WIP: composefs backend

Signed-off-by: Pragyan Poudyal <[email protected]>
Signed-off-by: Colin Walters <[email protected]>

Author: Johan-Liebert1

crates/lib/src/bls_config.rs

@@ -0,0 +1,88 @@
+use anyhow::Result;
+use serde::de::Error;
+use serde::{Deserialize, Deserializer};
+use std::collections::HashMap;
+
+#[derive(Debug, Deserialize, Eq)]
+pub(crate) struct BLSConfig {
+    pub(crate) title: Option<String>,
+    #[serde(deserialize_with = "deserialize_version")]
+    pub(crate) version: u32,
+    pub(crate) linux: String,
+    pub(crate) initrd: String,
+    pub(crate) options: String,
+
+    #[serde(flatten)]
+    pub(crate) extra: HashMap<String, String>,
+}
+
+impl PartialEq for BLSConfig {
+    fn eq(&self, other: &Self) -> bool {
+        self.version == other.version
+    }
+}
+
+impl PartialOrd for BLSConfig {
+    fn partial_cmp(&self, other: &Self) -> Option<std::cmp::Ordering> {
+        self.version.partial_cmp(&other.version)
+    }
+}
+
+impl Ord for BLSConfig {
+    fn cmp(&self, other: &Self) -> std::cmp::Ordering {
+        self.version.cmp(&other.version)
+    }
+}
+
+impl BLSConfig {
+    pub(crate) fn to_string(&self) -> String {
+        let mut out = String::new();
+
+        if let Some(title) = &self.title {
+            out += &format!("title {}\n", title);
+        }
+
+        out += &format!("version {}\n", self.version);
+        out += &format!("linux {}\n", self.linux);
+        out += &format!("initrd {}\n", self.initrd);
+        out += &format!("options {}\n", self.options);
+
+        for (key, value) in &self.extra {
+            out += &format!("{} {}\n", key, value);
+        }
+
+        out
+    }
+}
+
+fn deserialize_version<'de, D>(deserializer: D) -> Result<u32, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let s: Option<String> = Option::deserialize(deserializer)?;
+
+    match s {
+        Some(s) => Ok(s.parse::<u32>().map_err(D::Error::custom)?),
+        None => Err(D::Error::custom("Version not found")),
+    }
+}
+
+pub(crate) fn parse_bls_config(input: &str) -> Result<BLSConfig> {
+    let mut map = HashMap::new();
+
+    for line in input.lines() {
+        let line = line.trim();
+        if line.is_empty() || line.starts_with('#') {
+            continue;
+        }
+
+        if let Some((key, value)) = line.split_once(' ') {
+            map.insert(key.to_string(), value.trim().to_string());
+        }
+    }
+
+    let value = serde_json::to_value(map)?;
+    let parsed: BLSConfig = serde_json::from_value(value)?;
+
+    Ok(parsed)
+}

crates/lib/src/bootloader.rs

@@ -16,20 +16,25 @@ pub(crate) fn install_via_bootupd(
     device: &PartitionTable,
     rootfs: &Utf8Path,
     configopts: &crate::install::InstallConfigOpts,
-    deployment_path: &str,
+    deployment_path: Option<&str>,
 ) -> Result<()> {
     let verbose = std::env::var_os("BOOTC_BOOTLOADER_DEBUG").map(|_| "-vvvv");
     // bootc defaults to only targeting the platform boot method.
     let bootupd_opts = (!configopts.generic_image).then_some(["--update-firmware", "--auto"]);
 
-    let srcroot = rootfs.join(deployment_path);
+    let abs_deployment_path = deployment_path.map(|v| rootfs.join(v));
+    let src_root_arg = if let Some(p) = abs_deployment_path.as_deref() {
+        vec!["--src-root", p.as_str()]
+    } else {
+        vec![]
+    };
     let devpath = device.path();
     println!("Installing bootloader via bootupd");
     Command::new("bootupctl")
         .args(["backend", "install", "--write-uuid"])
         .args(verbose)
         .args(bootupd_opts.iter().copied().flatten())
-        .args(["--src-root", srcroot.as_str()])
+        .args(src_root_arg)
         .args(["--device", devpath.as_str(), rootfs.as_str()])
         .log_debug()
         .run_inherited_with_cmd_context()

crates/lib/src/cli.rs

@@ -21,17 +21,22 @@ use ostree_ext::composefs::fsverity;
 use ostree_ext::composefs::fsverity::FsVerityHashValue;
 use ostree_ext::composefs::splitstream::SplitStreamWriter;
 use ostree_ext::container as ostree_container;
-use ostree_ext::container_utils::ostree_booted;
+use ostree_ext::container_utils::{composefs_booted, ostree_booted};
 use ostree_ext::keyfileext::KeyFileExt;
 use ostree_ext::ostree;
 use schemars::schema_for;
 use serde::{Deserialize, Serialize};
 
-use crate::deploy::RequiredHostSpec;
+use crate::deploy::{composefs_rollback, RequiredHostSpec};
+use crate::install::{
+    pull_composefs_repo, setup_composefs_bls_boot, setup_composefs_uki_boot, write_composefs_state,
+    BootSetupType, BootType,
+};
 use crate::lints;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
 use crate::spec::Host;
 use crate::spec::ImageReference;
+use crate::status::composefs_deployment_status;
 use crate::utils::sigpolicy_from_opt;
 
 /// Shared progress options
@@ -778,6 +783,53 @@ fn prepare_for_write() -> Result<()> {
     Ok(())
 }
 
+#[context("Upgrading composefs")]
+async fn upgrade_composefs(_opts: UpgradeOpts) -> Result<()> {
+    // TODO: IMPORTANT Have all the checks here that `bootc upgrade` has for an ostree booted system
+
+    let host = composefs_deployment_status()
+        .await
+        .context("Getting composefs deployment status")?;
+
+    // TODO: IMPORTANT We need to check if any deployment is staged and get the image from that
+    let imgref = host
+        .spec
+        .image
+        .as_ref()
+        .ok_or_else(|| anyhow::anyhow!("No image source specified"))?;
+
+    // let booted_image = host
+    //     .status
+    //     .booted
+    //     .ok_or(anyhow::anyhow!("Could not find booted image"))?
+    //     .image
+    //     .ok_or(anyhow::anyhow!("Could not find booted image"))?;
+
+    // tracing::debug!("booted_image: {booted_image:#?}");
+    // tracing::debug!("imgref: {imgref:#?}");
+
+    // let digest = booted_image
+    //     .digest()
+    //     .context("Getting digest for booted image")?;
+
+    let (repo, entries, id) = pull_composefs_repo(&imgref.transport, &imgref.image).await?;
+
+    let Some(entry) = entries.into_iter().next() else {
+        anyhow::bail!("No boot entries!");
+    };
+
+    let boot_type = BootType::from(&entry);
+
+    match boot_type {
+        BootType::Bls => setup_composefs_bls_boot(BootSetupType::Upgrade, repo, &id, entry),
+        BootType::Uki => setup_composefs_uki_boot(BootSetupType::Upgrade, repo, &id, entry),
+    }?;
+
+    write_composefs_state(&Utf8PathBuf::from("/sysroot"), id, imgref, true, boot_type)?;
+
+    Ok(())
+}
+
 /// Implementation of the `bootc upgrade` CLI command.
 #[context("Upgrading")]
 async fn upgrade(opts: UpgradeOpts) -> Result<()> {
@@ -891,9 +943,7 @@ async fn upgrade(opts: UpgradeOpts) -> Result<()> {
     Ok(())
 }
 
-/// Implementation of the `bootc switch` CLI command.
-#[context("Switching")]
-async fn switch(opts: SwitchOpts) -> Result<()> {
+fn imgref_for_switch(opts: &SwitchOpts) -> Result<ImageReference> {
     let transport = ostree_container::Transport::try_from(opts.transport.as_str())?;
     let imgref = ostree_container::ImageReference {
         transport,
@@ -902,6 +952,63 @@ async fn switch(opts: SwitchOpts) -> Result<()> {
     let sigverify = sigpolicy_from_opt(opts.enforce_container_sigpolicy);
     let target = ostree_container::OstreeImageReference { sigverify, imgref };
     let target = ImageReference::from(target);
+
+    return Ok(target);
+}
+
+#[context("Composefs Switching")]
+async fn switch_composefs(opts: SwitchOpts) -> Result<()> {
+    let target = imgref_for_switch(&opts)?;
+    // TODO: Handle in-place
+
+    let host = composefs_deployment_status()
+        .await
+        .context("Getting composefs deployment status")?;
+
+    let new_spec = {
+        let mut new_spec = host.spec.clone();
+        new_spec.image = Some(target.clone());
+        new_spec
+    };
+
+    if new_spec == host.spec {
+        println!("Image specification is unchanged.");
+        return Ok(());
+    }
+
+    let Some(target_imgref) = new_spec.image else {
+        anyhow::bail!("Target image is undefined")
+    };
+
+    let (repo, entries, id) = pull_composefs_repo(&"docker".into(), &target_imgref.image).await?;
+
+    let Some(entry) = entries.into_iter().next() else {
+        anyhow::bail!("No boot entries!");
+    };
+
+    let boot_type = BootType::from(&entry);
+
+    match boot_type {
+        BootType::Bls => setup_composefs_bls_boot(BootSetupType::Upgrade, repo, &id, entry),
+        BootType::Uki => setup_composefs_uki_boot(BootSetupType::Upgrade, repo, &id, entry),
+    }?;
+
+    write_composefs_state(
+        &Utf8PathBuf::from("/sysroot"),
+        id,
+        &target_imgref,
+        true,
+        boot_type,
+    )?;
+
+    Ok(())
+}
+
+/// Implementation of the `bootc switch` CLI command.
+#[context("Switching")]
+async fn switch(opts: SwitchOpts) -> Result<()> {
+    let target = imgref_for_switch(&opts)?;
+
     let prog: ProgressWriter = opts.progress.try_into()?;
 
     // If we're doing an in-place mutation, we shortcut most of the rest of the work here
@@ -966,8 +1073,12 @@ async fn switch(opts: SwitchOpts) -> Result<()> {
 /// Implementation of the `bootc rollback` CLI command.
 #[context("Rollback")]
 async fn rollback(opts: RollbackOpts) -> Result<()> {
-    let sysroot = &get_storage().await?;
-    crate::deploy::rollback(sysroot).await?;
+    if composefs_booted()? {
+        composefs_rollback().await?
+    } else {
+        let sysroot = &get_storage().await?;
+        crate::deploy::rollback(sysroot).await?;
+    };
 
     if opts.apply {
         crate::reboot::reboot()?;
@@ -1117,8 +1228,20 @@ impl Opt {
 async fn run_from_opt(opt: Opt) -> Result<()> {
     let root = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
     match opt {
-        Opt::Upgrade(opts) => upgrade(opts).await,
-        Opt::Switch(opts) => switch(opts).await,
+        Opt::Upgrade(opts) => {
+            if composefs_booted()? {
+                upgrade_composefs(opts).await
+            } else {
+                upgrade(opts).await
+            }
+        }
+        Opt::Switch(opts) => {
+            if composefs_booted()? {
+                switch_composefs(opts).await
+            } else {
+                switch(opts).await
+            }
+        }
         Opt::Rollback(opts) => rollback(opts).await,
         Opt::Edit(opts) => edit(opts).await,
         Opt::UsrOverlay => usroverlay().await,
@@ -1259,8 +1382,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 FsverityOpts::Enable { path } => {
                     let fd =
                         std::fs::File::open(&path).with_context(|| format!("Reading {path}"))?;
-                    // Note this is not robust to forks, we're not using the _maybe_copy variant
-                    fsverity::enable_verity_with_retry::<fsverity::Sha256HashValue>(&fd)?;
+                    fsverity::enable_verity_raw::<fsverity::Sha256HashValue>(&fd)?;
                     Ok(())
                 }
             },