Enabling composefs by default for Atomic Desktops, CoreOS and IoT
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
We want to enable composefs by default for Fedora Atomic Desktops, Fedora CoreOS and Fedora IoT. This makes the root mount of the system (/) a truly read-only filesystem, increasing system integrity and robustness. It is the first step toward full runtime verification of filesystem integrity.
This change will be enabled only for the Bootable Container images of Fedora Atomic Desktops and not the classic ostree ones.
Owner
- Jean-Baptiste Trystram, jbtrystram@redhat.com
- Timothée Ravier, siosm@fedoraproject.org
- Paul Whalen, pwhalen@fedoraproject.org
Detailed Description
Ostree based systems currently have /usr mounted as read-only and managed by ostree/rpm-ostree. The integrity of the content of /usr is only validated by ostree/rpm-ostree during updates and deployment operations, but not at "runtime". If a file is corrupted on disk (maliciously or not), it will only be detected if a full check is performed using ostree fsck.
On those systems, the runtime root (/) of the system is currently mounted as read-write but with the immutable bit set (chattr +i /) to prevent accidental modifications.
composefs is a new project that combines several existing filesystems (overlayfs, EROFS) to provide a very flexible mechanism to support read-only mountable filesystem trees, stacking on top of an underlying "lower" Linux filesystem.
Using composefs, it will no longer be possible to mutate the underlying file content that is part of the system (/usr) nor the layout of the root directory. Attempts to do so will result in I/O errors at the kernel level.
The content in /etc and /var will remain writable as it is today.
This change is part of the Fedora Bootable Containers Initiative. The bootc container images already enable composefs, so this change aligns the existing variants with the new Bootable Containers defaults.
It is tracked in:
- Fedora Atomic Desktops: Use composefs by default for Bootable Containers (#35) · Issues · fedora / Fedora Atomic Desktops / SIG Issue Tracker · GitLab
- Fedora CoreOS: Complete composefs integration in Fedora CoreOS · Issue #1718 · coreos/fedora-coreos-tracker · GitHub
- Fedora IoT: Enabling composefs by default in IoT (Fedora 41 Change) · Issue #52 · fedora-iot/iot-distro · GitHub
This is the first step toward full boot chain integrity, which will require signing the composefs metadata during composes and using Unified Kernel Images (UKI). See: document and support creating "sealed" base images (#14) · Issues · fedora / bootc / Issue Tracker · GitLab
As podman also uses composefs to store container layers, this enables deduplication of files between containers and the host. This will result in less disk usage, faster container startup and less memory use. See Add shared library/tool for managing backing store files · Issue #125 · containers/composefs · GitHub
Feedback
Nothing specific so far.
We have the following "known issues":
- Conflicts with ostree-grub2, which impacts Dual Boot support: grub2-mkconfig fail with composefs enabled · Issue #3198 · ostreedev/ostree · GitHub
  - We will remove ostree-grub2 from Fedora Atomic Desktops bootable container images
    - Related to: Changes/FedoraSilverblueBootupd - Fedora Project Wiki
    - We can do this now for the container images as they are not officially released for Fedora, and are generally newer, so it's more likely that the bootloader on those systems is already BLS capable.
  - We can not do this for "classic ostree" Atomic Desktops yet as we need a transition period with bootupd enabled by default before removing ostree-grub2.
    - However, with the recent Secure Boot issue (Boot fails with "vmlinuz has invalid signature" or "bad shim signature, you need to load the kernel first" · Issue #543 · fedora-silverblue/issue-tracker · GitHub) forcing everybody to manually update their bootloader, we might be able to shorten this transition period.
  - See for Dual Boot: Dual boot support for bootupd with static GRUB config installations · Issue #530 · fedora-silverblue/issue-tracker · GitHub
- No longer possible to create root level directories (chattr -i workaround):
  - Requires derivation, thus the container flow
  - Support empty toplevel mount points · Issue #337 · coreos/rpm-ostree · GitHub
  - Alternative: prepare-root: Add support for root.transient by cgwalters · Pull Request #3114 · ostreedev/ostree · GitHub
  - Might impact Podman Desktop for Fedora CoreOS. They will likely disable it until a solution is found.
- Issues with kdump:
Benefit to Fedora
This will increase the robustness of image based Fedora systems and prepare them for future increased security guarantees.
This will align the existing image based variants of Fedora (Atomic Desktops, CoreOS, IoT) with the work that is done as part of the Bootable Containers Initiative.
Scope
- Proposal owners:
  - Enable composefs in Atomic Desktops (bootable containers only)
  - Enable composefs in CoreOS
  - Enable composefs in IoT
- Other developers:
  - Applications doing disk-full checks on / will have to be updated to look at other places as / will be small (a few MB) and full (100% used).
- Release engineering: N/A (not needed for this Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy 2028:
  - Aligns with the goal: "Immutable variants are the majority of Fedora Linux in use"
Upgrade/compatibility impact
To be fleshed out
Early Testing (Optional)
Do you require "QA Blueprint" support? N
How To Test
- Make sure that you do not rely on Dual Boot support
- Make sure that your bootloader is recent enough to support BLS configs
  - If you don't know, update it using the instructions from Boot fails with "vmlinuz has invalid signature" or "bad shim signature, you need to load the kernel first" · Issue #543 · fedora-silverblue/issue-tracker · GitHub first
- Remove ostree-grub2 from the upcoming deployment: rpm-ostree override remove ostree-grub2
- Enable composefs: sudo ostree config set ex-integrity.composefs yes
- Update your system to a new version: rpm-ostree update
  - Or do a manual (re)deploy of the current version: sudo ostree admin deploy fedora/39/x86_64/silverblue
- Reboot into the new deployment
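The testing steps above, collected into one script. This is an added example and not part of the Change proposal or of ostree/rpm-ostree; it uses only the commands listed in the steps, echoes them instead of running them when DRY_RUN=1, and adds a post-reboot check that assumes a composefs root appears in findmnt as fstype "overlay" mounted with the "ro" option.

```shell
#!/bin/sh
# Added example (not from the Change proposal): drive the "How To Test"
# steps on an ostree-based Fedora system and verify the result after reboot.
# Usage:  DRY_RUN=1 sh enable-composefs.sh update    # print what would run
#         sh enable-composefs.sh update              # rebase via rpm-ostree update
#         sh enable-composefs.sh redeploy fedora/39/x86_64/silverblue
#         sh enable-composefs.sh verify              # run after the reboot
set -eu

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'dry-run: %s\n' "$*"
    else
        "$@"
    fi
}

# Decide from one line of `findmnt -no FSTYPE,OPTIONS /` whether the root is
# the read-only overlay that composefs provides. Assumption: the composefs root
# shows up as fstype "overlay" carrying the "ro" mount option. Returns 0 if so.
root_is_composefs() {
    fstype="${1%% *}"
    options="${1#* }"
    [ "$fstype" = "overlay" ] || return 1
    case ",$options," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Steps 3 to 5 of the procedure, in order. Steps 1 and 2 (no dual boot,
# BLS-capable bootloader) are manual checks the script cannot make for you.
enable_composefs() {
    mode="$1"
    # ostree-grub2 conflicts with composefs: drop it from the next deployment.
    run rpm-ostree override remove ostree-grub2
    # Turn composefs on in the ostree repository configuration.
    run sudo ostree config set ex-integrity.composefs yes
    # Produce a new deployment, either by updating or by redeploying a ref.
    case "$mode" in
        update)   run rpm-ostree update ;;
        redeploy) run sudo ostree admin deploy "$2" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    echo "Reboot into the new deployment, then run: $0 verify"
}

# Post-reboot check: the root must now be a read-only overlay.
verify() {
    if root_is_composefs "$(findmnt -no FSTYPE,OPTIONS /)"; then
        echo "composefs is active: / is a read-only overlay"
    else
        echo "composefs is NOT active on /" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then
    case "$1" in
        verify)   verify ;;
        redeploy) enable_composefs redeploy "${2:?ostree ref required}" ;;
        *)        enable_composefs "$1" ;;
    esac
fi
```

Run it once with DRY_RUN=1 to review the exact commands before letting it touch a deployment; the verify mode is the quickest way to confirm after reboot that / is really read-only rather than the old immutable-bit root.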
User Experience
The main visible change will be that the root filesystem (/) is now small and full (a few MB, 100% used). The real root is mounted in /sysroot and most of the data is stored in /var.
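Both the "Other developers" item in Scope and the paragraph above describe the same consequence for monitoring: a naive disk-full check will alarm on / forever. The script below is an added example, not code from the Change proposal or from any Fedora component; it reads `df -PT` output, skips the composefs root (assumption: it appears as fstype "overlay" at /), and reports the writable mounts such as /sysroot and /var that actually matter. The sample df output is constructed.

```shell
#!/bin/sh
# Added example (not from the Change proposal): a disk-full check that
# tolerates a composefs root. Real use:  df -PT | disk_full_targets 90

# Constructed sample of `df -PT` on a composefs-enabled system: / is tiny and
# 100% used by design, the real data lives on the /sysroot (and /var) device.
SAMPLE_DF='Filesystem     Type  1024-blocks     Used Available Capacity Mounted on
overlay        overlay       3072     3072         0     100% /
/dev/vda4      xfs       40000000 36800000   3200000      92% /sysroot
/dev/vda4      xfs       40000000 36800000   3200000      92% /var
/dev/vda3      ext4        996780   184348    743620      20% /boot
tmpfs          tmpfs       404128        0    404128       0% /run/user/1000'

# Print every mount point whose usage is at or above $1 percent, except the
# read-only composefs root. Assumption: that root is reported as fstype
# "overlay" at "/"; being full there is expected and not actionable.
disk_full_targets() {
    threshold="$1"
    while read -r source fstype blocks used avail capacity target; do
        # skip the df header line
        [ "$source" = "Filesystem" ] && continue
        # the composefs root is intentionally a few MB and 100% used
        if [ "$target" = "/" ] && [ "$fstype" = "overlay" ]; then
            continue
        fi
        capacity="${capacity%\%}"
        # ignore entries without a numeric capacity (e.g. "-")
        case "$capacity" in *[!0-9]*) continue ;; esac
        [ "$capacity" -ge "$threshold" ] && printf '%s\n' "$target"
    done
    return 0
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DF" | disk_full_targets 90
```

On the sample this reports /sysroot and /var and stays silent about /, which is the behaviour a monitoring check needs once composefs is the default; the same function works unchanged on the old immutable-bit layout, where / is an ordinary writable filesystem and is checked like any other.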
Dependencies
For the Atomic Desktops, this change depends on:
- Bootupd support:
CoreOS and IoT already do not depend on ostree-grub2.
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) Undo the change. It's a single line change in a configuration file.
- Contingency deadline: Beta Freeze / Release Freeze
- Blocks release? No
Documentation
To be written.
Release Notes
To be written once the change is accepted.
Last edited by @boredsquirrel 2024-06-27T23:23:17Z