Different toml libraries write arrays differently, so we can't know
exactly what the file contents will look like. Some will write an array
in a single line (toml) while others will break it into one element per
line (tomli_w). Parse the file that's written by the stage so we can
compare the objects instead of the text contents directly.
Recently [1], the update-crypto-policies script added a check to verify
that the FIPS policy was automounted by reading the
/proc/self/mountinfo. The script will fail if the proc filesystem isn't
available.
Use the new Chroot context to set up the environment for the command.
[1] 04ceadccfc
New chroot utility module that sets up a tree with the necessary virtual
filesystems needed for running commands in the root tree in a similar
environment as they would run in the build root.
This is needed for some stages, but may also be used for all chroot
calls to unify the setup and teardown of the root environment.
The Chroot context class was previously part of the org.osbuild.dracut
stage, which was the first stage to need this setup.
dracut expects the environment in which it is run to have properly
mounted /proc, /dev and /sys. Otherwise, some of its modules don't work
properly. E.g. dracut fails to embed the CA cert bundle into the initram
disk, which means that HTTPS won't work in it. dracut also prints a lot
of errors and warnings about this, but we used to ignore them until now.
The buildroot environment in which the stage runs is OK, but we actually
run dracut using 'chroot', which is the core of the problem. The runtime
environment in such a case lacks the necessary mounts.
Add a context manager for setting up and cleaning up all the necessary
mounts in the image FS tree when running dracut.
This change is related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1962975
And the implementation has been inspired by the fix in lorax:
https://github.com/weldr/lorax/pull/1151
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
There was a small mistake in the schema since either one of
`new_profile` or `tailored_profile_id` is required. This commit fixes
this and updates the tests to check for this case.
According to `autotailor(8)` arguments passed in via the cli take
precedence over the JSON tailoring file contents.
Make the `new_profile` a required field for the json tailoring too and
pass it as an option to the `autotailor` command. This approach has some
trade-offs. It allows us to maintain the explicitness of the manifest
that is consumed by `osbuild`. The downside is that it will override the
profile id that is set by the user in the JSON tailoring file.
Rename the `new_profile` option to `tailoring_profile_id` for clarity.
This also ensures that the change is backwards compatible by falling
back to the `new_profile` option if that was set instead of the
`tailoring_profile_id` option.
This is a small adjustment to how the `osbuild.util.mnt.mount` function
is imported. While adding unit tests, the tests failed when trying to
patch the function; this commit fixes the issue.
With the `oscap-utils-1.3.10` release, the `autotailor` command now
supports importing a JSON tailoring file[1] that is then converted to the
XML tailoring file which is consumed by the `oscap` command in the
remediation stage.
[1] https://github.com/ComplianceAsCode/schemas/blob/main/tailoring/schema.json
Add the force_password_reset field to the users option in the
org.osbuild.users stage. This option forces the user to change their
password on first login.
Based on the filename, different sections of the unit configuration are
valid. Service (.service) units require a [Service] section and mount
(.mount) units require a [Mount] section.
It might be possible to validate this in the schema but it would
probably require a major rewrite and could get complicated. For now,
validate it in the stage code itself.
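The filename-based section check described in this commit, as an added example that is not osbuild's own stage code: it parses a unit file with Python's `configparser` (an assumption; the stage may parse differently), requires the section matching the unit suffix, and rejects a section that belongs to the other unit type. The sample units are constructed for the example.

```python
import configparser
import os

# Section each supported unit type must carry; these are the two cases
# described in the commit. Any other suffix is rejected (assumption).
REQUIRED_SECTION = {".service": "Service", ".mount": "Mount"}


def validate_unit(filename, unit_text):
    """Return a list of problems for the unit `filename` whose body is
    `unit_text`; an empty list means the unit passed the check."""
    suffix = os.path.splitext(filename)[1]
    required = REQUIRED_SECTION.get(suffix)
    if required is None:
        return [f"{filename}: unsupported unit type '{suffix}'"]

    # systemd keys are case sensitive and values may contain '%', so keep
    # option names unchanged and disable interpolation; strict=False lets
    # repeated keys (common in unit files) through instead of raising.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str
    try:
        parser.read_string(unit_text)
    except configparser.Error as err:
        return [f"{filename}: unparsable unit file: {err}"]

    problems = []
    if not parser.has_section(required):
        problems.append(f"{filename}: missing required [{required}] section")
    # A section that belongs to a different unit type is invalid here too.
    for other in REQUIRED_SECTION.values():
        if other != required and parser.has_section(other):
            problems.append(f"{filename}: [{other}] is not valid in a {suffix} unit")
    return problems


# Constructed sample units for demonstration (not from the project).
GOOD_SERVICE = "[Unit]\nDescription=demo\n\n[Service]\nExecStart=/bin/true\n"
GOOD_MOUNT = "[Unit]\nDescription=root\n\n[Mount]\nWhat=/dev/sda1\nWhere=/\n"
BAD_MOUNT = "[Unit]\nDescription=demo\n\n[Service]\nExecStart=/bin/true\n"
```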
With PR#1727 merged there is no need to test for individual stages
if they support the bootc style mounting in their schema. All
stages now support devices/mounts. So let's remove this
redundant code.
Units can start with a -, for example, -.mount. Trying to enable,
disable, or mask a service like that fails with
systemctl: invalid option -- '.'
Hint: to specify units starting with a dash, use "--":
systemctl [OPTIONS...] COMMAND -- -.mount ...
Adding -- to all 'systemctl' calls lets us specify unit files that start
with -.
Previously, the SELinux stage would not force a full context reset when
forcing auto-relabel on first boot. As a result, all files remained
`unconfined_u` after the auto-relabeling on first boot and only the type
part was reset.
We really need to mimic the behavior of `fixfiles -F onboot` command,
which creates the `/.autorelabel` file with "-F" in it.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This commit allows us to append kernel commandline options via
the kickstart file. This is useful for e.g. the bootc installer
where we support customizing this via blueprints.
Verifying the systemd unit also checks if any referred systemd units
(Wants, Requires, After) exist and if all commands in Exec exist and are
executable. Without '--root', the systemd-analyze verify command is
testing this against files in the build root, which isn't valid.
Units and binaries might not exist in the build root when referenced in
the image root tree, making the unit fail when it's valid.
Conversely, the verification can succeed by finding executables in the
build root that don't exist in the image root tree when it should be
failing.
When verifying user units, systemd expects runtime directories.
All of this makes it quite difficult to verify systemd units properly
when building an image. The call is useful for making sure the unit is
structured properly, but the user unit verification setup is difficult
to accomplish in a general way while building.
Remove the systemd-analyze verify step from the stage. Move it to the
unit test so that we have some assurance that our unit file structure is
correct and things work as expected. Create referenced unit files and
commands to make the unit valid.
Add test values for Wants, Requires, and After.
Adding multiple values to test that arrays work and making sure they're
all different.
The units need to be valid, real unit names otherwise the
'systemd-analyze verify' check will fail.
We currently do not set the `--target-imgref` and do not allow
overriding it. This means that on a fresh deploy it is set to an
incorrect value. This commit allows setting it via the
org.osbuild.bootc.install-to-filesystem stage.