Skip to content

Commit

Permalink
core: also wrap kernel-install for scriptlets
Browse files Browse the repository at this point in the history
It's confusing right now how specifically for the kernel, one has to use
this obscure `rpm-ostree cliwrap install-to-root /` command to make it
work. Let's just always enable it: in the client-side layering case, we
don't run kernel scriptlets anyway so the wrapper is unused, and in the
container case, this will allow users to not have to enable cliwrap and
have it leak into their derived image.

I guess in theory, this should also allow us to *stop* ignoring kernel
scriptlets and rely on this instead, though let's leave that for a
separate investigation.

Closes: coreos#4949
  • Loading branch information
jlebon committed May 7, 2024
1 parent 32fd7a0 commit 2a8017c
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 5 deletions.
9 changes: 5 additions & 4 deletions ci/test-container.sh
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,11 @@ fi
rm "${origindir}/clienterror.yaml"
rpm-ostree ex rebuild

# test kernel installs *before* enabling cliwrap
rpm-ostree override replace $koji_kernel_url
# test that the new initramfs was generated
test -f /usr/lib/modules/${kver}-${krev}.fc${versionid}.x86_64/initramfs.img

rpm-ostree cliwrap install-to-root /

# Test a critical path package
Expand Down Expand Up @@ -119,10 +124,6 @@ rpm -q strace
rpm -q afterburn | grep g
rpm -q afterburn-dracut | grep g

rpm-ostree override replace $koji_kernel_url
# test that the new initramfs was generated
test -f /usr/lib/modules/${kver}-${krev}.fc${versionid}.x86_64/initramfs.img

# test --enablerepo --disablerepo --releasever
rpm-ostree --releasever=38 --disablerepo="*" \
--enablerepo=fedora install tmux
Expand Down
18 changes: 17 additions & 1 deletion rust/src/core.rs
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ const USERADD_PATH: &str = "usr/sbin/useradd";
const USERADD_WRAPPER: &[u8] = include_bytes!("../../src/libpriv/useradd-wrapper.sh");
const USERMOD_PATH: &str = "usr/sbin/usermod";
const USERMOD_WRAPPER: &[u8] = include_bytes!("../../src/libpriv/usermod-wrapper.sh");
const KERNEL_INSTALL_PATH: &str = "usr/bin/kernel-install";
const KERNEL_INSTALL_WRAPPER: &[u8] = include_bytes!("../../src/libpriv/kernel-install-wrapper.sh");

const RPMOSTREE_CORE_STAGED_RPMS_DIR: &str = "rpm-ostree/staged-rpms";

Expand Down Expand Up @@ -148,6 +150,7 @@ impl FilesystemScriptPrep {
(SYSTEMCTL_PATH, SYSTEMCTL_WRAPPER),
(USERADD_PATH, USERADD_WRAPPER),
(USERMOD_PATH, USERMOD_WRAPPER),
(KERNEL_INSTALL_PATH, KERNEL_INSTALL_WRAPPER),
];

fn saved_name(name: &str) -> String {
Expand Down Expand Up @@ -441,7 +444,7 @@ mod test {
// Replaced usermod.
{
let original_usermod = "original usermod";
d.atomic_write_with_perms(super::USERMOD_PATH, original_usermod, mode)?;
d.atomic_write_with_perms(super::USERMOD_PATH, original_usermod, mode.clone())?;
let contents = d.read_to_string(super::USERMOD_PATH)?;
assert_eq!(contents, original_usermod);
let mut g = super::prepare_filesystem_script_prep(d.as_raw_fd())?;
Expand All @@ -451,6 +454,19 @@ mod test {
let contents = d.read_to_string(super::USERMOD_PATH)?;
assert_eq!(contents, original_usermod);
}
// Replaced kernel-install.
{
let original_kernel_install = "original kernel_install";
d.atomic_write_with_perms(super::KERNEL_INSTALL_PATH, original_kernel_install, mode)?;
let contents = d.read_to_string(super::KERNEL_INSTALL_PATH)?;
assert_eq!(contents, original_kernel_install);
let mut g = super::prepare_filesystem_script_prep(d.as_raw_fd())?;
let contents = d.read_to_string(super::KERNEL_INSTALL_PATH)?;
assert_eq!(contents.as_bytes(), super::KERNEL_INSTALL_WRAPPER);
g.undo()?;
let contents = d.read_to_string(super::KERNEL_INSTALL_PATH)?;
assert_eq!(contents, original_kernel_install);
}
Ok(())
}

Expand Down
9 changes: 9 additions & 0 deletions src/libpriv/kernel-install-wrapper.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
#!/usr/bin/bash
# Used in the container layering path to make kernel replacements Just Work
# without having to enable cliwrap first. If cliwrap is enabled, then this will
# technically override the cliwrap wrapper, but the script is exactly the same.
# This wrapper is technically also installed when doing client-side layering,
# but we already ignore kernel scriptlets there anyway.
# See also https://github.com/coreos/rpm-ostree/issues/4949

exec /usr/bin/rpm-ostree cliwrap kernel-install "$@"

0 comments on commit 2a8017c

Please sign in to comment.