Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package disk-encryption-tool for 
openSUSE:Factory checked in at 2024-08-23 22:26:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/disk-encryption-tool (Old)
 and      /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "disk-encryption-tool"

Fri Aug 23 22:26:08 2024 rev:10 rq:1195566 version:1+git20240821.f98edd6

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/disk-encryption-tool/disk-encryption-tool.changes    
    2024-08-18 18:19:27.744933749 +0200
+++ 
/work/SRC/openSUSE:Factory/.disk-encryption-tool.new.2698/disk-encryption-tool.changes
      2024-08-23 22:26:08.747597207 +0200
@@ -1,0 +2,9 @@
+Thu Aug 22 14:22:23 UTC 2024 - [email protected]
+
+- Update to version 1+git20240821.f98edd6:
+  * CI: Pass -cpu host to QEMU
+  * Fix CI
+  * Add basic automated testing
+  * Remove cat of issue file
+
+-------------------------------------------------------------------

Old:
----
  disk-encryption-tool-1+git20240816.42c8565.obscpio

New:
----
  disk-encryption-tool-1+git20240821.f98edd6.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ disk-encryption-tool.spec ++++++
--- /var/tmp/diff_new_pack.hhVa0S/_old  2024-08-23 22:26:09.687636298 +0200
+++ /var/tmp/diff_new_pack.hhVa0S/_new  2024-08-23 22:26:09.687636298 +0200
@@ -28,7 +28,7 @@
 %endif
 
 Name:           disk-encryption-tool
-Version:        1+git20240816.42c8565%{git_version}
+Version:        1+git20240821.f98edd6%{git_version}
 Release:        0
 Summary:        Tool to reencrypt kiwi raw images
 License:        MIT

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.hhVa0S/_old  2024-08-23 22:26:09.739638460 +0200
+++ /var/tmp/diff_new_pack.hhVa0S/_new  2024-08-23 22:26:09.739638460 +0200
@@ -3,6 +3,6 @@
                 <param 
name="url">https://github.com/lnussel/disk-encryption-tool.git</param>
               <param 
name="changesrevision">702dff62d37b74244b58b41f78b41cd2befe581b</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/openSUSE/disk-encryption-tool.git</param>
-              <param 
name="changesrevision">42c8565529d7f4f4aa3d0e35f9f488f16fd37e42</param></service></servicedata>
+              <param 
name="changesrevision">f98edd637bbae2da72098b6b8ee859e789cdd2d8</param></service></servicedata>
 (No newline at EOF)
 

++++++ disk-encryption-tool-1+git20240816.42c8565.obscpio -> 
disk-encryption-tool-1+git20240821.f98edd6.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/disk-encryption-tool-1+git20240816.42c8565/.github/workflows/test.yml 
new/disk-encryption-tool-1+git20240821.f98edd6/.github/workflows/test.yml
--- old/disk-encryption-tool-1+git20240816.42c8565/.github/workflows/test.yml   
1970-01-01 01:00:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20240821.f98edd6/.github/workflows/test.yml   
2024-08-21 15:39:04.000000000 +0200
@@ -0,0 +1,22 @@
+name: MicroOS in QEMU
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install dependencies
+      run: |
+        sudo apt update
+        sudo apt install -y qemu-system-x86 ovmf
+        # Normally setfacl -m u:$USER:rw /dev/kvm should work, but for some
+        # reason this only sticks around for a single QEMU run. udev?
+        sudo usermod -a -G kvm "$USER"
+    - name: Test
+      run: |
+        # Needed to activate the new kvm group membership
+        sudo -u "$USER" bash test/test.sh
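Review bot: The workflow sets no `permissions:` key and references `actions/checkout@v4` by a mutable tag, so the `pull_request` job runs with the repository's default GITHUB_TOKEN scope and with whatever commit the tag currently points at. The job only checks out the tree and runs `test/test.sh`, so a top-level `permissions:` block with `contents: read` is enough. Pinning the checkout action to a full commit SHA, with the tag kept in a trailing comment, would make the CI input reproducible. The `sudo usermod -a -G kvm "$USER"` step is documented by its comment and needs no change.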
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/disk-encryption-tool-1+git20240816.42c8565/disk-encryption-tool-enroll 
new/disk-encryption-tool-1+git20240821.f98edd6/disk-encryption-tool-enroll
--- old/disk-encryption-tool-1+git20240816.42c8565/disk-encryption-tool-enroll  
2024-08-16 18:01:12.000000000 +0200
+++ new/disk-encryption-tool-1+git20240821.f98edd6/disk-encryption-tool-enroll  
2024-08-21 15:39:04.000000000 +0200
@@ -34,7 +34,6 @@
        fi
 
        issue-generator
-       cat "$issuefile"
 }
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/disk-encryption-tool-1+git20240816.42c8565/jeos-firstboot-enroll 
new/disk-encryption-tool-1+git20240821.f98edd6/jeos-firstboot-enroll
--- old/disk-encryption-tool-1+git20240816.42c8565/jeos-firstboot-enroll        
2024-08-16 18:01:12.000000000 +0200
+++ new/disk-encryption-tool-1+git20240821.f98edd6/jeos-firstboot-enroll        
2024-08-21 15:39:04.000000000 +0200
@@ -113,7 +113,6 @@
        fi
 
        run issue-generator
-       [ -n "$dry" ] || cat "$issuefile"
 }
 
 enroll_post() {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/disk-encryption-tool-1+git20240816.42c8565/test/config.ign 
new/disk-encryption-tool-1+git20240821.f98edd6/test/config.ign
--- old/disk-encryption-tool-1+git20240816.42c8565/test/config.ign      
1970-01-01 01:00:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20240821.f98edd6/test/config.ign      
2024-08-21 15:39:04.000000000 +0200
@@ -0,0 +1,36 @@
+{
+  "ignition": {
+    "version": "3.2.0"
+  },
+  "passwd": {
+    "users": [
+      {
+        "name": "root",
+        "passwordHash": 
"$2a$10$IGzLVVX6jfMoe4Qoog2v.e24woQJiys9Doe8.taWrqdDkZyrXiGZu"
+      }
+    ]
+  },
+  "storage": {
+    "filesystems": [
+      {
+        "device": "/dev/disk/by-label/ROOT",
+        "format": "btrfs",
+        "mountOptions": [
+          "subvol=/@/home"
+        ],
+        "path": "/home",
+        "wipeFilesystem": false
+      }
+    ],
+    "files": [
+      {
+        "path": "/etc/locale.conf",
+        "mode": 420,
+        "overwrite": true,
+        "contents": {
+          "source": "data:,LANG=en_US.UTF-8"
+        }
+      }
+    ]
+  }
+}
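Review bot: The fixture commits a fixed root `passwordHash` (a `$2a$10$` bcrypt string) and nothing on the new side marks it as a throwaway test credential. test/test.sh copies `config.ign` into the working directory, but its two ignition lines are commented out, so the file appears to be unused for now. JSON cannot carry a comment, so the note belongs next to the copy in test/test.sh, for example `# config.ign sets a well-known root password; only for disposable test VMs`. If the ignition path is enabled later, the resulting image should stay confined to the test run.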
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/disk-encryption-tool-1+git20240816.42c8565/test/test.sh 
new/disk-encryption-tool-1+git20240821.f98edd6/test/test.sh
--- old/disk-encryption-tool-1+git20240816.42c8565/test/test.sh 1970-01-01 
01:00:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20240821.f98edd6/test/test.sh 2024-08-21 
15:39:04.000000000 +0200
@@ -0,0 +1,109 @@
+#!/bin/bash
+set -euxo pipefail
+
+# Some basic combustion testing:
+# 1. Download the latest MicroOS image
+# 2. Use its combustion to install the disk-encryption-tool to test and 
transfer kernel + initrd to the host using 9pfs
+# 3. Revert the image to the original state and perform tests using the 
generated kernel + initrd
+
+# Skip the generation of a new initrd with the changed disk-encryption-tool.
+# Only useful when iterating this test script.
+reuseinitrd=
+if [ "${1-}" = "--reuseinitrd" ]; then
+       reuseinitrd=1
+       shift
+fi
+
+# Working dir which is also exposed to the VM through 9pfs.
+# If not specified, create a temporary directory which is deleted on exit.
+if [ -n "${1-}" ]; then
+       tmpdir="$(realpath "$1")"
+else
+       tmpdir="$(mktemp -d)"
+       cleanup() {
+               rm -rf "$tmpdir"
+       }
+       trap cleanup EXIT
+fi
+
+QEMU_BASEARGS=(
+       # -accel tcg was here after -accel kvm but the fallback hid a weird bug
+       # that in GH actions only the first instance of QEMU was able to access 
/dev/kvm.
+       -accel kvm -cpu host -nographic -m 1024
+       # Reading from stdin doesn't work, configure serial and monitor 
appropriately.
+       -chardev null,id=serial,logfile=/dev/stdout,logappend=on -serial 
chardev:serial -monitor none
+       -virtfs "local,path=${tmpdir},mount_tag=tmpdir,security_model=none")
+
+if [ -e /usr/share/qemu/ovmf-x86_64-code.bin ]; then
+       QEMU_BASEARGS+=(-bios /usr/share/qemu/ovmf-x86_64-code.bin)
+elif [ -e /usr/share/qemu/OVMF.fd ]; then
+       QEMU_BASEARGS+=(-bios /usr/share/qemu/OVMF.fd)
+else
+       echo "No OVMF found"
+       exit 1
+fi
+
+# Prepare the temporary dir: Install disk-encryption-tool and copy resources.
+testdir="$(dirname "$0")"
+# TODO: Use a Makefile for this and in the .spec file.
+mkdir -p "${tmpdir}/install/usr/lib/dracut/modules.d/95disk-encryption-tool"
+for i in disk-encryption-tool{,-dracut,-dracut.service} module-setup.sh 
generate-recovery-key; do
+       cp "${testdir}/../${i}" 
"${tmpdir}/install/usr/lib/dracut/modules.d/95disk-encryption-tool/${i}"
+done
+cp "${testdir}/"{testscript,config.ign} "${tmpdir}"
+cd "$tmpdir"
+
+# Download latest MicroOS image
+if ! [ -f openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2 ]; then
+       wget --progress=bar:force:noscroll 
https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2
+       qemu-img snapshot -c initial 
openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2
+else
+       qemu-img snapshot -a initial 
openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2
+fi
+
+# First step: Use combustion in the downloaded image to generate an initrd 
with the new disk-encryption-tool.
+if ! [ -n "${reuseinitrd}" ] || ! [ -e "${tmpdir}/vmlinuz" ] || ! [ -e 
"${tmpdir}/initrd" ]; then
+       rm -f "${tmpdir}/done"
+       cat >create-initrd <<'EOF'
+#!/bin/bash
+set -euxo pipefail
+exec &>/dev/ttyS0
+trap '[ $? -eq 0 ] || poweroff -f' EXIT
+mount -t 9p -o trans=virtio tmpdir /mnt
+# Install new disk-encryption-tool, make sure the old remnants are gone
+rpm -e --nodeps --noscripts disk-encryption-tool
+cp -av /mnt/install/usr /
+cp /usr/lib/modules/$(uname -r)/vmlinuz /mnt/vmlinuz
+dracut -f --no-hostonly /mnt/initrd
+touch /mnt/done
+umount /mnt
+SYSTEMD_IGNORE_CHROOT=1 poweroff -f
+EOF
+
+       timeout 300 qemu-system-x86_64 "${QEMU_BASEARGS[@]}" -drive 
if=virtio,file=openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2 \
+               -fw_cfg 
name=opt/org.opensuse.combustion/script,file=create-initrd
+
+       if ! [ -e "${tmpdir}/done" ]; then
+               echo "Initrd generation failed"
+               exit 1
+       fi
+fi
+
+# Test using a config drive
+rm -f "${tmpdir}/done"
+qemu-img snapshot -a initial openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2
+
+mkdir -p configdrv/combustion/
+cp testscript configdrv/combustion/script
+#mkdir -p configdrv/ignition/
+#cp config.ign configdrv/ignition/config.ign
+/sbin/mkfs.ext4 -F -d configdrv -L ignition combustion.raw 16M
+
+timeout 300 qemu-system-x86_64 "${QEMU_BASEARGS[@]}" -drive 
if=virtio,file=openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2 \
+       -kernel vmlinuz -initrd initrd -append "root=LABEL=ROOT console=ttyS0 
quiet systemd.show_status=1 systemd.log_target=console 
systemd.journald.forward_to_console=1 rd.emergency=poweroff rd.shell=0" \
+       -drive if=virtio,file=combustion.raw
+
+if ! [ -e "${tmpdir}/done" ]; then
+       echo "Test failed"
+       exit 1
+fi
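Review bot: The MicroOS image is fetched with `wget` and booted without any integrity check, and an interrupted download leaves a partial file that the next run treats as a finished image and sends to the `qemu-img snapshot -a initial` branch. The guest also gets the working directory over 9p with `security_model=none`, so the image content is worth pinning down before it runs. Downloading to a temporary name, comparing a SHA-256 against a published checksum, and renaming only on success covers both problems. The sketch below assumes the mirror publishes a `.sha256` file next to the image, which needs confirming. A checksum fetched from the same host only detects corruption, so verifying a detached signature against a pinned key would be the stronger check.

```shell
# Download latest MicroOS image
image=openSUSE-MicroOS.x86_64-kvm-and-xen-sdboot.qcow2
url="https://download.opensuse.org/tumbleweed/appliances/${image}"
if ! [ -f "$image" ]; then
	wget --progress=bar:force:noscroll -O "${image}.part" "$url"
	# Assumes a "<hash>  <name>" checksum file is published next to the image.
	wget -O "${image}.sha256" "${url}.sha256"
	expected="$(cut -d' ' -f1 "${image}.sha256")"
	actual="$(sha256sum "${image}.part" | cut -d' ' -f1)"
	if [ "$expected" != "$actual" ]; then
		echo "Image checksum mismatch"
		exit 1
	fi
	mv "${image}.part" "$image"
	qemu-img snapshot -c initial "$image"
else
	qemu-img snapshot -a initial "$image"
fi
# … unchanged: initrd generation and config-drive test …
```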
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/disk-encryption-tool-1+git20240816.42c8565/test/testscript 
new/disk-encryption-tool-1+git20240821.f98edd6/test/testscript
--- old/disk-encryption-tool-1+git20240816.42c8565/test/testscript      
1970-01-01 01:00:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20240821.f98edd6/test/testscript      
2024-08-21 15:39:04.000000000 +0200
@@ -0,0 +1,91 @@
+#!/bin/bash
+# combustion: prepare
+set -euxo pipefail
+exec &>/dev/ttyS0
+
+# Poweroff immediately on any failure to avoid unnecessary waiting.
+trap '[ $? -eq 0 ] || poweroff -f' EXIT
+
+if [ "${1-}" = "--prepare" ]; then
+       # We set disk-encryption-tool-dracut.encryption credential to
+       # "force".  This will make disk-encryption-tool-dracut force the
+       # encryption, ignoring that Combusion configured the system, and
+       # will skip the permission countdown
+       #
+       # After the encryption the recovery key is registered in the
+       # kernel keyring %user:cryptenroll
+       mkdir -p /run/credstore
+       echo "force" > /run/credstore/disk-encryption-tool-dracut.encrypt
+       exit 0
+fi
+
+# Create a valid machine-id, as this will be required to create later
+# the host secret
+systemd-machine-id-setup
+
+# We want to persist the host secret key created via systemd-cred
+# (/var/lib/systemd/credential.secret)
+mount /var
+
+mkdir -p /etc/credstore.encrypted
+credential="$(mktemp disk-encryption-tool.XXXXXXXXXX)"
+
+# Enroll extra password
+# echo "SECRET_PASSWORD" > "$credential"
+echo "linux" > "$credential"
+systemd-creds encrypt --name=disk-encryption-tool-enroll.pw "$credential" \
+             /etc/credstore.encrypted/disk-encryption-tool-enroll.pw
+
+# # Enroll TPM2 with secret PIN
+# echo "SECRET_PIN" > "$credential"
+# systemd-creds encrypt --name=disk-encryption-tool-enroll.tpm2+pin 
"$credential" \
+#            /etc/credstore.encrypted/disk-encryption-tool-enroll.tpm2+pin
+
+# # Enroll TPM2
+# echo "1" > "$credential"
+# systemd-creds encrypt --name=disk-encryption-tool-enroll.tpm2 "$credential" \
+#            /etc/credstore.encrypted/disk-encryption-tool-enroll.tpm2
+
+# # Enroll FIDO2
+# echo "1" > "$credential"
+# systemd-creds encrypt --name=disk-encryption-tool-enroll.fido2 "$credential" 
\
+#            /etc/credstore.encrypted/disk-encryption-tool-enroll.fido2
+
+shred -u "$credential"
+
+# Umount back /var to not confuse tukit later
+umount /var
+
+# Keyboard
+systemd-firstboot --force --keymap=es
+
+# Make sure that the system comes up good, leave a marker in the shared FS
+# and power off the VM.
+cat >>/usr/bin/combustion-validate <<'EOF'
+#!/bin/bash
+set -euxo pipefail
+exec &>/dev/ttyS0
+trap '[ $? -eq 0 ] || poweroff -f' EXIT
+findmnt
+lsblk
+if [ "$(findmnt -nrvo SOURCE /)" != "/dev/mapper/cr_root" ]; then
+       echo "Not encrypted?"
+       exit 1
+fi
+mount -t 9p -o trans=virtio tmpdir /mnt
+touch /mnt/done
+umount /mnt
+poweroff -f
+EOF
+chmod a+x /usr/bin/combustion-validate
+
+cat >>/etc/systemd/system/combustion-validate.service <<'EOF'
+[Service]
+ExecStart=/usr/bin/combustion-validate
+[Install]
+RequiredBy=default.target
+EOF
+systemctl enable combustion-validate.service
+
+# Leave a marker
+echo "Configured with combustion" > /etc/issue.d/combustion
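Review bot: The enrollment password is written in plaintext to a `mktemp` file in the current directory while `set -x` traces the `echo` to `/dev/ttyS0`, and `shred -u` gives no overwrite guarantee if that directory is on a copy-on-write filesystem such as btrfs. The value here is the test password `linux`, but the commented `SECRET_PASSWORD` / `SECRET_PIN` lines invite reuse with real secrets. `systemd-creds encrypt` accepts `-` as its input path, so the temp file can be dropped: `echo "linux" | systemd-creds encrypt --name=disk-encryption-tool-enroll.pw - /etc/credstore.encrypted/disk-encryption-tool-enroll.pw`. Add a comment that a real secret needs `set +x` around that line. Separately, the `--prepare` comment names the credential `disk-encryption-tool-dracut.encryption` while the file written is `disk-encryption-tool-dracut.encrypt`, and both heredocs append with `>>` where `>` would guarantee the shebang stays on the first line.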

++++++ disk-encryption-tool.obsinfo ++++++
--- /var/tmp/diff_new_pack.hhVa0S/_old  2024-08-23 22:26:09.835642452 +0200
+++ /var/tmp/diff_new_pack.hhVa0S/_new  2024-08-23 22:26:09.835642452 +0200
@@ -1,5 +1,5 @@
 name: disk-encryption-tool
-version: 1+git20240816.42c8565
-mtime: 1723824072
-commit: 42c8565529d7f4f4aa3d0e35f9f488f16fd37e42
+version: 1+git20240821.f98edd6
+mtime: 1724247544
+commit: f98edd637bbae2da72098b6b8ee859e789cdd2d8
 
