Enable read only /sysroot for Fedora Silverblue & Kinoite

Summary

This change is about enabling an opt-in ostree feature that re-mounts /sysroot as read only to avoid accidental changes.

Users and administrators are not expected to directly interact with the content available there and should instead use the interface offered by rpm-ostree, GNOME Software or (soon) Plasma Discover to manage their system.

Owner

• Name: Timothée Ravier, Tomáš Popela, Jiří Konečný
• Email: siosm@fedoraproject.org, tpopela@fedoraproject.org, jkonecny@redhat.com
• FESCo shepherd: Neal Gompa ngompa@fedoraproject.org

Current status

• Targeted release: Fedora Linux 37
• Last updated: 2022-01-25
• FESCo issue: <will be assigned by the Wrangler>
• Tracker bug: <will be assigned by the Wrangler>
• Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

On rpm-ostree based systems, the real root (the root directory of the root partition on the disk) is mounted under the /sysroot path. By default it contains the state of the system (the content of var and etc) as well as the system versions themselves (each versioned copy of /usr) in the ostree repository (/ostree/repo).

This change is about enabling an opt-in ostree feature that re-mounts /sysroot as read only to avoid accidental changes.

Users and administrators are not expected to directly interact with the content available there and should instead use the interface offered by rpm-ostree, GNOME Software or (soon) Plasma Discover to manage their system.

Example of issue: https://github.com/fedora-silverblue/issue-tracker/issues/232

This change replicates for Fedora Silverblue/Kinoite what has been done in Fedora CoreOS in a previous release.

Feedback

None so far.

Benefit to Fedora

This will make Fedora Silverblue/Kinoite more robust to accidental damage from users.

Scope

• Proposal owners:
  • Work on the changes requires for new installations (potentially Anaconda configuration changes) and support for in place updates for existing installations (requires a two step process).
• Other developers:
  • Potential Anaconda changes required.
• Release engineering: N/A
• Policies and guidelines: N/A (not needed for this Change)
• Trademark approval: N/A (not needed for this Change)
• Alignment with Objectives: N/A

Upgrade/compatibility impact

We will create a systemd unit that perform the updates in place for existing systems. This will require a two step process (changing the existing kernel arguments, and then enabling the ostree feature). Once the feature is enabled, user won't be able to rollback to previous deployments where the kernel argument is not set. We will have to clearly document that in the documentation for easier troubleshooting.

How To Test

Only try the following if you are confortable debugging an un-bootable system and have made backups!

$ sudo rpm-ostree kargs --append-if-missing=rw

$ sudo ostree config --repo=/sysroot/ostree/repo set "sysroot.readonly" "true"

$ sudo systemctl reboot

Note that you can not "rollback" to the previous deployment to undo this change. You will have to boot into a Live ISO and edit the config file in the ostree repo to remove this config option.

User Experience

There should be no visible change in user experience.

Dependencies

Requires changes in Anaconda (maybe just config?) to set default kargs and property on ostree repo for new installations.

Contingency Plan

Revert the change before the release.

Documentation

N/A (not a System Wide Change)

Release Notes

TODO