From Fedora Project Wiki

Revision comparison (edit summaries: "Update", "Add Fedora IoT mention"; 10 intermediate revisions by 2 users not shown). Compared with the earlier revision, the latest revision makes these changes:

  • Owner: adds Jiří Konečný (jkonecny@redhat.com) alongside Timothée Ravier (siosm@fedoraproject.org) and Tomáš Popela (tpopela@fedoraproject.org); the FESCo shepherd remains Neal Gompa (ngompa@fedoraproject.org).
  • Current status: the page category moves from ChangePageIncomplete to ChangeAcceptedF37, and the Wrangler placeholders are replaced with the devel thread (https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HRLDI5XSHXASSD7PMSGZQ4GLYJRRANNB/), FESCo issue #2767 (https://pagure.io/fesco/issue/2767), tracker bug #2060976 (https://bugzilla.redhat.com/show_bug.cgi?id=2060976) and release notes tracker #811 (https://pagure.io/fedora-docs/release-notes/issue/811).
  • Detailed Description: the bare issue link is expanded into an explanation of what /sysroot holds on rpm-ostree systems, with the issue kept as an example and a note that the change mirrors Fedora CoreOS.
  • Upgrade/compatibility impact: the two-step in-place transition, the rollback caveat, the two options for handling it and the Fedora IoT exception are filled in.
  • How To Test: "confortable" is corrected, the commands become a numbered list, and the closing note gains the option of manually appending rw to the kernel command line.
  • Dependencies: the Anaconda requirement is narrowed to new installations.


Latest revision as of 15:13, 21 August 2022

Enable read only /sysroot for Fedora Silverblue & Kinoite

Summary

This change is about enabling an opt-in ostree feature that re-mounts /sysroot as read only to avoid accidental changes.

Users and administrators are not expected to directly interact with the content available there and should instead use the interface offered by rpm-ostree, GNOME Software or (soon) Plasma Discover to manage their system.

This change applies to new and existing installations of Fedora Silverblue and Kinoite and only to new installations of Fedora IoT.

Owner

  • Name: Timothée Ravier, Tomáš Popela, Jiří Konečný
  • Email: siosm@fedoraproject.org, tpopela@fedoraproject.org, jkonecny@redhat.com
  • FESCo shepherd: Neal Gompa, ngompa@fedoraproject.org

Current status

  • Category: ChangeAcceptedF37
  • devel thread: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HRLDI5XSHXASSD7PMSGZQ4GLYJRRANNB/
  • FESCo issue: #2767 (https://pagure.io/fesco/issue/2767)
  • Tracker bug: #2060976 (https://bugzilla.redhat.com/show_bug.cgi?id=2060976)
  • Release notes tracker: #811 (https://pagure.io/fedora-docs/release-notes/issue/811)

Detailed Description

On rpm-ostree based systems, the real root (the root directory of the root partition on the disk) is mounted under the /sysroot path. By default it contains the state of the system (the content of var and etc) as well as the system versions themselves (each versioned copy of /usr) in the ostree repository (/ostree/repo).

Example of issue: https://github.com/fedora-silverblue/issue-tracker/issues/232

This change replicates for Fedora Silverblue/Kinoite what has been done in Fedora CoreOS in a previous release.

Feedback

None so far.


Benefit to Fedora

This will make Fedora Silverblue/Kinoite more robust to accidental damage from users.

Scope

  • Proposal owners:
    • Work on the changes required for new installations (potentially Anaconda configuration changes) and on support for in-place updates of existing installations (requires a two-step process).
  • Other developers:
    • Potential Anaconda changes required.
  • Release engineering: N/A
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

We will create a systemd unit that performs the update in place for existing systems. This will require a two-step process:

  1. Append rw to kernel arguments
  2. Enable the sysroot.readonly ostree feature

Once the feature is enabled, users won't be able to roll back to previous deployments where the kernel argument is not set. We will have to document that clearly for easier troubleshooting.

To avoid that we can either:

  • unconditionally add the argument to all deployments. Slightly more risky, as we won't benefit from the protection offered by rpm-ostree.
  • or have the transition script wait until all deployments have been updated. This will likely happen over one or two updates for most users, as we have two deployments by default.

Fedora Silverblue and Kinoite will update existing installations to read only. This script is not included in Fedora IoT, so only new installations of Fedora IoT will be set read only.
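The second option above (wait until every deployment carries `rw` before enabling `sysroot.readonly`) is easy to express as a check the transition unit can run at each boot. The script below is an added example, not the unit Fedora ships: it assumes that each deployment's kernel command line is recorded on the `options` line of a BLS entry under `/boot/loader/entries/*.conf` (the layout ostree uses), and it reuses the `rpm-ostree kargs --append-if-missing=rw` and `ostree config --repo=/sysroot/ostree/repo set sysroot.readonly true` commands from the How To Test steps. The sample BLS entries it creates are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not Fedora's own transition unit): only enable sysroot.readonly
# once every deployment's kernel command line contains `rw`, so that a rollback
# to an older deployment cannot land on a system that no longer boots.

# Return 0 when every *.conf in the given directory has `rw` on its "options"
# line; return 1 if any entry lacks it or if there are no entries at all.
all_entries_have_rw() {
    local dir="$1" conf opts found=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || return 1          # unmatched glob: no entries, not safe
        found=1
        # The BLS "options" line is that deployment's kernel command line.
        opts=$(awk '$1 == "options" { $1 = ""; print }' "$conf")
        case " $opts " in
            *" rw "*) ;;                    # whitespace-delimited rw present
            *) return 1 ;;                  # missing rw (or no options line): unsafe
        esac
    done
    [ "$found" -eq 1 ]
}

# Decide the next step of the two-step transition for the entries in $1.
# Prints "enable" when sysroot.readonly may be turned on, "wait" otherwise.
transition_step() {
    if all_entries_have_rw "$1"; then
        echo enable
    else
        echo wait
    fi
}

# Constructed sample entries (not real system files) for the demonstration:
# "mixed" has one deployment without rw, "ready" has rw everywhere.
make_sample_entries() {
    local dir="$1"
    mkdir -p "$dir/mixed" "$dir/ready"
    printf 'title Fedora\noptions root=UUID=EXAMPLE rw ostree=/ostree/boot.1/fedora/EXAMPLEHASH/0\n' \
        > "$dir/mixed/ostree-2-fedora.conf"
    printf 'title Fedora\noptions root=UUID=EXAMPLE ostree=/ostree/boot.1/fedora/EXAMPLEHASH/1\n' \
        > "$dir/mixed/ostree-1-fedora.conf"
    printf 'title Fedora\noptions root=UUID=EXAMPLE rw ostree=/ostree/boot.1/fedora/EXAMPLEHASH/0\n' \
        > "$dir/ready/ostree-2-fedora.conf"
    printf 'title Fedora\noptions root=UUID=EXAMPLE rw ostree=/ostree/boot.1/fedora/EXAMPLEHASH/1\n' \
        > "$dir/ready/ostree-1-fedora.conf"
}

if [ "${1:-}" = "--apply" ]; then
    # Real run (as root, from a systemd unit): either finish the transition or
    # make sure the next deployment gets rw and try again after the next update.
    case "$(transition_step /boot/loader/entries)" in
        enable)
            ostree config --repo=/sysroot/ostree/repo set sysroot.readonly true
            echo "sysroot.readonly enabled; reboot to apply"
            ;;
        wait)
            rpm-ostree kargs --append-if-missing=rw
            echo "rw appended to the new deployment; waiting for older deployments to age out"
            ;;
    esac
else
    # Stand-alone demonstration on the constructed entries.
    demo=$(mktemp -d)
    make_sample_entries "$demo"
    echo "mixed entries -> $(transition_step "$demo/mixed")"
    echo "all rw        -> $(transition_step "$demo/ready")"
    rm -rf "$demo"
fi
```

Run without arguments it only exercises the constructed entries; `--apply` is the branch a transition unit would call. Treating an entry without an `options` line, or an empty entries directory, as "wait" errs on the safe side: the unit simply retries on the next boot rather than enabling the read-only sysroot on an unverified system.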

How To Test

Only try the following if you are comfortable debugging an un-bootable system and have made backups!

  1. $ sudo rpm-ostree kargs --append-if-missing=rw
  2. $ sudo ostree config --repo=/sysroot/ostree/repo set "sysroot.readonly" "true"
  3. $ sudo systemctl reboot

Note that you cannot "rollback" to the previous deployment to undo this change. You will have to either manually append rw to the kernel command line if missing or boot into a Live ISO and edit the config file in the ostree repo to remove this config option.

User Experience

There should be no visible change in user experience.

Dependencies

Requires changes in Anaconda to set default kargs and property on ostree repo for new installations.

Contingency Plan

Revert the change before the release.

Documentation

N/A (not a System Wide Change)

Release Notes

TODO