
rpm-ostree: Setup readonly sysroot for ostree & rw karg #4240

Merged (1 commit) on Aug 10, 2022

Conversation

@travier (Contributor) commented Jul 27, 2022

  • Enable read only sysroot in the ostree repo config.
  • Add rw to the kernel arguments to keep stateful parts of the system
    (/var & /etc) writable.

See: https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2086489

@travier (Contributor, Author) commented Jul 28, 2022

Updated to try to fix unit tests.

@VladimirSlavik (Contributor) commented:

/kickstart-test --testtype smoke

@travier (Contributor, Author) commented Aug 2, 2022

The failures here do not seem to be related to this PR.

@travier (Contributor, Author) commented Aug 2, 2022

I'm sorry for the late PR. I'd like to get this one into F37. Let me know how I can help.

@VladimirSlavik (Contributor) left a review comment:

Thank you, this looks good. We usually change tests in the same commit as code, otherwise I don't see anything that could need changing.

For getting this into 37, that should be no problem.

@travier (Contributor, Author) commented Aug 2, 2022

Thanks! I've merged the commits into a single one.

@travier (Contributor, Author) commented Aug 2, 2022

One thing I'm wondering here is about Fedora IoT. Is IoT using Anaconda for installations? Does it want to opt-out of this change?
What do you think @nullr0ute?

@jkonecny12 (Member) left a review comment:

Looks great to me. Thanks for solving this problematic issue @travier !

@jkonecny12 (Member) commented:

/kickstart-test --testtype smoke

@jkonecny12 (Member) commented:

@travier, can you please change the commit message bug link to:

rpm-ostree: Setup readonly sysroot for ostree & rw karg (#2086489)

- Enable read only sysroot in the ostree repo config.
- Add `rw` to the kernel arguments to keep stateful parts of the system
  (/var & /etc) writable.
- Update unit tests to account for the new rw karg

See: https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
Resolves: rhbz#2086489

@travier (Contributor, Author) commented Aug 3, 2022

Updated. Thanks

@VladimirSlavik (Contributor) left a review comment:

Thank you, perfect!

@VladimirSlavik (Contributor) commented:

/kickstart-test --testtype smoke

@jkonecny12 (Member) commented:

Manually tested:

  • installation went fine
  • system booted
  • can't write to /sysroot

$ mount
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=4096k,nr_inodes=1048576,mode=755,inode64)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=609368k,nr_inodes=819200,mode=755,inode64)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
/dev/vda2 on /sysroot type btrfs (ro,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=258,subvol=/root)
/dev/vda2 on / type btrfs (rw,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=258,subvol=/root)
/dev/vda2 on /etc type btrfs (rw,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=258,subvol=/root)
/dev/vda2 on /usr type btrfs (ro,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=258,subvol=/root)
/dev/vda2 on /sysroot/ostree/deploy/fedora/var type btrfs (rw,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=258,subvol=/root)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=43,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=1713)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
ramfs on /run/credentials/systemd-sysusers.service type ramfs (ro,nosuid,nodev,noexec,relatime,seclabel,mode=700)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,size=1523416k,nr_inodes=1048576,inode64)
/dev/vda2 on /var type btrfs (rw,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=256,subvol=/var)
/dev/vda2 on /var/home type btrfs (rw,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=257,subvol=/home)
/dev/vda1 on /boot type ext4 (rw,relatime,seclabel)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=304680k,nr_inodes=76170,mode=700,uid=1000,gid=1000,inode64)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
/dev/sr0 on /run/media/test/Fedora-SB-ostree-x86_64-rawh type iso9660 (ro,nosuid,nodev,relatime,nojoliet,check=s,map=n,blocksize=2048,uid=1000,gid=1000,dmode=500,fmode=400,iocharset=utf8,uhelper=udisks2)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

Everything seems to be working just as expected.

@jkonecny12 jkonecny12 removed the manual testing required This issue can't be merged without manual testing label Aug 3, 2022
@jkonecny12 (Member) commented:

@travier this PR is ready to be merged but I guess we are waiting for @nullr0ute reaction?

@jkonecny12 jkonecny12 added the release note required Write a release note for this change. label Aug 3, 2022
@travier (Contributor, Author) commented Aug 3, 2022

@travier this PR is ready to be merged but I guess we are waiting for @nullr0ute reaction?

Yes, I'd prefer we get an ack from him before we merge.


Can you also check that the content of /sysroot/ostree/repo/config is:

[core]
repo_version=1
mode=bare

[sysroot]
readonly=true

Thanks!

@jkonecny12 (Member) commented:

Correct:

$ cat /sysroot/ostree/repo/config/
[core]
repo_version=1
mode=bare
 
[sysroot]
readonly=true

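The manual test above checks two of the invariants this change introduces by eye (the `ro` on the /sysroot mount line and `readonly=true` in the repo config); the third is that `rw` actually ends up in effect on the kernel command line so /var and /etc stay writable. The script below is an added example and is not code from this PR or from anaconda. It turns those three checks into functions that take their input as strings, so it runs offline against constructed samples: the mount excerpt is copied from the output posted in this thread, the config is the one quoted above, and the kernel command line is a made-up value with `EXAMPLE` placeholders where real checksums and UUIDs would be. It assumes the classic `mount(8)` output layout (`DEV on MNT type FS (opts)`) and that `ro`/`rw` is always the first option in that list.

```shell
#!/bin/sh
# Added example (not part of the anaconda PR): post-install checks for the
# invariants a read-only ostree sysroot is supposed to have:
#   1. /sysroot and /usr mounted read-only, /var and /etc read-write
#   2. /sysroot/ostree/repo/config sets readonly=true under [sysroot]
#   3. "rw" is the effective root mode on the kernel command line
# Inputs are strings so everything runs offline. On a live system call
#   check_readonly_sysroot "$(mount)" "$(cat /sysroot/ostree/repo/config)" "$(cat /proc/cmdline)"

# mount_opts_for MOUNT_OUTPUT MOUNTPOINT
# Prints the option list of the first line mounting MOUNTPOINT, without the
# surrounding parentheses; prints nothing when the mount point is absent.
mount_opts_for() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == "on" && $3 == mp && $4 == "type" {
            opts = $6
            sub(/^\(/, "", opts)
            sub(/\)$/, "", opts)
            print opts
            exit
        }'
}

# mount_first_opt_is MOUNT_OUTPUT MOUNTPOINT ro|rw
# True when the mount exists and its first option is the requested one
# (assumption: mount(8) lists ro/rw first, as in the output above).
mount_first_opt_is() {
    case "$(mount_opts_for "$1" "$2")" in
        "$3"|"$3",*) return 0 ;;
        *)           return 1 ;;
    esac
}

# repo_config_readonly CONFIG_TEXT
# True when the [sysroot] section of an ostree repo config has readonly=true.
# Whitespace around keys, values and section names is ignored.
repo_config_readonly() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); next }
        section == "[sysroot]" {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "readonly" && val == "true") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# cmdline_root_rw CMDLINE
# The kernel mounts root read-only unless "rw" is given; if both "ro" and
# "rw" appear, the last one wins, so track the last occurrence.
cmdline_root_rw() {
    state=ro
    for arg in $1; do
        case "$arg" in
            ro) state=ro ;;
            rw) state=rw ;;
        esac
    done
    [ "$state" = rw ]
}

# check_readonly_sysroot MOUNT_OUTPUT CONFIG_TEXT CMDLINE
# Runs every check, prints the first failure (or an OK line) and returns
# non-zero on failure.
check_readonly_sysroot() {
    mount_first_opt_is "$1" /sysroot ro || { echo "FAIL: /sysroot not mounted ro"; return 1; }
    mount_first_opt_is "$1" /usr ro     || { echo "FAIL: /usr not mounted ro"; return 1; }
    mount_first_opt_is "$1" /var rw     || { echo "FAIL: /var not mounted rw"; return 1; }
    mount_first_opt_is "$1" /etc rw     || { echo "FAIL: /etc not mounted rw"; return 1; }
    repo_config_readonly "$2"           || { echo "FAIL: repo config lacks [sysroot] readonly=true"; return 1; }
    cmdline_root_rw "$3"                || { echo "FAIL: kernel cmdline does not leave root rw"; return 1; }
    echo "OK: read-only sysroot deployment looks correct"
}

# Constructed sample inputs. The mount lines are an excerpt of the output
# posted in this thread; the config is the one quoted above; the command
# line is invented, with EXAMPLE standing in for real checksums and UUIDs.
SAMPLE_MOUNT='/dev/vda2 on /sysroot type btrfs (ro,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=258,subvol=/root)
/dev/vda2 on / type btrfs (rw,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=258,subvol=/root)
/dev/vda2 on /etc type btrfs (rw,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=258,subvol=/root)
/dev/vda2 on /usr type btrfs (ro,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=258,subvol=/root)
/dev/vda2 on /var type btrfs (rw,relatime,seclabel,compress=zstd:1,space_cache=v2,subvolid=256,subvol=/var)'

SAMPLE_CONFIG='[core]
repo_version=1
mode=bare

[sysroot]
readonly=true'

# What the repo config looked like before this change (no [sysroot] section).
SAMPLE_CONFIG_OLD='[core]
repo_version=1
mode=bare'

SAMPLE_CMDLINE='BOOT_IMAGE=/ostree/fedora-EXAMPLE/vmlinuz-EXAMPLE root=UUID=EXAMPLE-UUID rw ostree=/ostree/boot.1/fedora/EXAMPLE/0 rhgb quiet'

check_readonly_sysroot "$SAMPLE_MOUNT" "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"
```

Running the script as-is prints the OK line for the sample data; swapping `SAMPLE_CONFIG` for `SAMPLE_CONFIG_OLD` in the last call reports the missing `readonly=true`. The command line check is the one worth keeping around: without `rw` the kernel would hand the root filesystem to the initramfs read-only, and the deployment's writable /etc and /var bind mounts would fail, which is exactly why the karg is added alongside the config change.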
@jkonecny12 (Member) commented:

Hi @travier I would like to get this merged rather sooner than later. Do we want to wait for @nullr0ute or maybe we can ask someone else?

@nullr0ute (Contributor) commented:

One thing I'm wondering here is about Fedora IoT. Is IoT using Anaconda for installations? Does it want to opt-out of this change? What do you think @nullr0ute?

Yes, we do use the anaconda installer (and in RHEL for Edge)

@nullr0ute (Contributor) commented:

Hi @travier I would like to get this merged rather sooner than later. Do we want to wait for @nullr0ute or maybe we can ask someone else?

Apologies for the late reply, got lost in my inbox, it's been a busy week.

@jkonecny12 (Member) commented:

One thing I'm wondering here is about Fedora IoT. Is IoT using Anaconda for installations? Does it want to opt-out of this change? What do you think @nullr0ute?

Yes, we do use the anaconda installer (and in RHEL for Edge)

Hi @nullr0ute, thanks for the reply, but the main question is whether you want to be opted out of this change or you agree to have /sysroot as ro? Honestly, I think it is a good practice to have it as ro, as it could prevent breakages.

@nullr0ute (Contributor) commented:

Hi @nullr0ute, thanks for the reply, but the main question is whether you want to be opted out of this change or you agree to have /sysroot as ro? Honestly, I think it is a good practice to have it as ro, as it could prevent breakages.

Agreed, we do not want to opt out, the more RO the better :)

@travier (Contributor, Author) commented Aug 10, 2022

Great! I'll add IoT in the Fedora change description and to the Fedora release notes.

@jkonecny12 (Member) commented Aug 10, 2022

In that case I'm merging this now. Thanks @travier and @nullr0ute for your input.
And mainly thanks for this change so I won't break my system again with restorecon -RFv / next time :D.

Labels: f37 (Fedora 37)
5 participants