From Fedora Project Wiki

Revision as of 16:23, 26 August 2024 by Siosm (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Enabling composefs by default for CoreOS and IoT

Summary

We want to enable composefs by default for Fedora CoreOS and Fedora IoT. This makes the root mount of the system (/) a truly read only filesystem, increasing the system integrity and robustness. This is the first step toward a full at runtime verification of filesystem integrity.

This change will be enabled only for the Bootable Container images of Fedora Atomic Desktops and not the classic ostree ones.

This change is deferred to Fedora 42 for the Atomic Desktops. See the new change page and the tracking issue for details.

Owner

Current status

Detailed Description

Ostree based systems currently have /usr mounted as read-only and managed by ostree/rpm-ostree. The integrity of the content of /usr is only validated by ostree/rpm-ostree during updates and deployment operations, but not at "runtime". If a file is corrupted on disk (maliciously or not), it will only be detected if a full check is performed using ostree fsck.

On those systems, the runtime root (/) of the system is currently mounted as read-write but with the immutable bit set (chattr +i /) to prevent accidental modifications.

composefs is a new project that combines several existing filesystems (overlayfs, EROFS) to provide a very flexible mechanism to support read-only mountable filesystem trees, stacking on top of an underlying "lower" Linux filesystem.

Using composefs, it will no longer be possible to mutate the underlaying file content that is part of the system (/usr) nor the layout of the root directory. It will result in I/O errors at the kernel level.

The content is /etc and /var will remain writtable as it is today.

This change is part of the Fedora Bootable Containers Initiative. The bootc container images already enable composefs thus this change is to align existing variants to the new Bootable Containers defaults.

It is tracked in:

This is the first step toward a full boot chain integrity, that will requiring signing the composefs metadata during composes and using Unified Kernel Images (UKI). See: https://gitlab.com/fedora/bootc/tracker/-/issues/14

As podman also use composefs to store containers layers, this enable deduplication of files between containers and host. This will result in less disk usage but also faster container startup and less memory use. See https://github.com/containers/composefs/issues/125

Feedback

Nothing specific so far.

We have the following "known issues":


Benefit to Fedora

This will increase the robustness of image based Fedora systems and prepare them for future increased security guarantees.

This will align the existing image based variants of Fedora (Atomic Desktops, CoreOS, IoT) to the work that is done as part of the Bootable Containers Initiative.


Scope

  • Proposal owners:
    • Enable composefs in Atomic Desktops (bootable containers only)
    • Enable composefs in CoreOS
    • Enable composefs in IoT
  • Other developers:
    • Applications doing disk-full checks on / will have to be updated to look at other places as / will be small (a few MB) and full (100% used).
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy 2028:
    • Aligns with the goal: "Immutable variants are the majority of Fedora Linux in use"

Upgrade/compatibility impact

To be fleshed out


Early Testing (Optional)

Do you require 'QA Blueprint' support? N

How To Test


User Experience

The main visible change will be that the root filesystem (/) is now small and full (a few MB, 100% used). The real root is mounted in /sysroot and most of the data is stored in /var.


Dependencies

For the Atomic Desktops, this change depends on:

CoreOS and IoT already do not depends on ostree-grub2.


Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) Undo the change. It's a single line change in a configuration file.
  • Contingency deadline: Beta Freeze / Release Freeze
  • Blocks release? No

Documentation

To be written.


Release Notes

To be written once the change is accepted.