From f982b1f61af012dfdf7addf78c363f8d293638de Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Tue, 11 Jul 2023 11:25:17 +0200
Subject: [PATCH] Add org.osbuild.ostree.post-copy stage

If fs-verity is configured in ostree then ostree will (try to) enable fs-verity on various repo files. However, in osbuild this will happen in a separate pipeline, and these files will later be copied to the final location on the physical filesystem, and any fs-verity status then is lost. To support fs-verity we need to run this stage after copying the image to the filesystem. It uses the ostree "admin post-copy" operation. which it will re-enable fs-verity as needed.
---
 stages/org.osbuild.ostree.post-copy | 60 +++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100755 stages/org.osbuild.ostree.post-copy

diff --git a/stages/org.osbuild.ostree.post-copy b/stages/org.osbuild.ostree.post-copy
new file mode 100755
index 00000000..269f807e
--- /dev/null
+++ b/stages/org.osbuild.ostree.post-copy
@@ -0,0 +1,60 @@
+#!/usr/bin/python3
+"""Apply post-copy updates to an ostree repo/deployment
+
+The way osbuild works the ostree deployment is built in a chroot and
+stored as a regular directory of files before finally being copied to
+the physical filesystem. This means that for example, ostree fs-verity
+support doesn't work, as the fs-verity setting of files is not copied.
+
+To support fs-verity in generated images you have to run this stage
+after copying the final ostree tree onto the target filesystem.
+
+Notes:
+  - Ensure the target filesystem supports fs-verity. See e.g. the
+    `verity` option in org.osbuild.mkfs.ext4.
+  - Requires ostree version 2023.8 or later in the buildroot.
+"""
+
+import os
+import sys
+
+import osbuild.api
+from osbuild.util import ostree
+
+SCHEMA_2 = r"""
+"options": {
+  "additionalProperties": false,
+  "properties": {
+    "sysroot": {
+      "type": "string",
+      "description": "Custom sysroot path",
+      "pattern": "^\\/(?!\\.\\.)((?!\\/\\.\\.\\/).)+$"
+    }
+  }
+},
+"devices": {
+  "type": "object",
+  "additionalProperties": true
+},
+"mounts": {
+  "type": "array"
+}
+"""
+
+
+def main(paths, options):
+    custom_sysroot = options.get("sysroot")
+    root = paths["mounts"]
+
+    sysroot = root
+    if custom_sysroot:
+        sysroot = os.path.join(root, custom_sysroot.lstrip("/"))
+
+    ostree.cli("admin", "post-copy", sysroot=sysroot)
+
+
+if __name__ == '__main__':
+    stage_args = osbuild.api.arguments()
+    r = main(stage_args["paths"],
+             stage_args["options"])
+    sys.exit(r)
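Review bot: The `sysroot` schema pattern together with `os.path.join(root, custom_sysroot.lstrip("/"))` in `main` does not actually confine the path to the mount tree: the negative lookahead only rejects `/../` with a trailing slash, so a value such as `/./..` passes the pattern and the resulting `root/./..` resolves to the parent of `paths["mounts"]`, handing `ostree admin post-copy` a sysroot outside the image. Since the whole point of this stage is to (re)enable fs-verity on the deployed tree, I would enforce containment in code rather than rely on the regex, resolving both paths and checking the common prefix before the `ostree.cli` call. Separately, `main` returns `None`, so `sys.exit(r)` always exits 0; that is only acceptable if `ostree.cli` raises on a non-zero exit status, which this hunk does not show, and is worth confirming because a post-copy that fails to enable verity would otherwise be reported as success.
```python
    sysroot = root
    if custom_sysroot:
        sysroot = os.path.join(root, custom_sysroot.lstrip("/"))
        # The schema pattern lets e.g. "/./.." through; refuse anything that
        # resolves outside the mount tree.
        real_root = os.path.realpath(root)
        if os.path.commonpath([real_root, os.path.realpath(sysroot)]) != real_root:
            raise ValueError(f"sysroot {custom_sysroot!r} escapes the mount tree")

    ostree.cli("admin", "post-copy", sysroot=sysroot)
```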