Bug 821568 - make stages compatible with machinectl/nspawn
Summary: make stages compatible with machinectl/nspawn
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Release Media
Classification: Unclassified
Component: Stages
Hardware: All Linux
: Normal normal
Assignee: Gentoo Release Team
URL:
Whiteboard:
Keywords:
Depends on: 787194
Blocks:
Reported: 2021-11-04 03:22 UTC by Georgy Yakovlev
Modified: 2022-10-02 19:22 UTC

See Also:
Package list:
Runtime testing required: ---


Description Georgy Yakovlev archtester gentoo-dev 2021-11-04 03:22:18 UTC
Currently there are 1 major and 2 minor problems that prevent using stages directly in machinectl.

1. https://bugs.gentoo.org/787194
   https://github.com/systemd/systemd/issues/16605
 since our stages are pixz compressed and it adds an index - it confuses machinectl, because internally it passes --ignore-zeros

it's almost fixed.
https://github.com/dol-sen/pyDeComp/commit/e60dffe2043a1b963e9ba6325e32795d3aa6993c landed and we have it in 3.0-r2

I'm testing on ppc64le right now.

2. machinectl pull-tar expects a *.sha256 file that contains a checksum, that can be used to verify the image.
  some code needs to be added to catalyst to create those files.
  probably base/genbase.py, it already handles other digests.

  doc: https://www.freedesktop.org/software/systemd/man/machinectl.html#pull-tar%20URL%20[NAME]

3. signing above sha256 files. they are expected to be ascii-armoured by infra.
  that code is in https://gitweb.gentoo.org/infra/mastermirror-scripts.git/tree/sign-autobuilds.sh
  and it already contains logic for inline signing, so should be easy to plug.

4. machinectl also looks for .nspawn file matching image name, this file is optional but can be used to provide some initial configuration, like maybe bind-mounting distfiles from host.
  doc: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html
Comment 1 Larry the Git Cow gentoo-dev 2021-11-25 02:43:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=7457cd3b1a5f3ed4a566bbf23e36c939af06967c

commit 7457cd3b1a5f3ed4a566bbf23e36c939af06967c
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-11-05 02:14:00 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-11-25 02:43:21 +0000

    catalyst: generate .sha256 file if any digest is enabled
    
    checksum format is simple one, identical to one
    sha256sum from coreutils produces, lines starting with # are ignored.
    
    example:[1]
    
    # SHA256 HASH
    xxxx.....  stage3-....tar.xz
    
    systemd upstream calls it suse-style .sha256 files.[0]
    infra already supports inline signing of files.
    
    Bug: https://bugs.gentoo.org/821568
    [0] https://github.com/systemd/systemd/blob/aedec452b9e5dd197881f2164fb205dfe8bfdcec/src/import/pull-common.c#L236
    [1] https://mirrors.edge.kernel.org/opensuse/distribution/leap/15.0/iso/openSUSE-Leap-15.0-DVD-x86_64.iso.sha256
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 catalyst/base/genbase.py  | 3 +++
 doc/catalyst-config.5.txt | 7 ++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
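
The checksum layout described in the commit message above, as an added example that is not part of the bug report and is not catalyst's or systemd's code: one side writes a `<image>.sha256` file in `sha256sum` layout with a leading `#` comment line, the other parses it and checks an image against it. All function names are hypothetical, and verifying the inline signature that infra adds is assumed to happen separately before this check.

```python
import hashlib
import hmac
import os
import string


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large stage tarball never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_sha256_file(image_path):
    """Write <image>.sha256: a '#' comment line, then 'digest  basename'."""
    out = image_path + ".sha256"
    with open(out, "w") as f:
        f.write("# SHA256 HASH\n")
        f.write(f"{sha256_file(image_path)}  {os.path.basename(image_path)}\n")
    return out


def parse_sha256_file(text):
    """Return {filename: digest}; blank lines and '#' lines are ignored."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # coreutils puts ' ' (text) or '*' (binary) right before the name.
        name = name[1:] if name[:1] in (" ", "*") else name
        is_hex = len(digest) == 64 and all(c in string.hexdigits for c in digest)
        if not is_hex or not name:
            raise ValueError(f"line {lineno}: not a sha256sum entry")
        entries[name] = digest.lower()
    return entries


def verify_image(image_path, checksum_path):
    """True only if the file lists this image's name with a matching digest."""
    with open(checksum_path) as f:
        entries = parse_sha256_file(f.read())
    expected = entries.get(os.path.basename(image_path))
    if expected is None:
        return False  # a valid digest for some other file must not count
    return hmac.compare_digest(expected, sha256_file(image_path))
```

Matching on the file name as well as the digest means a checksum file published for a different image cannot be used to validate this one.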
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2022-03-26 14:42:02 UTC
> Currently there are 1 major and 2 minor problems that prevent using stages
> directly in machinectl.
> 
> 1. https://bugs.gentoo.org/787194
>    https://github.com/systemd/systemd/issues/16605
>  since our stages are pixz compressed and it adds an index - it confuses
> machinectl, because internally it passes --ignore-zeros
> 
> it's almost fixed.
> https://github.com/dol-sen/pyDeComp/commit/e60dffe2043a1b963e9ba6325e32795d3aa6993c landed and we have it in 3.0-r2
> 
> I'm testing on ppc64le right now.

This is stable now, so 1 should be done.

> 2. machinectl pull-tar expects a *.sha256 file that contains a checksum,
> that can be used to verify the image.
>   some code needs to be added to catalyst to create those files.
>   probably base/genbase.py, it already handles other digests.
> 
>   doc: https://www.freedesktop.org/software/systemd/man/machinectl.html#pull-tar%20URL%20[NAME]

This is done as per comment #1.

> 3. signing above sha256 files. they are expected to be ascii-armoured by
> infra.
>   that code is in https://gitweb.gentoo.org/infra/mastermirror-scripts.git/tree/sign-autobuilds.sh
>   and it already contains logic for inline signing, so should be easy to
> plug.
> 
> 4. machinectl also looks for .nspawn file matching image name, this file is
> optional but can be used to provide some initial configuration, like maybe
> bind-mounting distfiles from host.
>   doc: https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html

Still need to be done. Should be easy enough though.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2022-04-30 22:21:17 UTC
All done, at least for the hosts running git-master catalyst. 
The rest will eventually follow.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-12 13:51:32 UTC
I'm going to reopen this as it seems this has not made it into a catalyst release, and thus machinectl cannot be used in this way yet for Gentoo.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2022-10-02 19:22:54 UTC
(In reply to John Helmert III from comment #4)
> I'm going to reopen this as it seems this has not made it into a catalyst
> release, and thus machinectl cannot be used in this way yet for Gentoo.

In catalyst-3.0.22