New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
attempt to re-pull missing signatures from a remote #630
Comments
This is going to be messy to fix. I think my vote here is to plow forward instead on doing the reworked content model in f25. |
so, i have been able to hit this in other cases as well. I know it shouldn't happen but if somehow a commit gets into the repo without being signed and a client tries to pull it, it will get into this state. I know it shouldn't happen where a commit gets in unsigned, but I'm experiencing this right now with f25 as I'm finding commits that get in without getting signed and working with patrick to understand why. Either way it would be good for the client systems to be able to overcome temporary server side issues without us having to tell them how to "work around" the issue every time it happens. Also, with this technology we won't always be the one hosting the ostree repo and it will be much more straightforward if the client user tells an admin |
This issue was originally about fixing upgrades for the ISO path for new installs. You're now talking about making it work better when transitioning existing installations. That's fine, and we probably should do that. But there are a number of things that need to be unwound to do that properly - the main one is that we need to figure out whether we even can upgrade the remote config automatically. Right now it isn't part of the tree (or a package) formally. |
yes. sorry for the pivot. the original description of the issue was the only way I could reliably recreate the problem, but I had seen the issue in the past manifest itself from time to time when we were initially starting to sign trees. I just saw it again last night when trying to do
I'm not actually proposing that we start managing the "remote config" as part of the upgrade. While this might allow us for interesting abilities in the future (i.e. rebasing to a different remote ostree repo (25->26)), it wasn't what I was suggesting. I don't know how valid this is, but I was just suggesting that if we encounter a "local commit" that is missing signed commit metadata, then try to query the remote to see if it exists there. If not, then error. Another thing we could probably do is if the commitmeta does exist and is invalid then try to refetch it (in case there was some kind of corruption during download or fs corruption later), but that is really just a nice-to-have. WDYT? |
Yeah, it might not be hard to make the upgrader not error out if it's missing signatures for the current commit. |
I'd prefer not to limit it to the "current commit". What about having it "retry" the pull of the commitmeta for any local commit that is missing the commitmeta? |
We actually do that today in pull, so I am thinking the bug is elsewhere. Regardless I think we can make it work to turn on GPG for existing installs that might be missing signed commits. |
really? that is interesting. I think I've noticed this when running "upgrades" and/or "deploys". |
I just hit the same issue (pulled once when there wasn't a commitmeta file, then commitmeta was put in place, but rpm-ostree still said there was no signature found). |
This is likely an ostree bug - I bet what's happening is we're detecting nothing changed, and aborting the transaction. |
If somehow a repo has gpg verification on but doesn't have signatures present for the existing commit, ostree would error out if it needs to scan the commit object (e.g. if there are no updates available). An instance of this is currently happening in Fedora AH, in which signatures are not shipped in the ISO due to filesystem restrictions. Another possible scenario is if a content provider switches from not signing commits to signing them; even if older commits are retroactively signed, clients' local commit objects would error out if they needed scanning. This patch adds a check to ensure that we always attempt to fetch the detached metadata and wait for its result (whether it exists or not) before moving on to scan their corresponding commit objects. See also: coreos/rpm-ostree#630
If somehow a repo has gpg verification on but doesn't have signatures present for the existing commit, ostree would error out if it needs to scan the commit object (e.g. if there are no updates available). An instance of this is currently happening in Fedora AH, in which signatures are not shipped in the ISO due to filesystem restrictions. Another possible scenario is if a content provider switches from not signing commits to signing them; even if older commits are retroactively signed, clients' local commit objects would error out if they needed scanning. This patch adds a check to ensure that we always attempt to fetch the detached metadata and wait for its result (whether it exists or not) before moving on to scan their corresponding commit objects. See also: coreos/rpm-ostree#630 Closes: #873 Approved by: cgwalters
This should be fixed by ostreedev/ostree#873. |
If I have an rpm-ostree system that is initially not using gpg verification and I later convert it to use them I can get into a weird situation. In Fedora 25 right now we aren't including gpg signatures in the ISO image we create. When I install from the ISO I have gpg verification turned off. I then later enable gpg verification but the system fails to even "get off the ground" for an
rpm-ostree upgrade
because there is no signature on the system for the current commit that is deployed.A snippet of the kickstart file I used is below:
After boot, I then configured the remote to do gpg verification:
Then I tried to do an upgrade (Note, no upgrade is available at this time):
However if I manually pull down the signed file I can then upgrade fine:
The text was updated successfully, but these errors were encountered: