repo+tests: Add [core]disable-xattrs=true, use it on overlayfs
There are a lot of things suboptimal about this approach, but
on the other hand we need to get our CI back up and running.

The basic approach is: in the test suite, detect whether we're on overlayfs. If
so, set a flag in the repo, which gets picked up by a few strategic places in
the core to turn on "ignore xattrs".

I also had to add a variant of this for the sysroot work.

The core problem here is while overlayfs will let us read and
see the SELinux labels, it won't let us write them.

Down the line, we should improve this so that we can selectively ignore e.g.
`security.*` attributes but not `user.*` say.

Closes: #758

Closes: #759
Approved by: jlebon
cgwalters authored and rh-atomic-bot committed Mar 24, 2017
1 parent 4d87338 commit 455cc5e
Showing 40 changed files with 208 additions and 122 deletions.
2 changes: 1 addition & 1 deletion manual-tests/static-delta-generate-crosscheck.sh
@@ -43,7 +43,7 @@ assert_streq() {

validate_delta_options() {
mkdir testrepo
ostree --repo=testrepo init --mode=bare-user
ostree_repo_init testrepo --mode=bare-user
ostree --repo=testrepo remote add --set=gpg-verify=false local file://${repo}
ostree --repo=${repo} static-delta generate $@ --from=${from} --to=${to}
ostree --repo=testrepo pull --require-static-deltas local ${branch}@${from}
14 changes: 14 additions & 0 deletions src/libostree/ostree-diff.c
@@ -24,6 +24,7 @@

#include "libglnx.h"
#include "ostree.h"
#include "ostree-repo-private.h"
#include "otutil.h"

static gboolean
@@ -269,6 +270,19 @@ ostree_diff_dirs_with_options (OstreeDiffFlags flags,
if (!options)
options = &default_opts;

/* If we're diffing versus a repo, and either of them have xattrs disabled,
* then disable for both.
*/
OstreeRepo *repo;
if (OSTREE_IS_REPO_FILE (a))
repo = ostree_repo_file_get_repo ((OstreeRepoFile*)a);
else if (OSTREE_IS_REPO_FILE (b))
repo = ostree_repo_file_get_repo ((OstreeRepoFile*)b);
else
repo = NULL;
if (repo != NULL && repo->disable_xattrs)
flags |= OSTREE_DIFF_FLAGS_IGNORE_XATTRS;

if (a == NULL)
{
if (!diff_add_dir_recurse (b, added, cancellable, error))
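Review bot: The repo lookup added before the `a == NULL` check stops at the first side that is a repo file, so when `a` is a repo file whose repo has xattrs enabled, `b`'s repo is never consulted, even though the comment says the flag is set if either side has xattrs disabled. If `a` and `b` can belong to different repos (not visible here), the diff would then compare real xattrs against a side that always reports none. Checking both sides independently matches the comment. The body of ostree_diff_dirs_with_options starts and ends outside the hunk.

```c
  /* … unchanged: options defaulting and the explanatory comment … */
  OstreeRepo *repo_a = OSTREE_IS_REPO_FILE (a) ? ostree_repo_file_get_repo ((OstreeRepoFile*)a) : NULL;
  OstreeRepo *repo_b = OSTREE_IS_REPO_FILE (b) ? ostree_repo_file_get_repo ((OstreeRepoFile*)b) : NULL;
  if ((repo_a != NULL && repo_a->disable_xattrs) ||
      (repo_b != NULL && repo_b->disable_xattrs))
    flags |= OSTREE_DIFF_FLAGS_IGNORE_XATTRS;
```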
3 changes: 2 additions & 1 deletion src/libostree/ostree-repo-commit.c
@@ -2304,7 +2304,8 @@ get_modified_xattrs (OstreeRepo *self,
ret_xattrs = modifier->xattr_callback (self, relpath, file_info,
modifier->xattr_user_data);
}
else if (!(modifier && (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS) > 0))
else if (!(modifier && (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS) > 0)
&& !self->disable_xattrs)
{
if (path && OSTREE_IS_REPO_FILE (path))
{
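Review bot: The added `!self->disable_xattrs` test gates only the branch that reads xattrs from the filesystem or a repo file; the `modifier->xattr_callback` branch just above it still returns whatever the callback supplies when the repo has xattrs disabled. If that is intentional, a comment on the condition should say so, for example `/* disable_xattrs only suppresses xattrs read from disk; callback-provided xattrs are still committed */`; if it is not, the callback branch needs the same check. get_modified_xattrs starts and ends outside the hunk.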
1 change: 1 addition & 0 deletions src/libostree/ostree-repo-private.h
@@ -100,6 +100,7 @@ struct OstreeRepo {
GError *writable_error;
gboolean in_transaction;
gboolean disable_fsync;
gboolean disable_xattrs;
guint zlib_compression_level;
GHashTable *loose_object_devino_hash;
GHashTable *updated_uncompressed_dirs;
24 changes: 17 additions & 7 deletions src/libostree/ostree-repo.c
@@ -1584,8 +1584,9 @@ ostree_repo_remote_gpg_import (OstreeRepo *self,

if (fstatat (self->repo_dir_fd, remote->keyring, &stbuf, AT_SYMLINK_NOFOLLOW) == 0)
{
GLnxFileCopyFlags copyflags = self->disable_xattrs ? GLNX_FILE_COPY_NOXATTRS : 0;
if (!glnx_file_copy_at (self->repo_dir_fd, remote->keyring,
&stbuf, target_temp_fd, "pubring.gpg", 0,
&stbuf, target_temp_fd, "pubring.gpg", copyflags,
cancellable, error))
{
g_prefix_error (error, "Unable to copy remote's keyring: ");
@@ -2067,6 +2068,11 @@ reload_core_config (OstreeRepo *self,
ostree_repo_set_disable_fsync (self, TRUE);
}

/* See https://github.com/ostreedev/ostree/issues/758 */
if (!ot_keyfile_get_boolean_with_default (self->config, "core", "disable-xattrs",
TRUE, &self->disable_xattrs, error))
return FALSE;

{ g_autofree char *tmp_expiry_seconds = NULL;

/* 86400 secs = one day */
@@ -2920,8 +2926,10 @@ ostree_repo_load_file (OstreeRepo *self,

if (out_xattrs)
{
if (!glnx_fd_get_all_xattrs (fd, &ret_xattrs,
cancellable, error))
if (self->disable_xattrs)
ret_xattrs = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("(ayay)"), NULL, 0));
else if (!glnx_fd_get_all_xattrs (fd, &ret_xattrs,
cancellable, error))
goto out;
}

@@ -2934,15 +2942,17 @@ ostree_repo_load_file (OstreeRepo *self,
else if (g_file_info_get_file_type (ret_file_info) == G_FILE_TYPE_SYMBOLIC_LINK
&& out_xattrs)
{
if (!glnx_dfd_name_get_all_xattrs (self->objects_dir_fd, loose_path_buf,
&ret_xattrs,
cancellable, error))
if (self->disable_xattrs)
ret_xattrs = g_variant_ref_sink (g_variant_new_array (G_VARIANT_TYPE ("(ayay)"), NULL, 0));
else if (!glnx_dfd_name_get_all_xattrs (self->objects_dir_fd, loose_path_buf,
&ret_xattrs,
cancellable, error))
goto out;
}
}
}
}

if (!found)
{
if (self->parent_repo)
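Review bot: The new `disable-xattrs` lookup in reload_core_config passes `TRUE` in what appears to be the default-value position of `ot_keyfile_get_boolean_with_default`, so any repo whose config lacks the key would run with `self->disable_xattrs` set. The commit message describes the option as something the test suite switches on for overlayfs, which implies opt-in. With it on by default, ostree_repo_load_file returns an empty xattr array and get_modified_xattrs stops reading xattrs, so SELinux labels and other `security.*` attributes would be dropped without any error. The argument line should read `FALSE, &self->disable_xattrs, error))`. reload_core_config starts and ends outside the hunk.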
63 changes: 42 additions & 21 deletions src/libostree/ostree-sysroot-deploy.c
@@ -88,6 +88,15 @@ symlink_at_replace (const char *oldpath,
return ret;
}

static GLnxFileCopyFlags
sysroot_flags_to_copy_flags (GLnxFileCopyFlags defaults,
OstreeSysrootDebugFlags sysrootflags)
{
if (sysrootflags & OSTREE_SYSROOT_DEBUG_NO_XATTRS)
defaults |= GLNX_FILE_COPY_NOXATTRS;
return defaults;
}

/* Try a hardlink if we can, otherwise fall back to copying. Used
* right now for kernels/initramfs in /boot, where we can just
* hardlink if we're on the same partition.
@@ -97,6 +106,7 @@ hardlink_or_copy_at (int src_dfd,
const char *src_subpath,
int dest_dfd,
const char *dest_subpath,
OstreeSysrootDebugFlags flags,
GCancellable *cancellable,
GError **error)
{
@@ -106,7 +116,8 @@ hardlink_or_copy_at (int src_dfd,
{
if (errno == EMLINK || errno == EXDEV)
{
return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath, 0,
return glnx_file_copy_at (src_dfd, src_subpath, NULL, dest_dfd, dest_subpath,
sysroot_flags_to_copy_flags (0, flags),
cancellable, error);
}
else
@@ -126,6 +137,7 @@ dirfd_copy_attributes_and_xattrs (int src_parent_dfd,
const char *src_name,
int src_dfd,
int dest_dfd,
OstreeSysrootDebugFlags flags,
GCancellable *cancellable,
GError **error)
{
@@ -136,13 +148,16 @@ dirfd_copy_attributes_and_xattrs (int src_parent_dfd,
/* Clone all xattrs first, so we get the SELinux security context
* right. This will allow other users access if they have ACLs, but
* oh well.
*/
if (!glnx_dfd_name_get_all_xattrs (src_parent_dfd, src_name,
&xattrs, cancellable, error))
goto out;
if (!glnx_fd_set_all_xattrs (dest_dfd, xattrs,
cancellable, error))
goto out;
*/
if (!(flags & OSTREE_SYSROOT_DEBUG_NO_XATTRS))
{
if (!glnx_dfd_name_get_all_xattrs (src_parent_dfd, src_name,
&xattrs, cancellable, error))
goto out;
if (!glnx_fd_set_all_xattrs (dest_dfd, xattrs,
cancellable, error))
goto out;
}

if (fstat (src_dfd, &src_stbuf) != 0)
{
@@ -169,6 +184,7 @@ static gboolean
copy_dir_recurse (int src_parent_dfd,
int dest_parent_dfd,
const char *name,
OstreeSysrootDebugFlags flags,
GCancellable *cancellable,
GError **error)
{
@@ -190,7 +206,7 @@ copy_dir_recurse (int src_parent_dfd,
return FALSE;

if (!dirfd_copy_attributes_and_xattrs (src_parent_dfd, name, src_dfd_iter.fd, dest_dfd,
cancellable, error))
flags, cancellable, error))
return FALSE;

while (TRUE)
@@ -212,14 +228,14 @@ copy_dir_recurse (int src_parent_dfd,
if (S_ISDIR (child_stbuf.st_mode))
{
if (!copy_dir_recurse (src_dfd_iter.fd, dest_dfd, dent->d_name,
cancellable, error))
flags, cancellable, error))
return FALSE;
}
else
{
if (!glnx_file_copy_at (src_dfd_iter.fd, dent->d_name, &child_stbuf,
dest_dfd, dent->d_name,
GLNX_FILE_COPY_OVERWRITE,
sysroot_flags_to_copy_flags (GLNX_FILE_COPY_OVERWRITE, flags),
cancellable, error))
return FALSE;
}
@@ -234,6 +250,7 @@ ensure_directory_from_template (int orig_etc_fd,
int new_etc_fd,
const char *path,
int *out_dfd,
OstreeSysrootDebugFlags flags,
GCancellable *cancellable,
GError **error)
{
@@ -262,7 +279,7 @@ ensure_directory_from_template (int orig_etc_fd,
if (strcmp (parent_path, ".") != 0)
{
if (!ensure_directory_from_template (orig_etc_fd, modified_etc_fd, new_etc_fd,
parent_path, NULL, cancellable, error))
parent_path, NULL, flags, cancellable, error))
goto out;

/* Loop */
@@ -286,7 +303,7 @@ ensure_directory_from_template (int orig_etc_fd,
goto out;

if (!dirfd_copy_attributes_and_xattrs (modified_etc_fd, path, src_dfd, target_dfd,
cancellable, error))
flags, cancellable, error))
goto out;

ret = TRUE;
@@ -312,6 +329,7 @@ copy_modified_config_file (int orig_etc_fd,
int modified_etc_fd,
int new_etc_fd,
const char *path,
OstreeSysrootDebugFlags flags,
GCancellable *cancellable,
GError **error)
{
@@ -332,7 +350,7 @@ copy_modified_config_file (int orig_etc_fd,
g_autofree char *parent = g_path_get_dirname (path);

if (!ensure_directory_from_template (orig_etc_fd, modified_etc_fd, new_etc_fd,
parent, &dest_parent_dfd, cancellable, error))
parent, &dest_parent_dfd, flags, cancellable, error))
goto out;
}
else
@@ -386,15 +404,15 @@ copy_modified_config_file (int orig_etc_fd,

if (S_ISDIR (modified_stbuf.st_mode))
{
if (!copy_dir_recurse (modified_etc_fd, new_etc_fd, path,
if (!copy_dir_recurse (modified_etc_fd, new_etc_fd, path, flags,
cancellable, error))
goto out;
}
else if (S_ISLNK (modified_stbuf.st_mode) || S_ISREG (modified_stbuf.st_mode))
{
if (!glnx_file_copy_at (modified_etc_fd, path, &modified_stbuf,
new_etc_fd, path,
GLNX_FILE_COPY_OVERWRITE,
sysroot_flags_to_copy_flags (GLNX_FILE_COPY_OVERWRITE, flags),
cancellable, error))
goto out;
}
@@ -426,6 +444,7 @@ static gboolean
merge_etc_changes (GFile *orig_etc,
GFile *modified_etc,
GFile *new_etc,
OstreeSysrootDebugFlags flags,
GCancellable *cancellable,
GError **error)
{
@@ -496,7 +515,7 @@ merge_etc_changes (GFile *orig_etc,
g_assert (path);

if (!copy_modified_config_file (orig_etc_fd, modified_etc_fd, new_etc_fd, path,
cancellable, error))
flags, cancellable, error))
goto out;
}
for (i = 0; i < added->len; i++)
@@ -507,7 +526,7 @@ merge_etc_changes (GFile *orig_etc,
g_assert (path);

if (!copy_modified_config_file (orig_etc_fd, modified_etc_fd, new_etc_fd, path,
cancellable, error))
flags, cancellable, error))
goto out;
}

@@ -827,7 +846,7 @@ merge_configuration (OstreeSysroot *sysroot,
/* TODO - set out labels as we copy files */
g_assert (!etc_exists);
if (!copy_dir_recurse (deployment_usr_dfd, deployment_dfd, "etc",
cancellable, error))
sysroot->debug_flags, cancellable, error))
goto out;

/* Here, we initialize SELinux policy from the /usr/etc inside
@@ -847,8 +866,8 @@ merge_configuration (OstreeSysroot *sysroot,

if (source_etc_path)
{
if (!merge_etc_changes (source_etc_pristine_path, source_etc_path, deployment_etc_path,
cancellable, error))
if (!merge_etc_changes (source_etc_pristine_path, source_etc_path, deployment_etc_path,
sysroot->debug_flags, cancellable, error))
goto out;
}

@@ -1319,6 +1338,7 @@ install_deployment_kernel (OstreeSysroot *sysroot,
}
if (!hardlink_or_copy_at (tree_boot_dfd, tree_kernel_name,
bootcsum_dfd, dest_kernel_name,
sysroot->debug_flags,
cancellable, error))
goto out;
}
@@ -1336,6 +1356,7 @@ install_deployment_kernel (OstreeSysroot *sysroot,
}
if (!hardlink_or_copy_at (tree_boot_dfd, tree_initramfs_name,
bootcsum_dfd, dest_initramfs_name,
sysroot->debug_flags,
cancellable, error))
goto out;
}
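Review bot: The comment kept in dirfd_copy_attributes_and_xattrs still says all xattrs are cloned first so the SELinux security context is right, but the new `OSTREE_SYSROOT_DEBUG_NO_XATTRS` guard skips that step, and the new helper `sysroot_flags_to_copy_flags` has no comment at all. With the flag set, merged `etc` directories and copied files keep whatever label and ACLs they received at creation, which matters to anyone who enables it outside the test suite. I would extend the existing comment with `Skipped under OSTREE_SYSROOT_DEBUG_NO_XATTRS (test suite on overlayfs); the destination then carries no copied SELinux label or ACLs.` and add above the helper `/* Map sysroot debug flags onto glnx copy flags; NO_XATTRS adds GLNX_FILE_COPY_NOXATTRS. */`.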
4 changes: 3 additions & 1 deletion src/libostree/ostree-sysroot-private.h
@@ -30,7 +30,9 @@ G_BEGIN_DECLS
typedef enum {

/* Don't flag deployments as immutable. */
OSTREE_SYSROOT_DEBUG_MUTABLE_DEPLOYMENTS = 1 << 0
OSTREE_SYSROOT_DEBUG_MUTABLE_DEPLOYMENTS = 1 << 0,
/* See https://github.com/ostreedev/ostree/pull/759 */
OSTREE_SYSROOT_DEBUG_NO_XATTRS = 1 << 1,

} OstreeSysrootDebugFlags;

3 changes: 2 additions & 1 deletion src/libostree/ostree-sysroot.c
@@ -161,9 +161,10 @@ ostree_sysroot_init (OstreeSysroot *self)
{
const GDebugKey keys[] = {
{ "mutable-deployments", OSTREE_SYSROOT_DEBUG_MUTABLE_DEPLOYMENTS },
{ "no-xattrs", OSTREE_SYSROOT_DEBUG_NO_XATTRS },
};

self->debug_flags = g_parse_debug_string (g_getenv("OSTREE_SYSROOT_DEBUG"),
self->debug_flags = g_parse_debug_string (g_getenv ("OSTREE_SYSROOT_DEBUG"),
keys, G_N_ELEMENTS (keys));

self->sysroot_fd = -1;
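Review bot: The `no-xattrs` key lets the `OSTREE_SYSROOT_DEBUG` environment variable decide whether xattrs, including SELinux labels, are copied during deployment, and nothing in ostree_sysroot_init records that the switch is active. Because the value comes from `g_getenv`, a process that inherits an environment it does not control would deploy without copied labels and give no indication of it. A line such as `if (self->debug_flags & OSTREE_SYSROOT_DEBUG_NO_XATTRS) g_message ("OSTREE_SYSROOT_DEBUG=no-xattrs: xattrs will not be copied during deployment");` after the parse, or at least a comment beside the key stating it is for the test suite only, would make this visible. The body of ostree_sysroot_init continues outside the hunk.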
2 changes: 1 addition & 1 deletion tests/archive-test.sh
@@ -31,7 +31,7 @@ echo "ok content"

cd ${test_tmpdir}
mkdir repo2
${CMD_PREFIX} ostree --repo=repo2 init
ostree_repo_init repo2
${CMD_PREFIX} ostree --repo=repo2 pull-local repo
echo "ok local clone"
