{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":27534297,"defaultBranch":"master","name":"ostree","ownerLogin":"alexlarsson","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2014-12-04T10:00:43.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/990736?v=4","public":true,"private":false,"isOrgOwned":false},"refInfo":{"name":"","listCacheKey":"v0:1715787370.0","currentOid":""},"activityList":{"items":[{"before":null,"after":"083eacd6de914ab8b1a950333c5e9c137f3bd67c","ref":"refs/heads/fix-fsverity-supported","pushedAt":"2024-05-15T15:36:10.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Fix _ostree_ensure_fsverity reporting of supports in early exit\n\nIf supported_out is passed to _ostree_ensure_fsverity and we\nsuccessfully exit early, for example because the file is a symlink, then\n*supported_out is not initialized.\n\nThis is problematic in the case of ostree_sysroot_update_post_copy(),\nbecause it passes in an uninitialized supported, and on successful\nreturn of _ostree_ensure_fsverity() it assumes that it is initialized.\n\nIn case supported happened to be initialized to non-zero it will take\nthis branch:\n\n if (!supported)\n break; /* If not supported, skip rest */\n\nWhich means *all* further objects will not get fs-verity enabled.","shortMessageHtmlLink":"Fix _ostree_ensure_fsverity reporting of supports in early exit"}},{"before":null,"after":"6ac8c49a8347c939b7ce92cce86d0addb5d0a670","ref":"refs/heads/fix-aboot-non-ab","pushedAt":"2024-04-15T18:11:49.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"prepare-root: Handle 
non-AB aboot properly\n\notcore_get_ostree_target() should set is_aboot for android boot\nsystems, but currently it only does this on A/B boot systems, not\nsingle-boot-partition systems. Fix this by setting it in the second\ncase.","shortMessageHtmlLink":"prepare-root: Handle non-AB aboot properly"}},{"before":null,"after":"374fb05d0eab6f889460f9517d47f1f9b4207bfa","ref":"refs/heads/fix-fsverity-error-check","pushedAt":"2024-04-08T15:07:19.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"_ostree_ensure_fsverity: Properly check for errors\n\nIf fs_verity_wanted == _OSTREE_FEATURE_YES we should fail if\n!suported, but we were checking !supported where supported is a\npointer, not a boolean. This caused us to miss errors when the kernel\ndidn't support fs-verity that led to lots of debugging.","shortMessageHtmlLink":"_ostree_ensure_fsverity: Properly check for errors"}},{"before":null,"after":"41fd55aa794809c759fdeb25052b5322ad87e524","ref":"refs/heads/composefs-no-hotfix","pushedAt":"2024-02-22T11:12:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"prepare-root: Disallow hotfixes if using signed composefs images\n\nAs mentioned in https://github.com/ostreedev/ostree/issues/3187, we\ncan't allow a hotfix overlay of /usr when using signed composefs\nimages as that would allow an attacker to persist something used\nacross boots.","shortMessageHtmlLink":"prepare-root: Disallow hotfixes if using signed composefs 
images"}},{"before":"5162d7dd72703814eecdfcac1308084310456643","after":"b7688609b53895682c5cf768e8d17b8431df2a4b","ref":"refs/heads/composefs-config-with-no-key","pushedAt":"2024-02-21T09:21:27.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"deploy: Don't fail if loading composefs configuration fails due to missing keys\n\nWhen we load the configuration during deploy we don't need to actually\nuse the keys, so avoid loading them. This fixes an issue we had where\nthis broke the initial deploy because of a failure to load the key. In\nour case it fails because the code looks for the config file in the\ndeploy dir, but then for the binding key in the real root.\n\nHowever, even if it were to look for the key in the deploy dir I don't\nthink it necessarily has to be in the rootfs, it could be only in the\ninitrd.\n\nThis fixes https://github.com/ostreedev/ostree/issues/3188","shortMessageHtmlLink":"deploy: Don't fail if loading composefs configuration fails due to mi…"}},{"before":null,"after":"5162d7dd72703814eecdfcac1308084310456643","ref":"refs/heads/composefs-config-with-no-key","pushedAt":"2024-02-21T09:20:43.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"deploy: Don't fail if loading composefs configuration fails due to missing keys\n\nWhen we load the configuration during deploy we don't need to actually\nuse the keys, so avoid loading them. This fixes an issue we had where\nthis broke the initial deploy because of a failure to load the key. 
In\nour case it fails because the code looks for the config file in the\ndeploy dir, but then for the binding key in the real root.\n\nHowever, even if it were to look for the key in the deploy dir I don't\nthink it necessarily has to be in the rootfs, it could be only in the\ninitrd.","shortMessageHtmlLink":"deploy: Don't fail if loading composefs configuration fails due to mi…"}},{"before":null,"after":"b7285311257738f6062f3d55ac84a2ae0a5fc714","ref":"refs/heads/fix-fsverity-rofiles-fuse","pushedAt":"2024-02-14T15:51:39.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"rofiles-fuse: Support breaking hardlinks to fs-verity files\n\nIn case fs-verity is in use for the repo objects, and something like\n\"rpm-ostree apply-live\" uses rofiles-fuse with --copyup, then writing\nto a hard-linked file fails to copy up, like this:\n\necho foo > /a/rofile-mnt/a-file\n/a/rofile-mnt/a-file: Operation not permitted\n\nThe reason for this is that do_write() starts by opening the file\nnon-truncating for writing, stat:ing it and then calling\nverify_write_or_copyup(). It is expecting the open(write) to\nsucceed, however, in the fs-verity case any open with write fails with\nEPERM.\n\nWe fix this by delaying the EPERM failure, only reporting it when the\nfile descriptor needs to be used. 
In the case this triggered a copyup\nthe file descriptor will be reopened, and in this case we will not get\nthe EPERM anymore.\n\nTo simplify this code the fd variable now uses glnx_autofd.\n\nThis fixes https://github.com/coreos/rpm-ostree/issues/4827","shortMessageHtmlLink":"rofiles-fuse: Support breaking hardlinks to fs-verity files"}},{"before":null,"after":"91c5ee74259910677cdcaae73bbb74770956bb22","ref":"refs/heads/find-deploydir-with-transient-etc","pushedAt":"2024-02-08T13:59:51.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Fix booted deploy detection with transient /etc\n\nWhen /etc is transient, and composefs is root, there is currently no\nbind-mount of the deploy directory so the checks for finding if a\ndeploy is booted are failing.\n\nWe fix this by bind-mounting the deploy dir as /run/ostree/deploy and\nuse that to look for the booted deploy directory.","shortMessageHtmlLink":"Fix booted deploy detection with transient /etc"}},{"before":"63839c392bd6d7d0e87dc2fe642a00971391c6c4","after":"808f2433722ae24bca3c13f319f3a6fbba93926e","ref":"refs/heads/new-composefs-format","pushedAt":"2024-01-31T11:09:46.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"composefs: Bump composefs max version to 1\n\nThis generates the new format for whiteout markers which was added in\n6.8 (and which will be backported to 6.7). 
Without this whiteouts\nwill not work anymore.\n\nThis is a slight format change, but will only affect ostree commits\nthat already were broken (i.e that had whiteouts), and since the\ncomposefs code is still marked experimental I think it is fine to\ndo this without introducing another format version on the ostree\nside.\n\nSigned-off-by: Alexander Larsson ","shortMessageHtmlLink":"composefs: Bump composefs max version to 1"}},{"before":null,"after":"63839c392bd6d7d0e87dc2fe642a00971391c6c4","ref":"refs/heads/new-composefs-format","pushedAt":"2024-01-31T11:07:15.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"composefs: Bump composefs max version to 1\n\nThis generates the new format for whiteout markers which was added in\n6.8 (and which will be backported to 6.7). Without this whiteouts\nwill not work anymore.\n\nThis is a slight format change, but will only affect ostree commits\nthat already were broken (i.e that had whiteouts), and since the\ncomposefs code is still marked experimental I think it is fine to\ndo this without introducing another format version on the ostree\nside.\n\nSigned-off-by: Alexander Larsson ","shortMessageHtmlLink":"composefs: Bump composefs max version to 1"}},{"before":null,"after":"acb886008830994b6a6bd08c27df7270e22afaed","ref":"refs/heads/fix-post-copy-symlinks","pushedAt":"2023-11-14T21:39:01.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Fix admin post-copy handling of symlinks\n\nThe code to enable fs-verity on an object file was failing with ENOENT\nfor symlink objects.","shortMessageHtmlLink":"Fix admin post-copy handling of 
symlinks"}},{"before":"1ab4ec46aa49ee77ca4050a925d28aedf4e22768","after":"accb1f0602ffcfb977030380516cee64a29285f0","ref":"refs/heads/admin-deploy-post-copy","pushedAt":"2023-11-14T09:15:24.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Add `ostree admin post-copy` command\n\nThis command will apply fs-verity on all objects that need it and\nneeds to be called when an ostree deployment has been copied on a\nfile-by-file basis, which would lose information such as fs-verity.\n\nThis is needed by osbuild which works by creating the final image in a\nrootfs, and then separately copying that rootfs file-by-file to a\nloopback mounted filesystem image.","shortMessageHtmlLink":"Add ostree admin post-copy command"}},{"before":"6e6a558a338392b7709fcf6b15542f13ab02eedf","after":"1ab4ec46aa49ee77ca4050a925d28aedf4e22768","ref":"refs/heads/admin-deploy-post-copy","pushedAt":"2023-11-14T08:22:37.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Add `ostree admin post-copy` command\n\nThis command will apply fs-verity on all objects that need it and\nneeds to be called when an ostree deployment has been copied on a\nfile-by-file basis, which would lose information such as fs-verity.\n\nThis is needed by osbuild which works by creating the final image in a\nrootfs, and then separately copying that rootfs file-by-file to a\nloopback mounted filesystem image.","shortMessageHtmlLink":"Add ostree admin post-copy 
command"}},{"before":null,"after":"6e6a558a338392b7709fcf6b15542f13ab02eedf","ref":"refs/heads/admin-deploy-post-copy","pushedAt":"2023-11-13T16:37:29.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Add `ostree admin post-copy` command\n\nThis command will apply fs-verity on all objects that need it and\nneeds to be called when an ostree deployment has been copied on a\nfile-by-file basis, which would lose information such as fs-verity.\n\nThis is needed by osbuild which works by creating the final image in a\nrootfs, and then separately copying that rootfs file-by-file to a\nloopback mounted filesystem image.","shortMessageHtmlLink":"Add ostree admin post-copy command"}},{"before":"186f210150fa321f7df8ae22de1d9756754a3c50","after":"f617a341f371fdfde89abe0ec546fec66c4489fb","ref":"refs/heads/transient-etc","pushedAt":"2023-10-12T15:05:37.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Support transient /etc\n\nIf the `prepare-root.conf` file contains:\n```\n[etc]\ntransient=yes\n```\n\nThen during prepare-root, an overlayfs is mounted as /etc, with the\nupper dir being in /run. If composefs is used, the lower dir is\n`usr/etc` from the composefs image, or it is the deployed\n`$deploydir/usr/etc`.\n\nNote that for this to work with selinux, the commit must have been\nbuilt with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. 
Otherwise\nthe lowerdir (/usr/etc) will have the wrong selinux contexts for the\nfinal location of the mount (/etc).\n\nWe also set the transient-etc key in the ostree-booted file, pointing it\nto the directory that is used for the overlayfs.\n\nThere is some additional work happening in ostree-remount, mostly\nrelated to selinux (as this needs to happen post selinux policy\nload):\n\n * Recent versions of selinux-policy have issues with the overlayfs\n mount being kernel_t, and that is not allowed to manage files as\n needed. This is fixed in\n https://github.com/fedora-selinux/selinux-policy/pull/1893\n\n * Any /etc files created in the initramfs will not be labeled,\n because the selinux policy has not been loaded. In addition, the\n upper dir is on a tmpfs, and any manually set xattr-based selinux\n labels on those are reset during policy load. To work around this\n ostree-remount will relabel all files on /etc that have\n corresponding files in overlayfs upper dir.\n\n * During early boot, systemd mounts /run/machine-id on top of\n /etc/machine-id (as /etc is readonly). Later during boot, when etc\n is readwrite, systemd-machine-id-commit.service will remove the\n mount and update the real file under it with the right content. 
To\n ensure that this keeps working, we need to ensure that when we\n relabel /etc/machine-id we relabel the real (covered) file, not the\n temporary bind-mount.\n\n * ostree-remount no longer needs to remount /etc read-only in the\n transient-etc case.\n\nSigned-off-by: Alexander Larsson ","shortMessageHtmlLink":"Support transient /etc"}},{"before":null,"after":"397a11762e87e5c6ecc272ce629a100c88458417","ref":"refs/heads/fix-whiteout-test","pushedAt":"2023-10-12T08:22:02.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"tests: Fix whiteout test\n\nThis test was always skipped, because the check:\n\n if touch overlay/baz/.wh.cow &&\n touch overlay/.wh.deeper &&\n touch overlay/baz/another/.wh..wh..opq; then\n\nalways fails due to the missing overlay/baz/another directory.\nFix by creating the directory.","shortMessageHtmlLink":"tests: Fix whiteout test"}},{"before":"50de0ff466b6a0ab45af05a948138da937a3a0ec","after":"186f210150fa321f7df8ae22de1d9756754a3c50","ref":"refs/heads/transient-etc","pushedAt":"2023-10-12T08:04:36.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Support transient /etc\n\nIf the `prepare-root.conf` file contains:\n```\n[etc]\ntransient=yes\n```\n\nThen during prepare-root, an overlayfs is mounted as /etc, with the\nupper dir being in /run. If composefs is used, the lower dir is\n`usr/etc` from the composefs image, or it is the deployed\n`$deploydir/usr/etc`.\n\nNote that for this to work with selinux, the commit must have been\nbuilt with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. 
Otherwise\nthe lowerdir (/usr/etc) will have the wrong selinux contexts for the\nfinal location of the mount (/etc).\n\nWe also set the transient-etc key in the ostree-booted file, pointing it\nto the directory that is used for the overlayfs.\n\nThere is some additional work happening in ostree-remount, mostly\nrelated to selinux (as this needs to happen post selinux policy\nload):\n\n * Recent versions of selinux-policy have issues with the overlayfs\n mount being kernel_t, and that is not allowed to manage files as\n needed. This is fixed in\n https://github.com/fedora-selinux/selinux-policy/pull/1893\n\n * Any /etc files created in the initramfs will not be labeled,\n because the selinux policy has not been loaded. In addition, the\n upper dir is on a tmpfs, and any manually set xattr-based selinux\n labels on those are reset during policy load. To work around this\n ostree-remount will relabel all files on /etc that have\n corresponding files in overlayfs upper dir.\n\n * During early boot, systemd mounts /run/machine-id on top of\n /etc/machine-id (as /etc is readonly). Later during boot, when etc\n is readwrite, systemd-machine-id-commit.service will remove the\n mount and update the real file under it with the right content. 
To\n ensure that this keeps working, we need to ensure that when we\n relabel /etc/machine-id we relabel the real (covered) file, not the\n temporary bind-mount.\n\n * ostree-remount no longer needs to remount /etc read-only in the\n transient-etc case.\n\nSigned-off-by: Alexander Larsson ","shortMessageHtmlLink":"Support transient /etc"}},{"before":"bc9d29210198fac72d8353dbfe74477e43d5c174","after":"50de0ff466b6a0ab45af05a948138da937a3a0ec","ref":"refs/heads/transient-etc","pushedAt":"2023-10-09T09:25:37.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Support transient /etc\n\nIf the `prepare-root.conf` file contains:\n```\n[etc]\ntransient=yes\n```\n\nThen during prepare-root, an overlayfs is mounted as /etc, with the\nupper dir being in /run. If composefs is used, the lower dir is\n`usr/etc` from the composefs image, or it is the deployed\n`$deploydir/usr/etc`.\n\nNote that for this to work with selinux, the commit must have been\nbuilt with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise\nthe lowerdir (/usr/etc) will have the wrong selinux contexts for the\nfinal location of the mount (/etc).\n\nWe also set the transient-etc key in the ostree-booted file, pointing it\nto the directory that is used for the overlayfs.\n\nThere is some additional work happening in ostree-remount, mostly\nrelated to selinux (as this needs to happen post selinux policy\nload):\n\n * Recent versions of selinux-policy have issues with the overlayfs\n mount being kernel_t, and that is not allowed to manage files as\n needed. This is fixed in\n https://github.com/fedora-selinux/selinux-policy/pull/1893\n\n * Any /etc files created in the initramfs will not be labeled,\n because the selinux policy has not been loaded. 
In addition, the\n upper dir is on a tmpfs, and any manually set xattr-based selinux\n labels on those are reset during policy load. To work around this\n ostree-remount will relabel all files on /etc that have\n corresponding files in overlayfs upper dir.\n\n * During early boot, systemd mounts /run/machine-id on top of\n /etc/machine-id (as /etc is readonly). Later during boot, when etc\n is readwrite, systemd-machine-id-commit.service will remove the\n mount and update the real file under it with the right content. To\n ensure that this keeps working, we need to ensure that when we\n relabel /etc/machine-id we relabel the real (covered) file, not the\n temporary bind-mount.\n\n * ostree-remount no longer needs to remount /etc read-only in the\n transient-etc case.\n\nSigned-off-by: Alexander Larsson ","shortMessageHtmlLink":"Support transient /etc"}},{"before":"326e2eb2c10542a01e40d7afc7839223570e7c91","after":"bc9d29210198fac72d8353dbfe74477e43d5c174","ref":"refs/heads/transient-etc","pushedAt":"2023-10-09T09:22:46.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Support transient /etc\n\nIf the `prepare-root.conf` file contains:\n```\n[etc]\ntransient=yes\n```\n\nThen during prepare-root, an overlayfs is mounted as /etc, with the\nupper dir being in /run. If composefs is used, the lower dir is\n`usr/etc` from the composefs image, or it is the deployed\n`$deploydir/usr/etc`.\n\nNote that for this to work with selinux, the commit must have been\nbuilt with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. 
Otherwise\nthe lowerdir (/usr/etc) will have the wrong selinux contexts for the\nfinal location of the mount (/etc).\n\nWe also set the transient-etc key in the ostree-booted file, pointing it\nto the directory that is used for the overlayfs.\n\nThere is some additional work happening in ostree-remount, mostly\nrelated to selinux (as this needs to happen post selinux policy\nload):\n\n * Recent versions of selinux-policy have issues with the overlayfs\n mount being kernel_t, and that is not allowed to manage files as\n needed. This is fixed in\n https://github.com/fedora-selinux/selinux-policy/pull/1893\n\n * Any /etc files created in the initramfs will not be labeled,\n because the selinux policy has not been loaded. In addition, the\n upper dir is on a tmpfs, and any manually set xattr-based selinux\n labels on those are reset during policy load. To work around this\n ostree-remount will relabel all files on /etc that have\n corresponding files in overlayfs upper dir.\n\n * During early boot, systemd mounts /run/machine-id on top of\n /etc/machine-id (as /etc is readonly). Later during boot, when etc\n is readwrite, systemd-machine-id-commit.service will remove the\n mount and update the real file under it with the right content. 
To\n ensure that this keeps working, we need to ensure that when we\n relabel /etc/machine-id we relabel the real (covered) file, not the\n temporary bind-mount.\n\n * ostree-remount no longer needs to remount /etc read-only in the\n transient-etc case.\n\nSigned-off-by: Alexander Larsson ","shortMessageHtmlLink":"Support transient /etc"}},{"before":"2976576b5ce0957253a058260937c13b95f3872e","after":"326e2eb2c10542a01e40d7afc7839223570e7c91","ref":"refs/heads/transient-etc","pushedAt":"2023-10-06T13:50:49.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"WORKAROUND: Add ostree selinux module to workaround issues with relabeling permissions\n\nWhen using transient /etc, ostree-prepare-root will mount an overlayfs on /etc\nfrom the initrd. This overlay mount will have the context kernel_t, meaning\nthat not only will an external process need to pass its selinux checks against\nthe overlay file, the overlay filesystem itself needs to pass the selinux check\nagainst the overlayfs upper/work dirs.\n\nUnfortunately, even with a recent selinux-policy\n(e.g. 
selinux-policy-38.1.23) the kernel_t type doesn't have the right to\nrelabel files, nor the rights to manage device nodes so boot fails.","shortMessageHtmlLink":"WORKAROUND: Add ostree selinux module to workaround issues with relab…"}},{"before":"4f5026dec9200c171418c63645e48f76fca58cd1","after":"2976576b5ce0957253a058260937c13b95f3872e","ref":"refs/heads/transient-etc","pushedAt":"2023-10-06T09:02:59.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"WORKAROUND: Add ostree selinux module to workaround issues with relabeling permissions\n\nWhen using transient /etc, ostree-prepare-root will mount an overlayfs on /etc\nfrom the initrd. This overlay mount will have the context kernel_t, meaning\nthat not only will an external process need to pass its selinux checks against\nthe overlay file, the overlay filesystem itself needs to pass the selinux check\nagainst the overlayfs upper/work dirs.\n\nUnfortunately, even with a recent selinux-policy\n(e.g. selinux-policy-38.1.23) the kernel_t type doesn't have the right to\nrelabel files, nor the rights to manage device nodes so boot fails.","shortMessageHtmlLink":"WORKAROUND: Add ostree selinux module to workaround issues with relab…"}},{"before":"fb575ba34082deb12b5ff1907a44ed6b4f8afa29","after":"4f5026dec9200c171418c63645e48f76fca58cd1","ref":"refs/heads/transient-etc","pushedAt":"2023-10-05T14:51:02.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"selinux: Make kernel_t permissions more specific than unconfined.\n\nAn unconfined domain has all sorts of permissions, like executing\nfiles, doing state transitions, etc. 
Overlayfs will never do these\non behalf of a filesystem user, so it seems overly risky to allow it.\n\nInstead just give kernel_t permissions to do the kind of operations\nthat overlayfs does, on *all* types of files and dirs. This is a\nrather limited set. For example, the kernel never needs execute\npermissions on the /etc files, because a process executing a file in\n/etc is resolved against the overlayfs inode permissions, and not\nproxied via the filesystem implementation.\n\nAll we need is the ability to read/modify file content (for e.g.\ncopy-up) and the ability to read/modify metadata and filesystem\nstructure. You can easily see this by tracking where the overlayfs\nimplementation calls ovl_override_creds(), which is (mainly) these\nfunctions (with rather understandable names):\n\novl_copy_up_flags, ovl_create_or_link, ovl_do_remove, ovl_rename,\novl_open_realfile, ovl_llseek, ovl_read/write_iter,\novl_splice_read/write, ovl_fsync, ovl_mmap, ovl_fallocate,\novl_fadvise, ovl_copyfile, ovl_flush, ovl_get/setattr, ovl_permission,\novl_get_link, do_ovl_get_acl, ovl_set_or_remove_acl, ovl_fiemap,\novl_fileattr_get/set, ovl_lookup, ovl_iterate, ovl_xattr_get/set,\novl_listxattr\n\nSigned-off-by: Alexander Larsson ","shortMessageHtmlLink":"selinux: Make kernel_t permissions more specific than unconfined."}},{"before":"47cb0a51000aa49ffb317148218b26a65494b96c","after":"fb575ba34082deb12b5ff1907a44ed6b4f8afa29","ref":"refs/heads/transient-etc","pushedAt":"2023-10-02T15:35:34.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Support transient /etc\n\nIf the `prepare-root.conf` file contains:\n```\n[etc]\ntransient=yes\n```\n\nThen during prepare-root, an overlayfs is mounted as /etc, with the upper\ndir being in /run. 
If composefs is used, the lower dir is `usr/etc` from\nthe composefs image (which is relabeled to work as /etc), or it is the\ndeployed `$deploydir/usr/etc`.\n\nNote that for this to work with selinux, the commit must have been\nbuilt with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise\nthe lower will have the wrong selinux contexts for the final location.\n\nWe also set the transient-etc key in the ostree-booted file, pointing it\nto the upper directory that is used.\n\nThere are some additional complexities here:\n\n * Any system using selinux and using transient etc must enable the\n new ostree selinux module. Otherwise the overlayfs filesystem will\n not have enough permissions to access the expected files in etc.\n\n * Any /etc files created in the initramfs will not be labeled,\n because the selinux policy has not been loaded. In addition, the\n upper dir is on a tmpfs, and any manually set xattr-based selinux\n labels on those are reset during policy load. To work around\n this we hook into ostree-remount and relabel all files on /etc\n that are from the overlayfs upper dir.\n\n * During the initramfs, systemd mounts /run/machine-id on top\n of /etc/machine-id, and if this mount exists during boot, then\n systemd-machine-id-commit.service will remove it and update\n the real file with its content once etc is writable. This\n conflicts with the relabeling above as we will relabel the\n bind mount. 
To handle this we do the relabeling in a private\n mount namespace where the machine-id file has been unmounted.\n\n * ostree-remount no longer needs to remount /etc read-only in the\n transient-etc case.\n\nSigned-off-by: Alexander Larsson ","shortMessageHtmlLink":"Support transient /etc"}},{"before":"84632ca5ad9a8c21868b45fece5198e05208be1f","after":"47cb0a51000aa49ffb317148218b26a65494b96c","ref":"refs/heads/transient-etc","pushedAt":"2023-10-02T14:12:40.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"Support transient /etc\n\nIf the `prepare-root.conf` file contains:\n```\n[etc]\ntransient=yes\n```\n\nThen during prepare-root, an overlayfs is mounted as /etc, with the upper\ndir being in /run. If composefs is used, the lower dir is `usr/etc` from\nthe composefs image (which is relabeled to work as /etc), or it is the\ndeployed `$deploydir/etc`, which is relabeled during deploy.\n\nWe also set the transient-etc key in the ostree-booted file, pointing it\nto the upper directory that is used.\n\nThere are some additional complexities here:\n\n * Any system using selinux and using transient etc must enable the\n new ostree selinux module. Otherwise the overlayfs filesystem will\n not have enough permissions to access the expected files in etc.\n\n * Any /etc files created in the initramfs will not be labeled,\n because the selinux policy has not been loaded. In addition, the\n upper dir is on a tmpfs, and any manually set xattr-based selinux\n labels on those are reset during policy load. 
To work around\n this we hook into ostree-remount and relabel all files on /etc\n that are from the overlayfs upper dir.\n\n * During the initramfs, systemd mounts /run/machine-id on top\n of /etc/machine-id, and if this mount exists during boot, then\n systemd-machine-id-commit.service will remove it and update\n the real file with its content once etc is writable. This\n conflicts with the relabeling above as we will relabel the\n bind mount. To handle this we do the relabeling in a private\n mount namespace where the machine-id file has been unmounted.\n\n * ostree-remount no longer needs to remount /etc read-only in the\n transient-etc case.\n\nSigned-off-by: Alexander Larsson ","shortMessageHtmlLink":"Support transient /etc"}},{"before":"1841d0b1f604c2df27ff8b99b7d00669ef7061ee","after":"84632ca5ad9a8c21868b45fece5198e05208be1f","ref":"refs/heads/transient-etc","pushedAt":"2023-10-02T13:55:15.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"composefs: Inline small files\n\nSince we're changing composefs format anyway (due to the usr/etc relabel)\nmight as well import the change from mkcomposefs that inlines files up\nto 64 bytes.","shortMessageHtmlLink":"composefs: Inline small files"}},{"before":"a0d9b81c7134491dbe34284fdf5a8e05683089ed","after":"1841d0b1f604c2df27ff8b99b7d00669ef7061ee","ref":"refs/heads/transient-etc","pushedAt":"2023-10-02T13:35:27.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"composefs: Inline small files\n\nSince we're changing composefs format anyway (due to the usr/etc relabel)\nmight as well import the change from mkcomposefs that inlines files up\nto 64 
bytes.","shortMessageHtmlLink":"composefs: Inline small files"}},{"before":"e2dd2d2eba9ea890f5143e47ddbebc4280632e1b","after":"a0d9b81c7134491dbe34284fdf5a8e05683089ed","ref":"refs/heads/transient-etc","pushedAt":"2023-10-02T13:32:36.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"composefs: Inline small files\n\nSince we're changing composefs format anyway (due to the usr/etc relabel)\nmight as well import the change from mkcomposefs that inlines files up\nto 64 bytes.","shortMessageHtmlLink":"composefs: Inline small files"}},{"before":null,"after":"e2dd2d2eba9ea890f5143e47ddbebc4280632e1b","ref":"refs/heads/transient-etc","pushedAt":"2023-10-02T13:22:55.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"composefs: Inline small files\n\nSince we're changing composefs format anyway (due to the usr/etc relabel)\nmight as well import the change from mkcomposefs that inlines files up\nto 64 bytes.","shortMessageHtmlLink":"composefs: Inline small files"}},{"before":"8589f687e933e2f1613baa76282a3a54b3eed3ae","after":"0a79b3b1e298117d5d951e171caa569b041ec627","ref":"refs/heads/prepare-root-no-raw-key","pushedAt":"2023-08-16T09:00:48.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"prepare-root: Only support base64 formatted public key files\n\nI've updated the automotive samples to not use the raw format, so\nthere is no use anymore to support both formats, as base64 is strictly\nbetter.","shortMessageHtmlLink":"prepare-root: Only support 
base64 formatted public key files"}},{"before":"9d45ef569b6f18a10926685699f8bc643c6f1e89","after":"8589f687e933e2f1613baa76282a3a54b3eed3ae","ref":"refs/heads/prepare-root-no-raw-key","pushedAt":"2023-08-16T09:00:05.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"alexlarsson","name":"Alexander Larsson","path":"/alexlarsson","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/990736?s=80&v=4"},"commit":{"message":"prepare-root: Only support base64 formatted public key files\n\nI've updated the automotive samples to not use the raw format, so\nthere is no use anymore to support both formats, as base64 is strictly\nbetter.","shortMessageHtmlLink":"prepare-root: Only support base64 formatted public key files"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAESrhZ8AA","startCursor":null,"endCursor":null}},"title":"Activity · alexlarsson/ostree"}
