Add support for wrapping binaries (rpm) #1789
Merged
Commits on Apr 15, 2020
-
Add support for wrapping binaries (rpm, dracut, grubby)
We need to be friendlier to people who are transitioning from "traditional" yum managed systems. This patchset starts to lay out the groundwork for supporting "intercepting" binaries that are in the tree. For backwards compatibility, this feature is disabled by default, to enable it, one can add `cliwrap: true` to the manifest. To start with for example, we wrap `/usr/bin/rpm` and cause it to drop privileges. This way it can't corrupt anything; we're not just relying on the read-only bind mount. For example nothing will accidentally get written to `/var/lib/rpm`. Now a tricky thing with this one is we *do* want it to write if we're in an unlocked state. There are various other examples of binaries we want to intercept, among them: - `grubby` -> `rpm-ostree kargs` - `dracut` -> `rpm-ostree initramfs` - `yum` -> well...we'll talk about that later
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.