signing: ed25519 can now be backed by openssl
If ostree is compiled with OpenSSL support (as it is on e.g. Fedora derivatives), this also enables an OpenSSL-backed implementation of the ed25519 signature support. Previously, this required libsodium - which can still be used if desired instead of openssl.
composefs changes
Now enabled at build time (but disabled at runtime) by default
On systems with sufficiently new glibc and fsverity, ostree enables support for composefs at build time. It continues to be disabled by default at runtime.
composefs now supports signature verification
There is support for an "initramfs root binding key" that can be injected into the initramfs, and used to verify the ostree commit (including its embedded composefs checksum). One suggested model is to follow how e.g. Fedora signs kernel modules with a transient throwaway key. For more, please see the ostree/composefs doc.
Note that composefs continues to be classified as experimental.
Configuration format has changed
The old ot-composefs kernel argument is no longer honored in favor of a configuration file that should be present in the initramfs.
ostree-prepare-root other changes
/etc/ostree/prepare-root.conf
sysroot.readonly flag can now also be configured from here, and this is recommended
/run/ostree-booted is now non-empty, and contains serialized state (this is an implementation detail)
ostree-prepare-root has a new man page which documents the previous state, along with the above
ostree admin set-default
A long-overdue CLI verb to change the default deployment for the next boot.
sysroot other bugfixes and changes
/usr/etc with an empty /etc. This is preparatory for supporting a transient /etc.
sync timeout at shutdown
ostree admin deploy now honors --stateroot as we prefer that term over --os
trivial-httpd
The remnants of the deprecated ostree trivial-httpd CLI are now completely gone.