diff options
| author | Lennart Poettering <lennart@poettering.net> | 2021-06-09 17:19:15 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-08-17 10:09:04 +0200 |
| commit | c40d82abf7b23803aa7394a7a7e24c40c32af851 (patch) | |
| tree | 3b5ded27e3f43491361f507571f139c6951b2126 /src/import/pull-raw.c | |
| parent | d32a5841fb1aabc0e2fd138d78b5f66d31b3ba77 (diff) | |
| download | systemd-c40d82abf7b23803aa7394a7a7e24c40c32af851.tar.gz | |
pull: add --direct mode + make various eatures optional + explicit checksum verification
This does what the previous commit did for systemd-import the same way
for systemd-pull.
It also adds one more thing: the checksum validation is extended, in
addition of doing SHA256SUMS/gpg verification it is now possible to
immediately specify a hash value on the command line that the download
needs to match. This is particularly useful in --direct mode as we can
download/decompress/unpack arbitrary files and check the hash of the
downloaded file on-the-fly.
Diffstat (limited to 'src/import/pull-raw.c')
| -rw-r--r-- | src/import/pull-raw.c | 469 |
1 files changed, 303 insertions, 166 deletions
diff --git a/src/import/pull-raw.c b/src/import/pull-raw.c index 56c99a690e..c071e134f2 100644 --- a/src/import/pull-raw.c +++ b/src/import/pull-raw.c @@ -15,6 +15,7 @@ #include "hostname-util.h" #include "import-common.h" #include "import-util.h" +#include "install-file.h" #include "macro.h" #include "mkdir.h" #include "path-util.h" @@ -46,6 +47,8 @@ struct RawPull { ImportVerify verify; char *image_root; + uint64_t offset; + PullJob *raw_job; PullJob *checksum_job; PullJob *signature_job; @@ -57,7 +60,8 @@ struct RawPull { RawPullFinished on_finished; void *userdata; - char *local; + char *local; /* In PULL_DIRECT mode the path we are supposed to place things in, otherwise the + * machine name of the final copy we make */ char *final_path; char *temp_path; @@ -73,6 +77,8 @@ struct RawPull { char *verity_path; char *verity_temp_path; + + char *checksum; }; RawPull* raw_pull_unref(RawPull *i) { @@ -103,6 +109,7 @@ RawPull* raw_pull_unref(RawPull *i) { free(i->verity_path); free(i->image_root); free(i->local); + free(i->checksum); return mfree(i); } @@ -148,6 +155,7 @@ int raw_pull_new( .image_root = TAKE_PTR(root), .event = TAKE_PTR(e), .glue = TAKE_PTR(g), + .offset = UINT64_MAX, }; i->glue->on_finished = pull_job_curl_on_finished; @@ -230,12 +238,20 @@ static void raw_pull_report_progress(RawPull *i, RawProgress p) { } static int raw_pull_maybe_convert_qcow2(RawPull *i) { + _cleanup_(unlink_and_freep) char *t = NULL; _cleanup_close_ int converted_fd = -1; - _cleanup_free_ char *t = NULL; + _cleanup_free_ char *f = NULL; int r; assert(i); assert(i->raw_job); + assert(!FLAGS_SET(i->flags, PULL_DIRECT)); + + if (!FLAGS_SET(i->flags, PULL_CONVERT_QCOW2)) + return 0; + + assert(i->final_path); + assert(i->raw_job->close_disk_fd); r = qcow2_detect(i->raw_job->disk_fd); if (r < 0) @@ -244,32 +260,35 @@ static int raw_pull_maybe_convert_qcow2(RawPull *i) { return 0; /* This is a QCOW2 image, let's convert it */ - r = tempfn_random(i->final_path, NULL, &t); + r = tempfn_random(i->final_path, NULL, &f); if (r < 0) return log_oom(); - converted_fd = open(t, O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC, 0664); + converted_fd = open(f, O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC, 0664); if (converted_fd < 0) - return log_error_errno(errno, "Failed to create %s: %m", t); + return log_error_errno(errno, "Failed to create %s: %m", f); + + t = TAKE_PTR(f); (void) import_set_nocow_and_log(converted_fd, t); log_info("Unpacking QCOW2 file."); r = qcow2_convert(i->raw_job->disk_fd, converted_fd); - if (r < 0) { - (void) unlink(t); + if (r < 0) return log_error_errno(r, "Failed to convert qcow2 image: %m"); - } - (void) unlink(i->temp_path); - free_and_replace(i->temp_path, t); + unlink_and_free(i->temp_path); + i->temp_path = TAKE_PTR(t); CLOSE_AND_REPLACE(i->raw_job->disk_fd, converted_fd); return 1; } -static int raw_pull_determine_path(RawPull *i, const char *suffix, char **field) { +static int raw_pull_determine_path( + RawPull *i, + const char *suffix, + char **field /* input + output (!) */) { int r; assert(i); @@ -290,7 +309,7 @@ static int raw_pull_determine_path(RawPull *i, const char *suffix, char **field) static int raw_pull_copy_auxiliary_file( RawPull *i, const char *suffix, - char **path) { + char **path /* input + output (!) */) { const char *local; int r; @@ -305,7 +324,14 @@ static int raw_pull_copy_auxiliary_file( local = strjoina(i->image_root, "/", i->local, suffix); - r = copy_file_atomic(*path, local, 0644, 0, 0, COPY_REFLINK | (FLAGS_SET(i->flags, PULL_FORCE) ? COPY_REPLACE : 0)); + r = copy_file_atomic( + *path, + local, + 0644, + 0, 0, + COPY_REFLINK | + (FLAGS_SET(i->flags, PULL_FORCE) ? COPY_REPLACE : 0) | + (FLAGS_SET(i->flags, PULL_SYNC) ? COPY_FSYNC_FULL : 0)); if (r == -EEXIST) log_warning_errno(r, "File %s already exists, not replacing.", local); else if (r == -ENOENT) @@ -319,13 +345,15 @@ static int raw_pull_copy_auxiliary_file( } static int raw_pull_make_local_copy(RawPull *i) { - _cleanup_free_ char *tp = NULL; + _cleanup_(unlink_and_freep) char *tp = NULL; + _cleanup_free_ char *f = NULL; _cleanup_close_ int dfd = -1; const char *p; int r; assert(i); assert(i->raw_job); + assert(!FLAGS_SET(i->flags, PULL_DIRECT)); if (!i->local) return 0; @@ -342,6 +370,7 @@ static int raw_pull_make_local_copy(RawPull *i) { /* We freshly downloaded the image, use it */ assert(i->raw_job->disk_fd >= 0); + assert(i->offset == UINT64_MAX); if (lseek(i->raw_job->disk_fd, SEEK_SET, 0) == (off_t) -1) return log_error_errno(errno, "Failed to seek to beginning of vendor image: %m"); @@ -349,38 +378,38 @@ static int raw_pull_make_local_copy(RawPull *i) { p = strjoina(i->image_root, "/", i->local, ".raw"); - if (FLAGS_SET(i->flags, PULL_FORCE)) - (void) rm_rf(p, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME); - - r = tempfn_random(p, NULL, &tp); + r = tempfn_random(p, NULL, &f); if (r < 0) return log_oom(); - dfd = open(tp, O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC, 0664); + dfd = open(f, O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC, 0664); if (dfd < 0) return log_error_errno(errno, "Failed to create writable copy of image: %m"); + tp = TAKE_PTR(f); + /* Turn off COW writing. This should greatly improve performance on COW file systems like btrfs, * since it reduces fragmentation caused by not allowing in-place writes. */ (void) import_set_nocow_and_log(dfd, tp); r = copy_bytes(i->raw_job->disk_fd, dfd, UINT64_MAX, COPY_REFLINK); - if (r < 0) { - (void) unlink(tp); + if (r < 0) return log_error_errno(r, "Failed to make writable copy of image: %m"); - } (void) copy_times(i->raw_job->disk_fd, dfd, COPY_CRTIME); (void) copy_xattr(i->raw_job->disk_fd, dfd, 0); dfd = safe_close(dfd); - r = rename(tp, p); - if (r < 0) { - r = log_error_errno(errno, "Failed to move writable image into place: %m"); - (void) unlink(tp); - return r; - } + r = install_file(AT_FDCWD, tp, + AT_FDCWD, p, + (i->flags & PULL_FORCE ? INSTALL_REPLACE : 0) | + (i->flags & PULL_READ_ONLY ? INSTALL_READ_ONLY : 0) | + (i->flags & PULL_SYNC ? INSTALL_FSYNC_FULL : 0)); + if (r < 0) + return log_error_errno(errno, "Failed to move local image into place '%s': %m", p); + + tp = mfree(tp); log_info("Created new local image '%s'.", i->local); @@ -442,9 +471,10 @@ static int raw_pull_rename_auxiliary_file( int r; assert(i); + assert(path); assert(temp_path); + assert(*temp_path); assert(suffix); - assert(path); /* Regenerate final name for this auxiliary file, we might know the etag of the file now, and we should * incorporate it in the file name if we can */ @@ -453,61 +483,78 @@ static int raw_pull_rename_auxiliary_file( if (r < 0) return r; - r = import_make_read_only(*temp_path); + r = install_file( + AT_FDCWD, *temp_path, + AT_FDCWD, *path, + INSTALL_READ_ONLY| + (i->flags & PULL_SYNC ? INSTALL_FSYNC_FULL : 0)); if (r < 0) - return r; - - r = rename_noreplace(AT_FDCWD, *temp_path, AT_FDCWD, *path); - if (r < 0) - return log_error_errno(r, "Failed to rename file %s to %s: %m", *temp_path, *path); + return log_error_errno(r, "Failed to move '%s' into place: %m", *path); *temp_path = mfree(*temp_path); - return 1; } static void raw_pull_job_on_finished(PullJob *j) { RawPull *i; + PullJob *jj; int r; assert(j); assert(j->userdata); i = j->userdata; - if (j == i->settings_job) { - if (j->error != 0) + + if (j->error != 0) { + /* Only the main job and the checksum job are fatal if they fail. The other fails are just + * "decoration", that we'll download if we can. The signature job isn't fatal here because we + * might not actually need it in case Suse style signatures are used, that are inline in the + * checksum file. */ + + if (j == i->raw_job) { + if (j->error == ENOMEDIUM) /* HTTP 404 */ + r = log_error_errno(j->error, "Failed to retrieve image file. (Wrong URL?)"); + else + r = log_error_errno(j->error, "Failed to retrieve image file."); + goto finish; + } else if (j == i->checksum_job) { + r = log_error_errno(j->error, "Failed to retrieve SHA256 checksum, cannot verify. (Try --verify=no?)"); + goto finish; + } else if (j == i->signature_job) + log_debug_errno(j->error, "Signature job for %s failed, proceeding for now.", j->url); + else if (j == i->settings_job) log_info_errno(j->error, "Settings file could not be retrieved, proceeding without."); - } else if (j == i->roothash_job) { - if (j->error != 0) + else if (j == i->roothash_job) log_info_errno(j->error, "Root hash file could not be retrieved, proceeding without."); - } else if (j == i->roothash_signature_job) { - if (j->error != 0) + else if (j == i->roothash_signature_job) log_info_errno(j->error, "Root hash signature file could not be retrieved, proceeding without."); - } else if (j == i->verity_job) { - if (j->error != 0) - log_info_errno(j->error, "Verity integrity file could not be retrieved, proceeding without. %s", j->url); - } else if (j->error != 0 && j != i->signature_job) { - if (j == i->checksum_job) - log_error_errno(j->error, "Failed to retrieve SHA256 checksum, cannot verify. (Try --verify=no?)"); + else if (j == i->verity_job) + log_info_errno(j->error, "Verity integrity file could not be retrieved, proceeding without."); else - log_error_errno(j->error, "Failed to retrieve image file. (Wrong URL?)"); - - r = j->error; - goto finish; + assert_not_reached(); } /* This is invoked if either the download completed successfully, or the download was skipped because * we already have the etag. In this case ->etag_exists is true. * - * We only do something when we got all three files */ + * We only do something when we got all files */ if (!raw_pull_is_done(i)) return; if (i->signature_job && i->signature_job->error != 0) { VerificationStyle style; + PullJob *verify_job; + + /* The signature job failed. Let's see if we actually need it */ + + verify_job = i->checksum_job ?: i->raw_job; /* if the checksum job doesn't exist this must be + * because the main job is the checksum file + * itself */ + + assert(verify_job); - r = verification_style_from_url(i->checksum_job->url, &style); + r = verification_style_from_url(verify_job->url, &style); if (r < 0) { log_error_errno(r, "Failed to determine verification style from checksum URL: %m"); goto finish; @@ -517,32 +564,21 @@ static void raw_pull_job_on_finished(PullJob *j) { * in per-directory verification mode, since only * then the signature is detached, and thus a file * of its own. */ - log_error_errno(j->error, "Failed to retrieve signature file, cannot verify. (Try --verify=no?)"); - r = i->signature_job->error; + r = log_error_errno(i->signature_job->error, + "Failed to retrieve signature file, cannot verify. (Try --verify=no?)"); goto finish; } } - if (i->settings_job) - i->settings_job->disk_fd = safe_close(i->settings_job->disk_fd); - if (i->roothash_job) - i->roothash_job->disk_fd = safe_close(i->roothash_job->disk_fd); - if (i->roothash_signature_job) - i->roothash_signature_job->disk_fd = safe_close(i->roothash_signature_job->disk_fd); - if (i->verity_job) - i->verity_job->disk_fd = safe_close(i->verity_job->disk_fd); - - r = raw_pull_determine_path(i, ".raw", &i->final_path); - if (r < 0) - goto finish; + /* Let's close these auxiliary files now, we don't need access to them anymore. */ + FOREACH_POINTER(jj, i->settings_job, i->roothash_job, i->roothash_signature_job, i->verity_job) + pull_job_close_disk_fd(jj); if (!i->raw_job->etag_exists) { - /* This is a new download, verify it, and move it into place */ - assert(i->raw_job->disk_fd >= 0); - raw_pull_report_progress(i, RAW_VERIFYING); r = pull_verify(i->verify, + i->checksum, i->raw_job, i->checksum_job, i->signature_job, @@ -552,50 +588,91 @@ static void raw_pull_job_on_finished(PullJob *j) { i->verity_job); if (r < 0) goto finish; + } - raw_pull_report_progress(i, RAW_UNPACKING); + if (i->flags & PULL_DIRECT) { + assert(!i->settings_job); + assert(!i->roothash_job); + assert(!i->roothash_signature_job); + assert(!i->verity_job); + + raw_pull_report_progress(i, RAW_FINALIZING); - r = raw_pull_maybe_convert_qcow2(i); + if (i->local) { + r = install_file(AT_FDCWD, i->local, + AT_FDCWD, NULL, + ((i->flags & PULL_READ_ONLY) && i->offset == UINT64_MAX ? INSTALL_READ_ONLY : 0) | + (i->flags & PULL_SYNC ? INSTALL_FSYNC_FULL : 0)); + if (r < 0) { + log_error_errno(r, "Failed to finalize raw file to '%s': %m", i->local); + goto finish; + } + } + } else { + r = raw_pull_determine_path(i, ".raw", &i->final_path); if (r < 0) goto finish; - raw_pull_report_progress(i, RAW_FINALIZING); + if (!i->raw_job->etag_exists) { + /* This is a new download, verify it, and move it into place */ + + assert(i->temp_path); + assert(i->final_path); - if (i->raw_job->etag) { - /* Only make a read-only copy if ETag header is set. */ - r = import_make_read_only_fd(i->raw_job->disk_fd); + raw_pull_report_progress(i, RAW_UNPACKING); + + r = raw_pull_maybe_convert_qcow2(i); if (r < 0) goto finish; - r = rename_noreplace(AT_FDCWD, i->temp_path, AT_FDCWD, i->final_path); + raw_pull_report_progress(i, RAW_FINALIZING); + + r = install_file(AT_FDCWD, i->temp_path, + AT_FDCWD, i->final_path, + INSTALL_READ_ONLY| + (i->flags & PULL_SYNC ? INSTALL_FSYNC_FULL : 0)); if (r < 0) { - log_error_errno(r, "Failed to rename raw file to %s: %m", i->final_path); + log_error_errno(r, "Failed to move raw file to '%s': %m", i->final_path); goto finish; } - } - i->temp_path = mfree(i->temp_path); + i->temp_path = mfree(i->temp_path); - if (i->roothash_job && - i->roothash_job->error == 0) { - r = raw_pull_rename_auxiliary_file(i, ".roothash", &i->roothash_temp_path, &i->roothash_path); - if (r < 0) - goto finish; - } + if (i->settings_job && + i->settings_job->error == 0) { + r = raw_pull_rename_auxiliary_file(i, ".nspawn", &i->settings_temp_path, &i->settings_path); + if (r < 0) + goto finish; + } - if (i->settings_job && - i->settings_job->error == 0) { - r = raw_pull_rename_auxiliary_file(i, ".nspawn", &i->settings_temp_path, &i->settings_path); - if (r < 0) - goto finish; + if (i->roothash_job && + i->roothash_job->error == 0) { + r = raw_pull_rename_auxiliary_file(i, ".roothash", &i->roothash_temp_path, &i->roothash_path); + if (r < 0) + goto finish; + } + + if (i->roothash_signature_job && + i->roothash_signature_job->error == 0) { + r = raw_pull_rename_auxiliary_file(i, ".roothash.p7s", &i->roothash_signature_temp_path, &i->roothash_signature_path); + if (r < 0) + goto finish; + } + + if (i->verity_job && + i->verity_job->error == 0) { + r = raw_pull_rename_auxiliary_file(i, ".verity", &i->verity_temp_path, &i->verity_path); + if (r < 0) + goto finish; + } } - } - raw_pull_report_progress(i, RAW_COPYING); + raw_pull_report_progress(i, RAW_COPYING); - r = raw_pull_make_local_copy(i); - if (r < 0) - goto finish; + r = raw_pull_make_local_copy(i); + if (r < 0) + goto finish; + } r = 0; @@ -610,7 +687,7 @@ static int raw_pull_job_on_open_disk_generic( RawPull *i, PullJob *j, const char *extra, - char **temp_path) { + char **temp_path /* input + output */) { int r; @@ -619,6 +696,8 @@ static int raw_pull_job_on_open_disk_generic( assert(extra); assert(temp_path); + assert(!FLAGS_SET(i->flags, PULL_DIRECT)); + if (!*temp_path) { r = tempfn_random_child(i->image_root, extra, temp_path); if (r < 0) @@ -643,12 +722,34 @@ static int raw_pull_job_on_open_disk_raw(PullJob *j) { i = j->userdata; assert(i->raw_job == j); + assert(j->disk_fd < 0); - r = raw_pull_job_on_open_disk_generic(i, j, "raw", &i->temp_path); - if (r < 0) - return r; + if (i->flags & PULL_DIRECT) { + + if (!i->local) { /* If no local name specified, the pull job will write its data to stdout */ + j->disk_fd = STDOUT_FILENO; + j->close_disk_fd = false; + return 0; + } + + (void) mkdir_parents_label(i->local, 0700); + + j->disk_fd = open(i->local, O_RDWR|O_NOCTTY|O_CLOEXEC|(i->offset == UINT64_MAX ? O_TRUNC|O_CREAT : 0), 0664); + if (j->disk_fd < 0) + return log_error_errno(errno, "Failed to open destination '%s': %m", i->local); + + if (i->offset == UINT64_MAX) + (void) import_set_nocow_and_log(j->disk_fd, i->local); + + } else { + r = raw_pull_job_on_open_disk_generic(i, j, "raw", &i->temp_path); + if (r < 0) + return r; + + assert(i->offset == UINT64_MAX); + (void) import_set_nocow_and_log(j->disk_fd, i->temp_path); + } - (void) import_set_nocow_and_log(j->disk_fd, i->temp_path); return 0; } @@ -715,20 +816,29 @@ int raw_pull_start( RawPull *i, const char *url, const char *local, + uint64_t offset, + uint64_t size_max, PullFlags flags, - ImportVerify verify) { + ImportVerify verify, + const char *checksum) { + PullJob *j; int r; assert(i); - assert(verify < _IMPORT_VERIFY_MAX); - assert(verify >= 0); + assert(url); + assert(verify == _IMPORT_VERIFY_INVALID || verify < _IMPORT_VERIFY_MAX); + assert(verify == _IMPORT_VERIFY_INVALID || verify >= 0); + assert((verify < 0) || !checksum); assert(!(flags & ~PULL_FLAGS_MASK_RAW)); + assert(offset == UINT64_MAX || FLAGS_SET(flags, PULL_DIRECT)); + assert(!(flags & (PULL_SETTINGS|PULL_ROOTHASH|PULL_ROOTHASH_SIGNATURE|PULL_VERITY)) || !(flags & PULL_DIRECT)); + assert(!(flags & (PULL_SETTINGS|PULL_ROOTHASH|PULL_ROOTHASH_SIGNATURE|PULL_VERITY)) || !checksum); if (!http_url_is_valid(url)) return -EINVAL; - if (local && !hostname_is_valid(local, 0)) + if (local && !pull_validate_local(local, flags)) return -EINVAL; if (i->raw_job) @@ -738,6 +848,10 @@ int raw_pull_start( if (r < 0) return r; + r = free_and_strdup(&i->checksum, checksum); + if (r < 0) + return r; + i->flags = flags; i->verify = verify; @@ -748,98 +862,121 @@ int raw_pull_start( i->raw_job->on_finished = raw_pull_job_on_finished; i->raw_job->on_open_disk = raw_pull_job_on_open_disk_raw; - i->raw_job->on_progress = raw_pull_job_on_progress; - i->raw_job->calc_checksum = verify != IMPORT_VERIFY_NO; - - r = pull_find_old_etags(url, i->image_root, DT_REG, ".raw-", ".raw", &i->raw_job->old_etags); - if (r < 0) - return r; - - r = pull_make_verification_jobs(&i->checksum_job, &i->signature_job, verify, url, i->glue, raw_pull_job_on_finished, i); - if (r < 0) - return r; - - if (FLAGS_SET(flags, PULL_SETTINGS)) { - r = pull_make_auxiliary_job(&i->settings_job, url, raw_strip_suffixes, ".nspawn", i->glue, raw_pull_job_on_finished, i); - if (r < 0) - return r; - i->settings_job->on_open_disk = raw_pull_job_on_open_disk_settings; - i->settings_job->on_progress = raw_pull_job_on_progress; - i->settings_job->calc_checksum = verify != IMPORT_VERIFY_NO; - } + if (checksum) + i->raw_job->calc_checksum = true; + else if (verify != IMPORT_VERIFY_NO) { + /* Calculate checksum of the main download unless the users asks for a SHA256SUM file or its + * signature, which we let gpg verify instead. */ - if (FLAGS_SET(flags, PULL_ROOTHASH)) { - r = pull_make_auxiliary_job(&i->roothash_job, url, raw_strip_suffixes, ".roothash", i->glue, raw_pull_job_on_finished, i); + r = pull_url_needs_checksum(url); if (r < 0) return r; - i->roothash_job->on_open_disk = raw_pull_job_on_open_disk_roothash; - i->roothash_job->on_progress = raw_pull_job_on_progress; - i->roothash_job->calc_checksum = verify != IMPORT_VERIFY_NO; + i->raw_job->calc_checksum = r; + i->raw_job->force_memory = true; /* make sure this is both written to disk if that's + * requested and into memory, since we need to verify it */ } - if (FLAGS_SET(flags, PULL_ROOTHASH_SIGNATURE)) { - r = pull_make_auxiliary_job(&i->roothash_signature_job, url, raw_strip_suffixes, ".roothash.p7s", i->glue, raw_pull_job_on_finished, i); - if (r < 0) - return r; - - i->roothash_signature_job->on_open_disk = raw_pull_job_on_open_disk_roothash_signature; - i->roothash_signature_job->on_progress = raw_pull_job_on_progress; - i->roothash_signature_job->calc_checksum = verify != IMPORT_VERIFY_NO; - } + if (size_max != UINT64_MAX) + i->raw_job->uncompressed_max = size_max; + if (offset != UINT64_MAX) + i->raw_job->offset = i->offset = offset; - if (FLAGS_SET(flags, PULL_VERITY)) { - r = pull_make_auxiliary_job(&i->verity_job, url, raw_strip_suffixes, ".verity", i->glue, raw_pull_job_on_finished, i); + if (!FLAGS_SET(flags, PULL_DIRECT)) { + r = pull_find_old_etags(url, i->image_root, DT_REG, ".raw-", ".raw", &i->raw_job->old_etags); if (r < 0) return r; - - i->verity_job->on_open_disk = raw_pull_job_on_open_disk_verity; - i->verity_job->on_progress = raw_pull_job_on_progress; - i->verity_job->calc_checksum = verify != IMPORT_VERIFY_NO; } - r = pull_job_begin(i->raw_job); + r = pull_make_verification_jobs( + &i->checksum_job, + &i->signature_job, + verify, + i->checksum, + url, + i->glue, + raw_pull_job_on_finished, + i); if (r < 0) return r; - if (i->checksum_job) { - i->checksum_job->on_progress = raw_pull_job_on_progress; - i->checksum_job->on_not_found = pull_job_restart_with_sha256sum; - - r = pull_job_begin(i->checksum_job); + if (FLAGS_SET(flags, PULL_SETTINGS)) { + r = pull_make_auxiliary_job( + &i->settings_job, + url, + raw_strip_suffixes, + ".nspawn", + verify, + i->glue, + raw_pull_job_on_open_disk_settings, + raw_pull_job_on_finished, + i); if (r < 0) return r; } - if (i->signature_job) { - i->signature_job->on_progress = raw_pull_job_on_progress; - - r = pull_job_begin(i->signature_job); + if (FLAGS_SET(flags, PULL_ROOTHASH)) { + r = pull_make_auxiliary_job( + &i->roothash_job, + url, + raw_strip_suffixes, + ".roothash", + verify, + i->glue, + raw_pull_job_on_open_disk_roothash, + raw_pull_job_on_finished, + i); if (r < 0) return r; } - if (i->settings_job) { - r = pull_job_begin(i->settings_job); + if (FLAGS_SET(flags, PULL_ROOTHASH_SIGNATURE)) { + r = pull_make_auxiliary_job( + &i->roothash_signature_job, + url, + raw_strip_suffixes, + ".roothash.p7s", + verify, + i->glue, + raw_pull_job_on_open_disk_roothash_signature, + raw_pull_job_on_finished, + i); if (r < 0) return r; } - if (i->roothash_job) { - r = pull_job_begin(i->roothash_job); + if (FLAGS_SET(flags, PULL_VERITY)) { + r = pull_make_auxiliary_job( + &i->verity_job, + url, + raw_strip_suffixes, + ".verity", + verify, + i->glue, + raw_pull_job_on_open_disk_verity, + raw_pull_job_on_finished, + i); if (r < 0) return r; } - if (i->roothash_signature_job) { - r = pull_job_begin(i->roothash_signature_job); - if (r < 0) - return r; - } + FOREACH_POINTER(j, + i->raw_job, + i->checksum_job, + i->signature_job, + i->settings_job, + i->roothash_job, + i->roothash_signature_job, + i->verity_job) { + + if (!j) + continue; + + j->on_progress = raw_pull_job_on_progress; + j->sync = FLAGS_SET(flags, PULL_SYNC); - if (i->verity_job) { - r = pull_job_begin(i->verity_job); + r = pull_job_begin(j); if (r < 0) return r; } |