Move Fedora CoreOS updates from OSTree to OCI
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
Change Fedora CoreOS to receive updates from Quay instead of the Fedora OSTree repository.
Owner
- Name/Email: Jean-Baptiste Trystram, jbtrystram@redhat.com
- Name/Email: Timothée Ravier, siosm@fedoraproject.org
- Name/Email: Jonathan Lebon, jonathan@jlebon.com
- Name/Email: Dusty Mabe, dusty@dustymabe.com
Detailed Description
Currently, Fedora CoreOS hosts pull updates from the OSTree repository. With this change, the hosts will pull updates from the Quay.io container registry instead. At first, this should be a transparent change. We will notably keep using rpm-ostree for updates (and not yet bootc).
This is preliminary work to switching to bootc to manage the system and will enable us to deliver the following changes in the future:
- Moving from rpm-ostree to bootc, which only supports OCI.
- Better support for mirroring updates in disconnected setups.
- Moving away from maintaining a Cincinnati server towards having the graph live in an OCI registry alongside the update payload. This also allows users to maintain their own update graphs.
- Users will be able to create their own customized versions of Fedora CoreOS by building a derived container image.
Feedback
None yet.
Benefit to Fedora
Alignment with the work happening in the Bootable Containers initiative.
Scope
-
Proposal owners:
- Publish an upgrade graph containing the digest pullspec for each FCOS release. This mirrors the current update graph containing the same information, but pointing at OSTree commit checksums.
- Change new nodes on
nextto use OCI from the start. - After a number of FCOS releases, ship a migration script to switch existing
nextnodes to use OCI. - Repeat the last two steps for
testing, and thenstable. - Down the line, stop publishing new OSTree commits to the OSTree repo. This will not happen until at least f43.
-
Other developers: N/A (not needed for this Change)
-
Release engineering: N/A (not needed for this Change)
-
Policies and guidelines: N/A (not needed for this Change)
-
Trademark approval: N/A (not needed for this Change)
-
Alignment with the Fedora Strategy:
- Part of the work to align with Bootable Containers
Upgrade/compatibility impact
We will issue a barrier release to migrate users to switch to OCI images.
How To Test
Once the changes are ready, it will be possible to test it on the next stream before it gets rolled out there. This can be done by switching a next node from the OSTree remote to the OCI remote:
rpm-ostree rebase ostree-remote-image:fedora:registry:quay.io/fedora/fedora-coreos:$NEXT_VERSION
where $NEXT_VERSION is a tag for a next release that’s not the latest. Then, watch Zincati fetch the latest next release using OCI.
User Experience
This change won’t be visible to users running auto-updates, except cosmetic changes in rpm-ostree status output.
Contingency Plan
Revert the change to switch back to the OSTree repo. Both will be active until the Fedora 43 release.
Documentation
We will update the Fedora CoreOS documentation alongside the transition. This is currently tracked in: Move from OSTree to OCI for updates · Issue #1823 · coreos/fedora-coreos-tracker · GitHub.
Release Notes
Last edited by @amoloney 2025-01-15T22:37:28Z
Last edited by @amoloney 2025-01-15T22:37:28Z
instead of reiterating. You can even do this by email, by replying with the heart emoji or just “+1”. This will make long topics easier to follow.