checkout: Add force_copy+SELinux options for checkout, use in deploy #797
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
WIP, needs more testing. Also I note that we should really make more use of |
cgwalters
force-pushed
the
checkout-labeling
branch
2 times, most recently
from
79ea5ba
to
3d14c7a
Compare
|
OK, removing WIP. I've tested this manually on a F25AH host. Note this rolls in #801 |
cgwalters
commented
Apr 19, 2017
src/libostree/ostree-repo.h
Outdated
| @@ -767,14 +767,17 @@ typedef struct { | |||
| gboolean enable_fsync; /* Deprecated */ | |||
| gboolean process_whiteouts; | |||
| gboolean no_copy_fallback; | |||
| gboolean unused_bools[7]; | |||
| gboolean force_copy; | |||
There was a problem hiding this comment.
I may break this out as a separate PR too with exposure via the cmdline as well.
cgwalters
force-pushed
the
checkout-labeling
branch
from
e761345
to
663ee93
Compare
|
☔ The latest upstream changes (presumably 50ca653) made this pull request unmergeable. Please resolve the merge conflicts. |
cgwalters
force-pushed
the
checkout-labeling
branch
from
663ee93
to
26b698d
Compare
jlebon
reviewed
Apr 24, 2017
| &label, cancellable, error)) | ||
| return FALSE; | ||
| if (fsetxattr (temp_fd, "security.selinux", label, strlen (label), 0) < 0) | ||
| return glnx_throw_errno_prefix (error, "Setting security.selinux"); |
There was a problem hiding this comment.
Nit: would be helpful to include the name of the file in the error msg.
There was a problem hiding this comment.
We already do that via the
return g_prefix_error (error, "Checkout of %s to %s: ", checksum, destination_name), FALSE;
in the caller.
| state.selabel_path_buf = buf; | ||
|
|
||
| /* Otherwise it'd just be corrupting things, and there's no use case */ | ||
| g_assert (options->force_copy); |
There was a problem hiding this comment.
Hmm, let's enforce this at the API entry point too.
There was a problem hiding this comment.
This was already very close to the entrypoint, but OK. Fixup ⬇️
src/libostree/ostree-repo-checkout.c
Outdated
| @@ -579,22 +652,15 @@ checkout_tree_at (OstreeRepo *self, | |||
| (guint64)repo_dfd_stat.st_dev, (guint64)destination_stat.st_dev); | |||
|
|
|||
| /* Set the xattrs now, so any derived labeling works */ | |||
There was a problem hiding this comment.
Can we update this comment as well since we might have done labeling already above?
cgwalters
force-pushed
the
checkout-labeling
branch
from
26b698d
to
a76b8ee
Compare
|
☔ The latest upstream changes (presumably 511b31c) made this pull request unmergeable. Please resolve the merge conflicts. |
cgwalters
force-pushed
the
checkout-labeling
branch
from
a76b8ee
to
8aefb93
Compare
|
Let's land #807 first before merging this one. |
|
🚄 @rh-atomic-bot r+ 8aefb93 |
rh-atomic-bot
pushed a commit
that referenced
this pull request
Apr 25, 2017
This is a variant of the efforts in #741 Working on `rpm-ostree livefs`, I realized though I needed to just check out *new* files directly into the live `/etc` (and possibly delete obsolete files). The way the current `/etc` merge works is fundamentally different from that. So my plan currently is to probably do something like: - Compute diff - Check out each *new* file individually (as a copy) - Optionally delete obsolete files Also, a few other things become more important - in the current deploy code, we copy all of the files, then relabel them. But we shouldn't expose to *live* systems the race conditions of doing that, plus we should only relabel files we checked out. By converting the deploy's /etc code to use this, we fix the same TODO item there around atomically having the label set up as we create files. And further, if we kill the `/var` relabeling which I think is unnecessary since Anaconda does it, we could delete large chunks of code there. In the implementation, there are two types of things: regular files, and symlinks. For regular files, in the `O_TMPFILE` case, we have the ability to do *everything* atomically (including SELinux labeling) before linking it into place. So let's just use that. For symlinks, we use `setfscreatecon()`. Closes: #797 Approved by: jlebon
This is a variant of the efforts in ostreedev#741 Working on `rpm-ostree livefs`, I realized though I needed to just check out *new* files directly into the live `/etc` (and possibly delete obsolete files). The way the current `/etc` merge works is fundamentally different from that. So my plan currently is to probably do something like: - Compute diff - Check out each *new* file individually (as a copy) - Optionally delete obsolete files Also, a few other things become more important - in the current deploy code, we copy all of the files, then relabel them. But we shouldn't expose to *live* systems the race conditions of doing that, plus we should only relabel files we checked out. By converting the deploy's /etc code to use this, we fix the same TODO item there around atomically having the label set up as we create files. And further, if we kill the `/var` relabeling which I think is unnecessary since Anaconda does it, we could delete large chunks of code there. In the implementation, there are two types of things: regular files, and symlinks. For regular files, in the `O_TMPFILE` case, we have the ability to do *everything* atomically (including SELinux labeling) before linking it into place. So let's just use that. For symlinks, we use `setfscreatecon()`.
cgwalters
force-pushed
the
checkout-labeling
branch
from
8aefb93
to
2048b88
Compare
|
Weird, the status did get reported. |
|
@rh-atomic-bot retry |
|
Ohh I see. |
|
☀️ Test successful - status-atomicjenkins |
cgwalters
added a commit
to cgwalters/ostree
that referenced
this pull request
Apr 26, 2017
This fixes a regression from: ostreedev#797 which is really due to an underlying bug in libselinux which we're working around: http://marc.info/?l=selinux&m=149323809332417&w=2 We drop the per-policy instance variable, since the SELinux state is *really* per-kernel.
cgwalters
added a commit
to cgwalters/ostree
that referenced
this pull request
Apr 26, 2017
This fixes a regression from: ostreedev#797 which is really due to an underlying bug in libselinux which we're working around: http://marc.info/?l=selinux&m=149323809332417&w=2 We drop the per-policy instance variable, since the SELinux state is *really* per-kernel. Closes: ostreedev#814
stephensmalley
pushed a commit
to SELinuxProject/selinux
that referenced
this pull request
Apr 27, 2017
This breaks every further call to e.g. `is_selinux_enabled()` after a policy root has been set. This tripped up some code landed in libostree: ostreedev/ostree#797 Since in some cases we initialize a policy twice in process, and we'd call `is_selinux_enabled()` each time. More info in: http://marc.info/?l=selinux&m=149323809332417&w=2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
rh-atomic-bot
pushed a commit
that referenced
this pull request
Apr 27, 2017
This fixes a regression from: #797 which is really due to an underlying bug in libselinux which we're working around: http://marc.info/?l=selinux&m=149323809332417&w=2 We drop the per-policy instance variable, since the SELinux state is *really* per-kernel. Closes: #814 Closes: #815 Approved by: jlebon
cgwalters
added a commit
to cgwalters/ostree
that referenced
this pull request
Apr 27, 2017
Rather than `g_output_stream_splice()`, where the input is a regular file. See GNOME/libglnx#44 for some more information. I didn't try to measure the performance difference, but seeing the read()/write() to/from userspace mixed in with the pointless `poll()` annoyed me when reading strace. As a bonus, we will again start using reflinks (if available) for `/etc`, which is a regression from the ostreedev#797 changes (which before used `glnx_file_copy_at()`). Also, for the first time we'll use reflinks when doing commits from file-backed content. This happens in `rpm-ostree compose tree` today for example.
bachradsusi
pushed a commit
to fedora-selinux/selinux
that referenced
this pull request
Apr 28, 2017
This breaks every further call to e.g. `is_selinux_enabled()` after a policy root has been set. This tripped up some code landed in libostree: ostreedev/ostree#797 Since in some cases we initialize a policy twice in process, and we'd call `is_selinux_enabled()` each time. More info in: http://marc.info/?l=selinux&m=149323809332417&w=2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from SELinuxProject commit f3a264c)
cgwalters
added a commit
to cgwalters/ostree
that referenced
this pull request
May 1, 2017
Rather than `g_output_stream_splice()`, where the input is a regular file. See GNOME/libglnx#44 for some more information. I didn't try to measure the performance difference, but seeing the read()/write() to/from userspace mixed in with the pointless `poll()` annoyed me when reading strace. As a bonus, we will again start using reflinks (if available) for `/etc`, which is a regression from the ostreedev#797 changes (which before used `glnx_file_copy_at()`). Also, for the first time we'll use reflinks when doing commits from file-backed content. This happens in `rpm-ostree compose tree` today for example. Update submodule: libglnx
cgwalters
added a commit
to cgwalters/ostree
that referenced
this pull request
May 1, 2017
Rather than `g_output_stream_splice()`, where the input is a regular file. See GNOME/libglnx#44 for some more information. I didn't try to measure the performance difference, but seeing the read()/write() to/from userspace mixed in with the pointless `poll()` annoyed me when reading strace. As a bonus, we will again start using reflinks (if available) for `/etc`, which is a regression from the ostreedev#797 changes (which before used `glnx_file_copy_at()`). Also, for the first time we'll use reflinks when doing commits from file-backed content. This happens in `rpm-ostree compose tree` today for example. Update submodule: libglnx
cgwalters
added a commit
to cgwalters/ostree
that referenced
this pull request
May 1, 2017
Rather than `g_output_stream_splice()`, where the input is a regular file. See GNOME/libglnx#44 for some more information. I didn't try to measure the performance difference, but seeing the read()/write() to/from userspace mixed in with the pointless `poll()` annoyed me when reading strace. As a bonus, we will again start using reflinks (if available) for `/etc`, which is a regression from the ostreedev#797 changes (which before used `glnx_file_copy_at()`). Also, for the first time we'll use reflinks when doing commits from file-backed content. This happens in `rpm-ostree compose tree` today for example. Update submodule: libglnx
rh-atomic-bot
pushed a commit
that referenced
this pull request
May 10, 2017
Rather than `g_output_stream_splice()`, where the input is a regular file. See GNOME/libglnx#44 for some more information. I didn't try to measure the performance difference, but seeing the read()/write() to/from userspace mixed in with the pointless `poll()` annoyed me when reading strace. As a bonus, we will again start using reflinks (if available) for `/etc`, which is a regression from the #797 changes (which before used `glnx_file_copy_at()`). Also, for the first time we'll use reflinks when doing commits from file-backed content. This happens in `rpm-ostree compose tree` today for example. Update submodule: libglnx Closes: #817 Approved by: jlebon
bachradsusi
pushed a commit
to fedora-selinux/selinux
that referenced
this pull request
Jul 28, 2017
This breaks every further call to e.g. `is_selinux_enabled()` after a policy root has been set. This tripped up some code landed in libostree: ostreedev/ostree#797 Since in some cases we initialize a policy twice in process, and we'd call `is_selinux_enabled()` each time. More info in: http://marc.info/?l=selinux&m=149323809332417&w=2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from SELinuxProject commit f3a264c)
chenyt9
pushed a commit
to MotorolaMobilityLLC/external-selinux
that referenced
this pull request
Jul 6, 2018
This breaks every further call to e.g. `is_selinux_enabled()` after a policy root has been set. This tripped up some code landed in libostree: ostreedev/ostree#797 Since in some cases we initialize a policy twice in process, and we'd call `is_selinux_enabled()` each time. More info in: http://marc.info/?l=selinux&m=149323809332417&w=2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a variant of the efforts in #741
Working on
rpm-ostree livefs, I realized though I needed to justcheck out new files directly into the live
/etc(and possiblydelete obsolete files).
The way the current
/etcmerge works is fundamentally different fromthat. So my plan currently is to probably do something like:
Also, a few other things become more important - in the current deploy code, we
copy all of the files, then relabel them. But we shouldn't expose to live
systems the race conditions of doing that, plus we should only relabel files we
checked out.
By converting the deploy's /etc code to use this, we fix the same TODO item
there around atomically having the label set up as we create files. And further,
if we kill the
/varrelabeling which I think is unnecessary since Anacondadoes it, we could delete large chunks of code there.