Skip to content

Commit

Permalink
sysusers: add a treefile option in rpm-ostree to turn off
Browse files Browse the repository at this point in the history
`nss-altfiles` support and the `passwd / group` files migration to
`/usr/lib`
  • Loading branch information
HuijingHei committed Oct 30, 2023
1 parent 3060372 commit 3fbf784
Show file tree
Hide file tree
Showing 6 changed files with 36 additions and 7 deletions.
5 changes: 5 additions & 0 deletions docs/treefile.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,11 @@ It supports the following parameters:
* `selinux`: boolean, optional: Defaults to `true`. If `false`, then
no SELinux labeling will be performed on the server side.

* `sysusers`: boolean, optional: Defaults to `false`.
Enable generation of systemd `sysusers.d` entries.
If `true`, this turns off `altfiles` and disable the `passwd` / `group`
files migration to `/usr/lib`.

* `ima`: boolean, optional: Defaults to `false`. Propagate any
IMA signatures in input RPMs into the final OSTree commit.

Expand Down
10 changes: 10 additions & 0 deletions rpmostree-cxxrs.cxx
Original file line number Diff line number Diff line change
Expand Up @@ -1749,6 +1749,7 @@ struct Treefile final : public ::rust::Opaque
bool get_recommends () const noexcept;
bool get_selinux () const noexcept;
::std::uint32_t get_selinux_label_version () const noexcept;
bool get_sysusers () const noexcept;
::rust::String get_gpg_key () const noexcept;
::rust::String get_automatic_version_suffix () const noexcept;
bool get_container () const noexcept;
Expand Down Expand Up @@ -2592,6 +2593,9 @@ extern "C"
::std::uint32_t rpmostreecxx$cxxbridge1$Treefile$get_selinux_label_version (
::rpmostreecxx::Treefile const &self) noexcept;

bool
rpmostreecxx$cxxbridge1$Treefile$get_sysusers (::rpmostreecxx::Treefile const &self) noexcept;

void rpmostreecxx$cxxbridge1$Treefile$get_gpg_key (::rpmostreecxx::Treefile const &self,
::rust::String *return$) noexcept;

Expand Down Expand Up @@ -5143,6 +5147,12 @@ Treefile::get_selinux_label_version () const noexcept
return rpmostreecxx$cxxbridge1$Treefile$get_selinux_label_version (*this);
}

bool
Treefile::get_sysusers () const noexcept
{
return rpmostreecxx$cxxbridge1$Treefile$get_sysusers (*this);
}

::rust::String
Treefile::get_gpg_key () const noexcept
{
Expand Down
1 change: 1 addition & 0 deletions rpmostree-cxxrs.h
Original file line number Diff line number Diff line change
Expand Up @@ -1531,6 +1531,7 @@ struct Treefile final : public ::rust::Opaque
bool get_recommends () const noexcept;
bool get_selinux () const noexcept;
::std::uint32_t get_selinux_label_version () const noexcept;
bool get_sysusers () const noexcept;
::rust::String get_gpg_key () const noexcept;
::rust::String get_automatic_version_suffix () const noexcept;
bool get_container () const noexcept;
Expand Down
1 change: 1 addition & 0 deletions rust/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -608,6 +608,7 @@ pub mod ffi {
fn get_recommends(&self) -> bool;
fn get_selinux(&self) -> bool;
fn get_selinux_label_version(&self) -> u32;
fn get_sysusers(&self) -> bool;
fn get_gpg_key(&self) -> String;
fn get_automatic_version_suffix(&self) -> String;
fn get_container(&self) -> bool;
Expand Down
7 changes: 7 additions & 0 deletions rust/src/treefile.rs
Original file line number Diff line number Diff line change
Expand Up @@ -417,6 +417,7 @@ fn treefile_merge(dest: &mut TreeComposeConfig, src: &mut TreeComposeConfig) {
rojig,
selinux,
selinux_label_version,
sysusers,
ima,
gpg_key,
include,
Expand Down Expand Up @@ -1337,6 +1338,10 @@ impl Treefile {
self.parsed.base.selinux_label_version.unwrap_or_default()
}

pub(crate) fn get_sysusers(&self) -> bool {
self.parsed.base.sysusers.unwrap_or(false)
}

pub(crate) fn get_gpg_key(&self) -> String {
self.parsed.base.gpg_key.clone().unwrap_or_default()
}
Expand Down Expand Up @@ -2484,6 +2489,8 @@ pub(crate) struct BaseComposeConfigFields {
#[serde(skip_serializing_if = "Option::is_none")]
pub(crate) selinux_label_version: Option<u32>,
#[serde(skip_serializing_if = "Option::is_none")]
pub(crate) sysusers: Option<bool>,
#[serde(skip_serializing_if = "Option::is_none")]
pub(crate) ima: Option<bool>,
#[serde(skip_serializing_if = "Option::is_none")]
pub(crate) gpg_key: Option<String>,
Expand Down
19 changes: 12 additions & 7 deletions src/libpriv/rpmostree-postprocess.cxx
Original file line number Diff line number Diff line change
Expand Up @@ -406,16 +406,21 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un

auto container = treefile.get_container ();

g_print ("Migrating /usr/etc/passwd to /usr/lib/\n");
ROSCXX_TRY (migrate_passwd_except_root (rootfs_dfd), error);
bool sysusers = treefile.get_sysusers ();

rust::Vec<rust::String> preserve_groups_set = treefile.get_etc_group_members ();
if (!sysusers)
{
g_print ("Migrating /usr/etc/passwd to /usr/lib/\n");
ROSCXX_TRY (migrate_passwd_except_root (rootfs_dfd), error);

rust::Vec<rust::String> preserve_groups_set = treefile.get_etc_group_members ();

g_print ("Migrating /usr/etc/group to /usr/lib/\n");
ROSCXX_TRY (migrate_group_except_root (rootfs_dfd, preserve_groups_set), error);
g_print ("Migrating /usr/etc/group to /usr/lib/\n");
ROSCXX_TRY (migrate_group_except_root (rootfs_dfd, preserve_groups_set), error);

/* NSS configuration to look at the new files */
ROSCXX_TRY (composepost_nsswitch_altfiles (rootfs_dfd), error);
/* NSS configuration to look at the new files */
ROSCXX_TRY (composepost_nsswitch_altfiles (rootfs_dfd), error);
}

if (selinux)
{
Expand Down

0 comments on commit 3fbf784

Please sign in to comment.