Merge pull request commontorizon#38 from rborn-tx/TOR-3391

Make /etc transient on the secure boot image
EdTheBearded · Mar 8, 2024 · 953aacb · 953aacb
2 parents 1c82b87 + ee5b76b
commit 953aacb
Show file tree

Hide file tree

Showing 17 changed files with 34 additions and 85 deletions.
diff --git a/classes/image_type_torizon.bbclass b/classes/image_type_torizon.bbclass
@@ -133,9 +133,6 @@ generate_diff_file () {
     fi
 }
 
-# Enable composefs on the generated ostree repo (part of the Tezi image).
-OSTREE_OTA_REPO_CONFIG:append:cfs-support = " ex-integrity.composefs:true"
-
 IMAGE_DATETIME_FILES ??= " \
     ${sysconfdir}/issue \
     ${sysconfdir}/issue.net \

diff --git a/conf/distro/include/torizon.inc b/conf/distro/include/torizon.inc
@@ -105,5 +105,5 @@ PREFERRED_VERSION_libcurl ?= "${CURLVERSION}"
 # would be the case on a secure-boot image. Otherwise, the older battle-tested
 # version is selected.
 OSTREEVERSION ?= "2021.6"
-OSTREEVERSION:cfs-support ?= "2024.1"
+OSTREEVERSION:cfs-support ?= "2024.4"
 PREFERRED_VERSION_ostree ?= "${OSTREEVERSION}"
diff --git a/recipes-core/initramfs-framework/initramfs-framework_1.0.bbappend b/recipes-core/initramfs-framework/initramfs-framework_1.0.bbappend
@@ -51,17 +51,7 @@ do_install:append() {
     install -m 0755 ${WORKDIR}/kmod ${D}/init.d/01-kmod
 }
 
-# Configuration that goes into prepare-root.conf (see ostree-prepare-root manual):
-# - PREP_ROOT_ETC_TRANSIENT: whether /etc is transient ("true" or "false")
-# - PREP_ROOT_CFS_ENABLED: enabling of composefs ("yes", "no", "maybe" or "signed")
-#
-# TODO: Set PREP_ROOT_ETC_TRANSIENT to true; at the time of writing this wasn't
-# working correctly: /etc does become transient but "ostree admin status" fails
-# to detect the current deployment (this may have been solved on newer versions
-# of ostree).
-PREP_ROOT_ETC_TRANSIENT ?= "false"
-PREP_ROOT_CFS_ENABLED ?= "maybe"
-PREP_ROOT_CFS_ENABLED:cfs-signed ?= "signed"
+require recipes-extended/ostree/ostree-prepare-root.inc
 
 do_install:append:cfs-support() {
     # Bundled into initramfs-module-kmod package:
@@ -72,13 +62,7 @@ do_install:append:cfs-support() {
     install -m 0755 ${WORKDIR}/composefs ${D}/init.d/94-composefs
     install -d ${D}${nonarch_libdir}/ostree/
     install -m 0644 /dev/null ${D}${nonarch_libdir}/ostree/prepare-root.conf
-    cat >${D}${nonarch_libdir}/ostree/prepare-root.conf <<EOF
-[etc]
-transient = ${PREP_ROOT_ETC_TRANSIENT}
-
-[composefs]
-enabled = ${PREP_ROOT_CFS_ENABLED}
-EOF
+    write_prepare_root_config ${D}${nonarch_libdir}/ostree/prepare-root.conf
 }
 
 # Adding modules so plymouth can show the splash screen during boot

diff --git a/...tended/ostree/ostree-2024.1/0001-Expose-MOUNT_ATTR_IDMAP-detection-result-to-C-code.patch b/...tended/ostree/ostree-2024.1/0001-Expose-MOUNT_ATTR_IDMAP-detection-result-to-C-code.patch
diff --git a/...ing-when-macro-MOUNT_ATTR_IDMAP-is-.patch → ...ing-when-macro-MOUNT_ATTR_IDMAP-is-.patch b/...ing-when-macro-MOUNT_ATTR_IDMAP-is-.patch → ...ing-when-macro-MOUNT_ATTR_IDMAP-is-.patch
diff --git a/...001-ostree-pull-set-request-timeout.patch → ...001-ostree-pull-set-request-timeout.patch b/...001-ostree-pull-set-request-timeout.patch → ...001-ostree-pull-set-request-timeout.patch
diff --git a/...0001-update-default-grub-cfg-header.patch → ...0001-update-default-grub-cfg-header.patch b/...0001-update-default-grub-cfg-header.patch → ...0001-update-default-grub-cfg-header.patch
diff --git a/...or-the-fdtfile-variable-in-uEnv.txt.patch → ...or-the-fdtfile-variable-in-uEnv.txt.patch b/...or-the-fdtfile-variable-in-uEnv.txt.patch → ...or-the-fdtfile-variable-in-uEnv.txt.patch
diff --git a/...ing-when-macro-LOOP_CONFIGURE-is-no.patch → ...ing-when-macro-LOOP_CONFIGURE-is-no.patch b/...ing-when-macro-LOOP_CONFIGURE-is-no.patch → ...ing-when-macro-LOOP_CONFIGURE-is-no.patch
diff --git a/...r-curl-set-max-parallel-connections.patch → ...r-curl-set-max-parallel-connections.patch b/...r-curl-set-max-parallel-connections.patch → ...r-curl-set-max-parallel-connections.patch
diff --git a/...s-extended/ostree/ostree-2024.1/run-ptest → ...s-extended/ostree/ostree-2024.4/run-ptest b/...s-extended/ostree/ostree-2024.1/run-ptest → ...s-extended/ostree/ostree-2024.4/run-ptest
diff --git a/recipes-extended/ostree/ostree-prepare-root.inc b/recipes-extended/ostree/ostree-prepare-root.inc
@@ -0,0 +1,21 @@
+# Configuration that goes into prepare-root.conf (see ostree-prepare-root manual):
+#
+# - PREP_ROOT_ETC_TRANSIENT: whether /etc is transient ("true" or "false")
+# - PREP_ROOT_CFS_ENABLED: enabling of composefs ("yes", "no", "maybe" or "signed")
+#
+PREP_ROOT_ETC_TRANSIENT ?= "true"
+PREP_ROOT_CFS_ENABLED ?= "no"
+PREP_ROOT_CFS_ENABLED:cfs-support ?= "yes"
+PREP_ROOT_CFS_ENABLED:cfs-signed ?= "signed"
+
+write_prepare_root_config() {
+    local outfile="${1?Output file name required}"
+
+    cat >${outfile} <<EOF
+[etc]
+transient = ${PREP_ROOT_ETC_TRANSIENT}
+
+[composefs]
+enabled = ${PREP_ROOT_CFS_ENABLED}
+EOF
+}
diff --git a/recipes-extended/ostree/ostree-torizon.inc b/recipes-extended/ostree/ostree-torizon.inc
@@ -53,3 +53,10 @@ do_install:append () {
     install -m 0644 ${WORKDIR}/ostree-pending-reboot.service ${D}${systemd_system_unitdir}
     install -m 0644 ${WORKDIR}/ostree-pending-reboot.path ${D}${systemd_system_unitdir}
 }
+
+require ostree-prepare-root.inc
+
+do_install:append:cfs-support() {
+    install -m 0644 /dev/null ${D}${nonarch_libdir}/ostree/prepare-root.conf
+    write_prepare_root_config ${D}${nonarch_libdir}/ostree/prepare-root.conf
+}
diff --git a/recipes-extended/ostree/ostree_2024.1.bb → recipes-extended/ostree/ostree_2024.4.bb b/recipes-extended/ostree/ostree_2024.1.bb → recipes-extended/ostree/ostree_2024.4.bb
@@ -22,7 +22,7 @@ SRC_URI = " \
     gitsm://github.com/ostreedev/ostree;branch=main;protocol=https \
     file://run-ptest \
 "
-SRCREV = "3b4f5e36ee6b83313d4a4afc8dacb5bb9367ee2b"
+SRCREV = "2d2e0bddf3d4b662ef7f9a3eddb7814b57716cee"
 
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+)"
 

diff --git a/...es-extended/ostree/ostree_2024.1.bbappend → ...es-extended/ostree/ostree_2024.4.bbappend b/...es-extended/ostree/ostree_2024.1.bbappend → ...es-extended/ostree/ostree_2024.4.bbappend
@@ -13,7 +13,6 @@ SRC_URI:append = " \
     file://0001-update-default-grub-cfg-header.patch \
     file://0002-Add-support-for-the-fdtfile-variable-in-uEnv.txt.patch \
     file://0003-ostree-fetcher-curl-set-max-parallel-connections.patch \
-    file://0001-Expose-MOUNT_ATTR_IDMAP-detection-result-to-C-code.patch \
     file://0001-mount-Allow-building-when-macro-MOUNT_ATTR_IDMAP-is-.patch \
     file://0002-mount-Allow-building-when-macro-LOOP_CONFIGURE-is-no.patch \
 "

diff --git a/recipes-support/composefs-tools/composefs-tools_git.bb b/recipes-support/composefs-tools/composefs-tools_git.bb
@@ -21,11 +21,10 @@ SRC_URI = "\
     git://github.com/containers/composefs.git;protocol=https;branch=main \
     file://0001-mount-Allow-building-when-macro-MOUNT_ATTR_IDMAP-is-.patch \
     file://0002-mount-Allow-building-when-macro-LOOP_CONFIGURE-is-no.patch \
-    file://0001-configure.ac-disable-Werror-unused-result-temporaril.patch \
 "
 
-SRCREV = "cca8be49843385ce556fccf51f75821f70fb7769"
-PV = "0.1.4+git${SRCPV}"
+SRCREV = "2d5cdcb9176cfe4ccf1761ef6d78e1c48de35649"
+PV = "1.0.3+git${SRCPV}"
 
 S = "${WORKDIR}/git"
 

diff --git a/...ort/composefs-tools/files/0001-configure.ac-disable-Werror-unused-result-temporaril.patch b/...ort/composefs-tools/files/0001-configure.ac-disable-Werror-unused-result-temporaril.patch