-
Notifications
You must be signed in to change notification settings - Fork 307
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
checkout: Only verify digest if repo requires fsverity #3331
Conversation
For the record apparently the reason this got through FCOS CI is because #3326 landed literally just before the switch to f41 where composefs is enabled by default there. But CI on this PR should run through with composefs enabled for FCOS. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like still we are not good:
[2024-10-30T16:39:36.656Z] Oct 30 16:39:35 qemu0 systemd[1]: kola-runext.service: Consumed 4.882s CPU time, 221.3M memory peak.
[2024-10-30T16:39:39.904Z] --- FAIL: ext.ostree.destructive.bootupd-static.sh (38.60s)
[2024-10-30T16:39:39.904Z] cluster.go:151: Error: Unit kola-runext.service exited with code 1
[2024-10-30T16:39:39.904Z] cluster.go:151: 2024-10-30T16:39:36Z cli: Unit kola-runext.service exited with code 1
[2024-10-30T16:39:39.904Z] harness.go:1265: kolet failed: : kolet run-test-unit failed: Process exited with status 1
[2024-10-30T16:51:46.499Z] Fetching status failed: ssh: handshake failed: read tcp 127.0.0.1:54814->127.0.0.1:42069: read: connection reset by peer
[2024-10-30T16:51:47.853Z] --- FAIL: ext.ostree.destructive-rs.composefs::itest_composefs (766.37s)
[2024-10-30T16:51:47.853Z] harness.go:1265: kolet failed: : Waiting for reboot: machine "6ad0c746-e827-4c63-9459-30dceb402826" failed to start: ssh journalctl failed: time limit exceeded
[2024-10-30T16:51:47.853Z] harness.go:106: TIMEOUT[10m0s]: ssh: journalctl -t kola-runext-composefs::itest_composefs
[2024-10-30T16:51:47.853Z] FAIL, output in /home/jenkins/agent/workspace/ostree_PR-3331/tmp/kola-b9ma7/kola/rerun
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
code lgtm, but still test is complaining.
Some of the test failures here are unrelated to this PR, it just also happens to be the first one after the FCOS default switch. I put one test update in #3332 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, lgtm. Looking at the test next.
7f9da52
to
c0be5bf
Compare
Fixes a regression from the previous commit; in the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either. The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled. Closes: ostreedev#3330 Signed-off-by: Colin Walters <[email protected]>
c0be5bf
to
6ed1f83
Compare
Fixes a regression from the previous commit; in
the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either.
The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled.
Closes: #3330