finalize: skip the checksum when updating to an OCI release

coreos · Jan 13, 2025 · c8fc51c · c8fc51c
1 parent f10a80c
commit c8fc51c
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 8 deletions.
diff --git a/src/cincinnati/client.rs b/src/cincinnati/client.rs
@@ -124,6 +124,10 @@ pub struct Client {
 impl Client {
     /// Fetch an update-graph from Cincinnati.
     pub fn fetch_graph(&self) -> impl Future<Output = Result<Graph, CincinnatiError>> {
+        log::debug!(
+            "fetching the cincinnati graph with options: {:?}",
+            self.query_params
+        );
         let req = self
             .new_request(Method::GET, V1_GRAPH_PATH)
             .map_err(|e| CincinnatiError::FailedRequest(e.to_string()));
@@ -160,6 +164,7 @@ impl Client {
             let graph = response.json::<Graph>().await.map_err(|e| {
                 CincinnatiError::FailedJsonDecoding(format!("failed to decode graph: {}", e))
             })?;
+            log::trace!("debug graph:\n {:?}", graph);
             return Ok(graph);
         }
 

diff --git a/src/cincinnati/mod.rs b/src/cincinnati/mod.rs
@@ -227,6 +227,7 @@ fn find_update(
         graph.edges.len()
     );
 
+    log::trace!("booted deploy is : \n{:?}", booted_depl);
     // Find booted deployment in graph.
     let (cur_position, cur_node) = match graph
         .nodes
@@ -281,6 +282,7 @@ fn find_update(
             .map_err(|e| CincinnatiError::FailedNodeParsing(e.to_string()))?;
         updates.insert(release);
     }
+    log::trace!("update targets: {:?}", updates);
 
     // Exclude targets in denylist.
     let new_updates = updates.difference(&denylisted_releases);
@@ -302,6 +304,8 @@ fn find_update(
         None => return Ok(None),
     };
 
+    log::debug!("Picked {:?} as the update target", next);
+
     // Check for downgrades.
     if next <= cur_release {
         log::warn!("downgrade hint towards target release '{}'", next.version);
@@ -338,6 +342,8 @@ fn find_denylisted_releases(graph: &client::Graph, depls: BTreeSet<Release>) ->
 fn is_same_checksum(node: &Node, checksum: &str) -> bool {
     let payload_type = node.metadata.get(SCHEME_KEY);
 
+    log::debug!("{}", node.version);
+    log::debug!("node payload {}", node.payload);
     if let Some(scheme) = payload_type {
         (scheme.as_str() == OCI_SCHEME || scheme.as_str() == CHECKSUM_SCHEME)
             && node.payload == checksum

diff --git a/src/identity/mod.rs b/src/identity/mod.rs
@@ -162,6 +162,7 @@ impl Identity {
                 version: "0.0.0-mock".to_string(),
                 checksum: "sha-mock".to_string(),
                 age_index: None,
+                is_oci: false,
             },
             group: "mock-workers".to_string(),
             node_uuid: id128::Id128::parse_str("e0f3745b108f471cbd4883c6fbed8cdd").unwrap(),

diff --git a/src/rpm_ostree/cli_finalize.rs b/src/rpm_ostree/cli_finalize.rs
@@ -18,18 +18,27 @@ lazy_static::lazy_static! {
 /// Unlock and finalize the new deployment.
 pub fn finalize_deployment(release: Release) -> Result<Release> {
     FINALIZE_ATTEMPTS.inc();
-    let cmd = std::process::Command::new("rpm-ostree")
-        .arg("finalize-deployment")
-        .arg(&release.checksum)
-        .env("RPMOSTREE_CLIENT_ID", "zincati")
-        .output()
-        .context("failed to run 'rpm-ostree' binary")?;
+    let mut cmd = std::process::Command::new("rpm-ostree");
+    cmd.env("RPMOSTREE_CLIENT_ID", "zincati")
+        .arg("finalize-deployment");
 
-    if !cmd.status.success() {
+    // XXX for OCI image, we don't know the checksum until we deployed it.
+    // Currently, rpm-ostree do not return the resulting ostree commit
+    // when rebasing to an OCI image. We could query the deployements and
+    // get the latest commit but that would be racy, so let's finalize the latest
+    // commit.
+    if release.is_oci {
+        cmd.arg("--allow-missing-checksum")
+    } else {
+        cmd.arg(&release.checksum)
+    };
+
+    let cmd_result = cmd.output().context("failed to run 'rpm-ostree' binary")?;
+    if !cmd_result.status.success() {
         FINALIZE_FAILURES.inc();
         anyhow::bail!(
             "rpm-ostree finalize-deployment failed:\n{}",
-            String::from_utf8_lossy(&cmd.stderr)
+            String::from_utf8_lossy(&cmd_result.stderr)
         );
     }
 

diff --git a/src/rpm_ostree/cli_status.rs b/src/rpm_ostree/cli_status.rs
@@ -85,6 +85,7 @@ impl Deployment {
             checksum: self.base_revision(),
             version: self.version,
             age_index: None,
+            is_oci: self.container_image_reference.is_some(),
         }
     }
 

diff --git a/src/rpm_ostree/mod.rs b/src/rpm_ostree/mod.rs
@@ -29,6 +29,8 @@ pub struct Release {
     pub checksum: String,
     /// Release age (Cincinnati `age_index`).
     pub age_index: Option<u64>,
+    /// If the release is shipped within an OCI image
+    pub is_oci: bool,
 }
 
 impl std::cmp::Ord for Release {
@@ -90,6 +92,7 @@ impl Release {
             version: node.version,
             checksum: node.payload,
             age_index: Some(age),
+            is_oci: { scheme == OCI_SCHEME },
         };
         Ok(rel)
     }
@@ -158,11 +161,13 @@ mod tests {
                 version: "v0".to_string(),
                 checksum: "p0".to_string(),
                 age_index: Some(0),
+                is_oci: false,
             };
             let n1 = Release {
                 version: "v1".to_string(),
                 checksum: "p1".to_string(),
                 age_index: Some(1),
+                is_oci: false,
             };
             assert!(n0 < n1);
             assert!(n0 == n0);
@@ -174,11 +179,13 @@ mod tests {
                 version: "v0".to_string(),
                 checksum: "p0".to_string(),
                 age_index: Some(0),
+                is_oci: false,
             };
             let n1 = Release {
                 version: "v1".to_string(),
                 checksum: "p1".to_string(),
                 age_index: Some(0),
+                is_oci: false,
             };
             assert!(n0 < n1);
             assert!(!(n0 < n0));
@@ -189,11 +196,13 @@ mod tests {
                 version: "v0".to_string(),
                 checksum: "p0".to_string(),
                 age_index: Some(0),
+                is_oci: false,
             };
             let n1 = Release {
                 version: "v0".to_string(),
                 checksum: "p1".to_string(),
                 age_index: Some(0),
+                is_oci: false,
             };
             assert!(n0 < n1);
             assert!(!(n0 < n0));

diff --git a/src/update_agent/actor.rs b/src/update_agent/actor.rs
@@ -597,6 +597,7 @@ mod tests {
             version: "v1".to_string(),
             checksum: "ostree-checksum".to_string(),
             age_index: None,
+            is_oci: false,
         };
 
         // Transition between states with different discriminants.

diff --git a/src/update_agent/mod.rs b/src/update_agent/mod.rs
@@ -620,6 +620,7 @@ mod tests {
             version: "v1".to_string(),
             checksum: "ostree-checksum".to_string(),
             age_index: None,
+            is_oci: false,
         };
         machine.update_available(update.clone());
         assert_eq!(
@@ -656,6 +657,7 @@ mod tests {
             version: "v1".to_string(),
             checksum: "ostree-checksum".to_string(),
             age_index: None,
+            is_oci: false,
         };
         let mut machine = UpdateAgentMachineState::NoNewUpdate;
 
@@ -690,6 +692,7 @@ mod tests {
             version: "v1".to_string(),
             checksum: "ostree-checksum".to_string(),
             age_index: None,
+            is_oci: false,
         };
         let mut machine = UpdateAgentMachineState::UpdateAvailable((update.clone(), 0));
         let (delay, should_jitter) = machine.get_refresh_delay(steady_interval);