prepare-root: Add support for root.transient #3114
Conversation
This function doesn't exist anymore.
This doesn't matter at all, but I just noticed this while working on the code.
Closes: ostreedev#3113 It'd greatly improve compatibility with things like RPMs that install in `/opt` if we supported a full "original docker" style model where `/` is a transient overlayfs. We'd still keep our semantics for `/etc` and `/var` by default, but e.g. we'd stop recommending `/opt` ➡️ `/var/opt`, in this model, so `/opt` would be on the overlayfs. Note this all aligns with composefs, where we'd actually be making `/` a *read-only* overlayfs by default; it'd be really nice of course to *implement* this by just making the composefs overlayfs writable, but I am not sure we can hard require composefs for this right now. So this change adds support for `root.transient = true` in `/usr/lib/ostree/prepare-root.conf`. The major downside is that people could be surprised if files they write to e.g. `/opt` don't persist across upgrades. But, that's already again how it works since Docker started. Note as part of the implementation of this, we need to add a whole new "backing" directory distinct from the deployment directories. (Tangentially related to this, it's tempting to switch to always using a *read-only* overlay mount by default.
|
Skipping CI for Draft Pull Request. |
github-actions
bot
added
the
area/prepare-root
|
So this seems to work well: Then I did A next step here is to change rpm-ostree to detect this configuration and stop doing the opt ➡️ var/opt link (edit: done in coreos/rpm-ostree#4719 ) |
This pairs with ostreedev/ostree#3114 Basically we want to detect the case where the OS has opted-in to this new mode and *not* symlink things. I originally thought we could implement this by just moving all the toplevel directories, but then I hit on the fact that because the `filesystem` package is creating all the toplevel directories in lua script which we ignore...that doesn't work. So we need to keep making them by hand.
This pairs with ostreedev/ostree#3114 Basically if ostree has an overlayfs (whether writable or a readonly composefs), we're safe to handle non-`/usr` content. However, we still *always* drop content from the "API filesystems" like `/run`, `/dev` etc. Because really, no one should be adding stuff there.
|
This also wants ostreedev/ostree-rs-ext#570 |
This turns on the functionality added in ostreedev/ostree#3114
|
BTW this change also requires coreos/coreos-installer#1203 for FCOS for the same reason as composefs. |
|
LGTM |
| @@ -3360,6 +3407,9 @@ sysroot_finalize_deployment (OstreeSysroot *self, OstreeDeployment *deployment, | |||
| if (!selinux_relabel_var_if_needed (self, sepolicy, os_deploy_dfd, cancellable, error)) | |||
| return FALSE; | |||
|
|
|||
| if (!sysroot_initialize_deployment_backing (self, deployment, sepolicy, error)) | |||
There was a problem hiding this comment.
Shouldn't this be gated on root.transient?
There was a problem hiding this comment.
You're right to call this out, but this was semi-intentional because one thing I want to do is change usroverlay to write here instead of the /var/tmp it does today - because that would just be better; the content would be clearly "lifecycle bound" to the deployment and we wouldn't need that hacky tmpfiles.d snippet we carry:
# https://github.com/ostreedev/ostree/issues/393
R! /var/tmp/ostree-unlock-ovl.*
(That said to do that note we'd need to also change some logic to ensure the overlay content for it is actually removed on reboot by default)
This all said, yes we could still create it dynamically in either case. I think we actually should have logic here in ostree to do what is being replicated in ostree-rs-ext and rpm-ostree around querying the initramfs config. Then we could drop the ex-integrity.composefs repo config.
| @@ -3078,6 +3078,10 @@ sysroot_initialize_deployment (OstreeSysroot *self, const char *osname, const ch | |||
| if (!require_stateroot (self, osname, error)) | |||
| return FALSE; | |||
|
|
|||
| g_autofree char *stateroot_backing = g_strdup_printf ("ostree/deploy/%s/backing", osname); | |||
| if (!glnx_shutil_mkdir_p_at (self->sysroot_fd, stateroot_backing, 0700, cancellable, error)) | |||
This pairs with ostreedev/ostree#3114 Basically we want to detect the case where the OS has opted-in to this new mode and *not* symlink things. I originally thought we could implement this by just moving all the toplevel directories, but then I hit on the fact that because the `filesystem` package is creating all the toplevel directories in lua script which we ignore...that doesn't work. So we need to keep making them by hand.
This pairs with ostreedev/ostree#3114 Basically if ostree has an overlayfs (whether writable or a readonly composefs), we're safe to handle non-`/usr` content. However, we still *always* drop content from the "API filesystems" like `/run`, `/dev` etc. Because really, no one should be adding stuff there.
This builds on top of the test image using ostreedev/ostree#3114 and related PRs.
This builds on top of the test image using ostreedev/ostree#3114 and related PRs.
This pairs with ostreedev/ostree#3114 Basically we want to detect the case where the OS has opted-in to this new mode and *not* symlink things. I originally thought we could implement this by just moving all the toplevel directories, but then I hit on the fact that because the `filesystem` package is creating all the toplevel directories in lua script which we ignore...that doesn't work. So we need to keep making them by hand.
This pairs with ostreedev/ostree#3114 Basically we want to detect the case where the OS has opted-in to this new mode and *not* symlink things. I originally thought we could implement this by just moving all the toplevel directories, but then I hit on the fact that because the `filesystem` package is creating all the toplevel directories in lua script which we ignore...that doesn't work. So we need to keep making them by hand.
|
BTW for people seeing this now, it's also worth looking at #3120 |
|
It's unclear to me reading the commit message and the issues here what exactly happens when we turn this knob on. Could you write a bit of docs about it? Thanks |
sysroot: Drop unused prototype
This function doesn't exist anymore.
prepare-root: Add an autofree
This doesn't matter at all, but I just noticed this while working
on the code.
prepare-root: Add support for root.transient
Closes: #3113
It'd greatly improve compatibility with things like RPMs that install
in
/optif we supported a full "original docker" style model where/is a transient overlayfs. We'd still keep our semantics for/etcand
/varby default, but e.g. we'd stop recommending/opt➡️/var/opt, in this model,so
/optwould be on the overlayfs.Note this all aligns with composefs, where we'd actually be making
/a read-only overlayfs by default; it'd be really nice of courseto implement this by just making the composefs overlayfs writable,
but I am not sure we can hard require composefs for this right now.
So this change adds support for
root.transient = truein
/usr/lib/ostree/prepare-root.conf.The major downside is that people could be surprised if files they
write to e.g.
/optdon't persist across upgrades. But, that'salready again how it works since Docker started.
Note as part of the implementation of this, we need to add a whole
new "backing" directory distinct from the deployment directories.
(Tangentially related to this, it's tempting to switch to always
using a read-only overlay mount by default.