Implement lua #749
Comments
I honestly didn't really dive into this, but it looks like this is yet another "hack upgrades in the yum case", which we should be able to ignore since we always do reassembly. I at least tested `java -version` works with this. This is a band-aid for the bigger issue of: coreos#749 (Doing this one since an AtomicWS user reported it)
I honestly didn't really dive into this, but it looks like this is yet another "hack upgrades in the yum case", which we should be able to ignore since we always do reassembly. I at least tested `java -version` works with this. This is a band-aid for the bigger issue of: #749 (Doing this one since an AtomicWS user reported it) Closes: #750 Approved by: jlebon
|
Changing this to just Lua, since #763 |
This is compatible with rpm-ostree, which implements offline and transactional updates by creating a new root, sandboxing each RPM script in a bwrap container: coreos/rpm-ostree#749 Further, the "test for a directory and run a binary" pattern is significantly shorter and more obvious in shell script. Discussion in: systemd#8090 (comment) One counter was that this causes systemd to depend on `/bin/sh`, but that's true today in Fedora at least, and I'd be extremely surprised if there were a distribution where that wasn't the case. Down the line RPM could probably learn to omit `Requires` for `%transfiletrigger` on `/bin/sh`. Downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1559141
It does not obviate all the point of using Lua. The only reason this is a problem for you is because you refuse to implement the rpmlua interpreter and you use nearly zero of librpm's facilities to actually handle scriptlets. While most of what rpm-ostree is doing is good, I vehemently disagree that you should be forcing people to rely on shell when they want to use Lua for scriptlets. |
I wouldn't say "refuse"...I'm not opposed to doing it. One thing that holds this type of thing back a bit is rpm-ostree needs to work on RHEL7 today, so it's hard to require new changes to librpm.
True. The way I see this is rpm-ostree makes some fundamental changes to the rpm stack; there are a lot of improvements, but also risky/invasive. Perhaps down the line we could try to add the "run scripts via bwrap" logic to librpm at some point, but note it's fairly intertwined with the higher level rpm-ostree model. For example, how we make |
This is compatible with rpm-ostree, which implements offline and transactional updates by creating a new root, sandboxing each RPM script in a bwrap container: coreos/rpm-ostree#749 Further, the "test for a directory and run a binary" pattern is significantly shorter and more obvious in shell script. Discussion in: systemd#8090 (comment) One counter was that this causes systemd to depend on `/bin/sh`, but that's true today in Fedora at least, and I'd be extremely surprised if there were a distribution where that wasn't the case. Down the line RPM could probably learn to omit `Requires` for `%transfiletrigger` on `/bin/sh`. Downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1559141
This is compatible with rpm-ostree, which implements offline and transactional updates by creating a new root, sandboxing each RPM script in a bwrap container: coreos/rpm-ostree#749 Further, the "test for a directory and run a binary" pattern is significantly shorter and more obvious in shell script. Discussion in: systemd#8090 (comment) One counter was that this causes systemd to depend on `/bin/sh`, but that's true today in Fedora at least, and I'd be extremely surprised if there were a distribution where that wasn't the case. Down the line RPM could probably learn to omit `Requires` for `%transfiletrigger` on `/bin/sh`. Downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1559141
|
One thing we could do fairly easily is support embedding a shell implementation in Lua comments, for projects like glibc that may want to do both, something like this: |
This misses the point of I'd actually like to have rpm run -p in a newly forked process to protect the main rpm from side-effects, but there are compatibility etc concerns with that. The original main point of |
Would be great if rpm had that. Are there any plans to work through the compat issues there and support this? |
See: http://lists.rpm.org/pipermail/rpm-ecosystem/2016-August/000396.html If there's nothing to exec, there's also no reason to have a Now, it's true today that the Fedora Anyways per that thread I think what we really want is something like
And agree this would be great! We could probably spare a bit of bandwidth to help with design/testing if a librpm developer was able to start the ball rolling. |
Lua isn't used just for |
Fair; though...why the heck does Anyways, that also came up in the above-linked thread; today rpm-ostree unpacks all packages before running any scripts which solves that problem. And as I said in the thread, there's really no reason for "installing" bash to involve anything more than unpacking the files to get basic execution. Is there a specific motivation for the increased activity in this ticket? "We want to use the lua systemd macros"? |
Likely because I linked to it from https://bugzilla.redhat.com/show_bug.cgi?id=1780827#c30 (see also coreos/fedora-coreos-tracker#459). |
|
Please just fix RPM-OSTree to handle Lua scriptlets properly. Being artificially restricted to shell is a terrible situation to be in... |
As is being discussed above, doing so requires new librpm API. |
|
I guess one thing we could do is synthesize an RPM containing just the target script to run and install it running something like |
The latest crypto-policies package changed recently to dynamically set the policy at install time so that if FIPS is enabled, the selected backend is `FIPS`: https://src.fedoraproject.org/rpms/crypto-policies/c/9b9c9f7378c3fd375b9a08d5283c530a51a5de34?branch=master This doesn't really make sense for us though since the compose server configuration should be decoupled from the installroot. (More generally, this also affects e.g. `yum install --installroot`). Override the script so that we always select the `DEFAULT` policy. This also works around the fact that rpm-ostree doesn't yet implement Lua (coreos#749). Related: https://bugzilla.redhat.com/show_bug.cgi?id=1847454 Resolves: coreos/fedora-coreos-tracker#540
The latest crypto-policies package changed recently to dynamically set the policy at install time so that if FIPS is enabled, the selected backend is `FIPS`: https://src.fedoraproject.org/rpms/crypto-policies/c/9b9c9f7378c3fd375b9a08d5283c530a51a5de34?branch=master This doesn't really make sense for us though since the compose server configuration should be decoupled from the installroot. (More generally, this also affects e.g. `yum install --installroot`). Override the script so that we always select the `DEFAULT` policy. This also works around the fact that rpm-ostree doesn't yet implement Lua (coreos#749). Related: https://bugzilla.redhat.com/show_bug.cgi?id=1847454 Resolves: coreos/fedora-coreos-tracker#540
The latest crypto-policies package changed recently to dynamically set the policy at install time so that if FIPS is enabled, the selected backend is `FIPS`: https://src.fedoraproject.org/rpms/crypto-policies/c/9b9c9f7378c3fd375b9a08d5283c530a51a5de34?branch=master This doesn't really make sense for us though since the compose server configuration should be decoupled from the installroot. (More generally, this also affects e.g. `yum install --installroot`). Override the script for now so that we always select the `DEFAULT` policy. We'll discuss with upstream to see what the right solution is there. This also works around the fact that rpm-ostree doesn't yet implement Lua (coreos#749). Related: https://bugzilla.redhat.com/show_bug.cgi?id=1847454 Resolves: coreos/fedora-coreos-tracker#540
The latest crypto-policies package changed recently to dynamically set the policy at install time so that if FIPS is enabled, the selected backend is `FIPS`: https://src.fedoraproject.org/rpms/crypto-policies/c/9b9c9f7378c3fd375b9a08d5283c530a51a5de34?branch=master This doesn't really make sense for us though since the compose server configuration should be decoupled from the installroot. (More generally, this also affects e.g. `yum install --installroot`). Override the script for now so that we always select the `DEFAULT` policy. We'll discuss with upstream to see what the right solution is there. This also works around the fact that rpm-ostree doesn't yet implement Lua (#749). Related: https://bugzilla.redhat.com/show_bug.cgi?id=1847454 Resolves: coreos/fedora-coreos-tracker#540
OK, I split this out into rpm-software-management/rpm#1273. Let's discuss there how feasible this is before we resort to something a bit more drastic on the rpm-ostree side? |
|
Seems related to fedora-silverblue/issue-tracker#210 is there a workaround? or a way to pinpoint the dependency leading to this? |
|
Edit: Apparently it's not enough as we will be missing the execution context. |
|
This now breaks Fedora 36 builds due to the filesystem package using lua in posttrans. Does anyone know some workaround? Like, can we tell |
Today rpm-ostree doesn't implement
-p <lua>. We currently today carry overrides for a few packages in Fedora. The reason we don't implement Lua is it directly conflicts with our per-script sandboxing (using bwrap). We theoretically could run Lua in a new process, but doing so basically obviates all of the point of using Lua in the first place. It might as well be shell script.A major challenge in doing even the new process model is that the
posixAPI that a lot of scripts use is actually implemented inside the guts of librpm. We'd have to implement something likerpm --lua-evalwhere we pass the script on stdin or so.For more background, see this thread on rpm-ecosystem around lua and
%pretrans.And this thread: http://lists.rpm.org/pipermail/rpm-ecosystem/2017-May/000477.html
The text was updated successfully, but these errors were encountered: