Add support for composefs

This pairs with ostreedev/ostree#2640 It's all off by default (to state the obvious). But one can do e.g.: ``` $ cat >> src/config/image.yaml << EOF rootfs: ext4verity composefs: true EOF ``` And then you'll also want to do ``` $ mkdir -p secrets $ openssl req -newkey rsa:4096 -nodes -keyout secrets/root-composefs-key.pem -x509 -out secrets/root-composefs-cert.pem ``` Then with the ostree with support, we'll at least build things.
coreos · May 19, 2023 · d46ce9e · d46ce9e
1 parent e34aea5
commit d46ce9e
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 0 deletions.
diff --git a/src/cmd-build b/src/cmd-build
@@ -326,6 +326,22 @@ fi
 if [ ! -f "${workdir}"/builds/builds.json ] && [ ! -f "${fetch_stamp}" ] ; then
     fatal "Must fetch before building"
 fi
+composefs="$(jq .composefs < "${image_json}")"
+if test -n "${composefs}"; then
+    # Generate with e.g.
+    # openssl req -newkey rsa:4096 -nodes -keyout secrets/root-composefs-key.pem -x509 -out secrets/root-composefs-cert.pem
+    composefs_cert=${workdir}/secrets/root-composefs-cert.pem
+    composefs_key=${workdir}/secrets/root-composefs-key.pem
+    if test '!' -f "${composefs_cert}"; then
+        fatal "composefs enabled, but missing ${composefs_cert}"
+    fi
+    if test '!' -f "${composefs_key}"; then
+        fatal "composefs enabled, but missing ${composefs_key}"
+    fi
+    ostree config --repo="${tmprepo}" set ex-composefs.certfile ${composefs_cert}
+    ostree config --repo="${tmprepo}" set ex-composefs.keyfile ${composefs_key}
+fi
+
 # --cache-only is here since `fetch` is a separate verb
 # shellcheck disable=SC2086
 if test -n "${previous_commit}"; then

diff --git a/src/cmd-init b/src/cmd-init
@@ -201,6 +201,8 @@ fi
 
 mkdir -p cache
 mkdir -p builds
+# This directory may hold e.g. private key material
+mkdir -p secrets
 mkdir -p tmp
 mkdir -p overrides/rpm
 mkdir -p overrides/rootfs

diff --git a/src/cmdlib.sh b/src/cmdlib.sh
@@ -731,6 +731,9 @@ runvm() {
     # and include all GPG keys
     find /etc/pki/rpm-gpg/ -type f >> "${vmpreparedir}/hostfiles"
 
+    # This will be an ostree dep, not reflected in the RPM deps yet
+    echo /usr/lib64/libcomposefs.so* | tr " " "\n"  >> "${vmpreparedir}/hostfiles"
+
     # the reason we do a heredoc here is so that the var substition takes
     # place immediately instead of having to proxy them through to the VM
     cat > "${vmpreparedir}/init" <<EOF

diff --git a/src/create_disk.sh b/src/create_disk.sh
@@ -118,6 +118,7 @@ esac
 rootfs_args=$(getconfig_def "rootfs-args" "")
 
 bootfs=$(getconfig "bootfs")
+composefs=$(getconfig "composefs" "")
 grub_script=$(getconfig "grub-script")
 ostree_container=$(getconfig "ostree-container")
 commit=$(getconfig "ostree-commit")
@@ -310,6 +311,11 @@ ostree config --repo $rootfs/ostree/repo set sysroot.bootloader none
 # Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA
 # https://github.com/ostreedev/ostree/issues/1265
 ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
+if test -n "${composefs}"; then
+    for k in ex-fsverity.required ex-composefs.required; do
+        ostree config --repo $rootfs/ostree/repo set $k true
+    done
+fi
 # Initialize the "stateroot"
 ostree admin os-init "$os_name" --sysroot $rootfs
 

diff --git a/src/image-default.yaml b/src/image-default.yaml
@@ -4,6 +4,8 @@ bootfs: "ext4"
 rootfs: "xfs"
 # Add arguments here that will be passed to e.g. mkfs.xfs
 rootfs-args: ""
+# Set to true to use composefs; see e.g. https://github.com/ostreedev/ostree/pull/2640
+composefs: false
 
 # Additional default kernel arguments injected into disk images
 extra-kargs: []