Avoid fixing labels while deploying new updates
In 2e355fd we added a coreos-fix-selinux-labels.service to fix
labels on some known files that were unlabeled or mislabeled.
We've seen some upgrade tests where the labeling fixes were
running at the same time new deployments were getting written
into the OSTree repo:

```
Oct 22 11:16:18.923371 kola-runext.service[5408]: Rebasing to fedora-compose:fedora/x86_64/coreos/next
Oct 22 11:16:18.926185 kola-runext.service[5408]: Resolving version '41.20241020.1.0'
Oct 22 11:16:20.877155 rpm-ostreed.service[1053]: Writing objects: 1
Oct 22 11:16:20.914326 rpm-ostreed.service[1053]: libostree pull from 'fedora-compose' for fedora/x86_64/coreos/next complete
                                                  security: GPG: commit
                                                  security: SIGN: disabled http: TLS
                                                  non-delta: meta: 2 content: 0
                                                  transfer: secs: 1 size: 19.0 kB
Oct 22 11:16:20.968177 kola-runext.service[5408]: 2 metadata, 0 content objects fetched; 18 KiB transferred in 1 seconds; 0 bytes content written
Oct 22 11:16:20.972130 kola-runext.service[5408]: Writing objects: 1...done
Oct 22 11:16:31.630763 coreos-fix-selinux-labels.service[1019]: Relabeled 5582 files to system_u:object_r:root_t:s0
```

Let's try to avoid writing into the OSTree repo and fixing
labels at the same time.
dustymabe authored and jlebon committed Oct 22, 2024
1 parent e1e6396 commit b182027
Showing 2 changed files with 15 additions and 1 deletion.
Expand Up @@ -11,6 +11,9 @@ ExecStartPre=/bin/touch /var/lib/coreos-fix-selinux-labels.stamp
ExecStart=/usr/libexec/coreos-fix-selinux-labels
RemainAfterExit=yes
MountFlags=slave
# Run before zincati so we're not creating new files on the filesystem
# while we are fixing labels on existing files.
Before=zincati.service

[Install]
WantedBy=multi-user.target
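
Review bot: `Before=zincati.service` is added between `MountFlags=slave` and `[Install]`, which, going by the visible context, is the same section that holds `ExecStart=`. `Before=` is a `[Unit]` setting; placed in `[Service]`, systemd logs an unknown-key warning and ignores it, so the ordering against zincati would not take effect. Move the three added lines into the `[Unit]` section and run `systemd-analyze verify` on the unit to confirm no warning remains.
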
13 changes: 12 additions & 1 deletion tests/kola/upgrade/extended/test.sh
Expand Up @@ -154,11 +154,18 @@ move-to-cgroups-v2() {
fi
}

selinux-sanity-check() {
# A helper to wait for the fix-selinux-labels script to finish
wait-for-coreos-fix-selinux-labels() {
# First make sure the migrations/fix script has finished (if it is going
# to run) before doing the checks
systemd-run --wait --property=After=coreos-fix-selinux-labels.service \
echo "Waited for coreos-fix-selinux-labels.service to finish"
}

selinux-sanity-check() {
# First make sure the migrations/fix script has finished if this is the boot
# where the fixes are taking place.
wait-for-coreos-fix-selinux-labels
# Verify SELinux labels are sane. Migration scripts should have cleaned
# up https://github.com/coreos/fedora-coreos-tracker/issues/1772
unlabeled="$(find /sysroot -context '*unlabeled_t*' -print0 | xargs --null -I{} ls -ldZ '{}')"
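
Review bot: the `--property=After=coreos-fix-selinux-labels.service` in `wait-for-coreos-fix-selinux-labels` is ordering only, so the transient unit also runs once the fix service has failed, and `selinux-sanity-check` then proceeds as if relabeling had completed. Consider following the `systemd-run --wait` call with a `systemctl is-failed coreos-fix-selinux-labels.service` check that fails the test, so a broken relabel is reported directly instead of surfacing as leftover `unlabeled_t` files. The comment inside the helper also still says "before doing the checks", although the helper is called ahead of the rebase too; word it for both callers.
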
Expand Down Expand Up @@ -267,6 +274,10 @@ esac
# version, which should be in the compose OSTree repo.
if vereq $version $last_release; then
systemctl stop zincati
# In case the SELinux fix script is running this boot let's wait for it to
# finish before initiating an `rpm-ostree rebase` so we aren't writing at the
# same time it's fixing.
wait-for-coreos-fix-selinux-labels
rpm-ostree rebase "fedora-compose:fedora/$(arch)/coreos/${target_stream}" $target_version
/tmp/autopkgtest-reboot $version # execute the reboot
sleep infinity
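
Review bot: the `wait-for-coreos-fix-selinux-labels` call before `rpm-ostree rebase` protects only this test path. The log in the commit message shows the concurrent write coming from `rpm-ostreed.service` on behalf of a rebase issued by `kola-runext.service`, which the unit's ordering against `zincati.service` does not cover. If hosts outside the test can hit the same overlap, consider also ordering the fix unit before `rpm-ostreed.service`, so the protection does not depend on every caller waiting first.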