From 9a0acd7249bb0c7f55c2bf56e5073902cd60038b Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Sat, 14 Dec 2024 08:45:19 -0500
Subject: [PATCH 1/2] libostree/deploy: enable composefs by default
The composefs libostree integration has been supported for a while now and is actively in use in various ostree/bootc-based systems. Let's turn it on by default. This has no effect if composefs support is not compiled in. Note also that this does not change the default value of the `composefs.enabled` tristate to `true`. The default is still `maybe`, but the deploy API will now also create composefs images for `maybe`. The reason for doing it this way is so that systems upgrading from old libostree versions (which may either not have composefs support or may have composefs-related bugs) will still be able to upgrade and not trip `ostree-prepare-root` in the new deployment (which allows missing composefs images for `maybe`). We may in the future change the default value to `true`. See also: https://github.com/ostreedev/ostree/issues/2867
---
 src/libostree/ostree-sysroot-deploy.c | 2 +-
 tests/admin-test.sh | 7 ++++---
 tests/test-admin-deploy-composefs.sh | 20 +++++++++++++++++++-
 3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index 43f380f68c..2dd57dc65f 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -667,7 +667,7 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
 g_debug ("composefs enabled by config: %d repo: %d", composefs_enabled, repo->composefs_wanted);
 if (repo->composefs_wanted == OT_TRISTATE_YES)
 composefs_enabled = repo->composefs_wanted;
- if (composefs_enabled == OT_TRISTATE_YES)
+ if (composefs_enabled != OT_TRISTATE_NO)
 {
 composefs_start_time = g_get_monotonic_time ();
 // TODO: Clean up our mess around composefs/fsverity...we have duplication
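Review bot: The relaxed test `if (composefs_enabled != OT_TRISTATE_NO)` sends the default `maybe` state into the image-creation block, whose body continues past the end of this hunk, so any error returned there now fails deployments on systems that never set `composefs.enabled`. It is worth confirming that a hard failure is intended for `maybe`, since the commit message says `ostree-prepare-root` tolerates a missing image in that state. The condition also deserves a comment, because generating an image for `maybe` does not mean the image is required at boot; something like `/* maybe: build the image too; only an explicit false skips it. prepare-root still accepts a missing image for maybe. */` above the `if` would record that.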
diff --git a/tests/admin-test.sh b/tests/admin-test.sh
index 2adae9df5c..0c442cfd8b 100644
--- a/tests/admin-test.sh
+++ b/tests/admin-test.sh
@@ -71,9 +71,10 @@ assert_not_file_has_content status.txt "pending"
 assert_not_file_has_content status.txt "rollback"
 validate_bootloader
-# Someday probably soon we'll turn this on by default, but for now
-if test -f sysroot/ostree/deploy/testos/deploy/*.0/.ostree.cfs; then
- fatal "found composefs unexpectedly"
+if has_ostree_feature composefs; then
+ if ! test -f sysroot/ostree/deploy/testos/deploy/*.0/.ostree.cfs; then
+ fatal "missing composefs"
+ fi
 fi
 # Test the bootable and linux keys
diff --git a/tests/test-admin-deploy-composefs.sh b/tests/test-admin-deploy-composefs.sh
index fd39dc8d5d..ff20005d70 100755
--- a/tests/test-admin-deploy-composefs.sh
+++ b/tests/test-admin-deploy-composefs.sh
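Review bot: In tests/admin-test.sh the new check passes an unquoted glob to `test -f` (`deploy/*.0/.ostree.cfs`), so if more than one `*.0` directory matches, `test` receives several operands and exits with an error instead of a file-existence result. Here that error becomes `fatal "missing composefs"`, which is misleading but still fails loudly; the negative check added in tests/test-admin-deploy-composefs.sh (`if test -f …; then fatal "found composefs unexpectedly"`) would instead pass silently on the same error. Iterating over the matches, for example `for f in sysroot/ostree/deploy/testos/deploy/*.0/.ostree.cfs; do test -f "$f" || fatal "missing composefs"; done`, keeps the result tied to each file. Whether several deployments can exist at these points is not visible in the hunks.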
@@ -26,14 +26,32 @@ skip_without_ostree_feature composefs
 # Exports OSTREE_SYSROOT so --sysroot not needed.
 setup_os_repository "archive" "syslinux"
+# check disablement
 cd osdata
 mkdir -p usr/lib/ostree
 cat > usr/lib/ostree/prepare-root.conf << 'EOF'
 [composefs]
+enabled=false
+EOF
+cd -
+
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/testos-repo commit --add-metadata-string version=1.composefs -b testos/buildmain/x86_64-runtime osdata
+${CMD_PREFIX} ostree --repo=sysroot/ostree/repo pull-local --remote=testos testos-repo testos/buildmain/x86_64-runtime
+
+${CMD_PREFIX} ostree admin deploy --os=testos --karg=root=LABEL=foo --karg=testkarg=1 testos:testos/buildmain/x86_64-runtime
+if test -f sysroot/ostree/deploy/testos/deploy/*.0/.ostree.cfs; then
+ fatal "found composefs unexpectedly"
+fi
+
+# check explicit enablement
+cd osdata
+cat > usr/lib/ostree/prepare-root.conf << 'EOF'
+[composefs]
 enabled=true
 EOF
-${CMD_PREFIX} ostree --repo=${test_tmpdir}/testos-repo commit --add-metadata-string version=1.composefs -b testos/buildmain/x86_64-runtime
 cd -
+
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/testos-repo commit --add-metadata-string version=1.composefs -b testos/buildmain/x86_64-runtime osdata
 ${CMD_PREFIX} ostree --repo=sysroot/ostree/repo pull-local --remote=testos testos-repo testos/buildmain/x86_64-runtime
 ${CMD_PREFIX} ostree admin deploy --os=testos --karg=root=LABEL=foo --karg=testkarg=1 testos:testos/buildmain/x86_64-runtime
From 41a7f36f8e0aefd154c8eeea57dd7ab1e7064dac Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Sat, 14 Dec 2024 08:47:21 -0500
Subject: [PATCH 2/2] lib/deploy: error out if composefs enabled but unsupported
If composefs was explicitly requested (`enabled = true`) but libostree was not compiled with composefs support, error out at deploy time. This matches the logic in `ostree-prepare-root`.
---
 src/libostree/ostree-sysroot-deploy.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index 2dd57dc65f..5c52e64bdb 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -640,9 +640,6 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
 if (!glnx_opendirat (osdeploy_dfd, checkout_target_name, TRUE, &ret_deployment_dfd, error))
 return FALSE;
- guint64 composefs_start_time = 0;
- guint64 composefs_end_time = 0;
-#ifdef HAVE_COMPOSEFS
 /* TODO: Consider changing things in the future to parse the deployment config from memory, and
 * if composefs is enabled, then we can check out in "user mode" (i.e. only have suid binaries
 * enabled in composefs, etc.)
@@ -667,6 +664,10 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
 g_debug ("composefs enabled by config: %d repo: %d", composefs_enabled, repo->composefs_wanted);
 if (repo->composefs_wanted == OT_TRISTATE_YES)
 composefs_enabled = repo->composefs_wanted;
+
+ guint64 composefs_start_time = 0;
+ guint64 composefs_end_time = 0;
+#ifdef HAVE_COMPOSEFS
 if (composefs_enabled != OT_TRISTATE_NO)
 {
 composefs_start_time = g_get_monotonic_time ();
@@ -694,6 +695,9 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
 }
 else
 g_debug ("not using composefs");
+#else
+ if (composefs_enabled == OT_TRISTATE_YES)
+ return glnx_throw (error, "composefs: enabled at runtime, but support is not compiled in");
 #endif
 *checkout_elapsed = (checkout_end_time - checkout_start_time);
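Review bot: Builds without composefs now compile and run the code that derives `composefs_enabled`, which sits between the first and second hunks, because `#ifdef HAVE_COMPOSEFS` has moved down to just above `if (composefs_enabled != OT_TRISTATE_NO)`. That code is not visible here, so confirm that it uses nothing declared only under `HAVE_COMPOSEFS`, and that failing the deploy on an unreadable or malformed config is intended on such builds as well. A comment above the guard, such as `/* Config is evaluated on every build so that enabled=true can be rejected when composefs support is missing. */`, would explain why the guard no longer covers the parsing.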
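Review bot: The `#else` branch returns the "not compiled in" error only near the end of `checkout_deployment_tree`, after `glnx_opendirat` has opened `checkout_target_name` (first hunk) and just before `*checkout_elapsed` is computed, so the tree appears to have been checked out already when the deploy is rejected. Whether the caller removes that directory on failure is outside the hunks; if it does not, the check belongs before the checkout starts. Failing closed on an explicit `enabled = true` is the right behaviour, but nothing in this series tests it, since tests/test-admin-deploy-composefs.sh begins with `skip_without_ostree_feature composefs`. A case guarded by `if ! has_ostree_feature composefs` that expects `ostree admin deploy` to fail would cover it.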