Changing post-processing in treefile.json

There are some things being done by treefile.json in the postprocess section that I want to change. It seems I can’t edit the treefile.json directly.

What is the recommended process to either make changes to this file or add my own post-processing steps?

You’ll have to modify the source treefile.json and use it to build a customized OSTree image, instead of using the prebuilt one. See this blog post:

Custom OSTree images

Thank you for the link! So what I glean from that blog is that I create a custom treefile.json and run rpm-ostree compose tree against it to replace the old treefile?

Also, from what I understand, we are not supposed to call rpm-ostree directly since all this is managed by Zincati in FCOS. Will installing a new treefile mess up Zincati?

Thank you!

Hmm. Those are all excellent questions… that I do not know the answer to. That you even knew to ask them shows that your knowledge of the subject surpasses my own. :grinning:

I will offer this quote, from the CoreOS FAQ (which seems to be discouraging the practice of treefile manipulation/customization in general, as I read it — though I’m not sure what sort of changes you were thinking of making to the treefile, for your particular situation):

How do I run custom applications on Fedora CoreOS?

On Fedora CoreOS, containers are the way to install and configure any software not provided by the base operating system. The package layering mechanism provided by rpm-ostree will continue to exist for use in debugging a Fedora CoreOS machine, but we strongly discourage its use. For more about this, please refer to documentation.

Thanks @FeRDNYC and @dans for the discussion here.

The /usr/share/rpm-ostree/treefile.json that is on the Fedora CoreOS nodes is copied in during the build process when composing the original Fedora CoreOS artifacts. It is not used at all during upgrades. It simply represents the input to rpm-ostree compose tree when originally built.

I’ll break my answer into two parts:

  1. Composing a custom tree
  2. I don’t think you actually want a custom tree. Looks like you just want to enable password auth via SSH. Is that correct?

I don’t think you actually want a custom tree. Looks like you just want to enable password auth via SSH. Is that correct?

That is the immediate concern, but in general, it seems when a new tree is built the system runs those post-processing scripts. So the general question is, is there a way for me to either modify or run my own post-processing to prevent or undo post-processing actions.

I’m basing this on the observation when my system upgraded to the latest FCOS version, I got locked out of SSH via password auth.

Perhaps it was caused by something else. I will have to do some additional testing to nail down the cause.

Yes. When a compose happens in our build system those post-processing scripts are executed before the OSTree is committed into the repo. However, if you make any changes to files in /etc/ they persist. If you run sudo ostree admin config-diff you’ll see all the files that differ between /etc/ and /usr/etc (which represents what was delivered by the tree). If files are shown as modified in the output of config-diff then they won’t get changed even if the OSTree delivers a different version of that file.

Yeah I’d be interested in more investigation on that to understand exactly what is causing you to get locked out. I assume you’re modifying a file in /etc/, right?
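
The /etc behaviour described in the reply above, as an added example that is not part of the original thread or of OSTree's code: a simplified shell model of how local changes are carried across an upgrade. The function names, directory layout and file contents are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the /etc merge on upgrade (regular files only; no
# symlinks, modes or xattrs). Directory arguments are hypothetical stand-ins:
#   old = /usr/etc of the booted tree, cur = live /etc, new = /usr/etc of the update

# List local changes as "<A|M|D>    <path>", modelled on config-diff output.
etc_diff() {
    old=$1 cur=$2
    (cd "$cur" && find . -type f | sed 's|^\./||' | sort) | while IFS= read -r f; do
        if [ ! -f "$old/$f" ]; then echo "A    $f"
        elif ! cmp -s "$old/$f" "$cur/$f"; then echo "M    $f"
        fi
    done
    (cd "$old" && find . -type f | sed 's|^\./||' | sort) | while IFS= read -r f; do
        [ -f "$cur/$f" ] || echo "D    $f"
    done
}

# Build the updated deployment's /etc in $4: new defaults plus local changes.
merge_etc() {
    old=$1 cur=$2 new=$3 out=$4
    mkdir -p "$out" && cp -R "$new"/. "$out"/
    etc_diff "$old" "$cur" | while read -r status f; do
        case $status in
            A|M) mkdir -p "$out/$(dirname "$f")" && cp "$cur/$f" "$out/$f" ;;
            D)   rm -f "$out/$f" ;;
        esac
    done
}

# Constructed sample trees (not FCOS's real defaults).
t=$(mktemp -d)
mkdir -p "$t/old/ssh" "$t/cur/ssh" "$t/new/ssh"
echo "PasswordAuthentication no"  > "$t/old/ssh/sshd_config"
echo "PasswordAuthentication yes" > "$t/cur/ssh/sshd_config"   # edited locally
echo "PasswordAuthentication no"  > "$t/new/ssh/sshd_config"
echo "v1" > "$t/old/issue"; echo "v1" > "$t/cur/issue"         # untouched
echo "v2" > "$t/new/issue"
echo "node1" > "$t/cur/hostname"                               # added locally
echo "hi" > "$t/old/motd"; echo "hi" > "$t/new/motd"           # deleted locally

etc_diff "$t/old" "$t/cur"
merge_etc "$t/old" "$t/cur" "$t/new" "$t/out"
```

In the merged result the locally edited sshd_config keeps its local value while the untouched issue file takes the new tree's content. The same rule means a locally modified file never picks up a changed default from a newer tree, so the config-diff listing is worth reviewing after an update.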