treefile: Add option to label /usr/etc as /etc#4640
Conversation
|
Skipping CI for Draft Pull Request. |
|
Running the coreos kola tests against this, because we need to make client side layering also auto-inherit this behavior if present in the base image. |
jlebon
left a comment
There was a problem hiding this comment.
Not strictly required, but would be good to add a substitution rule for it too so that SELinux userspace tooling is aware of this too. (Could probably just add it as part of postprocess_subs_dist().)
docs/treefile.md
Outdated
| to the UNIX epoch time to be used as the build timestamp. Currently only | ||
| fully supports the `bdb` backend. Somewhat experimental. | ||
|
|
||
| * `label-usretc-as-etc`: boolean, optional: If enabled, this sets the SELinux label for |
There was a problem hiding this comment.
I wonder if we even need a new knob for this. Should be safe to always do this, right? Since we basically own /usr/etc anyway.
There was a problem hiding this comment.
Yes, I'm being conservative here by making it opt in (both here and on the ostree side).
Dunno. I guess we could try to actually do it by default ostree side, and add an option to disable it in case we regress things somehow.
There was a problem hiding this comment.
This is a nontrivial change though, and so far we've been really conservative with options that should be on by default but aren't (sysroot.readonly is a good example) to ensure that updating ostree doesn't break anything.
There was a problem hiding this comment.
Yeah, I'm less sure about making it default in libostree. I think it makes sense to make it opt in there. For rpm-ostree, it seems safer to do but cool of course to be conservative there.
There was a problem hiding this comment.
I think making it opt-in in ostree. but always enable in rpm-ostree (possibly with an opt-out) is the right approach.
There was a problem hiding this comment.
It's painful every time we add an opt-in for sure because we end up having to update so many different manifest/treefiles (coreos vs edge vs atomic desktop etc etc.)
However I still just feel we need to be conservative because this can easily have non-obvious effects.
Even on-by-default with a knob to turn it off gets tricky because then the build system requires a new rpm-ostree (old ones will barf on the unexpected field).
There was a problem hiding this comment.
Not only that, we need a new version of osbuild, and any other tools that call out to rpm-ostree to compose a commit.
|
So, all the base stuff in ostree has landed, maybe time to un-draft this? |
|
Well, we have the annoying thing that we have to wait through the new ostree to go all the way through the fedora 7 days bodhi update right now. I just did coreos/fedora-coreos-config#2684 |
5dfdf32 to
a70e776
Compare
|
Ah right, the ostree update hasn't made it out to c9s prod. Let's split out that hack to #4672 Man, it's times like this that really makes one feel actively punished for splitting things out into multiple components... (Or of course, using Nix where we aren't playing "rpmfind" but are just referencing source code that gets built if not present in the build cache...) |
Prep for new release.
a70e776 to
b49dbb1
Compare
|
|
||
| osid="$(. /etc/os-release && echo $ID)" | ||
| if [ "${osid}" == centos ]; then | ||
| dnf -y update https://kojihub.stream.centos.org/kojifiles/packages/ostree/2023.7/2.el9/$(arch)/ostree-{,libs-,devel-}2023.7-2.el9.$(arch).rpm |
Check warning
Code scanning / shellcheck
Quote this to prevent word splitting.
|
|
||
| osid="$(. /etc/os-release && echo $ID)" | ||
| if [ "${osid}" == centos ]; then | ||
| dnf -y update https://kojihub.stream.centos.org/kojifiles/packages/ostree/2023.7/2.el9/$(arch)/ostree-{,libs-,devel-}2023.7-2.el9.$(arch).rpm |
Check warning
Code scanning / shellcheck
Quote this to prevent word splitting.
jlebon
left a comment
There was a problem hiding this comment.
LGTM overall. Thoughts on #4640 (review) ?
Depends on ostreedev/ostree#3063 This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
b49dbb1 to
5083302
Compare
Hmmm. I think what's a bit weird about that is logically nothing else should put things in That said I had completely forgotten that |
One concrete example is doing
The history there is messy, but I think we do still need it. IIRC this is related to the |
This avoids the unnecessary `b` for bytestrings and literal `\n` newlines.
This ensures file labeling equivalency outside of ostree too.
This is a feature that was added in rpm-ostree 2023.10 and is needed for the new transient /etc feature to work. What it does is change the labeling of /usr/etc to match those of /etc, so that /usr/etc can be used directly as a bind-mount or an overlay mount when mounted on /etc. See coreos/rpm-ostree#4640 for details.
This is a feature that was added in rpm-ostree 2023.10 and is needed for the new transient /etc feature to work. What it does is change the labeling of /usr/etc to match those of /etc, so that /usr/etc can be used directly as a bind-mount or an overlay mount when mounted on /etc. See coreos/rpm-ostree#4640 for details.
|
It turns out this isn't quite complete. There is a pre-existing alias already: Which means that /etc/systemd/system is special: However, the aliases are not recursively applied, so this rule doesn't apply to /usr/etc/systemd/system: To fix this we need to also add: |
The previous fix for /usr/etc (coreos#4640) was only partial. We also need to make sure /usr/etc/systemd/systemd is aliased, because aliases are not applied recursively, so the original alias for /etc/systemd/system is not applied.
The previous fix for /usr/etc (coreos#4640) was only partial. We also need to make sure /usr/etc/systemd/systemd is aliased, because aliases are not applied recursively, so the original alias for /etc/systemd/system is not applied.
The previous fix for /usr/etc (coreos#4640) was only partial. We also need to make sure /usr/etc/systemd/systemd is aliased, because aliases are not applied recursively, so the original alias for /etc/systemd/system is not applied. Also, since fedora-selinux/selinux-policy@56a0bacb this file already contains an alias for /usr/etc, so avoid duplicating it. Rather than hardcoding /usr/etc/systemd/system, we scan for all aliases in /etc, and duplicate them in /usr. Note: Order is important, the /usr/etc/.. subdir aliases must come after the main /usr/etc alias.
Depends on ostreedev/ostree#3063
This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.