Add the force_password_reset field to the users option in the
org.osbuild.users stage. This option forces the user to change their
password on first login.
Based on the filename, different sections of the unit configuration are
valid. Service (.service) units require a [Service] section and mount
(.mount) units requires a [Mount] section.
It might be possible to validate this in the schema but it would
probably require a major rewrite and could get complicated. For now,
validate it in the stage code itself.
With PR#1727 merged there is no need to test for individual stages
if they support the bootc style mounting in their schema. All
stages now support devices/mounts now. So let's remove this
redundant code.
Units can start with a -, for example, -.mount. Trying to enable,
disable, or mask a service like that fails with
systemctl: invalid option -- '.'
Hint: to specify units starting with a dash, use "--":
systemctl [OPTIONS...] COMMAND -- -.mount ...
Adding -- to all 'systemctl' calls lets us specify unit files that start
with -.
Previously, the SELinux stage would not force full contexts reset when
forcing auto-relabel on first boot. As a result, all files remained
`unconfined_u` after the auto-relabeling on first boot and only the type
part was reset.
We really need to mimic the behavior of `fixfiles -F onboot` command,
which creates the `/.autorelabel` file with "-F" in it.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This commit allows use to append kernel commandline options via
the kickstart file. This is useful for e.g. the bootc installer
where we support customizing this via blueprints.
Verifying the systemd unit also checks if any referred systemd units
(Wants, Requires, After) exist and if all commands in Exec exist and are
executable. Without '--root', the systemd-analyze verify command is
testing this against files in the build root, which isn't valid.
Units and binaries might not exist in the build root when referenced in
the image root tree, making the unit fail when when it's valid.
Conversely, the verification can succeed by finding executables in the
build root that don't exist in the image root tree when it should be
failing.
When verifying user units, systemd expects runtime directories.
All of this makes it quite difficult to verify systemd units properly
when building an image. The call is useful for making sure the unit is
structured properly, but the user unit verification setup is difficult
to accomplish in a general way while building.
Remove the systemd-analyze verify step from the stage. Move it to the
unit test so that we have some assurance that our unit file structure is
correct and things work as expected. Create referenced unit files and
commands to make the unit valid.
Add test values for Wants, Requires, and After.
Adding multiple values to test that arrays work and made sure they're
all different.
The units need to be valid, real unit names otherwise the
'systemd-analyze verify' check will fail.
We currently do not set the `--target-imgref` and do not allow to
override it. This means that on a fresh deploy it is set to an
incorrect value. This commit allows to set it via the
org.osbuild.bootc.install-to-filesystem stage.
This allows to combine `org.osbuild.mkdir` with the `osbuild.deployment`
mount and with the upcoming `org.osbuild.bind` mount. The use case is
that we need to create the dir `/var/home` so that `useradd` from inside
a ostree root works (there /home is a symlink and useradd will not
follow the symlink and create a dir in the target by itself).
This allows to write:
```json
{
"type": "org.osbuild.mkdir",
"options": {
"paths": [
{
"path": "/var/home"
}
]
},
"devices": {
"disk": {
"type": "org.osbuild.loopback",
"options": {
"filename": "disk.raw",
"partscan": true
}
}
},
"mounts": [
{
"name": "part4",
"type": "org.osbuild.ext4",
"source": "disk",
"target": "/",
"partition": 4
},
{
"name": "part3",
"type": "org.osbuild.ext4",
"source": "disk",
"target": "/boot",
"partition": 3
},
{
"name": "part2",
"type": "org.osbuild.fat",
"source": "disk",
"target": "/boot/efi",
"partition": 2
},
{
"name": "ostree.deployment",
"type": "org.osbuild.ostree.deployment",
"options": {
"source": "mount",
"deployment": {
"default": true
}
}
},
{
"name": "bind",
"type": "org.osbuild.bind",
"target": "tree://",
"options": {
"source": "mount://"
}
}
]
},
```
to fix this.
When moving to `bootc install to-filesystem` we will need support
for mounting the deployed disk and writing to the deployment root
this requires that we teach the users and selinux stages to
have them available. This is a first step towards this.
It also adds tests to ensure the options can be passed.
This is a preparation to allow adding mounts/devices to the users
stage so that we can eventually support bootc install to-filesystem.
It also adds some smoke tests for the schema to ensure it's still
valid.
In CoreOS Assembler, some hyperv artifact we `zip` for compression. This
new stage is modeled after the `org.osbuild.tar` stage with necessary
modifications.
Update the org.osbuild.systemd.unit stage to also support multiple
Environment options where each is an object with {key: value}. Enable
the allow_no_value option in configparser so we can add the multiple
entries.
Support the Environment and EnvironmentFile options in the Service
section of the unit file.
The Environment option is set as an object with keys "key" and "value"
and the key is validated with a pattern.
Updated the stage to special-case the Environment option.
By default "bootc" will refuse to work on a non-selinux system if
the bootc container requires selinux. This is a sensible approach
in general but for us it's tricky because we want to be able to
generate images when running on developer machines or CI machines
that may not necessarily have selinux. So make bootc more relaxed.
- Move functions to the 'util' to centralize common
functionality, reducing code duplication and improving
maintainability across the codebase.
Signed-off-by: Renata Ravanelli <rravanel@redhat.com>
This is needed because on a mounted `bootc` container `setfiles`
without excluding `/sysroot` will create many warnings like:
```
setfiles: conflicting specifications for /run/osbuild/tree/sysroot/ostree/repo/objects/00/0ef9ada2ee87792e8ba21afd65aa00d79a1253018832652b8694862fb80e84.file and /run/osbuild/tree/usr/lib/firmware/cirrus/cs35l41-dsp1-spk-prot-103c8b8f-r1.bin.xz, using system_u:object_r:lib_t:s0.
```
but simply excluding this dir fixes them.
