Make ostree aware of live environments #1921
Comments
We could "standardize"
#1995 is a WIP PR for this.
Support read-only queries, but deny any attempts to make changes with a clear error. Now...in the future, we probably do want to support making "transient" overlays. See: coreos/fedora-coreos-tracker#354 (comment) Closes: ostreedev#1921
This oddly works now in a locally built FCOS live ISO and PXE artifacts:
Repurposing this card now to just generalize it to having ostree be "live system-aware".
In the composeFS path, ostree-prepare-root wants to mount /etc/ and /var as writeable, which it cannot in the live iso environment. Overriding the kernel command line to disable composeFS in that case. See ostreedev/ostree#1921 And coreos#3009 (comment)
In the composefs path, ostree-prepare-root wants to mount /etc/ and /var as writeable, which it cannot in the live iso environment. Override the kernel command line to disable composefs in that case. See ostreedev/ostree#1921 and coreos#3009 (comment)
Moving this comment over coreos/fedora-coreos-config#3009 (comment)
Just for reference I don't think that's the right fix. I still think it makes sense to use composefs in this scenario...yes, there are "two layers" of read-only but IMO that's still fine. For example I would actually argue for example that we should enable fsverity by default for our ISOs...it obsoletes things like the anaconda "sha256 the whole filesystem before you run it" thing. The messy thing here is the intersection between who sets up the filesystem writable portions. On the ostree side we already have the The good thing about this is that from ostree's PoV then we could look at the block device underlying the target rootfs, and if that is physically
In the composefs path, ostree-prepare-root wants to mount /etc/ and /var as writeable, which it cannot in the live iso environment. Override the kernel command line to disable composefs in that case. See ostreedev/ostree#1921 and #3009 (comment)
That sounds fine to me overall, but that seems like more of a follow-up to this? I'd be happy if we can just drop the
Ahh, I think the reason this works now is that we're literally shipping a We have #1920 tracking the
Currently, when building the squashfs, we drop the `sysroot.readonly` flag from the ostree config because `ostree-prepare-root` doesn't know how to handle it in the setup we have in our live environments.

But now inheriting from tier-x, we also inherited the move of that knob to `/usr/lib/ostree/prepare-root.conf`, which is then included in the initramfs. That's much harder to override during the build process because we don't want to rebuild the initramfs. We could probably instead just append a CPIO to the live initramfs that shadows it but the real fix anyway is to adapt libostree to work in live environments.[^1]

So for now, just undo this bit to go back to how it was set up before inheriting from tier-x, where the only sysroot.readonly knob lives in the ostree repo config.

[^1]: ostreedev/ostree#1921
When Fedora CoreOS is booted as a live PXE system, ostree would ideally function in read-only mode, where it refuses to deploy updates (since that isn't a meaningful operation on a live system) but still provides read-only status info.
rpm-ostreed currently refuses to start on such systems because ostree is unhappy:
Live PXE systems don't need anything in `/boot`, since the kernel and initramfs are provided externally. Fedora CoreOS could generate a fake BLS entry if needed, though note that `/proc/cmdline` doesn't contain an `ostree` argument so we'd need to deal with that also (#1920).

What's the best way to proceed here?