Update the osbuild/images to the version which introduces "dot notation"
for distro release versions.
- Replace all uses of distroregistry by distrofactory.
- Delete local version of reporegistry and use the one from the
osbuild/images.
- Weldr: unify `createWeldrAPI()` and `createWeldrAPI2()` into a single
`createTestWeldrAPI()` function.
- store/fixture: rework fixtures to allow overriding the host distro
name and host architecture name. A cleanup function to restore the
host distro and arch names is always part of the fixture struct.
- Delete `distro_mock` package, since it is no longer used.
- Bump the required version of osbuild to 98, because the OSCAP
customization is using the 'compress_results' stage option, which is
not available in older versions of osbuild.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Move the filesystem customization tests into their own file.
Additionally add tests for unmarshalling filesystem customizations
from TOML, since we have added a new `minsize` tag to ensure
consistency with the json tag.
The new tests check the validation of the TOML input and ensure
that either one or both of the `minsize` and `size` inputs are
set. If both are set, the input is checked to ensure that both
match.
Due to an oversight, the toml and json tags for the `MinSize`
field had different keywords. This commit fixes this by creating
a `minsize` toml tag and ensuring backwards compatibility by
checking the old `size` tag.
If both `minsize` & `size` are set in the toml block, the
custom unmarshal function validates the input for inconsistencies.
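The accept-both-keys-and-check-consistency pattern described in the two commit messages above, as an added example that is not the project's own code. It uses `encoding/json` rather than the TOML decoder so that it runs with the standard library alone; the struct name, field set and error texts are assumptions made for this example, and the same custom-unmarshal shape applies to a TOML `UnmarshalTOML` method.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// FilesystemCustomization is a hypothetical stand-in for a blueprint
// filesystem customization: a mountpoint plus a minimum size in bytes.
type FilesystemCustomization struct {
	Mountpoint string `json:"mountpoint"`
	MinSize    uint64 `json:"minsize"`
}

// UnmarshalJSON accepts the new "minsize" key as well as the legacy "size"
// key. At least one must be present; if both are present they must agree.
func (fsc *FilesystemCustomization) UnmarshalJSON(data []byte) error {
	var raw struct {
		Mountpoint string  `json:"mountpoint"`
		MinSize    *uint64 `json:"minsize"`
		Size       *uint64 `json:"size"`
	}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	if raw.Mountpoint == "" {
		return errors.New("filesystem customization: mountpoint is required")
	}
	switch {
	case raw.MinSize == nil && raw.Size == nil:
		return fmt.Errorf("filesystem customization for %q: either minsize or size must be set", raw.Mountpoint)
	case raw.MinSize != nil && raw.Size != nil && *raw.MinSize != *raw.Size:
		return fmt.Errorf("filesystem customization for %q: minsize (%d) and size (%d) disagree",
			raw.Mountpoint, *raw.MinSize, *raw.Size)
	}
	fsc.Mountpoint = raw.Mountpoint
	if raw.MinSize != nil {
		fsc.MinSize = *raw.MinSize
	} else {
		fsc.MinSize = *raw.Size // legacy key only
	}
	return nil
}

// ParseFilesystems decodes a list of customizations and fails on the first
// invalid entry, so bad input is rejected before any image build starts.
func ParseFilesystems(data []byte) ([]FilesystemCustomization, error) {
	var out []FilesystemCustomization
	if err := json.Unmarshal(data, &out); err != nil {
		return nil, err
	}
	return out, nil
}

func main() {
	// Constructed sample input: one entry per key spelling, plus a conflict.
	for _, in := range []string{
		`[{"mountpoint":"/var","minsize":1024},{"mountpoint":"/home","size":2048}]`,
		`[{"mountpoint":"/var","minsize":1024,"size":4096}]`,
	} {
		fs, err := ParseFilesystems([]byte(in))
		fmt.Printf("%+v err=%v\n", fs, err)
	}
}
```

Because the temporary `raw` struct uses pointer fields, "key absent" and "key set to 0" stay distinguishable, which is what makes the "either or both" rule enforceable.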
These functions are leftover from the `osbuild/images` split and are not
used by any code in osbuild composer. Instead, the version in
`osbuild/images` is used by distro definitions.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This function is no longer used by any code. Instead, its copy in the
`osbuild/images` repository is used by distro definitions to validate
the customization.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This copy of the package in osbuild-composer is no longer used by any
code. Instead, the copy which is in the `osbuild/images` repository (and
module) is the implementation used by distro definitions.
Delete this code to reduce potential confusion and code duplication.
Also delete code in `internal/blueprint` package, which uses the
pathpolicy package. This code is no longer used, but instead the version
from `osbuild/images` is being used.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Previously, nil values in the conversion source were in some cases converted
to empty arrays or empty objects. This is undesirable, because it can in
certain cases change the semantics of the blueprint. See e.g.
f317064da5/pkg/distro/rhel7/imagetype.go (L239C7-L239C7)
This commit modifies the conversion process so nil values are converted
without any changes. Also, the `Convert` function was covered with a unit
test.
UBI and the oldest supported Fedora (37) now all have go 1.19, so we are
cleared to switch.
gofmt now reformats comments in certain cases, so that explains the formatting
changes in this commit.
See https://go.dev/doc/go1.19#go-doc
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Remove all the internal packages that are now in the
github.com/osbuild/images package and vendor it.
A new function in internal/blueprint/ converts from an osbuild-composer
blueprint to an images blueprint. This is necessary for keeping the
blueprint implementation in both packages. In the future, the images
package will change the blueprint (and most likely rename it) and it
will only be part of the osbuild-composer internals and interface. The
Convert() function will be responsible for converting the blueprint into
the new configuration object.
Validate custom repository filenames in order to
avoid unexpected `5xx` errors when building an image.
Before this the filename was only validated at the
yum repo stage, which was causing unexpected errors.
Create some utility functions that will be used for implementing
custom repo configuration files. This commit adds these functions:
- a helper to get the filename of a custom repo, or the
`<repo-id>.repo` if the filename is empty
- a function to convert the custom repos to a map of `RepoConfig`.
This function also creates an `fsnode.File` for each inline gpg
key set in the customizations and swaps the inline key for the
file path. The function returns the map of `RepoConfig` and a list
of `fsnode.File` containing the inline gpg keys.
Convert some of the fields in the `RepoConfig` struct
to pointers. Since `RepoConfig` will be used to convert
custom repositories to an array of `osbuild.YumRepository`,
we need to ensure that fields that are not set explicitly
are not saved to the `/etc/yum.repos.d` repository files.
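The three commit messages above (filename validation, the `<repo-id>.repo` default with inline GPG keys swapped for files, and pointer fields so unset options are omitted) together describe one conversion path. The following is an added example of that path written for this page; it is not osbuild-composer's code. The struct names and fields, the key directory `/etc/pki/rpm-gpg/`, the `file://` reference form and the filename rule (a single path component ending in `.repo`) are all assumptions, since the messages do not spell them out.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RepositoryCustomization is a hypothetical blueprint-side custom repo.
type RepositoryCustomization struct {
	Id       string
	Name     string
	BaseURLs []string
	GPGKeys  []string // inline armored keys or URLs
	GPGCheck *bool
	Enabled  *bool
	Filename string
}

// RepoConfig uses pointers for optional booleans so that an unset option is
// left out of the generated .repo file instead of being written as "0".
type RepoConfig struct {
	Id       string
	Name     string
	BaseURLs []string
	GPGKeys  []string
	GPGCheck *bool
	Enabled  *bool
}

// File stands in for fsnode.File: an absolute path and its content.
type File struct {
	Path string
	Data []byte
}

// Assumed rule: one path component, ending in ".repo", no separators.
var validRepoFilename = regexp.MustCompile(`^[A-Za-z0-9_.-]+\.repo$`)

// RepoFilename returns the explicit filename or "<repo-id>.repo" and rejects
// anything that could escape /etc/yum.repos.d or be mis-parsed by the stage.
func RepoFilename(r RepositoryCustomization) (string, error) {
	name := r.Filename
	if name == "" {
		name = r.Id + ".repo"
	}
	if !validRepoFilename.MatchString(name) || strings.Contains(name, "..") {
		return "", fmt.Errorf("repository %q: invalid filename %q", r.Id, name)
	}
	return name, nil
}

func isInlineGPGKey(k string) bool {
	return strings.HasPrefix(strings.TrimSpace(k), "-----BEGIN PGP PUBLIC KEY BLOCK-----")
}

// ConvertCustomRepos groups repos by target filename and turns every inline
// GPG key into a File under the assumed key directory, referencing it from
// the repo config by file:// URL.
func ConvertCustomRepos(repos []RepositoryCustomization) (map[string][]RepoConfig, []File, error) {
	configs := map[string][]RepoConfig{}
	var keyFiles []File
	seen := map[string]bool{}
	for _, r := range repos {
		if r.Id == "" || seen[r.Id] {
			return nil, nil, fmt.Errorf("repository id %q is empty or duplicated", r.Id)
		}
		seen[r.Id] = true
		fname, err := RepoFilename(r)
		if err != nil {
			return nil, nil, err
		}
		cfg := RepoConfig{Id: r.Id, Name: r.Name, BaseURLs: r.BaseURLs, GPGCheck: r.GPGCheck, Enabled: r.Enabled}
		for i, key := range r.GPGKeys {
			if !isInlineGPGKey(key) {
				cfg.GPGKeys = append(cfg.GPGKeys, key) // URL: keep as-is
				continue
			}
			keyPath := fmt.Sprintf("/etc/pki/rpm-gpg/RPM-GPG-KEY-%s-%d", r.Id, i) // assumed location
			keyFiles = append(keyFiles, File{Path: keyPath, Data: []byte(key)})
			cfg.GPGKeys = append(cfg.GPGKeys, "file://"+keyPath)
		}
		configs[fname] = append(configs[fname], cfg)
	}
	return configs, keyFiles, nil
}

// Render writes one ini section; boolean options appear only when set.
func (c RepoConfig) Render() string {
	var b strings.Builder
	fmt.Fprintf(&b, "[%s]\n", c.Id)
	if c.Name != "" {
		fmt.Fprintf(&b, "name=%s\n", c.Name)
	}
	if len(c.BaseURLs) > 0 {
		fmt.Fprintf(&b, "baseurl=%s\n", strings.Join(c.BaseURLs, " "))
	}
	if len(c.GPGKeys) > 0 {
		fmt.Fprintf(&b, "gpgkey=%s\n", strings.Join(c.GPGKeys, " "))
	}
	if c.GPGCheck != nil {
		fmt.Fprintf(&b, "gpgcheck=%d\n", boolToInt(*c.GPGCheck))
	}
	if c.Enabled != nil {
		fmt.Fprintf(&b, "enabled=%d\n", boolToInt(*c.Enabled))
	}
	return b.String()
}

func boolToInt(v bool) int {
	if v {
		return 1
	}
	return 0
}
```

Rendering `gpgcheck` only when the pointer is non-nil is the point of the pointer conversion: a plain `bool` would silently write `gpgcheck=0` for every repo whose blueprint never mentioned the option.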
We had this weird condition in code that prevented composer from creating groups
with the same name as a user has. This unfortunately means that you are not
able to create a user with a primary group with a certain GID that has the
same name as the user. There's the gid field in the user customization,
but it requires that the group already exists.
In order to allow that, we need to remove the condition. From now on, it's
possible to create groups with the same name as a user has, which can be used
to create primary groups with a custom gid.
Note that the lorax compatibility behaviour was actually wrong. When lorax was
given a custom gid for a user, it didn't require the gid to exist. When it
didn't, the group was just created. Thus, we still don't have full backward
compatibility, but at least we now have support for this.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Add helper functions for checking directory and file blueprint
customizations against the policy of allowed paths.
These functions are not yet used in the distro definitions.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Add a helper function for validating the user-provided directory and
file customizations. This is necessary to fail early on invalid input,
instead of when building the image.
The function ensures that:
- No file path is a prefix of another file or directory path
- There are no duplicate file or directory paths in the
customizations
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
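The two rules listed in the commit message above (no file path may be a prefix of another file or directory path; no duplicates across both lists), as an added example that is not the project's own code. It takes plain path slices rather than the `blueprint` structs, and additionally rejects relative and non-canonical paths; that extra rule is this example's own assumption.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ValidateFSNodePaths checks user-provided file and directory paths from
// blueprint customizations. It fails on:
//   - a path that is not absolute or not in canonical form ("/a//b", "/a/../b", "/a/")
//   - the same path appearing twice across files and directories
//   - a file path that is the parent of another file or directory path
// Directories may nest inside other directories; only files are leaves.
func ValidateFSNodePaths(files, dirs []string) error {
	seen := map[string]struct{}{}
	check := func(kind string, paths []string) error {
		for _, p := range paths {
			if !path.IsAbs(p) || path.Clean(p) != p {
				return fmt.Errorf("%s path %q must be absolute and canonical", kind, p)
			}
			if _, dup := seen[p]; dup {
				return fmt.Errorf("duplicate path %q in customizations", p)
			}
			seen[p] = struct{}{}
		}
		return nil
	}
	if err := check("file", files); err != nil {
		return err
	}
	if err := check("directory", dirs); err != nil {
		return err
	}

	all := append(append([]string{}, files...), dirs...)
	for _, f := range files {
		if f == "/" {
			return fmt.Errorf("file path %q is the root directory", f)
		}
		prefix := f + "/" // "/etc/app/" so that "/etc/application" is not a false match
		for _, other := range all {
			if other != f && strings.HasPrefix(other, prefix) {
				return fmt.Errorf("file path %q is a prefix of %q", f, other)
			}
		}
	}
	return nil
}

func main() {
	// Constructed inputs: one valid set, then one that nests a path under a file.
	fmt.Println(ValidateFSNodePaths(
		[]string{"/etc/app.conf", "/etc/app.d/10.conf"},
		[]string{"/etc/app.d", "/var/lib/app"}))
	fmt.Println(ValidateFSNodePaths(
		[]string{"/etc/app"},
		[]string{"/etc/app/sub"}))
}
```

Comparing against `path.Clean` before doing any prefix matching matters: without it, `/etc/app/` and `/etc/app` would be treated as distinct paths, and `/etc/../etc/app` would bypass a prefix check written against `/etc/app`.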
Add helper functions for converting slices of directory and file
customizations structures from the `blueprint` package to a slice of
structures from the `fsnode` package, which are used in image type
definitions.
These will be used to convert BP customizations to the os pipeline
customization then used by the pipeline generator.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Extend the Blueprint customizations with the representation for custom
Directories and Files specified by the user.
Implement custom Unmarshalers for TOML and JSON. These ensure that all
user-provided values are validated before use and also handle the fact
that user and group ownership for directories and files can be
specified as a string or as an integer.
Implement helper functions for converting the Blueprint-specific types
for these customizations to their internal representation from `fsnode`
package.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Move the `CheckMountpoints()` implementation to `blueprint` package,
since it does not operate on any data structures from the `disk`.
Move the default mountpoint allow list policy definition to the
`pathpolicy` package.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Move the `FilesystemCustomization` structure and its custom
unmarshallers to a dedicated file. This makes `customizations.go` easier
to read.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Unify how allowed options are checked in distro implementations in
relation to Ignition customization. Specifically, delete `HasIgnition()`
function and replace its use by `GetIgnition()` call and checking if it is
`nil`. This approach is consistent with how this is checked for other
customizations.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This allows a user to configure the system via `edge-simplified-installer`
using an ignition configuration specified in the blueprint.
This ignition config can be embedded in the ISO as a Base64
encoded file (ignition.embedded.data) or as a file
containing the URL where the ignition config file is served
(ignition.embedded.url).
The user can also instead specify a URL serving an ignition
config file that will be passed as a karg and be fetched at first
boot (ignition.firstboot.url).
Signed-off-by: Irene Diez <idiez@redhat.com>
Updates firewall stage customizations to allow zones
as per the changes made on osbuild/osbuild#1157
Relevant tests and pipelines for rhel8+9 updated.
Signed-off-by: Irene Diez <idiez@redhat.com>
Adding support for container embedding.
The containers need to be specified in the image function (imageFunc)
arguments and when specified, propagate down to the OS pipeline
generator to add the necessary stages.
Support is added for RHEL 9.x and Fedora.
Requires a temporary container spec array with the info from the
blueprint for the first initialization of the manifest that's needed
when collecting required packages.
This should be simplified in the future.
- build simplified installer iso without mentioning FDO section.
- change done for rhel8 and rhel9
- add test case for this use case in test/case/ostree-simplified-installer.shovisioning
- fixed review comments
Signed-off-by: Sarita Mahajan <sarmahaj@redhat.com>
With an empty or missing version number the commit message would not
include the version (which is set to 0.0.0 by calling Initialize). This
adds a call to Initialize() in the API code before constructing the
commit message. It also moves the check for non-empty blueprint name
into the Initialize call where it belongs.
See https://github.com/BurntSushi/toml/issues/360
A recent change in BurntSushi/toml made encoding fail (later changed to
error) if a struct is marked as omitempty and is comparable. Go docs about
equality: https://go.dev/doc/go1#equality. Basically: A struct is comparable
if all of its fields are comparable. Slices are not comparable.
Customizations are marked as omitempty but they contain a lot of slices,
thus they are not comparable. The new version of BurntSushi/toml therefore
panics when we encode them.
The solution is to remove the omitempty tag from Customizations.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Add a new `containers` section that can be used to request the
embedding of containers into images. The only requirement is
the source property to specify where to fetch the container from.
This supports specifying the digest of the container or the tag.
In case none is given it defaults to the `latest` tag. The `Name`
field can be used to optionally specify a name to use inside the
image.
NB: currently no tools or apis support container resolution yet.
This follows in the next commits.
If the password is set to "" it will get hashed, allowing access to the
account in some circumstances. Console and ssh login don't appear to
work in practice, but su to the account from another user account is
possible.
This sets the empty password to nil which makes sure that it ends up as
a locked account.
This commit changes blueprint behavior to always store the hash of the
password for the 'customizations.user' accounts. Note that missing or
blank passwords are not hashed and should be dealt with at a lower
layer.
Resolves: rhbz#2107358
Add a new extended helper `GetPackagesEx` that includes a flag
to specify if the target is bootable or not and only include
the kernel package in case it is set to true. Delegate to this
new helper from the existing `GetPackages`.
If a home directory has a trailing slash, the `useradd` command fails to
set the correct selinux contexts for the home directory on creation.
This can lead to various issues, but the one that we came across was
that the ~/.ssh directory and authorized_keys file cannot be read by
sshd and we couldn't log in to the system.
This only manifests if the user is created through the kickstart file
because:
1. `useradd` does not set the selinux contexts when creating the
directory
2. Anaconda runs `restorecon` on the home directory and authorized_keys
file when it creates them, but uses the install-time mount path
`/mnt/sysroot/...` for which selinux does not have contexts.
In most cases we get around this bug because we run `setfiles` on the
tree at the end of our pipelines.
For the ostree case, the relabeling in Anaconda is done correctly.