treefile: Add option to label /usr/etc as /etc
#4640
Conversation
|
Skipping CI for Draft Pull Request. |
|
Running the coreos kola tests against this, because we need to make client side layering also auto-inherit this behavior if present in the base image. |
docs/treefile.md
Outdated
| @@ -138,6 +138,10 @@ It supports the following parameters: | |||
| to the UNIX epoch time to be used as the build timestamp. Currently only | |||
| fully supports the `bdb` backend. Somewhat experimental. | |||
|
|
|||
| * `label-usretc-as-etc`: boolean, optional: If enabled, this sets the SELinux label for | |||
There was a problem hiding this comment.
I wonder if we even need a new knob for this. Should be safe to always do this, right? Since we basically own /usr/etc anyway.
There was a problem hiding this comment.
Yes, I'm being conservative here by making it opt in (both here and on the ostree side).
Dunno. I guess we could try to actually do it by default ostree side, and add an option to disable it in case we regress things somehow.
There was a problem hiding this comment.
This is a nontrivial change though, and so far we've been really conservative with options that should be on by default but aren't (sysroot.readonly is a good example) to ensure that updating ostree doesn't break anything.
There was a problem hiding this comment.
Yeah, I'm less sure about making it default in libostree. I think it makes sense to make it opt in there. For rpm-ostree, it seems safer to do but cool of course to be conservative there.
There was a problem hiding this comment.
I think making it opt-in in ostree. but always enable in rpm-ostree (possibly with an opt-out) is the right approach.
There was a problem hiding this comment.
It's painful every time we add an opt-in for sure because we end up having to update so many different manifest/treefiles (coreos vs edge vs atomic desktop etc etc.)
However I still just feel we need to be conservative because this can easily have non-obvious effects.
Even on-by-default with a knob to turn it off gets tricky because then the build system requires a new rpm-ostree (old ones will barf on the unexpected field).
There was a problem hiding this comment.
Not only that, we need a new version of osbuild, and any other tools that call out to rpm-ostree to compose a commit.
|
So, all the base stuff in ostree has landed, maybe time to un-draft this? |
|
Well, we have the annoying thing that we have to wait through the new ostree to go all the way through the fedora 7 days bodhi update right now. I just did coreos/fedora-coreos-config#2684 |
cgwalters
force-pushed
the
label-usretc-as-etc
branch
3 times, most recently
from
5dfdf32
to
a70e776
Compare
|
Ah right, the ostree update hasn't made it out to c9s prod. Let's split out that hack to #4672 Man, it's times like this that really makes one feel actively punished for splitting things out into multiple components... (Or of course, using Nix where we aren't playing "rpmfind" but are just referencing source code that gets built if not present in the build cache...) |
Prep for new release.
cgwalters
force-pushed
the
label-usretc-as-etc
branch
from
a70e776
to
b49dbb1
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| osid="$(. /etc/os-release && echo $ID)" | ||
| if [ "${osid}" == centos ]; then | ||
| dnf -y update https://kojihub.stream.centos.org/kojifiles/packages/ostree/2023.7/2.el9/$(arch)/ostree-{,libs-,devel-}2023.7-2.el9.$(arch).rpm |
Check warning
Code scanning / shellcheck
Quote this to prevent word splitting. Warning
|
|
||
| osid="$(. /etc/os-release && echo $ID)" | ||
| if [ "${osid}" == centos ]; then | ||
| dnf -y update https://kojihub.stream.centos.org/kojifiles/packages/ostree/2023.7/2.el9/$(arch)/ostree-{,libs-,devel-}2023.7-2.el9.$(arch).rpm |
Check warning
Code scanning / shellcheck
Quote this to prevent word splitting. Warning
Depends on ostreedev/ostree#3063 This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.
cgwalters
force-pushed
the
label-usretc-as-etc
branch
from
b49dbb1
to
5083302
Compare
Hmmm. I think what's a bit weird about that is logically nothing else should put things in That said I had completely forgotten that |
One concrete example is doing
The history there is messy, but I think we do still need it. IIRC this is related to the |
This avoids the unnecessary `b` for bytestrings and literal `\n` newlines.
This ensures file labeling equivalency outside of ostree too.
This is a feature that was added in rpm-ostree 2023.10 and is needed for the new transient /etc feature to work. What it does is change the labeling of /usr/etc to match those of /etc, so that /usr/etc can be used directly as a bind-mount or an overlay mount when mounted on /etc. See coreos/rpm-ostree#4640 for details.
This is a feature that was added in rpm-ostree 2023.10 and is needed for the new transient /etc feature to work. What it does is change the labeling of /usr/etc to match those of /etc, so that /usr/etc can be used directly as a bind-mount or an overlay mount when mounted on /etc. See coreos/rpm-ostree#4640 for details.
Depends on ostreedev/ostree#3063
This is intended for use with ostreedev/ostree#2868 but is conceptually orthogonal to it; we probably want to try switching to this by default actually.