Add support for composefs
This pairs with ostreedev/ostree#2640

It's all off by default (to state the obvious). But one can do e.g.:

```
$ cat >> src/config/image.yaml << EOF
rootfs: ext4verity
composefs: unsigned
EOF
```

You can also try out `composefs: signed` and also do:

```
$ mkdir -p secrets
$ openssl req -newkey rsa:4096 -nodes -keyout secrets/root-composefs-key.pem -x509 -out secrets/root-composefs-cert.pem
```

(But this is not *yet* a focus)

More in ostreedev/ostree#2867
cgwalters committed Jun 2, 2023
1 parent e92b5fe commit d8e342b
Showing 4 changed files with 34 additions and 1 deletion.
25 changes: 25 additions & 0 deletions src/cmd-build
@@ -326,6 +326,31 @@ fi
if [ ! -f "${workdir}"/builds/builds.json ] && [ ! -f "${fetch_stamp}" ] ; then
fatal "Must fetch before building"
fi
composefs="$(jq -r .composefs < "${image_json}")"
case "${composefs}" in
"")
;;
unsigned)
ostree config --repo="${tmprepo}" set ex-integrity.composefs yes
;;
signed)
ostree config --repo="${tmprepo}" set ex-integrity.composefs yes
# Generate with e.g.
# openssl req -newkey rsa:4096 -nodes -keyout secrets/root-composefs-key.pem -x509 -out secrets/root-composefs-cert.pem
composefs_cert="${workdir}/secrets/root-composefs-cert.pem"
composefs_key="${workdir}/secrets/root-composefs-key.pem"
if test '!' -f "${composefs_cert}"; then
fatal "composefs enabled, but missing ${composefs_cert}"
fi
if test '!' -f "${composefs_key}"; then
fatal "composefs enabled, but missing ${composefs_key}"
fi
ostree config --repo="${tmprepo}" set ex-integrity.composefs-certfile "${composefs_cert}"
ostree config --repo="${tmprepo}" set ex-integrity.composefs-keyfile "${composefs_key}"
;;
*) fatal "Unhandled composefs setting: ${composefs}" ;;
esac

# --cache-only is here since `fetch` is a separate verb
# shellcheck disable=SC2086
if test -n "${previous_commit}"; then
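Review bot: `jq -r .composefs` prints the literal string `null` when the key is absent from `${image_json}`, so a config without a `composefs` entry falls through to the `*)` branch and aborts with "Unhandled composefs setting: null" instead of being treated as disabled; `jq -r '.composefs // ""'` would make the `"")` case catch both the empty string and a missing key. In the `signed` branch the cert and key checks are good, but the paths written into the repo config point at `${workdir}/secrets`, which is where the private key lives, so the comment could note that this repo config is a build-time artifact and the key must not travel into the output image.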
2 changes: 2 additions & 0 deletions src/cmd-init
@@ -201,6 +201,8 @@ fi

mkdir -p cache
mkdir -p builds
# This directory may hold e.g. private key material
mkdir -p secrets
mkdir -p tmp
mkdir -p overrides/rpm
mkdir -p overrides/rootfs
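Review bot: since the comment says `secrets` may hold private key material, consider creating it with a restrictive mode, e.g. `mkdir -p -m 0700 secrets`, rather than relying on the caller's umask; the key the commit message generates with `openssl req ... -nodes` is unencrypted, so directory permissions are the only thing keeping it from other local users by default.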
6 changes: 5 additions & 1 deletion src/create_disk.sh
@@ -118,6 +118,7 @@ esac
rootfs_args=$(getconfig_def "rootfs-args" "")

bootfs=$(getconfig "bootfs")
composefs=$(jq .composefs < "${config}")
grub_script=$(getconfig "grub-script")
ostree_container=$(getconfig "ostree-container")
commit=$(getconfig "ostree-commit")
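Review bot: `jq .composefs` without `-r` prints the JSON-encoded value, so the default `composefs: ""` from image-default.yaml becomes the two-character string `""` and `test -n "${composefs}"` in the later hunk is true even when composefs is disabled; that would enable `ex-integrity.composefs` and skip `ex-fsverity.required` on every ext4verity build. Use `jq -r`, or `getconfig_def "composefs" ""` like the neighbouring keys, so the empty default stays empty.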
@@ -310,11 +311,14 @@ ostree config --repo $rootfs/ostree/repo set sysroot.bootloader none
# Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA
# https://github.com/ostreedev/ostree/issues/1265
ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
if test -n "${composefs}"; then
ostree config --repo $rootfs/ostree/repo set ex-integrity.composefs true
fi
# Initialize the "stateroot"
ostree admin os-init "$os_name" --sysroot $rootfs

# Propagate flags into target repository
if [ "${rootfs_type}" = "ext4verity" ]; then
if [ "${rootfs_type}" = "ext4verity" ] && [ -z "${composefs}" ]; then
ostree config --repo=$rootfs/ostree/repo set ex-fsverity.required 'true'
fi

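Review bot: the added `[ -z "${composefs}" ]` guard means enabling composefs drops `ex-fsverity.required` on an ext4verity root, which is a change in what the target repo enforces; a comment stating that composefs takes over integrity enforcement here (and whether `signed` vs `unsigned` should make a difference, since both collapse to the same `ex-integrity.composefs true` in this file) would help the next reader. The value is also spelled `true` here and `yes` in cmd-build; picking one keeps the two repo configs greppable for the same string.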
2 changes: 2 additions & 0 deletions src/image-default.yaml
@@ -4,6 +4,8 @@ bootfs: "ext4"
rootfs: "xfs"
# Add arguments here that will be passed to e.g. mkfs.xfs
rootfs-args: ""
# Set to either "unsigned" or "signed" to use composefs; see e.g. https://github.com/ostreedev/ostree/pull/2640
composefs: ""

# Additional default kernel arguments injected into disk images
extra-kargs: []
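Review bot: the comment lists `unsigned` and `signed` but not that the empty string means disabled, and it does not say that `signed` requires `secrets/root-composefs-cert.pem` and `secrets/root-composefs-key.pem` in the workdir (cmd-build fails the build without them); spelling both out in this defaults file, e.g. `# "" (disabled), "unsigned", or "signed" (needs secrets/root-composefs-{cert,key}.pem)`, saves a round trip through cmd-build to find the contract.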