As of today the functionality is broken if somebody passes more than one
karg as the join would simply unify the strings but
ignition_network_kcmdline is unquoted and results in just the very first
karg to be consumed by the set command.
Signed-off-by: Antonio Murdaca <antoniomurdaca@gmail.com>
Extend the copy stage to optionally allow removing the destination
before copying. This allows one to not follow symlinks if the
destination is a symlink to a file. By default, `cp` would change
the file pointed to by the destination if it is symlink.
Extend the stage doc text to cover the behavior with regard to
destination being a symlink.
Add unit tests for the copy stage to also test the newly added option.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Add a top level property "files" to the schema and move the rest of the
existing schema one level down. This way we can support adding global
properties in the future if we ever need to expand the scope of the
stage.
Pattern for valid environment variable names as defined in
The Open Group Base Specifications Issue 7, 2018 edition
IEEE Std 1003.1-2017 (Revision of IEEE Std 1003.1-2008)
https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html
Updated tests to match UPPERCASE ONLY var names.
Add a new `org.osbuild.chown` stage for setting user and group ownershop
of files. The stage runs the `chown` from the image using `chroot` to
enable it to use users and groups that exist only in the (image) tree.
Add unit test testing the stage in various scenarios.
Co-authored-by: Janine Olear <pninak@web.de>
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Explicitly mention the stage behavior with regard to setting mode on
newly created or existing directories.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This reverts commit a988aacf99.
After some discussion, the original behavior was intentional. With the
added support for gracefully handling the existence of directories, the
stage would originally not set the mode of an existing directory, while
now it will. Additional issue is that `mkdir` applies the provided mode
- umask, which was intentional. Setting the same mode without taking
umask value into account is not desired.
Add a new optional stage option to not fail if the specified directory
already exists. This will make it easier to support creation of custom
repositories via customizations in osbuild-composer. The reason is that
if a specified directory exists in an image, because it was created by
an RPM, then creating it would fail. However, the user may have
specified different mode for the directory, than it already has. Since
there is no way to know for sure if the directory already exists on the
image, without building the image itself, it is desired to handle this
case gracefully as valid in specific use cases.
The default behavior stays the same - specifying an existing directory
path will lead to an error.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Documentation for os.mkdir() says that the mode is
ignored on some systems. Also umask value may affect
the final mode. So we set the mode explicitly.
Set the mode explicitly.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Instead of creating the file in /usr/share and symlinking to /etc,
create it directly in /etc. This fixes an issue with SELinux labeling.
The file in /usr/share does not get labelled correctly because it
doesn't match the policy and causes issues with some tools (rhc).
See rhbz#2147450.
We want to add aboot to the list of possible bootloaders so we can
distinguish if we are using aboot or one of the other bootloaders.
Signed-off-by: Eric Curtin <ecurtin@redhat.com>
If a home directory is specified for an existing user that does
not have one, `usermod` does not create one. This case is now
detected and `mkhomedir_helper(8)` is run inside the chroot to
create the home dir. In Fedora this utility is provided by the
`pam` package so this is now installed in the corresponding
tests together with a new user that simulates the aforementioned
scenario.
Enahnce the stage description: drop an superflous line and add
a description for the home-dir scenario.
Accept a `uid` option for an existing user if it is the existing
one. This allows to have the same options for existing as well as
new users, which in turn allows for the same blueprint in Composer
for new and upgrade OSTree commits. In the latter we pre-fill the
password database from a previous commit, which is needed to make
sure that uids do not change. Since Composer can't know which of
the specified users in the blueprint are new ones or existing ones
it cannot easily omit the corresponding stage options. Thus the
stage options have to be the same for new and existing users.
In newer version of the container storage package the config file
moved from `/etc/containers` to `/usr/containers/`. The later is
not marked as config, so we don't want to change it.
The current containers code[1] will read _either_ a file in `usr`
or in `etc` depending on the existence of the latter. This we can
not just write the keys we want into a file in `/etc/containers`
without losing all other defaults set in the config file.
A new option `filebase` is therefore added, that when given will
be read and form the bases of the configuration data. Then data
from the target file (given via `filename`) will be merged into
and finally the actual configuration will be applied on top.
[1] 232bf398bd/types/options.go (L85)
If the existing config does not have a section that is being set
by the stage it currently would crash since we assume that it
exists. Default to an empty dict in that case.
add the ability to configure the grub timeout. Today it defealts to 1
minute and we can't configure it from osbuild-composer either (the
simplified-installer is mainly using this afaict and 1 min is just too
much).
Signed-off-by: Antonio Murdaca <antoniomurdaca@gmail.com>
This code was clearly influenced/copied from rpm-ostree,
since it's now duplicated let's cross-link to help ensure that
if someone wants to change this they hopefully consider changing
rpm-ostree too.
This stage allows to configure a systemd-journald
config drop-in file located in
`/usr/lib/systemd/journald.conf.d`.
Currently it supports the following options for
the 'Journal' section: Storage, Compress, SplitMode,
MaxFileSec, MaxRetentionSec, SyncIntervalSec, Audit.
Signed-off-by: Irene Diez <idiez@redhat.com>
From machine-id(5): machine ID is a single *newline-terminated*, hexadecimal,
32-character, lowercase ID.
This commit fixes that by adding a newline.
This broke us on Fedora 38:
This pull request added `set -e` to kernel-install:
https://github.com/systemd/systemd/pull/23881
This caused F38 pipeline failing because the script also runs
`read -r MACHINE_ID </etc/machine-id`. `read` returns 1 if the input doesn't
contain a newline, thus after the addition of `set -e`, the script started
crashing with our bad machine-id. This caused crashing of the whole image build
in the grub2 stage which requires kernel-install to work (because kernel-install
is responsible for putting vmlinuz into /boot).
Currently we're using `str(value)` on a boolean which yields `True` or
`False` - turns out ostree reads these values case sensitive and despite
setting `True|False`, it doesn't just work.
From jlebon on slack:
> the syntax is readonly=true . it's case sensitive
Fix the above and also just remove the loop as, while it's handy, we'll
have to differentiate between options' values anyway and it's just two
options we support today.
Signed-off-by: Antonio Murdaca <runcom@linux.com>
The `consider-using-f-string` suppression is new, thus old pylint will
complain about unknown directives. If we start ignoring unknown
directives for this reasons, we will no longer get warned about
misspelled directives. Hence, lets avoid this for now and just use an
f-string.
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
The explicit string-formatting is definitely easier to manage than an
f-string in the greenboot case. Make pylint suppress its recommendation.
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
This allows setting Entrypoint (as well as Cmd) in the oci image,
as per the spec:
https://github.com/opencontainers/image-spec/blob/main/config.md
Note: These two are not equivalent, the Cmd part is replaced by the
argument on the `docker run` commandline, whereas the entrypoint is
kept from the config, so it is important to expose both of these.
The script will update /etc/greenboot/greenboot.conf if user passes
the parameter in the config. Right now this only tweaks one config but
it will/can be expanded if other use cases come.
Signed-off-by: Antonio Murdaca <runcom@linux.com>
OSTree remotes can be configured with a contenturl that is separate from
the metadata url. When specified, the contenturl is used for content
and the url is used only for metadata.
Updated the description of the url property for clarity.
OSTree remotes can be configured to import keys from a file on disk or a
directory containing multiple keys.
When specified, explicitly enables gpg-verify=true.
An ostree system can be identified as such by the presence of a
marker file: /run/ostree-booted. The `rpm-ostree` tool also
creates this marker during the _installation_ of the system[1,2].
Recently, starting with F36, the authselect package has taken
has become mandatory[3] and is now owning the nsswitch config.
An rpm-ostree system, which has parts of the user database in
/usr, release on the nss-altfiles to read these databases. The
necessary entries are added during the post-processing, which
is called in our `org.osbuild.ostree.preptree` stage[4]. This
installation is skipped though if the nsswitch is the file is
a symlink, indicating that it is owned by some other package,
like authselect. So the F36 authselect change first broke rpm-
ostree[6]. The fix was to check for `/run/ostree-booted` in
the authselect scriptlet and special case this situation[7,8].
Now, our `org.osbuild.rpm` stage does not yet have the ability
to pretend it is a running ostree system and thus we did not
get the special treatment resulting in nss-altfiles not being
enabled in our ostree commits. Therefore the passwd database in
/usr was not read and a lot of daemons and programs without a
valid user, like e.g. `sshd`.
This change introduces a new option, `ostree_booted` that if
set, will create the `/run/ostree-booted` marker and thus our
installation phase will get the same treatments from packages
as rpm-ostree. Hopefully.
[1] 730bec87b1/rust/src/builtins/compose/mod.rs (L24)
[2] 6211d1452e/src/app/rpmostree-compose-builtin-tree.cxx (L501)
[3] https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory
[4] 7993c6f565/rust/src/composepost.rs (L635)
[5] d614caeca1/f/0010-spec-fix-detection-of-ostree-system.patch
[6] https://bugzilla.redhat.com/show_bug.cgi?id=2034360
[7] https://src.fedoraproject.org/rpms/authselect/c/d614caeca1a68f55542aefd0d76bda2691c85d24?branch=f36
[8] https://github.com/authselect/authselect/issues/48
Convert the code that sets up the bind mounts to /dev, /sys/ and
/proc from a bash script to python by using the new mount helper
that were moved from the `objectstore`.
