
RHEL 9: Filesystem customizations for edge-raw-image #255

Merged
merged 3 commits into from
Dec 13, 2023
Merged
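--- a/internal/pathpolicy/policies.go
+++ b/internal/pathpolicy/policies.go
@@ -46,3 +46,16 @@ var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{
 "/etc/passwd": {Deny: true},
 "/etc/group": {Deny: true},
 })
+
+// MountpointPolicies for ostree
+var OstreeMountpointPolicies = NewPathPolicies(map[string]PathPolicy{
+"/": {},
+"/ostree": {Deny: true},
+"/home": {Deny: true},
+"/var/home": {Deny: true},
+"/var/opt": {Deny: true},
+"/var/srv": {Deny: true},
+"/var/roothome": {Deny: true},
+"/var/usrlocal": {Deny: true},
+"/var/mnt": {Deny: true},
+})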
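Review bot: The comment above `OstreeMountpointPolicies` names a different identifier (`MountpointPolicies`) and does not say that this is a deny list: the `"/": {}` entry lets every path not listed here through, as the `/foo` case in the accompanying test shows. A doc comment that starts with the identifier would make the default explicit, for example `// OstreeMountpointPolicies denies custom mountpoints on the listed ostree paths; any other path under / passes this policy.` It would also help to state in the comment where the list of denied paths comes from, so that a reader can tell whether an entry is missing when the ostree layout changes.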
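--- a/internal/pathpolicy/policies_test.go
+++ b/internal/pathpolicy/policies_test.go
@@ -78,3 +78,36 @@ func TestMountpointPolicies(t *testing.T) {
 })
 }
 }
+
+func TestOstreeMountpointPolicies(t *testing.T) {
+type testCase struct {
+path string
+allowed bool
+}
+
+testCases := []testCase{
+{"/ostree", false},
+{"/ostree/foo", false},
+
+{"/foo", true},
+{"/foo/bar", true},
+
+{"/var", true},
+{"/var/myfiles", true},
+{"/var/roothome", false},
+
+{"/home", false},
+{"/home/shadowman", false},
+}
+
+for _, tc := range testCases {
+t.Run(tc.path, func(t *testing.T) {
+err := OstreeMountpointPolicies.Check(tc.path)
+if err != nil && tc.allowed {
+t.Errorf("expected %s to be allowed, but got error: %v", tc.path, err)
+} else if err == nil && !tc.allowed {
+t.Errorf("expected %s to be denied, but got no error", tc.path)
+}
+})
+}
+}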
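Review bot: The table in `TestOstreeMountpointPolicies` covers only three of the eight denied entries (`/ostree`, `/home`, `/var/roothome`), so a typo in the keys for `/var/home`, `/var/opt`, `/var/srv`, `/var/usrlocal` or `/var/mnt` would go unnoticed. It also has no path that merely shares a string prefix with a denied entry, which would pin down whether matching is done per path component. Adding cases such as `{"/var/mnt", false},` and `{"/var/mntdata", true},` would close both gaps; the second expectation assumes component-wise matching, which is not visible on this page.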
6 changes: 3 additions & 3 deletions pkg/distro/rhel9/distro_test.go
Expand Up @@ -671,7 +671,7 @@ func TestDistro_CustomFileSystemManifestError(t *testing.T) {
imgType, _ := arch.GetImageType(imgTypeName)
_, _, err := imgType.Manifest(&bp, distro.ImageOptions{}, nil, 0)
if imgTypeName == "edge-commit" || imgTypeName == "edge-container" {
assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types")
assert.EqualError(t, err, "Custom mountpoints are not supported for edge-container and edge-commit")
} else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" || imgTypeName == "edge-ami" || imgTypeName == "edge-vsphere" {
continue
} else {
Expand Down Expand Up @@ -699,7 +699,7 @@ func TestDistro_TestRootMountPoint(t *testing.T) {
imgType, _ := arch.GetImageType(imgTypeName)
_, _, err := imgType.Manifest(&bp, distro.ImageOptions{}, nil, 0)
if imgTypeName == "edge-commit" || imgTypeName == "edge-container" {
assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types")
assert.EqualError(t, err, "Custom mountpoints are not supported for edge-container and edge-commit")
} else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" || imgTypeName == "edge-ami" || imgTypeName == "edge-vsphere" {
continue
} else {
Expand Down Expand Up @@ -829,7 +829,7 @@ func TestDistro_CustomUsrPartitionNotLargeEnough(t *testing.T) {
imgType, _ := arch.GetImageType(imgTypeName)
_, _, err := imgType.Manifest(&bp, distro.ImageOptions{}, nil, 0)
if imgTypeName == "edge-commit" || imgTypeName == "edge-container" {
assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types")
assert.EqualError(t, err, "Custom mountpoints are not supported for edge-container and edge-commit")
} else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" || imgTypeName == "edge-ami" || imgTypeName == "edge-vsphere" {
continue
} else {
21 changes: 10 additions & 11 deletions pkg/distro/rhel9/imagetype.go
Expand Up @@ -167,12 +167,7 @@ func (t *imageType) getPartitionTable(
partitioningMode := options.PartitioningMode
if t.rpmOstree {
// Edge supports only LVM, force it.
// Raw is not supported, return an error if it is requested
// TODO Need a central location for logic like this
if partitioningMode == disk.RawPartitioningMode {
return nil, fmt.Errorf("partitioning mode raw not supported for %s on %s", t.Name(), t.arch.Name())
}

partitioningMode = disk.LVMPartitioningMode
}

Expand Down Expand Up @@ -308,7 +303,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
}

if t.name == "edge-simplified-installer" {
allowed := []string{"InstallationDevice", "FDO", "Ignition", "Kernel", "User", "Group", "FIPS"}
allowed := []string{"InstallationDevice", "FDO", "Ignition", "Kernel", "User", "Group", "FIPS", "Filesystem"}
if err := customizations.CheckAllowed(allowed...); err != nil {
return warnings, fmt.Errorf("unsupported blueprint customizations found for boot ISO image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", "))
}
Expand Down Expand Up @@ -358,8 +353,7 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
if options.OSTree == nil || options.OSTree.URL == "" {
return warnings, fmt.Errorf("%q images require specifying a URL from which to retrieve the OSTree commit", t.name)
}

allowed := []string{"Ignition", "Kernel", "User", "Group", "FIPS"}
allowed := []string{"Ignition", "Kernel", "User", "Group", "FIPS", "Filesystem"}
if err := customizations.CheckAllowed(allowed...); err != nil {
return warnings, fmt.Errorf("unsupported blueprint customizations found for image type %q: (allowed: %s)", t.name, strings.Join(allowed, ", "))
}
Expand All @@ -386,9 +380,14 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
}

mountpoints := customizations.GetFilesystems()

if mountpoints != nil && t.rpmOstree {
return warnings, fmt.Errorf("Custom mountpoints are not supported for ostree types")
if mountpoints != nil && t.rpmOstree && (t.name == "edge-container" || t.name == "edge-commit") {
return warnings, fmt.Errorf("Custom mountpoints are not supported for edge-container and edge-commit")
} else if mountpoints != nil && t.rpmOstree && !(t.name == "edge-container" || t.name == "edge-commit") {
//customization allowed for edge-raw-image,edge-ami,edge-vsphere,edge-simplified-installer
err := blueprint.CheckMountpointsPolicy(mountpoints, pathpolicy.OstreeMountpointPolicies)
if err != nil {
return warnings, err
}
}

err := blueprint.CheckMountpointsPolicy(mountpoints, pathpolicy.MountpointPolicies)
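Review bot: In the last hunk of `checkOptions`, the new `else if` admits custom mountpoints for every rpm-ostree image type whose name is not `edge-container` or `edge-commit`, so a type added later is allowed by default although the comment names only four. Matching the supported names explicitly and rejecting everything else would fail closed and keep the comment and the code in step. The second condition also repeats the negation of the first and can be reduced to `} else if mountpoints != nil && t.rpmOstree {`. The error text starts with a capital letter, which Go convention advises against, but the tests in `distro_test.go` assert the exact string and would have to change with it. `checkOptions` begins and ends outside the visible hunks.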
13 changes: 13 additions & 0 deletions test/config-map.json
Expand Up @@ -193,5 +193,18 @@
"image-types": [
"ec2-sap"
]
},
"./configs/ostree-filesystem-customizations.json": {
"image-types": [
"edge-raw-image",
"edge-ami",
"edge-vsphere",
"simplified-installer"
],
"distros": [
"rhel-92",
"rhel-93",
"rhel-94"
]
achilleas-k marked this conversation as resolved.
}
}
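Review bot: The `image-types` list names `simplified-installer`, while the Go changes in this pull request refer to the same type as `edge-simplified-installer`. If the test generator matches image type names exactly, this config never runs for that type and the new `Filesystem` allowance for it stays untested. Unless the map is known to match by suffix or pattern, the entry should read `"edge-simplified-installer"`.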
53 changes: 53 additions & 0 deletions test/configs/ostree-filesystem-customizations.json
@@ -0,0 +1,53 @@
{
"name": "ostree-filesystem-customizations",
"ostree": {
"url": "http://example.com/repo"
},
"blueprint": {
"customizations": {
"user": [
{
"groups": [
"wheel"
],
"key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNebAh6SjpAn8wB53K4695cGnHGuCtl4RdaX3futZgJUultHyzeYHnzMO7d4++qnRL+Rworew62LKP560uvtncc= github.com/osbuild/images",
"name": "osbuild"
}
],
"filesystem": [
{
"mountpoint": "/foo",
"minsize": "2147483648"
},
{
"mountpoint": "/foo/bar",
"minsize": "2 GiB"
},
{
"mountpoint": "/root",
"minsize": "1 GiB"
},
{
"mountpoint": "/mnt",
"minsize": "3 GiB"
},
{
"mountpoint": "/srv",
"minsize": "4 GiB"
},
{
"mountpoint": "/opt",
"minsize": "1 GiB"
},
{
"mountpoint": "/var/mydata",
"minsize": "1 GiB"
}
say-paul marked this conversation as resolved.
]
}
},
"depends": {
"image-type": "edge-container",
"config": "empty.json"
}
}
1 change: 1 addition & 0 deletions test/scripts/boot-image
Expand Up @@ -86,6 +86,7 @@ def boot_ami(distro, arch, image_type, image_path):
"--username", "osbuild",
"--ssh-privkey", privkey,
"--ssh-pubkey", pubkey,
"--boot-mode" , "uefi",
achilleas-k marked this conversation as resolved.
raw_image_path, "test/scripts/base-host-check.sh"]
runcmd(cmd)
