search_packages"/>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="show_package_info"/>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="show_history"/>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="show_status"/>
+    
+    <!-- Privileged operations require authentication -->
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="install_packages">
+      <allow send_destination="org.aptostree.dev"/>
+    </allow>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="remove_packages">
+      <allow send_destination="org.aptostree.dev"/>
+    </allow>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="upgrade_system">
+      <allow send_destination="org.aptostree.dev"/>
+    </allow>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="rollback">
+      <allow send_destination="org.aptostree.dev"/>
+    </allow>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="checkout">
+      <allow send_destination="org.aptostree.dev"/>
+    </allow>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="prune_deployments">
+      <allow send_destination="org.aptostree.dev"/>
+    </allow>
+    <allow send_destination="org.aptostree.dev"
+           send_interface="org.aptostree.dev.Daemon"
+           send_member="initialize">
+      <allow send_destination="org.aptostree.dev"/>
+    </allow>
+  </policy>
+
+  <!-- Allow apt-ostreed to receive signals -->
+  <policy user="root">
+    <allow receive_sender="org.aptostree.dev"/>
+  </policy>
+
+</busconfig> 
--- a/src/daemon/org.aptostree.dev.policy
+++ b/src/daemon/org.aptostree.dev.policy
@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+  <vendor>apt-ostree</vendor>
+  <vendor_url>https://github.com/apt-ostree/apt-ostree</vendor_url>
+
+  <action id="org.aptostree.dev.install-packages">
+    <description>Install packages via apt-ostree</description>
+    <message>Authentication is required to install packages</message>
+    <icon_name>system-software-install</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/apt-ostree</annotate>
+  </action>
+
+  <action id="org.aptostree.dev.remove-packages">
+    <description>Remove packages via apt-ostree</description>
+    <message>Authentication is required to remove packages</message>
+    <icon_name>system-software-install</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/apt-ostree</annotate>
+  </action>
+
+  <action id="org.aptostree.dev.upgrade-system">
+    <description>Upgrade system via apt-ostree</description>
+    <message>Authentication is required to upgrade the system</message>
+    <icon_name>system-software-update</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/apt-ostree</annotate>
+  </action>
+
+  <action id="org.aptostree.dev.rollback">
+    <description>Rollback system via apt-ostree</description>
+    <message>Authentication is required to rollback the system</message>
+    <icon_name>system-software-update</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/apt-ostree</annotate>
+  </action>
+
+  <action id="org.aptostree.dev.modify-kernel-args">
+    <description>Modify kernel arguments via apt-ostree</description>
+    <message>Authentication is required to modify kernel arguments</message>
+    <icon_name>system-settings</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/apt-ostree</annotate>
+  </action>
+
+  <action id="org.aptostree.dev.initramfs">
+    <description>Manage initramfs via apt-ostree</description>
+    <message>Authentication is required to manage initramfs</message>
+    <icon_name>system-settings</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/apt-ostree</annotate>
+  </action>
+
+  <action id="org.aptostree.dev.rebase">
+    <description>Rebase system via apt-ostree</description>
+    <message>Authentication is required to rebase the system</message>
+    <icon_name>system-software-update</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/apt-ostree</annotate>
+  </action>
+
+  <action id="org.aptostree.dev.reset">
+    <description>Reset system via apt-ostree</description>
+    <message>Authentication is required to reset the system</message>
+    <icon_name>system-software-update</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/apt-ostree</annotate>
+  </action>
+
+</policyconfig> 
--- a/src/daemon/org.aptostree.dev.service
+++ b/src/daemon/org.aptostree.dev.service
@ -0,0 +1,5 @@
+[D-BUS Service]
+Name=org.aptostree.dev
+Exec=/usr/libexec/apt-ostreed
+User=root
+SystemdService=apt-ostreed.service