Add support for composefs

This pairs with ostreedev/ostree#2640 It's all off by default (to state the obvious). But one can do e.g.: ``` $ cat >> src/config/image.yaml << EOF rootfs: ext4verity composefs: true EOF ``` And then you'll also want to do ``` $ mkdir -p secrets $ openssl req -newkey rsa:4096 -nodes -keyout secrets/root-composefs-key.pem -x509 -out secrets/root-composefs-cert.pem ``` Then with the ostree with support, we'll at least build things.
coreos · May 24, 2023 · 710cc0a · 710cc0a
1 parent e34aea5
commit 710cc0a
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 0 deletions.
diff --git a/src/cmd-build b/src/cmd-build
@@ -326,6 +326,22 @@ fi
 if [ ! -f "${workdir}"/builds/builds.json ] && [ ! -f "${fetch_stamp}" ] ; then
     fatal "Must fetch before building"
 fi
+composefs="$(jq .composefs < "${image_json}")"
+if test "${composefs}" = true; then
+    # Generate with e.g.
+    # openssl req -newkey rsa:4096 -nodes -keyout secrets/root-composefs-key.pem -x509 -out secrets/root-composefs-cert.pem
+    composefs_cert="${workdir}/secrets/root-composefs-cert.pem"
+    composefs_key="${workdir}/secrets/root-composefs-key.pem"
+    if test '!' -f "${composefs_cert}"; then
+        fatal "composefs enabled, but missing ${composefs_cert}"
+    fi
+    if test '!' -f "${composefs_key}"; then
+        fatal "composefs enabled, but missing ${composefs_key}"
+    fi
+    ostree config --repo="${tmprepo}" set ex-integrity.composefs-certfile "${composefs_cert}"
+    ostree config --repo="${tmprepo}" set ex-integrity.composefs-keyfile "${composefs_key}"
+fi
+
 # --cache-only is here since `fetch` is a separate verb
 # shellcheck disable=SC2086
 if test -n "${previous_commit}"; then

diff --git a/src/cmd-init b/src/cmd-init
@@ -201,6 +201,8 @@ fi
 
 mkdir -p cache
 mkdir -p builds
+# This directory may hold e.g. private key material
+mkdir -p secrets
 mkdir -p tmp
 mkdir -p overrides/rpm
 mkdir -p overrides/rootfs

diff --git a/src/create_disk.sh b/src/create_disk.sh
@@ -118,6 +118,7 @@ esac
 rootfs_args=$(getconfig_def "rootfs-args" "")
 
 bootfs=$(getconfig "bootfs")
+composefs=$(jq .composefs < "${config}")
 grub_script=$(getconfig "grub-script")
 ostree_container=$(getconfig "ostree-container")
 commit=$(getconfig "ostree-commit")
@@ -310,6 +311,9 @@ ostree config --repo $rootfs/ostree/repo set sysroot.bootloader none
 # Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA
 # https://github.com/ostreedev/ostree/issues/1265
 ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
+if test "${composefs}" = true; then
+    ostree config --repo $rootfs/ostree/repo set ex-integrity.composefs true
+fi
 # Initialize the "stateroot"
 ostree admin os-init "$os_name" --sysroot $rootfs
 

diff --git a/src/image-default.yaml b/src/image-default.yaml
@@ -4,6 +4,8 @@ bootfs: "ext4"
 rootfs: "xfs"
 # Add arguments here that will be passed to e.g. mkfs.xfs
 rootfs-args: ""
+# Set to true to use composefs; see e.g. https://github.com/ostreedev/ostree/pull/2640
+composefs: false
 
 # Additional default kernel arguments injected into disk images
 extra-kargs: []