Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Factory
microos-tools
microos-tools-4.0+git6.obscpio
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File microos-tools-4.0+git6.obscpio of Package microos-tools
07070100000000000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000001F00000000microos-tools-4.0+git6/.github07070100000001000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000002900000000microos-tools-4.0+git6/.github/workflows07070100000002000081A400000000000000000000000167360DF80000023F000000000000000000000000000000000000003200000000microos-tools-4.0+git6/.github/workflows/test.ymlname: MicroOS in QEMU on: push: branches: [ master ] pull_request: branches: [ master ] jobs: build: runs-on: ubuntu-latest container: image: opensuse/tumbleweed options: --privileged steps: - uses: actions/checkout@v4 - name: Install dependencies run: | zypper in -y autoconf automake e2fsprogs gcc make dracut qemu-img qemu-x86 rpm-devel wget - name: Build run: | ./autogen.sh ./configure --sysconfdir=/etc make -j$(nproc) - name: Test run: | bash test/test.sh 07070100000003000081A400000000000000000000000167360DF80000016D000000000000000000000000000000000000002200000000microos-tools-4.0+git6/.gitignoreMakefile.in autom4te.cache aclocal.m4 compile configure depcomp install-sh missing stamp-h1 # files generated by configure .deps .libs Makefile config.h *.o *.lo *.la *.a *~ *.rej *.orig core config.log config.status test-driver test-suite.log check-output.* firstboot/MicroOS-firstboot.service microos-tools-*.tar.* locale-check/locale-check devel-tools/rpmorphan 07070100000004000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000001C00000000microos-tools-4.0+git6/.obs07070100000005000081A400000000000000000000000167360DF8000001AB000000000000000000000000000000000000002A00000000microos-tools-4.0+git6/.obs/workflows.ymlci_workflow: steps: - branch_package: source_project: devel:microos:ci:microos-tools source_package: microos-tools target_project: devel:microos:ci:microos-tools filters: event: pull_request master_workflow: steps: - trigger_services: project: devel:microos:ci:microos-tools package: microos-tools filters: event: push branches: only: - master 07070100000006000081A400000000000000000000000167360DF80000467E000000000000000000000000000000000000001F00000000microos-tools-4.0+git6/COPYING GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., <http://fsf.org/> 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. {description} Copyright (C) {year} {fullname} This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. {signature of Ty Coon}, 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. 07070100000007000081A400000000000000000000000167360DF80000010B000000000000000000000000000000000000002300000000microos-tools-4.0+git6/Makefile.amAUTOMAKE_OPTIONS = 1.6 foreign check-news dist-xz SUBDIRS = systemd-proxy-env systemd-printenv tmpfs \ selinux devel-tools CLEANFILES = *~ EXTRA_DIST = README.md profile_DATA = man-online.sh profiledir = $(prefix)$(sysconfdir)/profile.d bin_SCRIPTS = man-online 07070100000008000081A400000000000000000000000167360DF800000C54000000000000000000000000000000000000001C00000000microos-tools-4.0+git6/NEWSVersion 4.0: - Some refactoring of the SELinux relabelling code - The SELinux relabelling code is now usable on non-transactional systems as well - Split SELinux relabelling code into separate package - Add automated testing of SELinux relabelling functionality - Use multiple threads for SELinux relabelling - Don't relabel in the zipl initrd "initgrub" mode - 98selinux-microos: Avoid "/sysroot-selinux: not mounted" on new util-linux - Install man-online alias only for bash - Add man-online command - Drop support for sle15 builds - Add OBS CI workflow - 98selinux-microos: Set mount propagation properly - 98selinux-microos: Convert tabs to spaces - 98selinux-microos: Don't include setenforce unnecessarily - Add spec file - systemd-proxy-env: fix typos in setup-systemd-proxy-env - Bump version to 4.0 to have a higher version than the previous selinux-autorelabel Version 2.21: - 98selinux-microos: Work around overlayfs bug [bsc#1210690] - 98selinux-microos: Create .relabelled marker before relabelling - Drop extra sysctl file for coredumps [boo#1091684] Version 2.20: - 98selinux-microos: Don't load the policy to label the system Version 2.19: - Clean up selinux-autorelabel-generator and make it compatible with systemd 253 Version 2.18 - Add TMPDIR to tukit binddirs for Salt - 98selinux-microos: Add chroot as dependency - Fix spelling error in warning Version 2.17 - selinux-autorelabel-generator: Don't cross partition boundaries for /.snapshots when relabeling [issue#11] Version 2.16 - 98selinux-microos: Make the btrfs subvolume writable temporarily [boo#1202395] Version 2.15 - 98selinux-microos: Add grep as dependency Version 2.14 - Fix Makefile for devel-tools Version 2.13 - 98selinux-microos: Don't rely on selinux=1 [bsc#1202449] - Add sysext-add-debug - Make sure /var/lib/overlay exists before relabeling Version 2.12 - Remove locale-check, aaa_base has now an own solution - Remove old CaaSP stuff - Remove systemd firstboot overwrite Version 2.11 - Fix unwritable /var / /etc after SELinux relabel [bsc#1186563] Version 2.10 - Fixes and improvements for SELinux support - Add devel tools Version 2.9 - Use absolute path for selinuxenabled in systemd generator Version 2.8 - Don't propagate umounts into the real root - Use content of .autorelabel only if it exists Version 2.7 - Add workaround if /.autorelabel is used, don't ignore it. - Use content of .autorelabel as additional restorecon argument Version 2.6 - Don't delete autorelabel file in initrd Version 2.5 - Remove tmpfiles.d/tmp.conf, now handled by filesystem package Version 2.4 - Don't override tmp.mount options but use tmpfiles.d/tmp.conf to set the labels [bsc#1175379] Version 2.3 - override tmp.mount option to set correct SELinux label for /tmp - Prepare "noexec" for tmp.mount - Override TMPDIR for salt to not exec things in /tmp - Add selinux dracut module to relabel system at bootup - Add locale-check to reset locale to system default if the one set by SSH does not exist [bsc#1156175] Version 2.2 - tmp.mount is provided now by systemd Version 2.1 - Use tmpfs for /tmp Version 2.0 - change to autotools 07070100000009000081A400000000000000000000000167360DF8000005CC000000000000000000000000000000000000002100000000microos-tools-4.0+git6/README.md# MicroOS Tools Files and scripts for openSUSE MicroOS ## /tmp on tmpfs with noexec flag MicroOS will use tmpfs for /tmp with noexec flag set in the future. For this reasons, salt-minion will write it's temporary files into /run/salt-tmp. In general, daemons should use private disk space for their data and not shared one in /tmp. ## SELinux MicroOS has support for SELinux. If the file `/etc/selinux/.autorelabel` exists, the dracut module `98selinux-microos` will label the root filesystem including `/etc` and `/var`. The selinux-autorelabel-generator will generate services to relabel other mountpoints during boot. There is a script for automated testing of this in test/test.sh. ## locale-check MicroOS supports only a limited number of locales (C, C.utf8, en_US.utf8, POSIX). If you login via SSH, the locale settings will be verified that they exist on this system. If not, locale is reset to the system default. ## systemd services ### setup-systemd-proxy-env.service The `setup-systemd-proxy-env.service` makes the proxy variables from `/etc/sysconfig/proxy` available to all systemd units. ### printenv.service The `printenv.service` is to debug which environment variables exist by default. It just calls `printenv`. ## development tools * microos-rw: switches the root file system to read-write * microos-ro: resets btrfs property to read-only again. * rpmorphan: display files not owned by rpm * rpm-sortbysize: list all installed packages sorted by size 0707010000000A000081ED00000000000000000000000167360DF800000091000000000000000000000000000000000000002200000000microos-tools-4.0+git6/autogen.sh#!/bin/sh -x rm -fv ltmain.sh config.sub config.guess config.h.in aclocal automake --add-missing --copy --force autoreconf chmod 755 configure 0707010000000B000081A400000000000000000000000167360DF800000506000000000000000000000000000000000000002400000000microos-tools-4.0+git6/configure.acdnl Process this file with autoconf to produce a configure script. AC_INIT([microos-tools], [4.0]) AM_INIT_AUTOMAKE AC_PREFIX_DEFAULT(/usr) AC_SUBST(PACKAGE) AC_SUBST(VERSION) PKG_CHECK_VAR([systemdsystemunitdir], [systemd], [systemdsystemunitdir], [], [AC_MSG_ERROR([Could not determine value for 'systemdsystemunitdir' - is the 'systemd.pc' file installed?])]) PKG_CHECK_VAR([tmpfilesdir], [systemd], [tmpfilesdir], [], [AC_MSG_ERROR([Could not determine value for 'tmpfilesdir' - is the 'systemd.pc' file installed?])]) PKG_CHECK_VAR([systemdgeneratordir], [systemd], [systemdsystemgeneratordir], [], [AC_MSG_ERROR([Could not determine value for 'systemdsystemgeneratordir' - is the 'systemd.pc' file installed?])]) PKG_CHECK_VAR([dracutmodulesdir], [dracut], [dracutmodulesdir], [], [AC_MSG_ERROR([Could not determine value for 'dracutmodulesdir' - is the 'dracut.pc' file installed?])]) PKG_CHECK_MODULES([RPM], [rpm]) if test "${exec_prefix}" = "NONE" then SYSCTLDIR=${prefix}/lib/sysctl.d else SYSCTLDIR=${exec_prefix}/lib/sysctl.d fi AC_SUBST(SYSCTLDIR) AC_PROG_CC AC_PROG_INSTALL AC_PROG_LN_S AC_CONFIG_FILES([Makefile systemd-proxy-env/Makefile systemd-printenv/Makefile \ tmpfs/Makefile selinux/Makefile \ devel-tools/Makefile]) AC_OUTPUT 0707010000000C000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000002300000000microos-tools-4.0+git6/devel-tools0707010000000D000081A400000000000000000000000167360DF800000108000000000000000000000000000000000000002F00000000microos-tools-4.0+git6/devel-tools/Makefile.amsystemddir = $(systemdsystemunitdir) systemd_DATA = microos-ro.service sbin_SCRIPTS = microos-rw microos-ro rpm-sortbysize sysext-add-debug sbin_PROGRAMS = rpmorphan rpmorphan_LDADD = $(RPM_LIBS) rpmorphan_CFLAGS = $(RPM_CFLAGS) EXTRA_DIST = $(SCRIPTS) $(DATA) 0707010000000E000081A400000000000000000000000167360DF8000000DA000000000000000000000000000000000000002E00000000microos-tools-4.0+git6/devel-tools/microos-ro#!/bin/bash btrfs prop set -t s / ro true # can't do that, would remount all subvolumes :-( #mount -o remount,ro / systemctl disable --runtime microos-ro.service systemctl unmask --runtime transactional-update.service 0707010000000F000081A400000000000000000000000167360DF8000000D3000000000000000000000000000000000000003600000000microos-tools-4.0+git6/devel-tools/microos-ro.service[Unit] Description=Switch root FS to read-only again Before=systemd-reboot.service DefaultDependencies=no [Service] ExecStart=/usr/sbin/microos-ro Type=oneshot [Install] WantedBy=reboot.target shutdown.target 07070100000010000081A400000000000000000000000167360DF800000167000000000000000000000000000000000000002E00000000microos-tools-4.0+git6/devel-tools/microos-rw#!/bin/bash # make sure we switch back to ro on shutdown systemctl enable --runtime microos-ro.service systemctl mask --runtime transactional-update.service mount -o remount,rw / btrfs prop set -t s / ro false cat <<EOF ########################## # Root FS switches to RW # # Operating out of spec, # # be careful! # ########################## EOF 07070100000011000081A400000000000000000000000167360DF800000039000000000000000000000000000000000000003200000000microos-tools-4.0+git6/devel-tools/rpm-sortbysize#!/usr/bin/sh rpm -qa --qf '%{SIZE} %{NAME}\n' | sort -n 07070100000012000081A400000000000000000000000167360DF800000FEC000000000000000000000000000000000000002F00000000microos-tools-4.0+git6/devel-tools/rpmorphan.c/* Copyright (c) 2019,2020 SUSE LLC Author: Adam Majer Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #include <rpm/rpmts.h> #include <rpm/rpmdb.h> #include <rpm/rpmlib.h> #include <fcntl.h> #include <rpm/rpmcli.h> #include <rpm/header.h> #include <rpm/rpmfiles.h> #include <dirent.h> #include <stdlib.h> #include <string.h> static int check_list(const char * const * known_list, size_t known_list_size, const char *p) { int pos = known_list_size / 2; int top = known_list_size; int bot = 0; for (;;) { // fprintf(stderr, "checking vs: %s @ %d\n", known_list[pos], pos); int c = strcmp(p, known_list[pos]); if (c == 0) return pos; if (c < 0) top = pos; if (c > 0) { if (bot == pos) break; bot = pos; } if (bot + (top - bot)/2 == pos) break; pos = bot + (top - bot)/2; } return -1; } static void scan_subdirs(const char *dir, const char * const * filters, const char ** known_list, size_t known_list_size) { char fullpath[10240]; DIR *d = opendir(dir); if (d == NULL) return; struct dirent *e; while ((e = readdir(d)) != NULL) { if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue; switch (e->d_type) { case DT_DIR: case DT_LNK: case DT_REG: { if (strlen(dir) + strlen(e->d_name) + 2 > 10240) abort(); strcpy(fullpath, dir); strcat(fullpath, "/"); strcat(fullpath, e->d_name); if (check_list(known_list, known_list_size, fullpath) == -1) { puts(fullpath); } if (e->d_type == DT_DIR) { const char * const *f = filters; while (*f != NULL && strcmp(*f, fullpath) != 0) f++; if (*f == NULL) scan_subdirs(fullpath, filters, known_list, known_list_size); } } } } closedir(d); } static int str_sort(const void *a, const void *b) { return strcmp(*(const char**)a, *(const char**)b); } int main() { rpmcliConfigured(); rpmts dbts = rpmtsCreate(); if (!dbts) { printf("ERROR\n:"); return -1; } if (rpmtsOpenDB(dbts, O_RDONLY) != 0) { printf("BAD BAD\n"); return -3; } size_t paths_size = 1024 * 128, count = 0; char **known_paths = malloc(sizeof(char*) * paths_size); rpmdbMatchIterator iter = rpmtsInitIterator(dbts, RPMDBI_PACKAGES, NULL, 0); Header hdr; while ((hdr = rpmdbNextIterator(iter)) != NULL) { rpmfiles files = rpmfilesNew(NULL, hdr, 0, 0); rpmfi fi = rpmfilesIter(files, 0); while (rpmfiNext(fi) >= 0) { if (count >= paths_size) { paths_size *= 2; known_paths = realloc(known_paths, sizeof(char*) * paths_size); } known_paths[count++] = strdup(rpmfiFN(fi)); } rpmfiFree(fi); rpmfilesFree(files); } // sort the known list qsort(known_paths, count, sizeof(char*), str_sort); // Iterate over /usr (!/usr/local) and /lib, /lib64, /sbin // and find things not in the database const char *dirs[] = { "/usr", "/lib", "/lib64", "/sbin", NULL }; const char *filter_dirs[] = { "/usr/local", NULL }; for (const char * const * dir = dirs; *dir != NULL; ++dir) scan_subdirs(*dir, filter_dirs, (const char**)known_paths, count); return 0; } 07070100000013000081ED00000000000000000000000167360DF8000003FE000000000000000000000000000000000000003400000000microos-tools-4.0+git6/devel-tools/sysext-add-debug#!/bin/bash -e if [ "$#" = 0 -o "$1" = "--help" ]; then echo "Usage: $0 PACKAGE..." echo "Downloads gdb and debuginfo for specified packages to /var/lib/extensions/" echo "Uses systemd-sysext(8) to temporarily overlay them into the system." exit 0 fi pkgs=('gdb') for i in "$@"; do if [ "${i%-debuginfo}" = "$i" ] && [ "${i%-debugsource}" = "$i" ]; then pkgs+=("$i-debuginfo" "$i-debugsource") else pkgs+=("$i") fi done . /usr/lib/os-release ext_base=/var/lib/extensions/debug-"$VERSION_ID" mkdir -p "$ext_base/download" echo "getting ${pkgs[@]}" zypper --pkg-cache-dir="$ext_base/download" --plus-content debug in --dry-run --download-only "${pkgs[@]}" while read pkg; do echo "adding ${pkg##*/}" rpm2cpio "$pkg" | cpio -idD "$ext_base" rm "$pkg" done < <(find "$ext_base/download" -type f -name '*.rpm') mkdir -p "$ext_base"/usr/lib/extension-release.d cat > "$ext_base"/usr/lib/extension-release.d/extension-release.debug-"$VERSION_ID" <<EOF ID=$ID VERSION_ID=$VERSION_ID EOF systemd-sysext merge 07070100000014000081ED00000000000000000000000167360DF8000003B4000000000000000000000000000000000000002200000000microos-tools-4.0+git6/man-online#!/bin/bash -e section= helpandquit() { cat <<-EOF Usage: $0 [man options] [[section] page ...] ... OPTIONS: -h, --help help screen EOF exit 0 } cleanup() { [ -z "$tmpdir" ] || rm -rf "$tmpdir" } show() { local topic="${1:?}" if ! curl -s -f -o "$tmpdir/$topic".gz -f -L https://manpages.opensuse.org/"$topic${section:+.}$section".gz; then echo "Failed to fetch $topic" >&2 return 0 fi mandoc -l "$tmpdir/$topic.gz" } getopttmp=$(getopt -o hs: --long help -n "${0##*/}" -- "$@") eval set -- "$getopttmp" while true ; do case "$1" in -h|--help) helpandquit ;; -s) section="$2"; shift 2 ;; --) shift ; break ;; *) echo "Internal error!" ; exit 1 ;; esac done [ -z "$1" ] && helpandquit tmpdir=$(mktemp -d -t addimageencryption.XXXXXX) trap cleanup EXIT if [ -z "$section" ] && [ "${1/#[0-9]/}" != "$1" ]; then section="$1" shift fi for i in "$@"; do show "$i" done 07070100000015000081A400000000000000000000000167360DF800000081000000000000000000000000000000000000002500000000microos-tools-4.0+git6/man-online.sh# install alias if no local man is installed if [ "$is" = 'bash' ] && ! type -P man >/dev/null; then alias man=man-online fi 07070100000016000081A400000000000000000000000167360DF800001023000000000000000000000000000000000000002A00000000microos-tools-4.0+git6/microos-tools.spec# # spec file for package microos-tools # # Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %{!?_distconfdir: %global _distconfdir %{_prefix}%{_sysconfdir}} Name: microos-tools Version: 4.0 Release: 0 Summary: Files and Scripts for openSUSE MicroOS License: GPL-2.0-or-later Group: Development/Tools/Other URL: https://github.com/openSUSE/microos-tools Source: microos-tools-%{version}.tar.xz BuildRequires: automake BuildRequires: distribution-release BuildRequires: pkgconfig BuildRequires: pkgconfig(dracut) BuildRequires: pkgconfig(rpm) BuildRequires: pkgconfig(systemd) Requires: read-only-root-fs Requires: selinux-autorelabel = %{version} # for man-online Requires: mandoc-bin %description Files, scripts and directories for openSUSE MicroOS. %package -n selinux-autorelabel Summary: Automatic SELinux relabelling during early boot Requires: /usr/bin/findmnt Requires: policycoreutils %description -n selinux-autorelabel This package contains a dracut module and systemd generator for relabelling the system during early boot. %package -n microos-devel-tools Summary: Tools to develop MicroOS %description -n microos-devel-tools This package contains tools to make developing of MicroOS easier. %prep %autosetup -p1 %build ./autogen.sh %configure %make_build %install %make_install %pre %service_add_pre setup-systemd-proxy-env.service setup-systemd-proxy-env.path printenv.service %preun %service_del_preun setup-systemd-proxy-env.service setup-systemd-proxy-env.path printenv.service %post %service_add_post setup-systemd-proxy-env.service setup-systemd-proxy-env.path printenv.service %postun %service_del_postun setup-systemd-proxy-env.service setup-systemd-proxy-env.path printenv.service %pre -n microos-devel-tools %service_add_pre microos-ro.service %post -n microos-devel-tools %service_add_post microos-ro.service %preun -n microos-devel-tools %service_del_preun microos-ro.service %postun -n microos-devel-tools %service_del_postun microos-ro.service %pre -n selinux-autorelabel %service_add_pre systemd-tmpfiles-setup-sys.service %post -n selinux-autorelabel %{regenerate_initrd_post} %service_add_post systemd-tmpfiles-setup-sys.service %preun -n selinux-autorelabel %service_del_preun systemd-tmpfiles-setup-sys.service %postun -n selinux-autorelabel %{regenerate_initrd_post} %service_del_postun systemd-tmpfiles-setup-sys.service %posttrans -n selinux-autorelabel %{regenerate_initrd_posttrans} %files %dir %{_sysconfdir}/selinux %config %{_sysconfdir}/selinux/fixfiles_exclude_dirs %{_unitdir}/printenv.service %{_unitdir}/setup-systemd-proxy-env.path %{_unitdir}/setup-systemd-proxy-env.service %dir %{_unitdir}/salt-minion.service.d %{_unitdir}/salt-minion.service.d/TMPDIR.conf %{_tmpfilesdir}/salt-minion-tmpdir.conf %dir %{_distconfdir}/tukit.conf.d %{_distconfdir}/tukit.conf.d/salt-tukit.conf %{_sbindir}/setup-systemd-proxy-env %{_bindir}/man-online %{_distconfdir}/profile.d/man-online.sh %files -n selinux-autorelabel %license COPYING %dir %{_prefix}/lib/dracut %dir %{_prefix}/lib/dracut/modules.d %{_prefix}/lib/dracut/modules.d/98selinux-microos %{_systemdgeneratordir}/selinux-autorelabel-generator %{_unitdir}/systemd-tmpfiles-setup-sys.service %files -n microos-devel-tools %{_unitdir}/microos-ro.service %{_sbindir}/microos-ro %{_sbindir}/microos-rw %{_sbindir}/rpm-sortbysize %{_sbindir}/rpmorphan %{_sbindir}/sysext-add-debug %changelog 07070100000017000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000001F00000000microos-tools-4.0+git6/selinux07070100000018000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000003100000000microos-tools-4.0+git6/selinux/98selinux-microos07070100000019000081ED00000000000000000000000167360DF80000046F000000000000000000000000000000000000004100000000microos-tools-4.0+git6/selinux/98selinux-microos/module-setup.sh#!/bin/bash # called by dracut check() { test -f /etc/selinux/config || return 1 # Relabelling /etc and /var from the initrd needs support for mounting, # "chroot mount /..." still loads modules from the initrd. # Dracut handles /etc already, but for /var we need to DIY. if [[ -f $dracutsysrootdir/etc/fstab ]]; then _dev="$(findmnt --fstab --noheadings --output SOURCE /var --tab-file "$dracutsysrootdir/etc/fstab")" if [[ -n $_dev ]]; then _fstype="$(findmnt --fstab --noheadings --output FSTYPE /var --tab-file "$dracutsysrootdir/etc/fstab")" _dev="$(expand_persistent_dev "$_dev")" _dev="$(readlink -f "$_dev")" if [[ -b $_dev ]]; then push_host_devs "$_dev" if [[ -z ${host_fs_types["$_dev"]} ]]; then host_fs_types["$_dev"]="$_fstype" fi fi fi fi return 0 } # called by dracut depends() { return 0 } # called by dracut install() { inst_hook pre-pivot 50 "$moddir/selinux-microos-relabel.sh" inst_multiple chroot cut findmnt grep } 0707010000001A000081ED00000000000000000000000167360DF8000015C3000000000000000000000000000000000000004C00000000microos-tools-4.0+git6/selinux/98selinux-microos/selinux-microos-relabel.sh#!/bin/sh type ismounted > /dev/null 2>&1 || . /lib/dracut-lib.sh # In this mode, the zipl initrd uses grub2-emu to kexec the real kernel # and initrd. Don't run there, only in the real initrd (s.a. bsc#1218065). if getargbool 0 'initgrub'; then # This script gets sourced, so must use return here instead of exit return 0 fi rd_is_selinux_enabled() { # If SELinux is not enabled exit now grep -qw selinux /sys/kernel/security/lsm || return 1 SELINUX="enforcing" [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config" if [ "$SELINUX" = "disabled" ]; then return 1; fi return 0 } rd_microos_relabel() { info "SELinux: relabeling root filesystem" root_is_btrfs= if [ "$(findmnt --noheadings --output FSTYPE --target "$NEWROOT")" = "btrfs" ]; then root_is_btrfs=y fi etc_is_overlay= if [ "$(findmnt --fstab --noheadings --output FSTYPE /etc --tab-file "${NEWROOT}/etc/fstab")" = "overlay" ]; then etc_is_overlay=y fi # If this doesn't exist because e.g. it's not mounted yet due to a bug # (boo#1197309), the exclusion is ignored. If it gets mounted during # the relabel, it gets wrong labels assigned. if [ -n "$etc_is_overlay" ] && ! [ -d "$NEWROOT/var/lib/overlay" ]; then warn "ERROR: /var/lib/overlay doesn't exist - /var not mounted (yet)?" return 1 fi # Use alternate mount point to prevent overwriting subvolume options (bsc#1186563) ROOT_SELINUX="${NEWROOT}-selinux" mkdir -p "${ROOT_SELINUX}" # Don't let mounts propagate into other namespaces mount --bind --make-private "${ROOT_SELINUX}" "${ROOT_SELINUX}" mount --rbind --make-rslave "${NEWROOT}" "${ROOT_SELINUX}" ret=0 for sysdir in /proc /sys /dev; do # Don't let recursive umounts propagate into the bind source if ! mount --rbind --make-rslave "${sysdir}" "${ROOT_SELINUX}${sysdir}" ; then warn "ERROR: mounting ${sysdir} failed!" ret=1 fi done if [ $ret -eq 0 ]; then # Mount /var and /etc, need to be relabelled as well for booting. for mp in /var /etc; do if ! findmnt "${ROOT_SELINUX}${mp}" >/dev/null \ && findmnt --fstab --output TARGET --tab-file "${ROOT_SELINUX}/etc/fstab" "$mp" >/dev/null; then chroot "$ROOT_SELINUX" mount "$mp" || ret=1 fi done fi if [ $ret -eq 0 ]; then info "SELinux: mount root read-write and relabel" mount -o remount,rw "${ROOT_SELINUX}" if [ -n "$root_is_btrfs" ]; then oldrovalue="$(btrfs prop get "${ROOT_SELINUX}" ro | cut -d= -f2)" btrfs prop set "${ROOT_SELINUX}" ro false fi FORCE= [ -e "${ROOT_SELINUX}"/etc/selinux/.autorelabel ] && FORCE="$(cat "${ROOT_SELINUX}"/etc/selinux/.autorelabel)" . "${ROOT_SELINUX}"/etc/selinux/config # Marker when we had relabelled the filesystem. This is relabelled as well. > "${ROOT_SELINUX}"/etc/selinux/.relabelled if [ -n "$etc_is_overlay" ]; then LANG=C chroot "$ROOT_SELINUX" /sbin/setfiles $FORCE -T 0 -e /var/lib/overlay -e /proc -e /sys -e /dev -e /etc "/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts" $(chroot "$ROOT_SELINUX" cut -d" " -f2 /proc/mounts) # On overlayfs, st_dev isn't consistent so setfiles thinks it's a different mountpoint, ignoring it. # st_dev changes also on copy-up triggered by setfiles itself, so the only way to relabel properly # is to list every file explicitly. # That's not all: There's a kernel bug that security.selinux of parent directories is lost on copy-up (bsc#1210690). # Work around that by visiting children first and only then the parent directories. LANG=C chroot "$ROOT_SELINUX" find /etc -depth -exec /sbin/setfiles $FORCE "/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts" \{\} + else LANG=C chroot "$ROOT_SELINUX" /sbin/setfiles $FORCE -T 0 -e /proc -e /sys -e /dev "/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts" $(chroot "$ROOT_SELINUX" cut -d" " -f2 /proc/mounts) fi if [ -n "$root_is_btrfs" ]; then btrfs prop set "${ROOT_SELINUX}" ro "${oldrovalue}" fi fi umount -R "${ROOT_SELINUX}" # In some versions of util-linux, ^ does not umount stacked mounts # (https://github.com/util-linux/util-linux/issues/2551) # so take care of the private bind on itself separately: if ismounted "${ROOT_SELINUX}"; then umount "${ROOT_SELINUX}" fi return $ret } if [ -e "$NEWROOT"/.autorelabel ] && [ "$NEWROOT"/.autorelabel -nt "$NEWROOT"/etc/selinux/.relabelled ]; then mount -o remount,rw "$NEWROOT" || return 1 cp -a "$NEWROOT"/.autorelabel "$NEWROOT"/etc/selinux/.autorelabel || return 1 rm -f "$NEWROOT"/.autorelabel 2>/dev/null fi if rd_is_selinux_enabled; then if [ -f "$NEWROOT"/etc/selinux/.autorelabel ] || getarg "autorelabel" > /dev/null; then if ! rd_microos_relabel; then warn "SELinux autorelabelling failed!" return 1 fi fi elif test -e "$NEWROOT"/etc/selinux/.relabelled; then # SELinux is off but looks like some labeling took place before. # So probably a boot with manually disabled SELinux. Make sure # the system gets relabelled next time SELinux is on. > "$NEWROOT"/etc/selinux/.autorelabel warn "SELinux is off in labelled system!" fi return 0 0707010000001B000081A400000000000000000000000167360DF800000192000000000000000000000000000000000000002B00000000microos-tools-4.0+git6/selinux/Makefile.ammodulesdir = @dracutmodulesdir@/98selinux-microos selinuxdir = @sysconfdir@/selinux systemddir = $(systemdsystemunitdir) modules_SCRIPTS = 98selinux-microos/selinux-microos-relabel.sh \ 98selinux-microos/module-setup.sh selinux_DATA = fixfiles_exclude_dirs systemdgenerator_SCRIPTS = selinux-autorelabel-generator systemd_DATA = systemd-tmpfiles-setup-sys.service EXTRA_DIST = $(SCRIPTS) $(DATA) 0707010000001C000081A400000000000000000000000167360DF800000011000000000000000000000000000000000000003500000000microos-tools-4.0+git6/selinux/fixfiles_exclude_dirs/var/lib/overlay 0707010000001D000081ED00000000000000000000000167360DF8000008F5000000000000000000000000000000000000003D00000000microos-tools-4.0+git6/selinux/selinux-autorelabel-generator#!/bin/bash set -euo pipefail # This systemd.generator(7) detects if SELinux is running and if the # user requested an autorelabel. If so, services will be enabled to # run after subvolumes and partitions are mounted before local-fs.target # is reached. # If invoked with no arguments (for testing) write to /tmp. generatordir="/tmp" if [ -n "${1-}" ]; then generatordir="$1" fi enable_units() { mkdir -p "${generatordir}"/local-fs.target.requires relabel_unit_list="" while read -r realdir; do # Skip non-fs (swap) mounts, /, /var, /etc (already done in the initrd) and mountpoints with noauto if [ "${realdir:0:1}" != "/" ] \ || [ "${realdir}" = "/" ] || [ "${realdir}" = "/var" ] || [ "${realdir}" = "/etc" ] \ || findmnt --fstab --noheadings --output OPTIONS --target "${realdir}" | grep -qw noauto; then continue fi mountunit=$(systemd-escape --path "${realdir}") unitfile="${mountunit}-relabel.service" relabel_unit_list="$unitfile $relabel_unit_list" opts="-T 0" [ "${realdir}" == "/.snapshots" ] && opts="${opts} -x" cat >"${generatordir}/${unitfile}" <<-EOF [Unit] Description=Relabel ${realdir} DefaultDependencies=no Requires=systemd-tmpfiles-setup-sys.service After=systemd-tmpfiles-setup-sys.service RequiresMountsFor=${realdir} Before=local-fs.target ConditionSecurity=selinux [Service] Type=oneshot ExecStart=/sbin/restorecon -R ${opts} ${realdir} RemainAfterExit=true EOF ln -sf ../"${unitfile}" "${generatordir}"/local-fs.target.requires/"${unitfile}" done < <(findmnt --fstab --noheadings --output TARGET) unitfile="mark-autorelabel-done.service" cat >"${generatordir}/${unitfile}" <<-EOF [Unit] Description=Mark autorelabel as done DefaultDependencies=no Before=local-fs.target After=${relabel_unit_list} Requires=${relabel_unit_list} ConditionSecurity=selinux ConditionPathExists=/etc/selinux/.autorelabel [Service] Type=oneshot ExecStart=/usr/bin/rm /etc/selinux/.autorelabel RemainAfterExit=true EOF ln -sf "../${unitfile}" "${generatordir}/local-fs.target.requires/${unitfile}" } if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then if [ -f /etc/selinux/.autorelabel ] || grep -wq autorelabel /proc/cmdline; then enable_units fi fi 0707010000001E000081A400000000000000000000000167360DF8000003D2000000000000000000000000000000000000004200000000microos-tools-4.0+git6/selinux/systemd-tmpfiles-setup-sys.service# Workaround for bsc#1232709 # # SELinux labels need to be set for certain /sys entries # before restorecon -T0 can be run by the selinux-autorelabel # generated unit files. # # The /sys entries that need to be labeled in advance are defined in: # /usr/lib/tmpfiles.d/selinux-policy.conf # # This can be removed in case systemd upstream adds /sys # to their mount_setup: # https://github.com/systemd/systemd/blob/bdf75118bade008b6a465173c02933eb377aef0d/src/shared/mount-setup.c#L407 [Unit] Description=Set correct SELinux labels in /sys Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8) DefaultDependencies=no Before=sysinit.target local-fs-pre.target systemd-udevd.service Wants=local-fs-pre.target Conflicts=shutdown.target initrd-switch-root.target Before=shutdown.target initrd-switch-root.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=systemd-tmpfiles --prefix=/sys --create --boot SuccessExitStatus=DATAERR CANTCREAT ImportCredential=tmpfiles.* 0707010000001F000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000002800000000microos-tools-4.0+git6/systemd-printenv07070100000020000081A400000000000000000000000167360DF80000005C000000000000000000000000000000000000003400000000microos-tools-4.0+git6/systemd-printenv/Makefile.amsystemddir = $(systemdsystemunitdir) systemd_DATA = printenv.service EXTRA_DIST = $(DATA) 07070100000021000081A400000000000000000000000167360DF80000009B000000000000000000000000000000000000003900000000microos-tools-4.0+git6/systemd-printenv/printenv.service[Unit] Description=Print systemd environment Wants=local-fs.target [Service] Type=oneshot ExecStart=/usr/bin/printenv [Install] WantedBy=default.target 07070100000022000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000002900000000microos-tools-4.0+git6/systemd-proxy-env07070100000023000081A400000000000000000000000167360DF8000000BA000000000000000000000000000000000000003500000000microos-tools-4.0+git6/systemd-proxy-env/Makefile.amsystemddir = $(systemdsystemunitdir) sbin_SCRIPTS = setup-systemd-proxy-env systemd_DATA = setup-systemd-proxy-env.path setup-systemd-proxy-env.service EXTRA_DIST = $(DATA) $(SCRIPTS) 07070100000024000081ED00000000000000000000000167360DF8000007B5000000000000000000000000000000000000004100000000microos-tools-4.0+git6/systemd-proxy-env/setup-systemd-proxy-env#!/bin/bash # Look at /etc/sysconfig/proxy and make the proxy configuration # available as environment variable in systemd services CFG=/etc/sysconfig/proxy SYSTEMD_CFG=/etc/systemd/system.conf.d/proxy.conf test -f ${CFG} || exit 0 DefaultEnvironment="" while read line ; do case "$line" in \#*|"") continue ;; esac eval val=${line#*=} test -z "$val" && continue case "$line" in PROXY_ENABLED=*) test "$val" = "yes" && continue if [ -f $SYSTEMD_CFG ]; then rm $SYSTEMD_CFG systemctl daemon-reload fi exit 0 ;; HTTP_PROXY=*) DefaultEnvironment="$DefaultEnvironment \"HTTP_PROXY=${val}\" \"http_proxy=${val}\"" ;; HTTPS_PROXY=*) DefaultEnvironment="$DefaultEnvironment \"HTTPS_PROXY=${val}\" \"https_proxy=${val}\"" ;; FTP_PROXY=*) DefaultEnvironment="$DefaultEnvironment \"FTP_PROXY=${val}\" \"ftp_proxy=${val}\"" ;; GOPHER_PROXY=*) DefaultEnvironment="$DefaultEnvironment \"GOPHER_PROXY=${val}\" \"gopher_proxy=${val}\"" ;; SOCKS_PROXY=*) DefaultEnvironment="$DefaultEnvironment \"SOCKS_PROXY=${val}\" \"socks_proxy=${val}\"" ;; SOCKS5_SERVER=*) DefaultEnvironment="$DefaultEnvironment \"SOCKS5_SERVER=${val}\" \"socks5_server=${val}\"" ;; NO_PROXY=*) DefaultEnvironment="$DefaultEnvironment \"NO_PROXY=${val}\" \"no_proxy=${val}\"" ;; esac done < $CFG test -z "$DefaultEnvironment" && exit 0 if [ ! -d /etc/systemd/system.conf.d ]; then mkdir -p /etc/systemd/system.conf.d || exit 1 fi TMPCFGFILE=`mktemp ${SYSTEMD_CFG}.XXXXXXXXXX` || exit 1 echo -e "[Manager]\nDefaultEnvironment=${DefaultEnvironment}" > ${TMPCFGFILE} cmp -s ${TMPCFGFILE} ${SYSTEMD_CFG} if [ $? -ne 0 ]; then chmod 0644 ${TMPCFGFILE} mv ${TMPCFGFILE} ${SYSTEMD_CFG} systemctl daemon-reload else rm -f $TMPCFGFILE fi exit 0 07070100000025000081A400000000000000000000000167360DF8000000C4000000000000000000000000000000000000004600000000microos-tools-4.0+git6/systemd-proxy-env/setup-systemd-proxy-env.path[Unit] Description=Watch for changes in proxy configuration After=local-fs.target [Path] Unit=setup-systemd-proxy-env.service PathChanged=/etc/sysconfig/proxy [Install] WantedBy=default.target 07070100000026000081A400000000000000000000000167360DF8000000C5000000000000000000000000000000000000004900000000microos-tools-4.0+git6/systemd-proxy-env/setup-systemd-proxy-env.service[Unit] Description=Update system wide proxy setup for systemd services Wants=local-fs.target [Service] Type=oneshot ExecStart=/usr/sbin/setup-systemd-proxy-env [Install] WantedBy=default.target 07070100000027000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000001C00000000microos-tools-4.0+git6/test07070100000028000081A400000000000000000000000167360DF800000DD6000000000000000000000000000000000000002400000000microos-tools-4.0+git6/test/test.sh#!/bin/bash set -euxo pipefail # Some basic testing, mostly for the SELinux relabelling on first boot: # 1. Download the latest MicroOS image # 2. Use combustion to install microos-selinux, regenerate the initrd # and transfer kernel + initrd to the host using 9pfs # 3. Revert the image to the original state # 4. Boot the image with the new initrd and use combustion to perform # some tests to ensure the system booted correctly and was properly # labelled. # Skip the generation of a new initrd with the changed combustion. # Only useful when iterating this test script. reuseinitrd= if [ "${1-}" = "--reuseinitrd" ]; then reuseinitrd=1 shift fi # Working dir which is also exposed to the VM through 9pfs. # If not specified, create a temporary directory which is deleted on exit. if [ -n "${1-}" ]; then tmpdir="$(realpath "$1")" else tmpdir="$(mktemp -d)" cleanup() { rm -rf "$tmpdir" } trap cleanup EXIT fi QEMU_BASEARGS=( # -accel tcg was here after -accel kvm but the fallback hid a weird bug # that in GH actions only the first instance of QEMU was able to access /dev/kvm. -accel kvm -nographic -m 1024 -smp 4 # Reading from stdin doesn't work, configure serial and monitor appropriately. -chardev null,id=serial,logfile=/dev/stdout,logappend=on -serial chardev:serial -monitor none -virtfs "local,path=${tmpdir},mount_tag=tmpdir,security_model=mapped-xattr") # Prepare the temporary dir: Install microos-tools and copy resources. testdir="$(dirname "$0")" make -C "${testdir}/.." install "DESTDIR=${tmpdir}/install" cp "${testdir}/testscript" "${tmpdir}" cd "$tmpdir" # Download latest MicroOS image if ! [ -f openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 ]; then wget --progress=bar:force:noscroll https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 qemu-img snapshot -c initial openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 else qemu-img snapshot -a initial openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 fi # First step: Use combustion in the downloaded image to generate an initrd with the new 98selinux-microos. if ! [ -n "${reuseinitrd}" ] || ! [ -e "${tmpdir}/vmlinuz" ] || ! [ -e "${tmpdir}/initrd" ]; then rm -f "${tmpdir}/done" cat >create-initrd <<'EOF' #!/bin/bash set -euxo pipefail exec &>/dev/ttyS0 trap '[ $? -eq 0 ] || poweroff -f' EXIT mount -t 9p -o trans=virtio tmpdir /mnt cp -av /mnt/install/usr / cp /usr/lib/modules/$(uname -r)/vmlinuz /mnt/vmlinuz dracut -f --no-hostonly /mnt/initrd touch /mnt/done umount /mnt SYSTEMD_IGNORE_CHROOT=1 poweroff -f EOF timeout 300 qemu-system-x86_64 "${QEMU_BASEARGS[@]}" -drive if=virtio,file=openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 \ -fw_cfg name=opt/org.opensuse.combustion/script,file=create-initrd if ! [ -e "${tmpdir}/done" ]; then echo "Initrd generation failed" exit 1 fi fi # Test using a config drive rm -f "${tmpdir}/done" qemu-img snapshot -a initial openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 mkdir -p configdrv/combustion/ cp testscript configdrv/combustion/script /sbin/mkfs.ext4 -F -d configdrv -L ignition combustion.raw 16M timeout 300 qemu-system-x86_64 "${QEMU_BASEARGS[@]}" -drive if=virtio,file=openSUSE-MicroOS.x86_64-kvm-and-xen.qcow2 \ -kernel vmlinuz -initrd initrd -append "root=LABEL=ROOT console=ttyS0 security=selinux selinux=1 quiet systemd.show_status=1 systemd.log_target=console systemd.journald.forward_to_console=1 rd.emergency=poweroff rd.shell=0" \ -drive if=virtio,file=combustion.raw if ! [ -e "${tmpdir}/done" ]; then echo "Test failed" exit 1 fi 07070100000029000081A400000000000000000000000167360DF800000545000000000000000000000000000000000000002700000000microos-tools-4.0+git6/test/testscript#!/bin/bash set -euxo pipefail exec &>/dev/ttyS0 # Poweroff immediately on any failure to avoid unnecessary waiting. trap '[ $? -eq 0 ] || poweroff -f' EXIT # Remove old microos-tools rpm -e --nodeps --noscripts --nodb microos-tools # Install microos-tools mount -t 9p -o trans=virtio tmpdir /mnt chown -R root:root /mnt/install/usr cp -av /mnt/install/usr / umount /mnt # Make sure that the system comes up good, leave a marker in the shared FS # and power off the VM. cat >>/usr/bin/combustion-validate <<'EOF' #!/bin/bash set -euxo pipefail trap '[ $? -eq 0 ] || poweroff -f' EXIT # Print a list of files which have SELinux label mismatches if restorecon -nvR -e /.snapshots -e /run / | grep -v wtmpdb | grep "Would relabel"; then echo "Some labels aren't correct?" exit 1 fi # Check that there are no SELinux denials. # Can't use ausearch here, that would miss initial boot events. if journalctl -b | grep -w avc | grep -w denied; then echo "SELinux denials found" exit 1 fi mount -t 9p -o trans=virtio tmpdir /mnt touch /mnt/done umount /mnt poweroff -f EOF chmod a+x /usr/bin/combustion-validate cat >>/etc/systemd/system/combustion-validate.service <<'EOF' [Service] Type=oneshot StandardOutput=journal+console ExecStart=/usr/bin/combustion-validate [Install] RequiredBy=default.target EOF systemctl enable combustion-validate.service 0707010000002A000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000001D00000000microos-tools-4.0+git6/tmpfs0707010000002B000081A400000000000000000000000167360DF800000113000000000000000000000000000000000000002900000000microos-tools-4.0+git6/tmpfs/Makefile.amsaltminiondir = $(systemdsystemunitdir)/salt-minion.service.d tukitconfdir = $(prefix)$(sysconfdir)/tukit.conf.d tmpfiles_DATA = salt-minion/salt-minion-tmpdir.conf saltminion_DATA = salt-minion/TMPDIR.conf tukitconf_DATA = salt-minion/salt-tukit.conf EXTRA_DIST = $(DATA) 0707010000002C000041ED00000000000000000000000267360DF800000000000000000000000000000000000000000000002900000000microos-tools-4.0+git6/tmpfs/salt-minion0707010000002D000081A400000000000000000000000167360DF80000002E000000000000000000000000000000000000003500000000microos-tools-4.0+git6/tmpfs/salt-minion/TMPDIR.conf[Service] Environment="TMPDIR=/run/salt-tmp/" 0707010000002E000081A400000000000000000000000167360DF80000001F000000000000000000000000000000000000004100000000microos-tools-4.0+git6/tmpfs/salt-minion/salt-minion-tmpdir.confd /run/salt-tmp 0750 root root 0707010000002F000081A400000000000000000000000167360DF80000002F000000000000000000000000000000000000003900000000microos-tools-4.0+git6/tmpfs/salt-minion/salt-tukit.confBINDDIRS["salt-minion-tmpdir"]="/run/salt-tmp" 07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!124 blocks
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor