diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go index 558a63b5cd..6c26d34ee9 100644 --- a/internal/pathpolicy/policies.go +++ b/internal/pathpolicy/policies.go @@ -46,3 +46,16 @@ var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{ "/etc/passwd": {Deny: true}, "/etc/group": {Deny: true}, }) + +// MountpointPolicies for ostree +var OstreeMountpointPolicies = NewPathPolicies(map[string]PathPolicy{ + "/": {}, + "/ostree": {Deny: true}, + "/home": {Deny: true}, + "/var/home": {Deny: true}, + "/var/opt": {Deny: true}, + "/var/srv": {Deny: true}, + "/var/roothome": {Deny: true}, + "/var/usrlocal": {Deny: true}, + "/var/mnt": {Deny: true}, +}) diff --git a/internal/pathpolicy/policies_test.go b/internal/pathpolicy/policies_test.go index 0fbd624bcb..86aea96e37 100644 --- a/internal/pathpolicy/policies_test.go +++ b/internal/pathpolicy/policies_test.go @@ -78,3 +78,36 @@ func TestMountpointPolicies(t *testing.T) { }) } } + +func TestOstreeMountpointPolicies(t *testing.T) { + type testCase struct { + path string + allowed bool + } + + testCases := []testCase{ + {"/ostree", false}, + {"/ostree/foo", false}, + + {"/foo", true}, + {"/foo/bar", true}, + + {"/var", true}, + {"/var/myfiles", true}, + {"/var/roothome", false}, + + {"/home", false}, + {"/home/shadowman", false}, + } + + for _, tc := range testCases { + t.Run(tc.path, func(t *testing.T) { + err := OstreeMountpointPolicies.Check(tc.path) + if err != nil && tc.allowed { + t.Errorf("expected %s to be allowed, but got error: %v", tc.path, err) + } else if err == nil && !tc.allowed { + t.Errorf("expected %s to be denied, but got no error", tc.path) + } + }) + } +} diff --git a/pkg/distro/rhel9/distro_test.go b/pkg/distro/rhel9/distro_test.go index 0f741ade3e..72572cde1f 100644 --- a/pkg/distro/rhel9/distro_test.go +++ b/pkg/distro/rhel9/distro_test.go @@ -671,7 +671,7 @@ func TestDistro_CustomFileSystemManifestError(t *testing.T) { imgType, _ := arch.GetImageType(imgTypeName) _, _, err := imgType.Manifest(&bp, distro.ImageOptions{}, nil, 0) if imgTypeName == "edge-commit" || imgTypeName == "edge-container" { - assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types") + assert.EqualError(t, err, "Custom mountpoints are not supported for edge-container and edge-commit") } else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" || imgTypeName == "edge-ami" || imgTypeName == "edge-vsphere" { continue } else { @@ -699,7 +699,7 @@ func TestDistro_TestRootMountPoint(t *testing.T) { imgType, _ := arch.GetImageType(imgTypeName) _, _, err := imgType.Manifest(&bp, distro.ImageOptions{}, nil, 0) if imgTypeName == "edge-commit" || imgTypeName == "edge-container" { - assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types") + assert.EqualError(t, err, "Custom mountpoints are not supported for edge-container and edge-commit") } else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" || imgTypeName == "edge-ami" || imgTypeName == "edge-vsphere" { continue } else { @@ -829,7 +829,7 @@ func TestDistro_CustomUsrPartitionNotLargeEnough(t *testing.T) { imgType, _ := arch.GetImageType(imgTypeName) _, _, err := imgType.Manifest(&bp, distro.ImageOptions{}, nil, 0) if imgTypeName == "edge-commit" || imgTypeName == "edge-container" { - assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types") + assert.EqualError(t, err, "Custom mountpoints are not supported for edge-container and edge-commit") } else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" || imgTypeName == "edge-ami" || imgTypeName == "edge-vsphere" { continue } else { diff --git a/pkg/distro/rhel9/imagetype.go b/pkg/distro/rhel9/imagetype.go index 6d8b6e9dc6..5d98f73b05 100644 --- a/pkg/distro/rhel9/imagetype.go +++ b/pkg/distro/rhel9/imagetype.go @@ -167,12 +167,7 @@ func (t *imageType) getPartitionTable( partitioningMode := options.PartitioningMode if t.rpmOstree { // Edge supports only LVM, force it. - // Raw is not supported, return an error if it is requested // TODO Need a central location for logic like this - if partitioningMode == disk.RawPartitioningMode { - return nil, fmt.Errorf("partitioning mode raw not supported for %s on %s", t.Name(), t.arch.Name()) - } - partitioningMode = disk.LVMPartitioningMode } @@ -308,7 +303,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp } if t.name == "edge-simplified-installer" { - allowed := []string{"InstallationDevice", "FDO", "Ignition", "Kernel", "User", "Group", "FIPS"} + allowed := []string{"InstallationDevice", "FDO", "Ignition", "Kernel", "User", "Group", "FIPS", "Filesystem"} if err := customizations.CheckAllowed(allowed...); err != nil { return warnings, fmt.Errorf("unsupported blueprint customizations found for boot ISO image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", ")) } @@ -358,8 +353,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp if options.OSTree == nil || options.OSTree.URL == "" { return warnings, fmt.Errorf("%q images require specifying a URL from which to retrieve the OSTree commit", t.name) } - - allowed := []string{"Ignition", "Kernel", "User", "Group", "FIPS"} + allowed := []string{"Ignition", "Kernel", "User", "Group", "FIPS", "Filesystem"} if err := customizations.CheckAllowed(allowed...); err != nil { return warnings, fmt.Errorf("unsupported blueprint customizations found for image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", ")) } @@ -386,9 +380,14 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp } mountpoints := customizations.GetFilesystems() - - if mountpoints != nil && t.rpmOstree { - return warnings, fmt.Errorf("Custom mountpoints are not supported for ostree types") + if mountpoints != nil && t.rpmOstree && (t.name == "edge-container" || t.name == "edge-commit") { + return warnings, fmt.Errorf("Custom mountpoints are not supported for edge-container and edge-commit") + } else if mountpoints != nil && t.rpmOstree && !(t.name == "edge-container" || t.name == "edge-commit") { + //customization allowed for edge-raw-image,edge-ami,edge-vsphere,edge-simplified-installer + err := blueprint.CheckMountpointsPolicy(mountpoints, pathpolicy.OstreeMountpointPolicies) + if err != nil { + return warnings, err + } } err := blueprint.CheckMountpointsPolicy(mountpoints, pathpolicy.MountpointPolicies) diff --git a/test/config-map.json b/test/config-map.json index 2a7e555c26..e87be33b5e 100644 --- a/test/config-map.json +++ b/test/config-map.json @@ -193,5 +193,18 @@ "image-types": [ "ec2-sap" ] + }, + "./configs/ostree-filesystem-customizations.json": { + "image-types": [ + "edge-raw-image", + "edge-ami", + "edge-vsphere", + "simplified-installer" + ], + "distros": [ + "rhel-92", + "rhel-93", + "rhel-94" + ] } } diff --git a/test/configs/ostree-filesystem-customizations.json b/test/configs/ostree-filesystem-customizations.json new file mode 100644 index 0000000000..03ef336e22 --- /dev/null +++ b/test/configs/ostree-filesystem-customizations.json @@ -0,0 +1,53 @@ +{ + "name": "ostree-filesystem-customizations", + "ostree": { + "url": "http://example.com/repo" + }, + "blueprint": { + "customizations": { + "user": [ + { + "groups": [ + "wheel" + ], + "key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNebAh6SjpAn8wB53K4695cGnHGuCtl4RdaX3futZgJUultHyzeYHnzMO7d4++qnRL+Rworew62LKP560uvtncc= github.com/osbuild/images", + "name": "osbuild" + } + ], + "filesystem": [ + { + "mountpoint": "/foo", + "minsize": "2147483648" + }, + { + "mountpoint": "/foo/bar", + "minsize": "2 GiB" + }, + { + "mountpoint": "/root", + "minsize": "1 GiB" + }, + { + "mountpoint": "/mnt", + "minsize": "3 GiB" + }, + { + "mountpoint": "/srv", + "minsize": "4 GiB" + }, + { + "mountpoint": "/opt", + "minsize": "1 GiB" + }, + { + "mountpoint": "/var/mydata", + "minsize": "1 GiB" + } + ] + } + }, + "depends": { + "image-type": "edge-container", + "config": "empty.json" + } +} diff --git a/test/scripts/boot-image b/test/scripts/boot-image index bf96d00867..4bcf397345 100755 --- a/test/scripts/boot-image +++ b/test/scripts/boot-image @@ -86,6 +86,7 @@ def boot_ami(distro, arch, image_type, image_path): "--username", "osbuild", "--ssh-privkey", privkey, "--ssh-pubkey", pubkey, + "--boot-mode" , "uefi", raw_image_path, "test/scripts/base-host-check.sh"] runcmd(cmd)