rhel9: fix conditionals for sysroot.readonly enablement

Signed-off-by: Antonio Murdaca <antoniomurdaca@gmail.com>
2023-02-08 18:29:07 +01:00 · 2023-02-08 18:29:07 +01:00 · 6afab3dff2
commit 6afab3dff2
parent 1b9e008c29
2 changed files with 31 additions and 8 deletions
--- a/internal/distro/rhel9/images.go
+++ b/internal/distro/rhel9/images.go
@ -340,7 +340,6 @@ func edgeRawImage(workload workload.Workload,
 		Checksum:   options.OSTree.FetchChecksum,
 	}
 	img := image.NewOSTreeRawImage(commit)
-	// TODO: add Fedora once it's ready
 	if !common.VersionLessThan(t.arch.distro.osVersion, "9.2") || t.arch.distro.osVersion == "9-stream" {
 		img.Ignition = true
 	}
@ -350,10 +349,13 @@ func edgeRawImage(workload workload.Workload,

 	// "rw" kernel option is required when /sysroot is mounted read-only to
 	// keep stateful parts of the filesystem writeable (/var/ and /etc)
-	img.KernelOptionsAppend = []string{"modprobe.blacklist=vc4", "rw"}
+	img.KernelOptionsAppend = []string{"modprobe.blacklist=vc4"}
 	img.Keyboard = "us"
 	img.Locale = "C.UTF-8"
-	img.SysrootReadOnly = true
+	if !common.VersionLessThan(t.arch.distro.osVersion, "9.2") || t.arch.distro.osVersion == "9-stream" {
+		img.SysrootReadOnly = true
+		img.KernelOptionsAppend = append(img.KernelOptionsAppend, "rw")
+	}

 	img.Platform = t.platform
 	img.Workload = workload
@ -400,7 +402,6 @@ func edgeSimplifiedInstallerImage(workload workload.Workload,
 		Checksum:   options.OSTree.FetchChecksum,
 	}
 	rawImg := image.NewOSTreeRawImage(commit)
-	// TODO: add Fedora once it's ready
 	if !common.VersionLessThan(t.arch.distro.osVersion, "9.2") || t.arch.distro.osVersion == "9-stream" {
 		rawImg.Ignition = true
 	}
@ -410,10 +411,13 @@ func edgeSimplifiedInstallerImage(workload workload.Workload,

 	// "rw" kernel option is required when /sysroot is mounted read-only to
 	// keep stateful parts of the filesystem writeable (/var/ and /etc)
-	rawImg.KernelOptionsAppend = []string{"modprobe.blacklist=vc4", "rw"}
+	rawImg.KernelOptionsAppend = []string{"modprobe.blacklist=vc4"}
 	rawImg.Keyboard = "us"
 	rawImg.Locale = "C.UTF-8"
-	rawImg.SysrootReadOnly = true
+	if !common.VersionLessThan(t.arch.distro.osVersion, "9.2") || t.arch.distro.osVersion == "9-stream" {
+		rawImg.SysrootReadOnly = true
+		rawImg.KernelOptionsAppend = append(rawImg.KernelOptionsAppend, "rw")
+	}

 	rawImg.Platform = t.platform
 	rawImg.Workload = workload
--- a/test/data/ansible/check_ostree.yaml
+++ b/test/data/ansible/check_ostree.yaml
@ -259,7 +259,7 @@
    # There are three checks here for /sysroot permission based on pr https://github.com/osbuild/osbuild-composer/pull/3053
    # 1. for edge-commit and edge-installer, check ro when fedora >= 37
    # 2. for edge-commit and edge-installer, check rw for other os.
-    # 3. for edge-simplified-installer and edge-raw-image, check ro for all os.
+    # 3. for edge-simplified-installer and edge-raw-image, check ro for 9.2+ and F37+.
    - name: /sysroot should be mount with ro permission for edge-commit and edge-installer on Fedora >= 37
      block:
        - assert:
@ -307,7 +307,26 @@
        - name: failed count + 1
          set_fact:
            failed_counter: "{{ failed_counter | int + 1 }}"
-      when: edge_type == "edge-simplified-installer" or edge_type == "edge-raw-image"
+      when: (edge_type == "edge-simplified-installer" or edge_type == "edge-raw-image") and ((ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '>=')) or
+            (ansible_facts['distribution'] == 'CentOS' and ansible_facts['distribution_version'] is version('9', '>=')) or (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_version'] is version('9.2', '>=')))
+
+    - name: /sysroot should be mount with rw permission for edge-simplified-installer and edge-raw-image for <9.2 and <F37
+      block:
+        - assert:
+            that:
+              - result_sysroot_mount_status.stdout == "rw"
+            fail_msg: "/sysroot is not mounted with rw permission"
+            success_msg: "/sysroot is mounted with rw permission"
+      always:
+        - set_fact:
+            total_counter: "{{ total_counter | int + 1 }}"
+      rescue:
+        - name: failed count + 1
+          set_fact:
+            failed_counter: "{{ failed_counter | int + 1 }}"
+      when: (edge_type == "edge-simplified-installer" or edge_type == "edge-raw-image") and ((ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '<')) or
+            (ansible_facts['distribution'] == 'CentOS' and ansible_facts['distribution_version'] is version('9', '<')) or (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_version'] is version('9.2', '<')))
+

    # case: check /var mount point
    - name: check /var mount point