Commit graph

760 commits

Author SHA1 Message Date
Tomáš Hozza
f1c43ae5bd util/sbom/spdx: rename {,s}bom_pkgset_to_spdx2_doc()
Rename the function for consistency reasons. The parent package is named
SBOM (originally BOM).

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-12-02 23:24:39 +01:00
Achilleas Koutsou
3bf6ca399f test: add new containers.unit.create options in test 2024-12-02 12:55:30 +01:00
Pierre-Yves Chibon
17fda9e318 Expand the options available in containers.unit.create
Add the option to specify the SELinux type label and file type label for
the process.
Add the option to specify a tmpfs mount to create into the container.

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2024-12-02 12:55:30 +01:00
Achilleas Koutsou
af7b7db66f test: update users stage unit tests
Update the unit tests to match new calls and options.
2024-11-26 23:35:04 +01:00
Achilleas Koutsou
97007b9e3d stages: run useradd, usermod, and passwd with --root
The useradd, usermod, and passwd commands support a `--root` option that
handles chroot-ing for the command.  In general, we prefer using this
option for commands that provide it and relying on the utility itself to
know how to set up the chroot in the way it needs.

The option has been available for these commands since 2011 [1] and it's
unclear why they weren't used originally.

The `mkhomedir_helper` command is still run using our Chroot context, so
the fix introduced in 9071cd0abb is
unaffected.

[1] 365279ea95/ChangeLog (L1339)
2024-11-26 23:35:04 +01:00
Achilleas Koutsou
8e3d054099 stages: use util.chroot in all stages that call "chroot"
Use the chroot utility module for all cases where we need to chroot
during a stage's execution.

The advantage is that all stages use the same tested code path for
setting up a chroot and all chrooted commands run in the same
environment, with the /proc, /dev, and /sys filesystems mounted.
2024-11-26 12:13:44 +01:00
Tomáš Hozza
9071cd0abb Stages/users: use Chroot from osbuild.util.chroot
Use the Chroot class from the osbuild.util.chroot module, instead of calling
`chroot` directly. The class handles mounting of various paths in the
chroot to make it more usable. This resolves a new failure when running
the stage test on F41, where `mkhomedir_helper` fails with return code `6`,
meaning permission denied.

Adjust the stage unit tests, because `chroot.Chroot` can't work with
`pathlib.Path`.

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-11-25 18:05:54 +01:00
Tomáš Hozza
a8aa6361b1 Stages/tuned: handle changed profiles dir with new TuneD versions
Since v2.23.0, TuneD changed the default directory under which it
looks for profiles. The profiles are now nested under the `profiles/`
directory. More information in [1].

Modify the stage implementation to check if the default profile
directories contain `profiles/` directory. If yes, then look for
profiles in it. If not, use the original behavior.

[1] https://github.com/redhat-performance/tuned/releases/tag/v2.23.0

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-11-25 10:22:21 +01:00
Tomáš Hozza
062feda60a Stages/dnf-automatic.config: don't fail on non-existent config file
On Fedora 41 with DNF5, the dnf-automatic plugin by default does not
install any configuration file. This means that the stage would fail in
such a case.

Previously, the full config file was placed in /etc and its purpose was
also to document all possible options. The example config file is now
installed only in /usr/share/dnf5/dnf5-plugins/automatic.conf.

Relax the stage implementation to not fail when the configuration file
does not exist. Just log a warning and create the configuration file.

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-11-25 10:15:17 +01:00
Tomáš Hozza
3ac6d405b5 Fix pylint issue E0606: possibly-used-before-assignment
Fix:
assemblers/org.osbuild.qemu:310:36: E0606: Possibly using variable 'prep_type' before assignment (possibly-used-before-assignment)
inputs/org.osbuild.tree:85:15: E0606: Possibly using variable 'path' before assignment (possibly-used-before-assignment)
stages/org.osbuild.sfdisk:58:36: E0606: Possibly using variable 'prep_type' before assignment (possibly-used-before-assignment)
stages/org.osbuild.systemd.unit:23:16: E0606: Possibly using variable 'unit_dropins_dir' before assignment (possibly-used-before-assignment)
test/mod/test_meta.py:219:29: E0606: Possibly using variable 'schema_part' before assignment (possibly-used-before-assignment)

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-11-25 10:09:18 +01:00
Tomáš Hozza
36a60d1c29 Test/autotailor: fix Python 3.6 compatibility
The test case is skipped in the upstream CI, because the `autotailor`
executable is not installed in the `osbuild-ci` image. This will not
be the case in the future and the CI run will reveal a Python 3.6
incompatibility in the test implementation. Fix it.

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-11-25 09:12:19 +01:00
Nikita Dubrovskii
a8e8ebde44 org.osbuild.selinux: support for specifying where file_contexts comes from
file_contexts can now come from
- tree (current default)
- mount
- input

Example:
```
- type: org.osbuild.selinux
  inputs:
    tree:
      type: org.osbuild.tree
      origin: org.osbuild.pipeline
      references:
        - name:tree
  options:
    file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
```
2024-11-14 17:49:26 +01:00
Nikita Dubrovskii
84d4de5770 org.osbuild.selinux: support operating on mounts
This adds support for specifying paths to operate on,
rather than just the root of the target:
```
- type: org.osbuild.selinux
  options:
    file_contexts: etc/selinux/targeted/contexts/files/file_contexts
    target: mount://root/path/to/dir
  mounts:
    - name: root
      source: disk
      target: /
```

or

```
- type: org.osbuild.selinux
  options:
    labels:
      mount://root/path/to/file: system_u:object_r:boot_t:s0
      mount://root/path/to/other/file: system_u:object_r:var_t:s0
  mounts:
    - name: root
      source: disk
      target: /
```
2024-11-14 17:49:26 +01:00
Nikita Dubrovskii
6a59e740e4 parsing: treat locations without scheme as belonging to 'tree://' 2024-11-14 17:49:26 +01:00
Miguel Martín
dd16c2b769 feat: add remove-signatures option to container-deploy stage
Add remove-signatures option to container-deploy stage.
The option will be translated to --remove-signatures
skopeo option and passed to skopeo when copying the container.
This option must be set when deploying signed containers.

Signed-off-by: Miguel Martín <mmartinv@redhat.com>
2024-10-29 14:23:02 +01:00
Florian Schüller
2d1e8553d7 stages/test/test_tar: fix regex to be more robust
For use cases where, for example, SELinux is not supported,
we should expect more errors from tar, so we should also accept this
when matching the string.

Kudos go to Achilleas Koutsou <achilleas@koutsou.net> for this hint
2024-10-26 20:04:37 +02:00
Florian Schüller
a1f02113cd stages/org.osbuild.tar: implement disk-full test
This should be an example environment
for more stages to test if they return a proper error
in a "disk full scenario".
2024-10-26 20:04:37 +02:00
Nikita Dubrovskii
23f01307b2 org.osbuild.mkdir: support creating dirs on mounts
This allows creating new directories on mounts:
```
- type: org.osbuild.mkdir
  options:
    paths:
      - path: mount:///boot/efi
  devices:
    disk: ...
  mounts:
    - name: boot
      target: /boot
      ...
```
2024-10-25 16:22:19 +02:00
Michael Vogt
a3e32f3823 util: drop absolute path from Chroot.run() calls
We currently use the absolute path of these binaries in the
helper. This has some advantages but given that we control the
inputs for PATH in general it seems unnecessary.

We are also slightly inconsistent about this in the codebase but
favor the non absolute path version. A quick count:
```
$ git grep '"chroot"'|wc -l
13
$ git grep '"/usr/sbin/chroot"'|grep -v test_|wc -l
8
```
For `mount` and `umount` it seems this is the only place that uses
the absolute path.

It's not an important change but it has the nice property that it
allows us to use e.g. `testutil.mock_command()` in our tests and
it would be nice to be consistent.
2024-10-24 10:06:46 +02:00
Michael Vogt
6cc0e584ba stages(tar): expose new transform option to tar stage
This commit adds a new `transform` option to the tar stages that
maps directly to the `--transform=` command-line argument of tar(1).

This allows transforming the names while files/dirs are added to
a tarfile. This is useful for the `gcp` pipeline for
bootc-image-builder where we want to create a gcp tar file that
expects the disk image filename in the tar to be exactly `disk.raw`.

Note that tar allows only a single `--transform` and we leave it
to the user to construct `sed` expressions if multiple renames
are required.
2024-09-25 12:57:00 +02:00
Dusty Mabe
f01a3d3c01 stages/selinux: don't require file_contexts if labels passed
With the labels option the user is specifying the exact context
they want to set on the path, so it's not necessary to supply a
context here. This can also be useful in the case where you want
to set some labels and you haven't populated the tree yet.
2024-09-25 09:17:34 +02:00
Alexander Larsson
bad22ebdfb Add test for containers.unix.create stage 2024-09-19 10:37:28 +02:00
Alexander Larsson
2393299510 *.unit.create.meta.json: Fix syntax for not-required checks
not required [A, B] is not right as it means it's not required to have
both. Instead we want not any-of [ required: a, required: b ]
2024-09-19 10:37:28 +02:00
Alexander Larsson
e7699e0c70 org.osbuild.systemd.unit.create: Fix case of ListenFIFO option 2024-09-19 10:37:28 +02:00
Alexander Larsson
9f0f609d31 Add org.osbuild.containers.unit.create stage
This is essentially org.osbuild.systemd.unit.create but creates the
file where podman looks for quadlets instead.

For now only container, volume and network are supported.

Not all quadlet options are supported, but at least the most useful ones, and enough for the automotive sample-images.
2024-09-19 10:37:28 +02:00
Alexander Larsson
af3c70fb40 /org.osbuild.systemd.unit*: Don't use interpolation with ConfigParser
It's not uncommon for systemd unit key values to contain things like
"%t", as these are magic values expanded by systemd. We need to
disable the ConfigParser default interpolation that treats '%' as
meaning interpolation.

Otherwise you will get errors like:

```
  File "/run/osbuild/bin/org.osbuild.systemd.unit.create", line 66, in <module>
    r = main(args["tree"], args["options"])
  File "/run/osbuild/bin/org.osbuild.systemd.unit.create", line 46, in main
    config.set(section, option, str(value))
  File "/usr/lib64/python3.9/configparser.py", line 1204, in set
    super().set(section, option, value)
  File "/usr/lib64/python3.9/configparser.py", line 894, in set
    value = self._interpolation.before_set(self, section, option,
  File "/usr/lib64/python3.9/configparser.py", line 402, in before_set
    raise ValueError("invalid interpolation syntax in %r at "
ValueError: invalid interpolation syntax in '%t/asil-ipc-demo/asil_ipc.socket' at position 0
```
2024-09-19 10:37:28 +02:00
Alexander Larsson
657c42bb0d org.osbuild.systemd.unit.create: Support Socket files
This allows you to create basic socket files.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2024-09-19 10:37:28 +02:00
Tomáš Hozza
ba70909975 Add org.osbuild.dnf4.sbom.spdx stage
Add a new stage, which allows analyzing the installed packages in a
given filesystem tree using DNF4 API and generating an SPDX v2.3 SBOM
document for it.

One can provide the filesystem tree to be analyzed as a stage input. If
no input is provided, the stage will analyze the filesystem tree of the
current pipeline.

Add test cases for both usage variants of the stage, as well as the
unit test for stage schema validation.

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-09-18 12:26:36 +02:00
Dusty Mabe
796f1d6fa1 stages/coreos.platform: use shutil.copy
Switch from shutil.copy2 so that we don't copy over the
SELinux labels from the source file.
2024-09-18 11:06:44 +02:00
Michael Vogt
d67fa48c17 stages: fix btrfs subvolume creation under subdirectories
The code currently does not support btrfs subvolumes that are not
directly under the root directory. This commit fixes this by adding
`-p` to `btrfs subvolume create` and adding an integration test.

Closes: https://github.com/osbuild/osbuild/issues/1882
2024-09-13 11:23:35 +02:00
Jonathan Lebon
66a00335c6 stages/dmverity: make device objects more generic
We need to pass loopback devices for these properties, but the schema
says that there will be a `path` property, so osbuild complains.

osbuild is right of course, but this definitely *did* work in an earlier
version, so something changed. Ideally, we'd narrow down here what
happened exactly, but at the same time this approach of just making the
property more generic matches what's done in e.g. the `zipl.inst` stage
where we also use a loopback device.

For reference, this is where we use this stage:

ba45b296ec/src/osbuild-manifests/platform.qemu.ipp.yaml (L100-L119)
2024-09-10 20:11:16 +02:00
Lukas Zapletal
09da4fff7b stages: add org.osbuild.pki.update-ca-trust
Adds a new stage that calls the update-ca-trust tool with the extract argument
to extract CA certificates. It is expected that one or more CAs are
placed in the /etc/pki/ca-trust/source/anchors directory in PEM format.
Filenames do not matter but must be unique enough. See the
update-ca-trust man page for more details on what it does.
2024-09-10 19:10:06 +02:00
Florian Schüller
0f5db9a283 stages: fix some documentation typos to prepare for spellchecking 2024-09-04 12:17:58 +02:00
Ondřej Budai
2f84ba96c9 stages: add a new mkswap stage
A stage very similar to the existing mkfs ones (actually, I started from
the xfs one). It creates a swap area on a given device.
2024-09-02 15:27:32 +02:00
Achilleas Koutsou
1093b5eeb2 util/chroot: use subprocess.run() for all commands
For consistency, use subprocess.run() with check=True for the calls that
were previously using subprocess.check_call().

Update the affected tests to match.
2024-08-28 16:45:48 -07:00
Achilleas Koutsou
3dbf389ebf util/chroot: add run() method to context class
Rename the ChrootProcDevSys class to just Chroot and add a run() method.
Calls now can be made using:

  with Chroot(root) as chroot:
      chroot.run(command)
2024-08-28 16:45:48 -07:00
Achilleas Koutsou
931e832944 test/dracut: update subprocess.run() call count 2024-08-28 16:45:48 -07:00
Michael Vogt
3b77eb3625 stages: workaround the two remaining autopep8 issues via noqa
Small followup for https://github.com/osbuild/osbuild/pull/1864

There were two issues from `autopep8` left, both can be just
silenced via the `# noqa` directive.
2024-08-26 23:19:17 +02:00
Paweł Poławski
db08c472f3 general: Fix linter issues across the codebase 2024-08-26 11:59:46 -07:00
Achilleas Koutsou
27e1e9f774 test/bootc_install_config: parse config for result
Different toml libraries write arrays differently, so we can't know
exactly what the file contents will look like.  Some will write an array
in a single line (toml) while others will break it into one element per
line (tomli_w).  Parse the file that's written by the stage so we can
compare the objects instead of the text contents directly.
2024-08-21 19:26:31 +02:00
Achilleas Koutsou
292d4ad0fe stages: replace toml imports with our util module 2024-08-21 19:26:31 +02:00
Achilleas Koutsou
69625505cf util/chroot: rename context class to ChrootProcDevSys
Rename the context class to better describe what it's doing.  It doesn't
run anything in a chroot, but it prepares the tree for it.
2024-08-21 18:50:05 +02:00
Achilleas Koutsou
8e41ec58a7 stages/update-crypto-policies: use Chroot context
Recently [1], the update-crypto-policies script added a check to verify
that the FIPS policy was automounted by reading the
/proc/self/mountinfo.  The script will fail if the proc filesystem isn't
available.

Use the new Chroot context to set up the environment for the command.

[1] 04ceadccfc
2024-08-21 18:50:05 +02:00
Achilleas Koutsou
9edda1d163 osbuild/util: new module: chroot
New chroot utility module that sets up a tree with the necessary virtual
filesystems needed for running commands in the root tree in a similar
environment as they would run in the build root.

This is needed for some stages, but may also be used for all chroot
calls to unify the setup and teardown of the root environment.

The Chroot context class was previously part of the org.osbuild.dracut
stage, which was the first stage to need this setup.
2024-08-21 18:50:05 +02:00
Tomáš Hozza
e1df8cea8f Stages/dracut: prepare environment for running dracut in chroot
dracut expects the environment, in which it is run, to have properly
mounted /proc, /dev and /sys. Otherwise, some of its modules don't work
properly. E.g. dracut fails to embed the CA cert bundle into the initram
disk, which means that HTTPS won't work in it. dracut also prints a lot
of errors and warnings about this, but we used to ignore them until now.

The buildroot environment in which the stage runs is OK, but we actually
run dracut using 'chroot', which is the core of the problem. The runtime
environment in such case lacks the necessary mounts.

Add a context manager for setting up and cleaning up all the necessary
mounts in the image FS tree when running dracut.

This change is related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1962975

And the implementation has been inspired by the fix in lorax:
https://github.com/weldr/lorax/pull/1151

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-08-15 19:56:20 +02:00
Paweł Poławski
b516bdca93 Tests: Add unit tests for org.osbuild.gunzip stage 2024-08-02 08:48:06 +02:00
Gianluca Zuccarelli
3fa8ab8cbc stages/autotailor: fix stage schema
There was a small mistake in the schema since either one of
`new_profile` or `tailored_profile_id` is required. This commit fixes
this and updates the tests to check for this case.
2024-07-25 11:56:07 +02:00
Gianluca Zuccarelli
cca6668b42 test/oscap.autotailor: json profile id shadowing 2024-07-17 13:14:48 +02:00
Gianluca Zuccarelli
a87b1ba852 test/oscap: autotailor json schema validation
Add basic schema validation unit test for the JSON autotailor options.
2024-07-17 13:14:48 +02:00
Gianluca Zuccarelli
92bb161501 stages/oscap.autotailor: make profile id required
According to `autotailor(8)` arguments passed in via the cli take
precedence over the JSON tailoring file contents.

Make the `new_profile` a required field for the json tailoring too and
pass it as an option to the `autotailor` command. This approach has some
trade-offs. It allows us to maintain the explicitness of the manifest
that is consumed by `osbuild`. The downside is that it will override the
profile id that is set by the user in the JSON tailoring file.
2024-07-17 13:14:48 +02:00