From 32fd7a04994b132a514d9914464f6617c6dd0599 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Tue, 7 May 2024 10:43:36 -0400
Subject: [PATCH 1/2] ci/test-container: move URL definitions to the top

Prep for next patch.
---
ci/test-container.sh | 53 ++++++++++++++++++++++----------------------
1 file changed, 27 insertions(+), 26 deletions(-)
diff --git a/ci/test-container.sh b/ci/test-container.sh
index f51cbef757..f5a0d7cdce 100755
--- a/ci/test-container.sh
+++ b/ci/test-container.sh
@@ -6,6 +6,30 @@ fatal() {
 exit 1
 }
+versionid=$(. /usr/lib/os-release && echo $VERSION_ID)
+
+# Test overrides
+case $versionid in
+ 40)
+ ignition_url_suffix=2.16.2/2.fc39/x86_64/ignition-2.16.2-2.fc39.x86_64.rpm
+ # 2.15.0-3
+ koji_ignition_url="https://koji.fedoraproject.org/koji/buildinfo?buildID=2158585"
+ koji_kernel_url="https://koji.fedoraproject.org/koji/buildinfo?buildID=2435097"
+ kver=6.8.5
+ krev=300
+ ;;
+ 39)
+ ignition_url_suffix=2.16.2/1.fc39/x86_64/ignition-2.16.2-1.fc39.x86_64.rpm
+ # 2.15.0-3
+ koji_ignition_url="https://koji.fedoraproject.org/koji/buildinfo?buildID=2158585"
+ koji_kernel_url="https://koji.fedoraproject.org/koji/buildinfo?buildID=2294111"
+ kver=6.5.5
+ krev=300
+ ;;
+ *) fatal "Unsupported Fedora version: $versionid";;
+esac
+IGNITION_URL=https://kojipkgs.fedoraproject.org//packages/ignition/$ignition_url_suffix
+
 repodir=/usr/lib/coreos-assembler/tests/kola/rpm-ostree/destructive/data/rpm-repos/
 cat >/etc/yum.repos.d/libtest.repo <
Date: Tue, 7 May 2024 10:05:03 -0400
Subject: [PATCH 2/2] core: also wrap `kernel-install` for scriptlets

It's confusing right now how specifically for the kernel, one has to use this obscure `rpm-ostree cliwrap install-to-root /` command to make it work. Let's just always enable it: in the client-side layering case, we don't run kernel scriptlets anyway so the wrapper is unused, and in the container case, this will allow users to not have to enable cliwrap and have it leak into their derived image. I guess in theory, this should also allow us to *stop* ignoring kernel scriptlets and rely on this instead, though let's leave that for a separate investigation.
Closes: #4949
---
ci/test-container.sh | 9 +++++----
rust/src/core.rs | 18 +++++++++++++++++-
src/libpriv/kernel-install-wrapper.sh | 9 +++++++++
3 files changed, 31 insertions(+), 5 deletions(-)
create mode 100644 src/libpriv/kernel-install-wrapper.sh
diff --git a/ci/test-container.sh b/ci/test-container.sh
index f5a0d7cdce..062bfc248d 100755
--- a/ci/test-container.sh
+++ b/ci/test-container.sh
@@ -66,6 +66,11 @@ fi
 rm "${origindir}/clienterror.yaml"
 rpm-ostree ex rebuild
+# test kernel installs *before* enabling cliwrap
+rpm-ostree override replace $koji_kernel_url
+# test that the new initramfs was generated
+test -f /usr/lib/modules/${kver}-${krev}.fc${versionid}.x86_64/initramfs.img
+
 rpm-ostree cliwrap install-to-root /
 # Test a critical path package
@@ -119,10 +124,6 @@ rpm -q strace
 rpm -q afterburn | grep g
 rpm -q afterburn-dracut | grep g
-rpm-ostree override replace $koji_kernel_url
-# test that the new initramfs was generated
-test -f /usr/lib/modules/${kver}-${krev}.fc${versionid}.x86_64/initramfs.img
-
 # test --enablerepo --disablerepo --releasever
 rpm-ostree --releasever=38 --disablerepo="*" \
 --enablerepo=fedora install tmux
diff --git a/rust/src/core.rs b/rust/src/core.rs
index 11c2d9822a..02255a8481 100644
--- a/rust/src/core.rs
+++ b/rust/src/core.rs
@@ -44,6 +44,8 @@ const USERADD_PATH: &str = "usr/sbin/useradd";
 const USERADD_WRAPPER: &[u8] = include_bytes!("../../src/libpriv/useradd-wrapper.sh");
 const USERMOD_PATH: &str = "usr/sbin/usermod";
 const USERMOD_WRAPPER: &[u8] = include_bytes!("../../src/libpriv/usermod-wrapper.sh");
+const KERNEL_INSTALL_PATH: &str = "usr/bin/kernel-install";
+const KERNEL_INSTALL_WRAPPER: &[u8] = include_bytes!("../../src/libpriv/kernel-install-wrapper.sh");
 const RPMOSTREE_CORE_STAGED_RPMS_DIR: &str = "rpm-ostree/staged-rpms";
@@ -148,6 +150,7 @@ impl FilesystemScriptPrep {
 (SYSTEMCTL_PATH, SYSTEMCTL_WRAPPER),
 (USERADD_PATH, USERADD_WRAPPER),
 (USERMOD_PATH, USERMOD_WRAPPER),
+ (KERNEL_INSTALL_PATH, KERNEL_INSTALL_WRAPPER),
 ];
 fn saved_name(name: &str) -> String {
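Review bot: In the block added to ci/test-container.sh at `@@ -66`, `$koji_kernel_url` is expanded unquoted although the value assigned to it in the previous patch contains a `?`, so the word goes through pathname expansion and stays intact only because no file happens to match. Quoting both new expansions removes that dependency: `rpm-ostree override replace "$koji_kernel_url"` and `test -f "/usr/lib/modules/${kver}-${krev}.fc${versionid}.x86_64/initramfs.img"`. Separately, moving the kernel replacement ahead of `rpm-ostree cliwrap install-to-root /` means that, as far as the visible hunks show, this script no longer exercises a kernel replacement with cliwrap enabled.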
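Review bot: The new `KERNEL_INSTALL_PATH` / `KERNEL_INSTALL_WRAPPER` pair at `@@ -44` and its entry in the replacement list at `@@ -148` carry no comment, so the reason kernel-install is wrapped is recorded only in the shell wrapper and the commit message. A line above the constants would keep that reason next to the list that enforces it, for example `// Redirects kernel-install to rpm-ostree's cliwrap during scriptlets; see kernel-install-wrapper.sh`. The list sits inside `impl FilesystemScriptPrep`, which starts and ends outside the hunk, so how a target root without `usr/bin/kernel-install` is handled cannot be checked from here.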
@@ -441,7 +444,7 @@ mod test {
 // Replaced usermod.
 {
 let original_usermod = "original usermod";
- d.atomic_write_with_perms(super::USERMOD_PATH, original_usermod, mode)?;
+ d.atomic_write_with_perms(super::USERMOD_PATH, original_usermod, mode.clone())?;
 let contents = d.read_to_string(super::USERMOD_PATH)?;
 assert_eq!(contents, original_usermod);
 let mut g = super::prepare_filesystem_script_prep(d.as_raw_fd())?;
@@ -451,6 +454,19 @@ mod test {
 let contents = d.read_to_string(super::USERMOD_PATH)?;
 assert_eq!(contents, original_usermod);
 }
+ // Replaced kernel-install.
+ {
+ let original_kernel_install = "original kernel_install";
+ d.atomic_write_with_perms(super::KERNEL_INSTALL_PATH, original_kernel_install, mode)?;
+ let contents = d.read_to_string(super::KERNEL_INSTALL_PATH)?;
+ assert_eq!(contents, original_kernel_install);
+ let mut g = super::prepare_filesystem_script_prep(d.as_raw_fd())?;
+ let contents = d.read_to_string(super::KERNEL_INSTALL_PATH)?;
+ assert_eq!(contents.as_bytes(), super::KERNEL_INSTALL_WRAPPER);
+ g.undo()?;
+ let contents = d.read_to_string(super::KERNEL_INSTALL_PATH)?;
+ assert_eq!(contents, original_kernel_install);
+ }
 Ok(())
 }
diff --git a/src/libpriv/kernel-install-wrapper.sh b/src/libpriv/kernel-install-wrapper.sh
new file mode 100644
index 0000000000..4cfb605b2b
--- /dev/null
+++ b/src/libpriv/kernel-install-wrapper.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+# Used in the container layering path to make kernel replacements Just Work
+# without having to enable cliwrap first. If cliwrap is enabled, then this will
+# technically override the cliwrap wrapper, but the script is exactly the same.
+# This wrapper is technically also installed when doing client-side layering,
+# but we already ignore kernel scriptlets there anyway.
+# See also https://github.com/coreos/rpm-ostree/issues/4949
+
+exec /usr/bin/rpm-ostree cliwrap kernel-install "$@"
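Review bot: The kernel-install block added at `@@ -451` repeats the usermod block statement for statement, and the `mode.clone()` change at `@@ -441` exists only so that `mode` can be moved again in the copy. Driving both cases from one loop over `(path, wrapper, original)` tuples would stop the test growing by a block and a `.clone()` for every new wrapper. Three lines of the usermod block fall between the two hunks and are not visible, so the sketch below assumes they mirror the new block. The enclosing test function starts outside the hunk.

```rust
// Replaced usermod and kernel-install.
for (path, wrapper, original) in [
    (super::USERMOD_PATH, super::USERMOD_WRAPPER, "original usermod"),
    (
        super::KERNEL_INSTALL_PATH,
        super::KERNEL_INSTALL_WRAPPER,
        "original kernel_install",
    ),
] {
    d.atomic_write_with_perms(path, original, mode.clone())?;
    assert_eq!(d.read_to_string(path)?, original);
    let mut g = super::prepare_filesystem_script_prep(d.as_raw_fd())?;
    assert_eq!(d.read_to_string(path)?.as_bytes(), wrapper);
    g.undo()?;
    assert_eq!(d.read_to_string(path)?, original);
}
// … unchanged: Ok(()) and end of the test function …
```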
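Review bot: The wrapper in src/libpriv/kernel-install-wrapper.sh execs the fixed path `/usr/bin/rpm-ostree`, so it only works when that binary exists inside the root where the scriptlet runs. The header comment covers container layering and client-side layering but no other caller of the script preparation. Because the core.rs change adds the wrapper to the replacement list unconditionally, a scriptlet that calls kernel-install in a root without rpm-ostree would presumably fail at the `exec` instead of reaching the saved original. A line such as `# Assumes /usr/bin/rpm-ostree exists in the target root.` would record that assumption. The claim that the script is exactly the same as the cliwrap wrapper can also drift silently, since nothing visible in the patch checks it.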