From Fedora Project Wiki

Enable read only /sysroot for Fedora Silverblue & Kinoite


This change is about enabling an opt-in ostree feature that re-mounts /sysroot as read only to avoid accidental changes.

Users and administrators are not expected to directly interact with the content available there and should instead use the interface offered by rpm-ostree, GNOME Software or (soon) Plasma Discover to manage their system.

This change applies to new and existing installations of Fedora Silverblue and Kinoite and only to new installations of Fedora IoT.


Current status

Detailed Description

On rpm-ostree based systems, the real root (the root directory of the root partition on the disk) is mounted under the /sysroot path. By default it contains the state of the system (the content of var and etc) as well as the system versions themselves (each versioned copy of /usr) in the ostree repository (/ostree/repo).

Example of issue:

This change replicates for Fedora Silverblue/Kinoite what has been done in Fedora CoreOS in a previous release.


None so far.

Benefit to Fedora

This will make Fedora Silverblue/Kinoite more robust to accidental damage from users.


  • Proposal owners:
    • Work on the changes requires for new installations (potentially Anaconda configuration changes) and support for in place updates for existing installations (requires a two step process).
  • Other developers:
    • Potential Anaconda changes required.
  • Release engineering: N/A
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

We will create a systemd unit that perform the updates in place for existing systems. This will require a two step process:

  1. Append rw to kernel arguments
  2. Enable the sysroot.readonly ostree feature

Once the feature is enabled, user won't be able to rollback to previous deployments where the kernel argument is not set. We will have to clearly document that in the documentation for easier troubleshooting.

To avoid that we can either:

  • unconditionally add the argument to all deployments. Slightly more risky as we won't benefit from the protection offered by rpm-ostree.
  • or have the transition script wait until all deployments have been updated. This will likely happen over one or two update for most users as we have two deployments by default.

Fedora Silverblue and Kinoite will update existing installations to read only. This script is not included in Fedora IoT thus only new installations will be set read only.

How To Test

Only try the following if you are comfortable debugging an un-bootable system and have made backups!

  1. $ sudo rpm-ostree kargs --append-if-missing=rw
  2. $ sudo ostree config --repo=/sysroot/ostree/repo set "sysroot.readonly" "true"
  3. $ sudo systemctl reboot

Note that you can not "rollback" to the previous deployment to undo this change. You will have to either manually append rw to the kernel command line if missing or boot into a Live ISO and edit the config file in the ostree repo to remove this config option.

User Experience

There should be no visible change in user experience.


Requires changes in Anaconda to set default kargs and property on ostree repo for new installations.

Contingency Plan

Revert the change before the release.


N/A (not a System Wide Change)

Release Notes