Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package transactional-update for openSUSE:Factory checked in at 2023-09-22 21:46:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/transactional-update (Old) and /work/SRC/openSUSE:Factory/.transactional-update.new.1770 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "transactional-update" Fri Sep 22 21:46:37 2023 rev:101 rq:1111543 version:4.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/transactional-update/transactional-update.changes 2023-06-29 17:27:56.110121121 +0200 +++ /work/SRC/openSUSE:Factory/.transactional-update.new.1770/transactional-update.changes 2023-09-22 21:46:42.667329112 +0200 @@ -1,0 +2,18 @@ +Mon Sep 11 13:55:40 UTC 2023 - Ignaz Forster <ifors...@suse.com> + +- Version 4.4.0 + - t-u: Introduce setup-fips command [jsc#SMO-194] + - libtukit: Always set a cleanup algorithm for snapshots - when + using API, D-Bus interface or tukit the snapshots will be + automatically cleaned up by snapper after some time now; in the + past only snapshots created by the transactional-update shell + script would be cleanup after, and only after a `t-u cleanup` + run. + - tukit: enable kexec's syscall detection feature + - tukit: Don't throw exceptions from the child process after fork + - tukitd: Rename service file to org.opensuse.tukit.service + - tukitd: Allow querying DBus Properties [boo#1214707] + - t-u: Add support for fully written-out update commands + - t-u: Improve detection of existing kernel parameters + +------------------------------------------------------------------- Old: ---- transactional-update-4.3.0.tar.gz New: ---- transactional-update-4.4.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ transactional-update.spec ++++++ --- /var/tmp/diff_new_pack.JTXN4I/_old 2023-09-22 21:46:43.779369481 +0200 +++ /var/tmp/diff_new_pack.JTXN4I/_new 2023-09-22 21:46:43.783369627 +0200 @@ -26,7 +26,7 @@ %{!?_distconfdir: %global _distconfdir %{_prefix}%{_sysconfdir}} Name: transactional-update -Version: 4.3.0 +Version: 4.4.0 Release: 0 Summary: Transactional Updates with btrfs and snapshots License: GPL-2.0-or-later AND LGPL-2.1-or-later 
@@ -306,7 +306,7 @@ %license COPYING gpl-2.0.txt %{_sbindir}/tukitd %{_unitdir}/tukitd.service -%{_prefix}/share/dbus-1/system-services/tukitd.d-bus.service +%{_prefix}/share/dbus-1/system-services/org.opensuse.tukit.service %{_prefix}/share/dbus-1/system.d/org.opensuse.tukit.conf %{_prefix}/share/dbus-1/interfaces/org.opensuse.tukit.Snapshot.xml %{_prefix}/share/dbus-1/interfaces/org.opensuse.tukit.Transaction.xml ++++++ transactional-update-4.3.0.tar.gz -> transactional-update-4.4.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/NEWS new/transactional-update-4.4.0/NEWS --- old/transactional-update-4.3.0/NEWS 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/NEWS 2023-09-11 15:49:37.000000000 +0200 
@@ -2,6 +2,20 @@ Copyright (C) 2016-2022 Thorsten Kukuk, Ignaz Forster et al. +Version 4.4.0 +* t-u: Introduce setup-fips command [jsc#SMO-194] +* libtukit: Always set a cleanup algorithm for snapshots - when using API, + D-Bus interface or tukit the snapshots will be automatically cleaned up + by snapper after some time now; in the past only snapshots created by + the transactional-update shell script would be cleanup after, and only + after a `t-u cleanup` run. +* tukit: enable kexec's syscall detection feature +* tukit: Don't throw exceptions from the child process after fork +* tukitd: Rename service file to org.opensuse.tukit.service +* tukitd: Allow querying DBus Properties [boo#1214707] +* t-u: Add support for fully written-out update commands +* t-u: Improve detection of existing kernel parameters + Version 4.3.0 * Replace custom tu-rebuild-kdump-initrd with call to mkdumprd [gh#openSUSE/transactional-update#107]. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/configure.ac new/transactional-update-4.4.0/configure.ac --- old/transactional-update-4.3.0/configure.ac 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/configure.ac 2023-09-11 15:49:37.000000000 +0200 
@@ -1,11 +1,11 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT(transactional-update, 4.3.0) +AC_INIT(transactional-update, 4.4.0) # Increase on any interface change and reset revision LIBTOOL_CURRENT=4 # On interface change increase if backwards compatible, reset otherwise LIBTOOL_AGE=0 # Increase on *any* C/C++ library code change, reset at interface change -LIBTOOL_REVISION=6 +LIBTOOL_REVISION=7 AC_CANONICAL_SYSTEM AM_INIT_AUTOMAKE([foreign]) AC_CONFIG_FILES([tukit.pc]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/dbus/Makefile.am new/transactional-update-4.4.0/dbus/Makefile.am --- old/transactional-update-4.3.0/dbus/Makefile.am 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/dbus/Makefile.am 2023-09-11 15:49:37.000000000 +0200 @@ -9,7 +9,7 @@ dbusconfdir = @DBUSCONFDIR@ dbusconf_DATA = org.opensuse.tukit.conf dbussystembusservicedir = @DBUSSYSTEMBUSSERVICEDIR@ -dbussystembusservice_DATA = tukitd.d-bus.service +dbussystembusservice_DATA = org.opensuse.tukit.service dbusinterfacesdir = @DBUSINTERFACESDIR@ dbusinterfaces_DATA = org.opensuse.tukit.Transaction.xml org.opensuse.tukit.Snapshot.xml systemdsystemunitdir = @SYSTEMDDIR@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/dbus/org.opensuse.tukit.conf new/transactional-update-4.4.0/dbus/org.opensuse.tukit.conf --- old/transactional-update-4.3.0/dbus/org.opensuse.tukit.conf 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/dbus/org.opensuse.tukit.conf 2023-09-11 15:49:37.000000000 +0200 
@@ -3,7 +3,7 @@ <policy user="root"> <allow own="org.opensuse.tukit"/> <allow send_destination="org.opensuse.tukit" send_interface="org.opensuse.tukit.Transaction"/> - <allow send_destination="org.opensuse.tukit" send_interface="org.freedesktop.DBus.Introspectable"/> + <allow send_destination="org.opensuse.tukit" send_interface="org.freedesktop.DBus.Properties"/> </policy> <policy context="default"> <deny own="org.opensuse.tukit"/> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/dbus/org.opensuse.tukit.service new/transactional-update-4.4.0/dbus/org.opensuse.tukit.service --- old/transactional-update-4.3.0/dbus/org.opensuse.tukit.service 1970-01-01 01:00:00.000000000 +0100 +++ new/transactional-update-4.4.0/dbus/org.opensuse.tukit.service 2023-09-11 15:49:37.000000000 +0200 @@ -0,0 +1,5 @@ +[D-BUS Service] +Name=org.opensuse.tukit +Exec=/usr/sbin/tukitd +User=root +SystemdService=tukitd.service \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/dbus/tukitd.d-bus.service new/transactional-update-4.4.0/dbus/tukitd.d-bus.service --- old/transactional-update-4.3.0/dbus/tukitd.d-bus.service 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/dbus/tukitd.d-bus.service 1970-01-01 01:00:00.000000000 +0100 @@ -1,5 +0,0 @@ -[D-BUS Service] -Name=org.opensuse.tukit -Exec=/usr/sbin/tukitd -User=root -SystemdService=tukitd.service \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/lib/Reboot.cpp new/transactional-update-4.4.0/lib/Reboot.cpp --- old/transactional-update-4.3.0/lib/Reboot.cpp 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/lib/Reboot.cpp 2023-09-11 15:49:37.000000000 +0200 
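Review bot: In the `<policy user="root">` block of dbus/org.opensuse.tukit.conf the `org.freedesktop.DBus.Introspectable` rule is replaced by the `org.freedesktop.DBus.Properties` rule rather than kept beside it, so root clients may lose introspection of the service unless a policy block outside this hunk still allows it. If that is not intended, keep the old line `<allow send_destination="org.opensuse.tukit" send_interface="org.freedesktop.DBus.Introspectable"/>` and add the Properties rule after it. The Properties rule is not limited to reads: it also admits `Set` calls on every object the service exports. A short XML comment stating that tukitd only exposes read-only properties (if that is the case) would document why the broad rule is acceptable.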
@@ -37,7 +37,7 @@ } else if (method == "kured") { command = "touch /var/run/reboot-required"; } else if (method == "kexec") { - command = "kexec -l /boot/vmlinuz --initrd=/boot/initrd --reuse-cmdline;"; + command = "kexec --kexec-syscall-auto -l /boot/vmlinuz --initrd=/boot/initrd --reuse-cmdline;"; command += "sync;"; command += "systemctl kexec;"; } else if (method == "none") { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/lib/Snapshot/Snapper.cpp new/transactional-update-4.4.0/lib/Snapshot/Snapper.cpp --- old/transactional-update-4.3.0/lib/Snapshot/Snapper.cpp 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/lib/Snapshot/Snapper.cpp 2023-09-11 15:49:37.000000000 +0200 @@ -17,7 +17,7 @@ std::unique_ptr<Snapshot> Snapper::create(std::string base, std::string description) { if (! std::filesystem::exists("/.snapshots/" + base + "/snapshot")) throw std::invalid_argument{"Base snapshot '" + base + "' does not exist."}; - snapshotId = callSnapper("create --from " + base + " --read-write --print-number --description '" + description + "' --userdata 'transactional-update-in-progress=yes'"); + snapshotId = callSnapper("create --from " + base + " --read-write --cleanup-algorithm number --print-number --description '" + description + "' --userdata 'transactional-update-in-progress=yes'"); Util::rtrim(snapshotId); return std::make_unique<Snapper>(snapshotId); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/lib/Transaction.cpp new/transactional-update-4.4.0/lib/Transaction.cpp --- old/transactional-update-4.3.0/lib/Transaction.cpp 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/lib/Transaction.cpp 2023-09-11 15:49:37.000000000 +0200 
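Review bot: In lib/Reboot.cpp the changed kexec load still ends in `;`, so when `kexec --kexec-syscall-auto -l …` fails the string goes on to `sync;` and `systemctl kexec;` with no kernel staged by this step. Joining the three steps with `&&` instead of `;` would stop at the failed load. If falling through to whatever `systemctl kexec` does without a loaded image is intended, a comment saying so would help. A one-line comment on why `--kexec-syscall-auto` is wanted would also be useful; presumably it lets the load work where only the file-based kexec syscall is permitted, for example under kernel lockdown. How `command` is executed lies outside the hunk.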
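Review bot: In lib/Snapshot/Snapper.cpp the rewritten `callSnapper(...)` line still splices `base` and `description` into one command string, with `description` wrapped only in literal single quotes, so a description that itself contains `'` ends the quoting early. If callSnapper hands this string to a shell or splits it on whitespace (its body is outside the hunk), caller-supplied text from the API or D-Bus interface would be parsed as further snapper arguments or shell syntax. Passing the arguments as a vector to an exec-style call, or rejecting or escaping quote characters in `description` before this line, would close that off.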
@@ -370,15 +370,18 @@ if (output != nullptr) { ret = dup2(pipefd[1], STDOUT_FILENO); if (ret < 0) { - throw std::runtime_error{"Redirecting stdout failed: " + std::string(strerror(errno))}; + tulog.error("Redirecting stdout failed: " + std::string(strerror(errno))); + _exit(errno); } ret = dup2(pipefd[1], STDERR_FILENO); if (ret < 0) { - throw std::runtime_error{"Redirecting stderr failed: " + std::string(strerror(errno))}; + tulog.error("Redirecting stderr failed: " + std::string(strerror(errno))); + _exit(errno); } ret = close(pipefd[0]); if (ret < 0) { - throw std::runtime_error{"Closing pipefd failed: " + std::string(strerror(errno))}; + tulog.error("Closing pipefd failed: " + std::string(strerror(errno))); + _exit(errno); } } 
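Review bot: Each new error branch calls `tulog.error(...)` and then `_exit(errno)`, but the logging call builds strings and presumably writes output, either of which may overwrite `errno` before `_exit` reads it; the same pattern repeats in the following hunk (chroot, unshare, mount, setenv, execvp). Saving the value first keeps the status tied to the failing call: `int err = errno; tulog.error("Redirecting stdout failed: " + std::string(strerror(err))); _exit(err);`. Because the status is a raw errno, the parent cannot tell a setup failure such as EPERM (1) from the executed command exiting with the same code, so a fixed status for setup failures (127 is the usual one for a failed exec) would be easier to interpret. With every branch now ending in `_exit`, the `ret = -1;` after the execvp check in the next hunk appears unreachable. The enclosing function starts and ends outside both hunks.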
@@ -387,28 +390,34 @@ tulog.info("Warning: Couldn't set working directory: ", std::string(strerror(errno))); } if (chroot(bindDir.c_str()) < 0) { - throw std::runtime_error{"Chrooting to " + bindDir + " failed: " + std::string(strerror(errno))}; + tulog.error("Chrooting to " + bindDir + " failed: " + std::string(strerror(errno))); + _exit(errno); } // Prevent mounts from within the chroot environment influence the tukit organized mounts if (unshare(CLONE_NEWNS) < 0) { - throw std::runtime_error{"Creating new mount namespace failed: " + std::string(strerror(errno))}; + tulog.error("Creating new mount namespace failed: " + std::string(strerror(errno))); + _exit(errno); } if (mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) < 0) { - throw std::runtime_error{"Setting private mount for command execution failed: " + std::string(strerror(errno))}; + tulog.error("Setting private mount for command execution failed: " + std::string(strerror(errno))); + _exit(errno); } } // Set indicator for RPM pre/post sections to detect whether we run in a // transactional update if (setenv("TRANSACTIONAL_UPDATE", "true", 1) < 0) { - throw std::runtime_error{"Setting environment variable TRANSACTIONAL_UPDATE failed: " + std::string(strerror(errno))}; + tulog.error("Setting environment variable TRANSACTIONAL_UPDATE failed: " + std::string(strerror(errno))); + _exit(errno); } if (setenv("TRANSACTIONAL_UPDATE_ROOT", snapshot->getRoot().c_str(), 1)) { - throw std::runtime_error{"Setting environment variable TRANSACTIONAL_UPDATE_ROOT failed: " + std::string(strerror(errno))}; + tulog.error("Setting environment variable TRANSACTIONAL_UPDATE_ROOT failed: " + std::string(strerror(errno))); + _exit(errno); } if (execvp(argv[0], (char* const*)argv) < 0) { - throw std::runtime_error{"Calling " + std::string(argv[0]) + " failed: " + std::string(strerror(errno))}; + tulog.error("Calling " + std::string(argv[0]) + " failed: " + std::string(strerror(errno))); + _exit(errno); } ret = -1; } else { diff 
-urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/man/transactional-update.8.xml new/transactional-update-4.4.0/man/transactional-update.8.xml --- old/transactional-update-4.3.0/man/transactional-update.8.xml 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/man/transactional-update.8.xml 2023-09-11 15:49:37.000000000 +0200 @@ -290,6 +290,20 @@ </listitem> </varlistentry> <varlistentry> + <term><option>setup-fips</option></term> + <listitem> + <para> + Install the FIPS pattern package and configure the kernel command + line parameter to activate FIPS mode. + </para> + <para> + This command can not be combined with any + <link linkend='pkg_commands'>Package Command</link> other than + <option>install</option>. + </para> + </listitem> + </varlistentry> + <varlistentry> <term><option>setup-kdump</option> <optional>--crashkernel=<replaceable>low</replaceable>,<replaceable>high</replaceable></optional></term> <listitem> <para> @@ -359,6 +373,7 @@ <refsect3 id='ni_pkg_commands'><title>Non-interactive Package Commands</title> <variablelist> <varlistentry> + <term><option>dist-upgrade</option></term> <term><option>dup</option></term> <listitem> <para> @@ -370,6 +385,7 @@ </listitem> </varlistentry> <varlistentry> + <term><option>update</option></term> <term><option>up</option></term> <listitem> <para> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/transactional-update-4.3.0/sbin/transactional-update.in new/transactional-update-4.4.0/sbin/transactional-update.in --- old/transactional-update-4.3.0/sbin/transactional-update.in 2023-06-28 16:55:05.000000000 +0200 +++ new/transactional-update-4.4.0/sbin/transactional-update.in 2023-09-11 15:49:37.000000000 +0200 @@ -47,6 +47,7 @@ REBOOT_METHOD="auto" RUN_CMD="" RUN_SHELL=0 +SETUP_FIPS=0 SETUP_KDUMP=0 SETUP_SELINUX=0 USE_TELEMETRICS=0 
@@ -150,18 +151,19 @@ echo "shell Open rw shell in new snapshot before exiting" echo "reboot Reboot after update" echo "run <cmd> Run a command in a new snapshot" + echo "setup-fips Install and enable FIPS pattern package" echo "setup-kdump [--crashkernel=<low>,<high>] Configure and enable kdump" echo "setup-selinux Install targeted SELinux policy and enable it" echo "" echo "Package Commands:" echo "Defaults: (i) interactive command; (n) non-interactive command" - echo "dup Call 'zypper dup' (n)" - echo "up Call 'zypper up' (n)" + echo "dist-upgrade, dup Call 'zypper dup' (n)" + echo "update, up Call 'zypper up' (n)" echo "patch Call 'zypper patch' (n)" echo "migration Updates systems registered via SCC / SMT (i)" - echo "pkg install ... Install individual packages (i)" - echo "pkg remove ... Remove individual packages (i)" - echo "pkg update ... Updates individual packages (i)" + echo "pkg install|in ... Install individual packages (i)" + echo "pkg remove|rm ... Remove individual packages (i)" + echo "pkg update|up ... Updates individual packages (i)" echo "register ... Register system via SUSEConnect (implies -d)" echo "" echo "Standalone Commands:" @@ -871,13 +873,13 @@ DO_CLEANUP_OVERLAYS=1 shift ;; - dup) + dist-upgrade|dup) DO_DUP=1 ZYPPER_ARG="--no-cd dup" shift TELEM_CLASS="upgrade" ;; - up) + update|up) ZYPPER_ARG=up shift TELEM_CLASS="update" @@ -1011,6 +1013,11 @@ RUN_CMD=("$@") break ;; + setup-fips) + test -z "$TELEM_CLASS" && TELEM_CLASS="fips" + SETUP_FIPS=1 + shift + ;; setup-kdump) test -z "$TELEM_CLASS" && TELEM_CLASS="setup-kdump" SETUP_KDUMP=1 
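Review bot: The new `setup-fips)` arm sets `TELEM_CLASS="fips"`, while the neighbouring `setup-kdump)` arm visible in the same hunk uses the full command name `"setup-kdump"`. Unless telemetry consumers expect the short form, `test -z "$TELEM_CLASS" && TELEM_CLASS="setup-fips"` would keep the class names consistent. The case statement continues outside the hunk.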
@@ -1125,6 +1132,24 @@ fi fi +# Setup FIPS +if [ "${SETUP_FIPS}" -eq 1 ]; then + if [ -n "${ZYPPER_ARG}" -a "${ZYPPER_ARG}" != "install" ]; then + log_error "ERROR: Cannot combine 'setup-fips' with zypper command '${ZYPPER_ARG}'" + exit 1 + fi + # Check if we need to install packages + fipspattern="$(rpm -q --whatprovides 'pattern()' --provides | grep '^pattern() = fips$')" + if [ -z "${fipspattern}" ]; then + ZYPPER_ARG_PKGS+=("pattern() = fips") + fi + if [ ${#ZYPPER_ARG_PKGS[@]} -ne 0 ]; then + ZYPPER_ARG="install" + fi + REWRITE_INITRD=1 + REBUILD_KDUMP_INITRD=1 +fi + # Setup SELinux if [ "${SETUP_SELINUX}" -eq 1 ]; then # Setting up SELinux requires several steps: @@ -1539,11 +1564,19 @@ else ETC_BASE="${SNAPSHOT_DIR}" fi + if [ ${SETUP_FIPS} -eq 1 ]; then + # Adjust grub configuration + + # Check if we don't have selinux already enabled. + grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub | grep -q -w fips || \ + tukit ${TUKIT_OPTS} call "${SNAPSHOT_ID}" sed -i -e 's|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 fips=1"|g' "/etc/default/grub" + REWRITE_GRUB_CFG=1 + fi if [ ${SETUP_SELINUX} -eq 1 ]; then # Adjust grub configuration # Check if we don't have selinux already enabled. - grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub | grep -q security=selinux || \ + grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub | grep -q -w security=selinux || \ tukit ${TUKIT_OPTS} call "${SNAPSHOT_ID}" sed -i -e 's|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 security=selinux selinux=1"|g' "/etc/default/grub" REWRITE_GRUB_CFG=1
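Review bot: The guard at the top of the `# Setup FIPS` block combines two tests with `-a` inside `[ ]`, which POSIX marks obsolescent and which becomes ambiguous when an operand resembles an operator; `if [ -n "${ZYPPER_ARG}" ] && [ "${ZYPPER_ARG}" != "install" ]; then` is the unambiguous form. `fipspattern` is only tested for emptiness, so `if ! rpm -q --whatprovides 'pattern()' --provides | grep -q '^pattern() = fips$'; then` would avoid the temporary variable. The rpm query appears to inspect the currently running system rather than the new snapshot. A comment saying that this is deliberate would help readers.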