daemon: Add new ModifyYumRepo DBus API #1780
Conversation
| <!-- Set options in yum .repo files --> | ||
| <method name="ModifyYumRepo"> | ||
| <arg type="s" name="repo_id" direction="in"/> | ||
| <arg type="a{ss}" name="repo_options" direction="in"/> |
There was a problem hiding this comment.
Hm, I called it repo_options to avoid confusing it with options such as "dry-run" that other DBus API has. Not sure it's a huge problem :) Happy to change it if you think it's best.
There was a problem hiding this comment.
settings or parameters could work too? Just writing the polkit messages and "Authentication is required to modify repository settings" is what I have right now and "settings" seems to work well in that sentence.
There was a problem hiding this comment.
Sure, settings sounds good to me!
|
bot, retest this please |
|
Thanks for working on this! I'm a bit uncertain though long term about exposing every configuration option via DBus. An obvious 🐘 in the room here is that we don't expose a DBus API to configure the OSTree repositories either. In the end if one can configure arbitrary yum repos it's equivalent to arbitrary code execution on the host, not going to be easy to wrap it in anything that constrains it with polkit. For example, while it looks like systemd does have a DBus API to set unit file properties, in the end the vast majority of tooling to configure systemd just ends up writing unit files, symlinks to I'm not saying we shouldn't do a PR like this - but let's at least consider the (IMO far simpler) alternative of just having gnome-software basically run |
|
I originally only wanted to add an API to enable and disable repos, I don't need to edit any of the other properties. Only did the more generic version because jlebon thought it would make sense :) I'd be happy to change the API to EnableYumRepo with Sure, implementing a new dbus privilage separation daemon that can edit the .repo files for gnome-software is certainly an option if you don't want it in rpm-ostreed. It would be easier to have it in rpm-ostreed, but anything really works. |
That's true, though Also the proposed API here is essentially the same PackageKit already offers with So focusing more on whether rpm-ostree should be in the business of editing config files. I agree we want to avoid that and not proactively add APIs that do this, though I can imagine situations where it'd be useful, esp. in scenarios where rpm-ostree is essentially part of the "host API" (an easy one that comes to mind is containers talking to rpm-ostree over D-Bus). So I guess my opinion is: ideally no, but if necessary yes? :)
That's... pretty cool. Hadn't looked at
I think what @cgwalters is suggesting (do correct me if not!) is GNOME Software copies the yum repos to some user owned space, does whatever modifications it wants, then literally spawns |
|
Not sure I like the pkexec idea. There's no way to customize the polkit message there for starters. |
|
Sorry I'd glossed over the fact that this was originally only about enabling/disabling repos. I had thought we were scoping in adding/removing.
Talking about the machine-config-operator is a perfect example here because we have the host rootfs mounted. When we go to write systemd units it's directly via the filesystem. If we were to add an (Partly because DBus in golang is...eh, but a lot just because it's simple and works) |
|
Alright, I tested this now and seems to work fine :) Pushed a fixup with jlebon's review comments and added the missing polkit support. The API questions are still open though: 1) should it be generic ModifyYumRepo or just EnableYumRepo? |
I think if a container can do this, it's clearly better. Though the MCD is basically a super-SPC (well, that's redundant, let's say mega-SPC). Not to say mounting D-Bus isn't equally dangerous if the container is also running as root.
Hmm, yeah I do see this in Though I think that'd mean you have to (1) ship a little helper in e.g. This is somewhat related to the discussions we've had in #1768. Unless PackageKit grows some kind of rpm-ostree backend, then it sorta falls on rpm-ostree to provide some of the same basic APIs. The alternative is e.g. GNOME Software and Discover having to learn a whole new way of asking for privileged actions. |
One hybrid option is keeping as |
|
Ahh, I think that makes sense. Pushed a commit that changes it to only accept |
There was a problem hiding this comment.
This looks good to me, just some minor nits! Could you also just squash all your commits into one?
Will let @cgwalters take a look at the final approach here.
| <!-- Set options in yum .repo files --> | ||
| <method name="ModifyYumRepo"> | ||
| <arg type="s" name="repo_id" direction="in"/> | ||
| <arg type="a{ss}" name="repo_options" direction="in"/> |
There was a problem hiding this comment.
Sure, settings sounds good to me!
This allows clients such as gnome-software to enable and disable yum repositories. The API is generic, but for now we only allow changing the 'enabled' key. If needed, it's easy to allow changing other settings in the future. See the discussion in the PR for the reasoning. Closes: coreos#1771
|
Squashed all commits and fixed the two nits! Thanks! |
|
☀️ Test successful - status-atomicjenkins |
This allows clients such as gnome-software to enable and disable
yum repositories.
Closes: #1771
(Note that this is completely untested, ran out of time today and going to be offline the whole weekend. I'll just put it up in case someone wants to have an early look. Will test it and fix things up on Monday.)