Enable composefs #3009

Merged, 4 commits, Aug 30, 2024
Commits on Aug 30, 2024

  1. Enable composefs for 41+

    Enabling composefs allows an increase in security by making the
    filesystem truly read-only.
    
    It's also a cornerstone towards a truly sealed system with full
    integrity checks at runtime.
    
    It will also allow storage deduplication between the host filesystem
    and the containers storage in the long run, which is a huge win: faster
    downloads and faster container startup times.
    
    A thing that this is known to break is the "chattr -i" hack for new
    toplevel dirs (xref coreos/rpm-ostree#337).
    
    Basically if you want that, you either need to make a derived image,
    or enable transient root.
    
    Ref: https://fedoraproject.org/wiki/Changes/ComposefsAtomicCoreOSIoT
    
    Co-authored-by: jbtrystram <jbtrystram@redhat.com>
    2 people authored and jlebon committed Aug 30, 2024
  2. denylist: add kdump.crash for rawhide

    We are trying to enable composefs in rawhide and there is an issue
    where kdump fails to generate the initrd from boot.
    Manually triggering the rebuild works but requires the extra manual
    step.
    Snoozing this test to give the kdump team some time to
    investigate.
    
    Note that the kdump over SSH test works so we still have some
    coverage for kdump.
    jbtrystram authored and jlebon committed Aug 30, 2024
  3. tests: adapt for composefs

    On composefs, / is now an overlay, so some of the commands that query
    `/` don't quite work. Tweak them to instead query `/sysroot`, which
    should still be the actual storage layer underneath the composefs mount
    that we really care about for these tests.
    jlebon committed Aug 30, 2024
  4. overlay/05core: disable composefs for the live ISO

    In the composefs path, ostree-prepare-root wants to mount /etc and /var
    as writable, which is not possible in the live ISO environment.
    
    Override the kernel command line to disable composefs in that case.
    
    See ostreedev/ostree#1921
    and coreos#3009 (comment)
    jbtrystram authored and jlebon committed Aug 30, 2024
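The first commit says composefs makes the root filesystem truly read-only, and the third says that on composefs `/` is an overlay and the tests must query `/sysroot` instead to reach the real storage layer. The following shell snippet is an added example, not code from this PR or from the fedora-coreos-config test suite: it parses the text of `/proc/self/mounts` (the two inputs below are constructed samples, not captured from a real host, and the option strings are simplified) to decide whether `/` is the composefs overlay, whether it is mounted `ro`, and which path a storage-level check should target. The function names `fstype_of`, `mount_opts`, `storage_root` and `root_is_readonly` are this example's own.

```shell
#!/bin/sh
# Added example (not part of coreos/fedora-coreos-config #3009).
# Decide, from the contents of /proc/self/mounts, whether the root
# filesystem is a composefs-style overlay and where the backing
# storage layer lives. /proc/self/mounts fields are:
#   device mountpoint fstype options dump pass

# fstype_of MOUNTS PATH -> filesystem type of the entry mounted at PATH
fstype_of() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $3; exit }'
}

# mount_opts MOUNTS PATH -> mount options of the entry mounted at PATH
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# storage_root MOUNTS -> "/sysroot" when / is an overlay (composefs
# enabled), otherwise "/" (legacy ostree root on the real block device).
# This is the path that tests querying the underlying storage should use.
storage_root() {
    if [ "$(fstype_of "$1" /)" = overlay ]; then
        echo /sysroot
    else
        echo /
    fi
}

# root_is_readonly MOUNTS -> returns 0 when / carries the "ro" option
root_is_readonly() {
    case ",$(mount_opts "$1" /)," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample: a composefs-enabled host. / is a read-only overlay
# whose lower layer points at the ostree object store under /sysroot;
# /var is a separate writable mount. Options are simplified.
COMPOSEFS_MOUNTS='composefs / overlay ro,relatime,seclabel,lowerdir=/run/ostree/.private/cfsroot-lower::/sysroot/ostree/repo/objects,redirect_dir=on,metacopy=on 0 0
/dev/vda4 /sysroot xfs ro,relatime,seclabel 0 0
/dev/vda4 /var xfs rw,relatime,seclabel 0 0'

# Constructed sample: a legacy (non-composefs) ostree host, / is the
# real block device and writable.
LEGACY_MOUNTS='/dev/vda4 / xfs rw,relatime,seclabel 0 0
/dev/vda4 /var xfs rw,relatime,seclabel 0 0'

# Stand-alone demo against the live system, when one is available.
if [ -r /proc/self/mounts ]; then
    live="$(cat /proc/self/mounts)"
    echo "/ is $(fstype_of "$live" /); query $(storage_root "$live") for storage checks"
    if root_is_readonly "$live"; then echo "/ is mounted read-only"; fi
fi
```

On a real host the interactive equivalent is `findmnt -o FSTYPE,OPTIONS /` next to `findmnt -o FSTYPE,OPTIONS /sysroot`; the point of routing storage checks through `storage_root` is that a test asserting on block-device properties of `/` silently tests the overlay once composefs is on, which is exactly what the third commit works around.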