checkout: Only verify digest if repo requires fsverity #3331
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
For the record apparently the reason this got through FCOS CI is because #3326 landed literally just before the switch to f41 where composefs is enabled by default there. But CI on this PR should run through with composefs enabled for FCOS. |
jmarrero
approved these changes
Oct 30, 2024
There was a problem hiding this comment.
Looks like still we are not good:
[2024-10-30T16:39:36.656Z] Oct 30 16:39:35 qemu0 systemd[1]: kola-runext.service: Consumed 4.882s CPU time, 221.3M memory peak.
[2024-10-30T16:39:39.904Z] --- FAIL: ext.ostree.destructive.bootupd-static.sh (38.60s)
[2024-10-30T16:39:39.904Z] cluster.go:151: Error: Unit kola-runext.service exited with code 1
[2024-10-30T16:39:39.904Z] cluster.go:151: 2024-10-30T16:39:36Z cli: Unit kola-runext.service exited with code 1
[2024-10-30T16:39:39.904Z] harness.go:1265: kolet failed: : kolet run-test-unit failed: Process exited with status 1
[2024-10-30T16:51:46.499Z] Fetching status failed: ssh: handshake failed: read tcp 127.0.0.1:54814->127.0.0.1:42069: read: connection reset by peer
[2024-10-30T16:51:47.853Z] --- FAIL: ext.ostree.destructive-rs.composefs::itest_composefs (766.37s)
[2024-10-30T16:51:47.853Z] harness.go:1265: kolet failed: : Waiting for reboot: machine "6ad0c746-e827-4c63-9459-30dceb402826" failed to start: ssh journalctl failed: time limit exceeded
[2024-10-30T16:51:47.853Z] harness.go:106: TIMEOUT[10m0s]: ssh: journalctl -t kola-runext-composefs::itest_composefs
[2024-10-30T16:51:47.853Z] FAIL, output in /home/jenkins/agent/workspace/ostree_PR-3331/tmp/kola-b9ma7/kola/rerun
jmarrero
requested changes
Oct 30, 2024
|
Some of the test failures here are unrelated to this PR, it just also happens to be the first one after the FCOS default switch. I put one test update in #3332 |
jmarrero
approved these changes
Oct 30, 2024
cgwalters
force-pushed
the
verity-no-verity
branch
from
7f9da52 to
c0be5bf
Compare
Fixes a regression from the previous commit; in the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either. The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled. Closes: ostreedev#3330 Signed-off-by: Colin Walters <[email protected]>
cgwalters
force-pushed
the
verity-no-verity
branch
from
c0be5bf to
6ed1f83
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes a regression from the previous commit; in
the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either.
The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled.
Closes: #3330