An ostree system can be identified as such by the presence of a
marker file: /run/ostree-booted. The `rpm-ostree` tool also
creates this marker during the _installation_ of the system[1,2].
Recently, starting with F36, the authselect package has taken
has become mandatory[3] and is now owning the nsswitch config.
An rpm-ostree system, which has parts of the user database in
/usr, release on the nss-altfiles to read these databases. The
necessary entries are added during the post-processing, which
is called in our `org.osbuild.ostree.preptree` stage[4]. This
installation is skipped though if the nsswitch is the file is
a symlink, indicating that it is owned by some other package,
like authselect. So the F36 authselect change first broke rpm-
ostree[6]. The fix was to check for `/run/ostree-booted` in
the authselect scriptlet and special case this situation[7,8].
Now, our `org.osbuild.rpm` stage does not yet have the ability
to pretend it is a running ostree system and thus we did not
get the special treatment resulting in nss-altfiles not being
enabled in our ostree commits. Therefore the passwd database in
/usr was not read and a lot of daemons and programs without a
valid user, like e.g. `sshd`.
This change introduces a new option, `ostree_booted` that if
set, will create the `/run/ostree-booted` marker and thus our
installation phase will get the same treatments from packages
as rpm-ostree. Hopefully.
[1] 730bec87b1/rust/src/builtins/compose/mod.rs (L24)
[2] 6211d1452e/src/app/rpmostree-compose-builtin-tree.cxx (L501)
[3] https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory
[4] 7993c6f565/rust/src/composepost.rs (L635)
[5] d614caeca1/f/0010-spec-fix-detection-of-ostree-system.patch
[6] https://bugzilla.redhat.com/show_bug.cgi?id=2034360
[7] https://src.fedoraproject.org/rpms/authselect/c/d614caeca1a68f55542aefd0d76bda2691c85d24?branch=f36
[8] https://github.com/authselect/authselect/issues/48
Convert the code that sets up the bind mounts to /dev, /sys/ and
/proc from a bash script to python by using the new mount helper
that were moved from the `objectstore`.
Our format for the global module doc-string is usually:
"""
<short summary>
<longer description>
"""
Introduce the short summary and also reformat the rest of the
doc string a bit.
This stage allows to manifests to define information to be put into a
built image. The information can then later be used by RHSM/Insights.
The facts are stored in `/usr/share/osbuild/rhsm.facts` and then
symlinked into `/etc/rhsm/facts/osbuild.facts`.
From IEEE Std 1003.1-2017:
3.437 User Name:
A string that is used to identify a user; see also User Database. To be
portable across systems conforming to POSIX.1-2017, the value is composed
of characters from the portable filename character set. The <hyphen-minus>
character should not be used as the first character of a portable user name.
3.282 Portable Filename Character Set
The set of characters from which portable filenames are constructed.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -
The last three characters are the <period>, <underscore>, and <hyphen-minus>
characters, respectively.
---
The regex checking the username in org.osbuild.users stage omitted the
<period> character before. This commit adds it and modifies the stage
test in order to cover this change.
Fixes: rhbz#2104464
New stage to create or modify `containers-storage.conf` config
files. The currently implement strategy is to merge the given
and existing configuration options.
Add a new stage to import public keys into the RPM database via the
`rpmkeys` command. This is similar as to what the `org.osbuild.rpm`
stage already does but it uses inputs instead of inline data.
This commit introduces a new vagrant stage and initially only supports
the libvirt backend. The vagrant stage takes a disk image as input
generates a Vagrantfile and metadata.json.
The option will force `mkfs.fat` to ignore existing partitions on
the target device. The check is done via the corresponding device
node in sysfs, i.e. the contents of the `partition` attribute in
`/sys/dev/block/<major>:<minor>`. In certain situations this info
can be stale. Passing `-I` will work-around these situations.
Currently we hard code the vpc options `subformat=fixed` and
`force_size`, which are needed to generate valid azure images
with newer versions of qemu. But for other use cases or other
versions of qemu these options might not be wanted or valid.
Expose all the options but with defaults corresponding to the
old behavior.
Add a unit test for the `force_size` option to check its
effect. Also add a check for the correct size to the existing,
default value (i.e. `force_size` being `true`).
Add a new stage to handle openscap first boot
remediation. The openscap-remediation.service
looks for a `/system-update` symlink which
points to an openscap config file. This stage
creates both the necessary configuration and
the `/system-update` symlink.
The `architecture` served two purposes: 1) the selection of the loader
and 2) the selection of the platform. Instead of inferring the latter
from `architecture`, it is now explicitly specified as a property of
the `bios` value, which in turn was transformed into an object.
The loader is still inferred but since `bios` is an object now there
is the option of adding an explicit `loader` option to it.
All this should make it more transparent what is happening and is
also more in line with the normal `grub2` stage.
Can be used to create partition tables via GPT laypout via `sgdisk(8)`.
The schema of `partitions` is intentionally kept identical to the one
in `org.osbuild.sfdisk`.
Add corresponding tests.
When merging user and group database from individual commits also merge
the corresponding /etc/sub{u,g}id database. These are created when the
users are added via `useradd` and thus also need to be imported with
the corresponding users.
Drop `CAP_MAC_ADMIN` from the default capabilities which is needed
to write and read(!) unknown SELinux labels. Adjust the stages
that need to read or write SELinux labels accordingly.
Drop CAP_{NET_ADMIN,SYS_PTRACE} from the default capabilities which
are only needed to run bwrap from inside a stage which is done by
the `ostree.commit` and `ostree.preptree` stages, so retain them
directly there.
mkfs.xfs already has `additionalProperties: true` for the devices
section, as this is necessary for example when creating lvm2 setups.
This should be possible for other filesystem types too.
When is specified change the GPT partition attribute bits. The attributes
is a comma list of bits numbers or bit names. You can take a look at the
manual page of sfdisk to see the supported attribute bits.
If instructed, the rpm stage checks all digests and signatures of a package
explicitly using `rpmkeys` tool. The default stage behavior is that no
package signatures are checked when installed by the stage (not even
explicitly).
For these reasons, the package signature checking is supposed to be
disabled when installing rpm packages. This was achieved by passing the
`--define "_pkgverify_level none"` option to rpm. However this option
specifies only requirements for a package to be installed and `none`
means that packages without any signature are accepted by rpm. If the
package signature is deemed BAD, the package installation fails even
though this option has been passed to rpm.
There are valid cases when even packages which signature marked as BAD
should be installed. It may happen, that the GPG key used to sign a
package uses an algorithm not allowed by the system crypto policy, e.g.
SHA1. If such GPG key is imported on the system and a package signed
using it is being installed, its installation would fail when the
package is read by rpm. This is because its signatures are by default
checked if they exist in the package.
The desired behavior to not check any package signatures when installing
a package is instead achieved by using `--nosignature` rpm option. It
turns off the whole signature checking mechanism.
Use the `--nosignature` rpm option instead of
`--define "_pkgverify_level none"`, when installing packages using rpm.
Fix https://github.com/osbuild/osbuild/issues/991
Instead of using `chcon`, directly call `selinux.setfilecon`.
On systems without SELinux support, i.e. coreutils was built
without `<selinux.h>` present, `chcon` will return `ENOTSUP`
for all calls to SElinux functions like `setfilecon` even if
the selinux libraries are later installed.
Therefore we directly call the new osbuild helper function,
which really is just a wrapper around setting extended file
attributes and thus will work even if SELinux support is not
compiled into coreutils.
The only other thing `chcon` is doing besides a cal to the
`setfilecon` method is to convert the context string to a
new `contex_t` and back to validate it. This should not be
needed since the kernel will do this for us. On system
without SELinux support `context_new` will also not validate
the context.
Add a new attribute `config.default` that when set will be written to
`GRUB_DEFAULT`. This should be set to `saved` when a `saved_entry` is
specified so that the functionality will be preserved if the grub cfg
gets regenerated (which is really should not, but we can not prohibit
it).
