From Fedora Project Wiki
mNo edit summary
mNo edit summary
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Enabling composefs by default for Atomic Desktops, CoreOS and IoT =
= Enabling composefs by default for CoreOS and IoT =


{{Change_Proposal_Banner}}


== Summary ==
== Summary ==


We want to enable composefs by default for Fedora Atomic Desktops, Fedora CoreOS and Fedora IoT. This makes the root mount of the system (`/`) a truly read only filesystem, increasing the system integrity and robustness. This is the first step toward a full ''at runtime'' verification of filesystem integrity.
We want to enable composefs by default for Fedora CoreOS and Fedora IoT. This makes the root mount of the system (`/`) a truly read only filesystem, increasing the system integrity and robustness. This is the first step toward a full ''at runtime'' verification of filesystem integrity.


This change will be enabled only for the Bootable Container images of Fedora Atomic Desktops and not the classic ostree ones.
<s>This change will be enabled only for the Bootable Container images of Fedora Atomic Desktops and not the classic ostree ones.</s>
 
This change is deferred to Fedora 42 for the Atomic Desktops. See the [https://fedoraproject.org/wiki/Changes/ComposefsAtomicDesktops new change page] and the [https://gitlab.com/fedora/ostree/sig/-/issues/35 tracking issue] for details.


== Owner ==
== Owner ==
Line 17: Line 18:
== Current status ==
== Current status ==


[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF41]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 33: Line 34:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* [Announced]
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/QXNKZD24XDKMTMQC3V6S4SDRHSUVCZJJ/ Announced]
* [<will be assigned by the Wrangler> Discussion thread]
* [https://discussion.fedoraproject.org/t/f41-change-proposal-enabling-composefs-by-default-for-atomic-desktops-coreos-and-iot-self-contained/123166 Discussion thread]
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/3240 #3240]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2305772 #2305772]
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>


Line 67: Line 68:


We have the following "known issues":
We have the following "known issues":
* Conflicts with `ostree-grub2`, which impacts Dual Boot support:
** https://github.com/ostreedev/ostree/issues/3198
** We will remove ostree-grub2 from Fedora Atomic Desktops bootable container images
** Related to: https://fedoraproject.org/wiki/Changes/FedoraSilverblueBootupd
** We can do this ''now'' for the container images as they are not officially released for Fedora, and generally ''newer'', so it's more likely that the bootloader on those systems are already BLS capable.
** We can not do this for "classic ostree" Atomic Desktops yet as we need a transition period with bootupd enabled by default before removing ostree-grub2.
** However with the recent Secure Boot issue (https://github.com/fedora-silverblue/issue-tracker/issues/543) forcing everybody to manually update their bootloader, we might be able to shorten this transition period.
** See for Dual Boot: https://github.com/fedora-silverblue/issue-tracker/issues/530
* No longer possible to create root level direcotries (`chattr -i` workaround):
* No longer possible to create root level direcotries (`chattr -i` workaround):
** Requires derivation, thus the container flow
** Requires derivation, thus the container flow
Line 90: Line 83:
This will increase the robustness of image based Fedora systems and prepare them for future increased security guarantees.
This will increase the robustness of image based Fedora systems and prepare them for future increased security guarantees.


This will align the existing image based variants of Fedora (Atomic Desktops, CoreOS, IoT) to the work that is done as part of the Bootable Containers Initiative.
This will align the existing image based variants of Fedora (<s>Atomic Desktops</s>, CoreOS, IoT) to the work that is done as part of the Bootable Containers Initiative.


<!-- What is the benefit to the distribution?  Will the software we generate be improved? How will the process of creating Fedora releases be improved?
<!-- What is the benefit to the distribution?  Will the software we generate be improved? How will the process of creating Fedora releases be improved?
Line 123: Line 116:


* Proposal owners:
* Proposal owners:
** Enable composefs in Atomic Desktops (bootable containers only)
** <s>Enable composefs in Atomic Desktops (bootable containers only)</s>
** Enable composefs in CoreOS
** Enable composefs in CoreOS
** Enable composefs in IoT
** Enable composefs in IoT
Line 160: Line 153:
* Make sure that you do not rely on Dual Boot support
* Make sure that you do not rely on Dual Boot support
* Make sure that you bootloader is recent enough to support BLS configs
* Make sure that you bootloader is recent enough to support BLS configs
** If you don't know, update it using the instructions from https://github.com/fedora-silverblue/issue-tracker/issues/543#issuecomment-2048350047 first
** If you don't know, update it using the instructions from https://fedoramagazine.org/manual-action-needed-to-resolve-boot-failure-for-fedora-atomic-desktops-and-fedora-iot/ first
* Remove `ostree-grub2` from the upcoming deployment: `rpm-ostree override remove ostree-grub2`
* Once your bootloader is updated and you have validated that you have "double" entries in the GRUB menu, follow the instructions from https://gitlab.com/fedora/ostree/sig/-/issues/35#note_1986555833
* Atomic Desktops only: Remove `ostree-grub2` from the upcoming deployment: `rpm-ostree override remove ostree-grub2`
* Enable composefs: `sudo ostree config set ex-integrity.composefs yes`
* Enable composefs: `sudo ostree config set ex-integrity.composefs yes`
* Update your system to a new version: `rpm-ostree update`
* Update your system to a new version: `rpm-ostree update`
Line 198: Line 192:
== Dependencies ==
== Dependencies ==


For the Atomic Desktops, this change depends on:
<s>For the Atomic Desktops, this change depends on:
* Bootupd support:
* Bootupd support:
** https://gitlab.com/fedora/ostree/sig/-/issues/1
** https://gitlab.com/fedora/ostree/sig/-/issues/1
** https://fedoraproject.org/wiki/Changes/FedoraSilverblueBootupd
** https://fedoraproject.org/wiki/Changes/FedoraSilverblueBootupd</s>


CoreOS and IoT already do not depends on `ostree-grub2`.
CoreOS and IoT already do not depends on `ostree-grub2`.

Revision as of 16:23, 26 August 2024

Enabling composefs by default for CoreOS and IoT

Summary

We want to enable composefs by default for Fedora CoreOS and Fedora IoT. This makes the root mount of the system (/) a truly read only filesystem, increasing the system integrity and robustness. This is the first step toward a full at runtime verification of filesystem integrity.

This change will be enabled only for the Bootable Container images of Fedora Atomic Desktops and not the classic ostree ones.

This change is deferred to Fedora 42 for the Atomic Desktops. See the new change page and the tracking issue for details.

Owner

Current status

Detailed Description

Ostree based systems currently have /usr mounted as read-only and managed by ostree/rpm-ostree. The integrity of the content of /usr is only validated by ostree/rpm-ostree during updates and deployment operations, but not at "runtime". If a file is corrupted on disk (maliciously or not), it will only be detected if a full check is performed using ostree fsck.

On those systems, the runtime root (/) of the system is currently mounted as read-write but with the immutable bit set (chattr +i /) to prevent accidental modifications.

composefs is a new project that combines several existing filesystems (overlayfs, EROFS) to provide a very flexible mechanism to support read-only mountable filesystem trees, stacking on top of an underlying "lower" Linux filesystem.

Using composefs, it will no longer be possible to mutate the underlaying file content that is part of the system (/usr) nor the layout of the root directory. It will result in I/O errors at the kernel level.

The content is /etc and /var will remain writtable as it is today.

This change is part of the Fedora Bootable Containers Initiative. The bootc container images already enable composefs thus this change is to align existing variants to the new Bootable Containers defaults.

It is tracked in:

This is the first step toward a full boot chain integrity, that will requiring signing the composefs metadata during composes and using Unified Kernel Images (UKI). See: https://gitlab.com/fedora/bootc/tracker/-/issues/14

As podman also use composefs to store containers layers, this enable deduplication of files between containers and host. This will result in less disk usage but also faster container startup and less memory use. See https://github.com/containers/composefs/issues/125

Feedback

Nothing specific so far.

We have the following "known issues":


Benefit to Fedora

This will increase the robustness of image based Fedora systems and prepare them for future increased security guarantees.

This will align the existing image based variants of Fedora (Atomic Desktops, CoreOS, IoT) to the work that is done as part of the Bootable Containers Initiative.


Scope

  • Proposal owners:
    • Enable composefs in Atomic Desktops (bootable containers only)
    • Enable composefs in CoreOS
    • Enable composefs in IoT
  • Other developers:
    • Applications doing disk-full checks on / will have to be updated to look at other places as / will be small (a few MB) and full (100% used).
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy 2028:
    • Aligns with the goal: "Immutable variants are the majority of Fedora Linux in use"

Upgrade/compatibility impact

To be fleshed out


Early Testing (Optional)

Do you require 'QA Blueprint' support? N

How To Test


User Experience

The main visible change will be that the root filesystem (/) is now small and full (a few MB, 100% used). The real root is mounted in /sysroot and most of the data is stored in /var.


Dependencies

For the Atomic Desktops, this change depends on:

CoreOS and IoT already do not depends on ostree-grub2.


Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) Undo the change. It's a single line change in a configuration file.
  • Contingency deadline: Beta Freeze / Release Freeze
  • Blocks release? No

Documentation

To be written.


Release Notes

To be written once the change is accepted.