How to address error when layering twingate package?

Hello, I am trying to install twingate on my Fedora Silverblue dekstop that I use for $work.

Here are the steps I followed:

$ rpm-ostree install -y 'dnf-command(config-manager)'

# reboot into new update

$ sudo dnf4 config-manager --add-repo https://packages.twingate.com/rpm/
# Adding repo from: https://packages.twingate.com/rpm/ 
$ sudo dnf4 config-manager --save --setopt=packages.twingate.com_rpm_.gpgcheck=0 
$ cat /etc/yum.repos.d/packages.twingate.com_rpm_.repo 
[packages.twingate.com_rpm_] 
name=created by dnf config-manager from https://packages.twingate.com/rpm/ 
baseurl=https://packages.twingate.com/rpm/ 
enabled=1 
gpgcheck=0 


# clear cached information 
$ rpm-ostree cleanup -m  

But at the last step things go wrong:

$ rpm-ostree install twingate
Checking out tree 018187f... done
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora copr:copr.fedorainfracloud.org:phracek:PyCharm rpmfusion-nonfree-nvidia-driver rpmfusion-nonfree-steam cursor windsurf packages.twingate.com_rpm_ updates-archive
Updating metadata for 'fedora-cisco-openh264'... done
Updating metadata for 'updates'... done
Updating metadata for 'fedora'... done
Updating metadata for 'copr:copr.fedorainfracloud.org:phracek:PyCharm'... done
Updating metadata for 'rpmfusion-nonfree-nvidia-driver'... done
Updating metadata for 'rpmfusion-nonfree-steam'... done
Updating metadata for 'cursor'... done
Updating metadata for 'windsurf'... done
Updating metadata for 'packages.twingate.com_rpm_'... done
Updating metadata for 'updates-archive'... done
Importing rpm-md... done
rpm-md repo 'fedora-cisco-openh264'; generated: 2025-03-05T10:45:56Z solvables: 6
rpm-md repo 'updates'; generated: 2026-01-21T01:07:22Z solvables: 20975
rpm-md repo 'fedora'; generated: 2025-10-23T03:37:20Z solvables: 77664
rpm-md repo 'copr:copr.fedorainfracloud.org:phracek:PyCharm'; generated: 2026-01-03T12:40:14Z solvables: 5
rpm-md repo 'rpmfusion-nonfree-nvidia-driver'; generated: 2025-12-19T13:26:34Z solvables: 17
rpm-md repo 'rpmfusion-nonfree-steam'; generated: 2025-12-15T14:49:42Z solvables: 1
rpm-md repo 'cursor'; generated: 2026-01-22T03:43:51Z solvables: 352
rpm-md repo 'windsurf'; generated: 2026-01-16T05:41:54Z solvables: 1
rpm-md repo 'packages.twingate.com_rpm_'; generated: 2026-01-13T18:55:09Z solvables: 364
rpm-md repo 'updates-archive'; generated: 2026-01-22T01:27:28Z solvables: 26236
Resolving dependencies... done
Will download: 1 package (9.9 MB)
Downloading from 'packages.twingate.com_rpm_'... done
Importing packages... done
Applying 2 overrides and 66 overlays
Processing packages... done
Running systemd-sysusers... done
Running pre scripts... done
Running post scripts... done
error: Running %post for twingate: bwrap(/bin/sh): Child process exited with code 1; run `journalctl -t 'rpm-ostree(twingate.post)'` for more information
$ journalctl -t 'rpm-ostree(twingate.post)'
Jan 22 13:07:59 fedora rpm-ostree(twingate.post)[12846]: mkdir: cannot create directory ‘/var/lib/twingate’: Read-only file system
Jan 22 13:07:59 fedora rpm-ostree(twingate.post)[12847]: chmod: cannot access '/var/lib/twingate': No such file or directory
Jan 22 13:07:59 fedora rpm-ostree(twingate.post)[12848]: mkdir: cannot create directory ‘/var/lib/twingate’: Read-only file system
Jan 22 13:07:59 fedora rpm-ostree(twingate.post)[12849]: chmod: cannot access '/var/lib/twingate/profiles': No such file or directory
Jan 22 13:07:59 fedora rpm-ostree(twingate.post)[12850]: chown: cannot access '/var/lib/twingate': No such file or directory
$ ls -la /var/lib/ | grep twingate
$

Any idea how to resolve this issue?

I’m not familiar with this package and don’t know what it’s supposed to be used for, but you could try installing it in a Toolbx container and see if it works as expected.

I have already looked into that. This package needs to be layered to work. No other installation method will work.

One thing that comes to mind is to build a sysext for it. See GitHub - fedora-sysexts/community: Sysexts built from various sources from the community.

This looks too experimental and at first glance I can’t even see how it would relate to my problem.

The twingate package appears to make some post installation changes that are incompatible with rpm-ostree systems. I am looking for a way to address that and successfully layer the package.

The /var directory is writable in Silverblue, these subdirectories can be created. So I’m not quite sure what the problem is with this package.

I m not sure the problem is with package. Though it is the first one to give me this problem. But it doesn’t install with the above error messages!

I m just looking for a way to address this. I ‘ve tried many things I m not mentioning here to keep context relevant but they were either totally wrong things to try or didn’t work.

Any package from the official Fedora repositories can be installed on Silverblue. We have an example of how to install a third-party package. You can try it if you haven’t already, but I don’t know if it will make any difference in this particular case.

Isn’t the process I followed equivalent to the one in the docs?

I guess so, it’s just the recommended way to add external package repositories.

On Atomic Desktops it is generally better to prefer using Toolbx/Podman containers over layering software. As I mentioned, I am not familiar with this software and I don’t know what it is supposed to be used for, nor if this container image is the same application you want to layer, but you can try twingate/connector - Docker Image.

It’s most likely not the one from my previous post, but rather this one:

It looks like the twingate RPM is using mkdir commands to create the directories it needs during the postinstall phase:

$ rpm -qp --scripts twingate-x86_64.rpm 
postinstall scriptlet (using /bin/sh): 
                                               
#!/bin/sh                                                                                      
                                               
if [ $1 -eq 1 ] ; then                                                                         
    # Initial installation
    systemctl --no-reload preset twingate.service &>/dev/null || :
elif [ $1 -eq 2 ] ; then                                                                       
    echo "Upgrading Twingate package..."                                                                                                                                                      
                                                                                                                                                                                              
    # Check if service is running before migration
    SERVICE_WAS_RUNNING=0
    if systemctl is-active --quiet twingate.service; then
        SERVICE_WAS_RUNNING=1
        twingate service-stop
    fi                                                                                                                                                                                        
                                                                                               
    twingate account migrate || echo "Warning: Migration failed, but continuing installation"
                                                                                               
    # Restart service if it was running before migration
    if [ "$SERVICE_WAS_RUNNING" -eq 1 ]; then
        twingate service-start
    fi
fi                    
                                               
# Create Twingate directories with proper permissions                                                                                                                                         
mkdir -p /var/lib/twingate                                                                     
chmod 0711 /var/lib/twingate                                                                   
mkdir -p /var/lib/twingate/profiles
chmod 01777 /var/lib/twingate/profiles   
chown -R root:root /var/lib/twingate
...

I believe I have seen issues with using mkdir in this phase of RPM installs on Atomic Desktops, but I can’t find any exact examples of this problem…

Regardless, you can try to pre-create this directories before you run rpm-ostree install to see if that would alleviate the problem. Ideally, the packaging of the RPM would be updated to use systemd tmpfiles.d snippets, but given the package appears to be closed-source, I’m not sure how receptive they would be to that kind of request.

I would second the suggestion from @hricky to experiment with the sysext approach. It can be use successfully to address problems with RPMs that do not install cleanly on Atomic Desktops. YMMV.

Indeed it is those commands that create the problem.

What I ended up doing was to use rpmrebuild and remove (comment out) those instructions. Then the package installed and after next boot I manually run the commands to create said folders.

ChatGPT said that /var/lib is read only in the compose sandbox, though I haven’t heard that term before to know if it’s real or hallucination.

I will keep in mind the sys-extensions thing but to be honest I m hesitant because it look like it is something that it’s in its early stages (ie more bleeding edge than leading edge) which mean higher maintenance burden. Will read up on it though to at least better understand what it is and what it provides.

I made a PR to make the syext: twingate: Add initial sysext by travier · Pull Request #31 · fedora-sysexts/community · GitHub. Not tested however.