Treefile
--------
A "treefile" is a made-up term for a JSON-formatted specification used
as input to `rpm-ostree compose tree` to bind a "set of RPMs with
configuration" to an "OSTree commit".
It's recommended to keep treefiles in git, and to set up a CI system like
Jenkins to operate on them as they change.
A treefile supports the following parameters:
* `ref`: string, mandatory: Holds a string which will be the name of
the branch for the content.
* `gpg-key` (or `gpg_key`): string, optional: Key ID for GPG signing; the
secret key must be in the home directory of the building user. Defaults to
none.
* `repos`: array of strings, mandatory: Names of yum repositories to
use, from any files that end in `.repo`, in the same directory as
the treefile. `rpm-ostree compose tree` does not use the system
`/etc/yum.repos.d`, because it's common to want to compose a target
system distinct from the one the host system is running.
* `selinux`: boolean, optional: Defaults to `true`. If `false`, then
no SELinux labeling will be performed on the server side.
* `boot-location` (or `boot_location`): string, optional:
There are two possible values:
  * "new": A misnomer, this value is no longer "new". Kernel data
    goes in `/usr/lib/ostree-boot` in addition to `/usr/lib/modules`.
    This is the default; use it if you need to care about
    upgrading from very old versions of libostree.
  * "modules": Kernel data goes just in `/usr/lib/modules`. Use
    this for new systems, and systems that don't need to be upgraded
    from very old libostree versions.
* `etc-group-members`: Array of strings, optional: Unix groups in this
list will be stored in `/etc/group` instead of `/usr/lib/group`. Use
this option for groups that humans should be members of.
* `install-langs`: Array of strings, optional. This sets the RPM
`_install_langs` macro. Set this to e.g. `["en_US", "fr_FR"]`.
* `mutate-os-release`: String, optional. This causes rpm-ostree to
change the `VERSION` and `PRETTY_NAME` fields to include the ostree
version, and adds a specific `OSTREE_VERSION` key that can be easier
for processes to query than looking via ostree. The value of this
option is the base version string baked into `os-release`, which is
the string that gets replaced by the final OSTree version.
* `documentation`: boolean, optional. If this is set to `false`, it sets the RPM
transaction flag "nodocs", which makes yum/rpm not install files marked as
documentation. The default is `true`.
* `packages`: Array of strings, mandatory: Set of installed packages.
comps groups are currently not supported due to walters having issues with libcomps:
https://github.com/cgwalters/fedora-atomic-work/commit/36d18b490529fec91b74ca9b464adb73ef0ab462
* `packages-$basearch`: Array of strings, optional: Set of installed packages, used
only if `$basearch` matches the target architecture name.
* `exclude-packages`: Array of strings, optional: Each entry in this list is a package name
which will be filtered out. If a package listed in the manifest ("manifest package") indirectly hard-depends
on one of these packages, it will be a fatal error. If a manifest package recommends one
of these packages, the recommended package will simply be omitted. It is also a fatal
error to include a package both as a manifest package and in the blacklist.
An example use case for this is Fedora CoreOS, which blacklists the `python` and `python3`
packages to ensure that nothing included in the OS starts depending on them in the future.
* `ostree-layers`: Array of strings, optional: After all packages are unpacked,
check out these OSTree refs, which must already be in the destination repository.
Any conflicts with packages will be an error.
* `ostree-override-layers`: Array of strings, optional: Like `ostree-layers`, but any
files present in packages and prior layers will be silently overridden.
This is useful for development builds to replace parts of the base tree.
* `bootstrap_packages`: Array of strings, optional: Deprecated; you should
now just include this set in the main `packages` array.
* `recommends`: boolean, optional: Install `Recommends`, defaults to `true`.
* `units`: Array of strings, optional: Systemd units to enable by default.
* `default-target` (or `default_target`): String, optional: Set the default
systemd target.
* `initramfs-args`: Array of strings, optional. Passed to the
initramfs generation program (presently `dracut`). An example use
case for this with Dracut is `--filesystems xfs,ext4` to ensure
specific filesystem drivers are included. If not specified,
`--no-hostonly` will be used.
* `rpmdb`: String, optional: The RPM database backend. Can be one of
`bdb`, `ndb`, or `sqlite`. If unspecified, defaults to `bdb` for
compatibility.
* `cliwrap`: boolean, optional. Defaults to `false`. If enabled,
rpm-ostree will replace binaries such as `/usr/bin/rpm` with
wrappers that intercept unsafe operations, or adjust functionality.
The default is `false` out of conservatism; you likely want to enable this.
* `readonly-executables`: boolean, optional. Defaults to `false` (for backcompat).
If enabled, rpm-ostree will remove the write bit from all executables.
The default is `false` out of conservatism; you likely want to enable this.
* `remove-files`: Array, optional: Files to delete from the generated tree.
* `remove-from-packages`: Array, optional: Delete from the specified packages
the files which match the provided array of regular expressions.
This is safer than `remove-files` as it allows finer-grained control
with less risk of too-wide regular expressions.
Each array element is an array whose first member is a package name,
and subsequent members are regular expressions (compatible with JavaScript).
Example: `remove-from-packages: [["cpio", "/usr/share/.*"], ["dhclient", "/usr/lib/.*", "/usr/share/.*"]]`
Note this does not alter the RPM database, so `rpm -V` will complain.
* `preserve-passwd`: boolean, optional: Defaults to `true`. If enabled,
and `check-passwd` has a type other than `file`, copy the `/etc/passwd` (and
`/usr/lib/passwd`) files from the previous commit if they exist. If
`check-passwd` has the `file` type, then the data is preserved from that file to
`/usr/lib/passwd`.
This helps ensure consistent uid/gid allocations across builds. However, it
does mean that removed users will exist in the `passwd` database forever.
* `check-passwd`: Object, optional: Checks to run against the new passwd file
before accepting the tree. All the entries specified should exist (unless
ignored) and have the same values, or the compose will fail. There are four
types: `none` (for no checking), `previous` (to check against the passwd file in
the previous commit), `file` (to check against another passwd file), and `data`
(to specify the relevant passwd data in the JSON itself).
Note that if you choose `file`, and `preserve-passwd` is `true`, then the data will
be copied from the referenced file and not the previous commit.
Example: `check-passwd: { "type": "none" }`
Example: `check-passwd: { "type": "previous" }`
Example: `check-passwd: { "type": "file", "filename": "local-passwd" }`
Example: `check-passwd: { "type": "data", "entries": { "bin": 1, "adm": [3, 4] } }`
See also: `ignore-removed-users`
* `check-groups`: Object, optional: Checks to run against the new group file
before accepting the tree. All the entries specified should exist (unless
ignored) and have the same values, or the compose will fail. There are four
types: `none` (for no checking), `previous` (to check against the group file in
the previous commit), `file` (to check against another group file), and `data`
(to specify the relevant group data in the JSON itself).
Note that if you choose `file`, and `preserve-passwd` is `true`, then the data will
be copied from the referenced file and not the previous commit.
Example: `check-groups: { "type": "none" }`
Example: `check-groups: { "type": "previous" }`
Example: `check-groups: { "type": "file", "filename": "local-group" }`
Example: `check-groups: { "type": "data", "entries": { "bin": 1, "adm": 4 } }`
See also: `ignore-removed-groups`
* `ignore-removed-users`: Array, optional: Users to ignore if they are missing
in the new passwd file. If an entry of `*` is specified then any user can be
removed without failing the compose.
Example: `ignore-removed-users: ["avahi-autoipd", "tss"]`
* `ignore-removed-groups`: Array, optional: Groups to ignore if they are missing
in the new group file. If an entry of `*` is specified then any group can be
removed without failing the compose.
Example: `ignore-removed-groups: ["avahi"]`
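The following Python is an added example, not rpm-ostree's own code: it applies the `check-passwd` rule above to a new passwd file for both the `data` form and the `previous`/`file` form, honouring `ignore-removed-users` (including the `*` entry). It assumes that a bare integer in `entries` means a uid whose gid is the same number; the passwd lines are constructed sample data.

```python
from typing import Dict, Iterable, List, Tuple, Union

Entry = Tuple[int, int]  # (uid, gid)

def parse_passwd(text: str) -> Dict[str, Entry]:
    """Parse passwd(5) lines into {name: (uid, gid)}; blank lines are skipped."""
    users: Dict[str, Entry] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def expected_from_data(entries: Dict[str, Union[int, List[int]]]) -> Dict[str, Entry]:
    """Normalise a check-passwd "data" entries object. Assumption: a bare
    integer is a uid whose gid is the same number; an array is [uid, gid]."""
    out: Dict[str, Entry] = {}
    for name, val in entries.items():
        if isinstance(val, int):
            out[name] = (val, val)
        elif isinstance(val, list) and len(val) == 2:
            out[name] = (int(val[0]), int(val[1]))
        else:
            raise ValueError(f"bad entry for {name}: {val!r}")
    return out

def check_passwd(new_text: str, expected: Dict[str, Entry],
                 ignore_removed: Iterable[str] = ()) -> List[str]:
    """Every expected user must still exist with the same uid/gid unless it
    is listed in ignore-removed-users (or that list contains "*").
    Returns the problems found; an empty list means the compose may proceed."""
    ignore = set(ignore_removed)
    new = parse_passwd(new_text)
    problems: List[str] = []
    for name, (uid, gid) in sorted(expected.items()):
        if name not in new:
            if "*" in ignore or name in ignore:
                continue
            problems.append(f"user {name} (uid {uid}) was removed")
        elif new[name] != (uid, gid):
            problems.append(f"user {name}: expected uid/gid {uid}/{gid}, "
                            f"got {new[name][0]}/{new[name][1]}")
    return problems

# Constructed sample passwd data: the previous commit and the new tree,
# where "adm" changed its primary group and "tss" disappeared.
PREVIOUS_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
tss:x:59:59:TPM access:/dev/null:/sbin/nologin
"""
NEW_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:5:adm:/var/adm:/sbin/nologin
"""
```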
* `releasever`: String, optional: Used to set the librepo `$releasever` variable,
commonly used in yum repo files.
Example: `releasever: "26"`
* `automatic-version-prefix` (or `automatic_version_prefix`): String, optional:
Set the prefix for versions on the commits. The idea is that if the previous
commit on the branch doesn't match the prefix, or doesn't have a
version, then the new commit will have the version as specified. If the
prefix matches exactly, then we append ".1". Otherwise we parse the number
after the prefix, increment it by one, and then append that to the prefix.
A current date/time may also be passed through `automatic-version-prefix`,
by including a date tag in the prefix as such: `<date:format>`, where
`format` is a string with date formats such as `%Y` (year), `%m` (month), etc.
The full list of supported formats is [found in the GLib API](https://developer.gnome.org/glib/stable/glib-GDateTime.html#g-date-time-format).
Including a date/time format will automatically append a `.0` to
the version, if not present in the prefix, which resets to `.0` if
the date (or prefix) changes.
This means that on an empty branch with an `automatic-version-prefix`
of `"22"` the first three commits would get the versions: "22", "22.1",
"22.2". Some example progressions are shown:

| `automatic-version-prefix` | version progression |
| -------------------------- | ------------------------------------------ |
| `22` | 22, 22.1, 22.2, ... |
| `22.1` | 22.1.1, 22.1.2, 22.1.3, ... |
| `22.<date:%Y>` | 22.2019.0, 22.2019.1, 22.2020.0, ... |
| `22.<date:%Y>.1` | 22.2019.1.0, 22.2019.1.1, 22.2020.1.0, ... |

Example: `automatic-version-prefix: "22.0"`
* `automatic-version-suffix`: String, optional: This must be a single ASCII
character. The default value is `.`. Used by `automatic-version-prefix`.
For example, if you set this to `-` then `22` will become `22-1`, `22-2` etc.
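As an added example (not code from the rpm-ostree project), here is the version-increment rule for `automatic-version-prefix` above implemented in Python, including the `<date:format>` tag handling and the `automatic-version-suffix` character. `expand_prefix` uses Python's `strftime` as a stand-in for the GLib date formatter, and the two fixed clocks are constructed so the date-tag cases are reproducible.

```python
import re
from datetime import datetime
from typing import Optional

DATE_TAG = re.compile(r"<date:([^>]+)>")

def expand_prefix(prefix: str, now: datetime) -> str:
    """Substitute each <date:FORMAT> tag with the formatted time. strftime
    understands the %Y/%m/%d-style directives the text refers to."""
    return DATE_TAG.sub(lambda m: now.strftime(m.group(1)), prefix)

def next_version(prefix: str, previous: Optional[str], suffix: str = ".",
                 now: Optional[datetime] = None) -> str:
    """Version for the next commit given the previous commit's version
    (None for an empty branch), following the rules in the text."""
    if len(suffix) != 1 or not suffix.isascii():
        raise ValueError("automatic-version-suffix must be one ASCII character")
    now = now or datetime.now()
    has_date = DATE_TAG.search(prefix) is not None
    expanded = expand_prefix(prefix, now)
    # A date tag forces a trailing ".0", so the counter restarts whenever the
    # expanded prefix (i.e. the date) changes.
    base = expanded + suffix + "0" if has_date else expanded
    if previous is None or not previous.startswith(expanded):
        return base                       # no usable predecessor: start over
    if previous == expanded:
        return expanded + suffix + "1"    # exact match: append ".1"
    tail = previous[len(expanded):]
    if tail[0] != suffix or not tail[1:].isdigit():
        return base                       # e.g. prefix "22" vs previous "221"
    return expanded + suffix + str(int(tail[1:]) + 1)

# Constructed fixed clocks so the date-tag cases are reproducible.
Y2019 = datetime(2019, 1, 1)
Y2020 = datetime(2020, 1, 1)
```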
* `add-commit-metadata`: Map<String, Object>, optional: Metadata to inject as
part of composed commits. Keys inserted here can still be overridden at the
command line with `--add-metadata-string` or `--add-metadata-from-json`.
* `postprocess-script`: String, optional: Full filesystem path to a script
that will be executed in the context of the target tree. The script
will be copied into the target into `/tmp`, and run as a container
(a restricted chroot, with no network access). After execution is
complete, it will be deleted.
It is *strongly recommended* to avoid using this except as a last resort.
Having the system generated through RPMs allows administrators to understand
the inputs to the system. Any new files created through this mechanism will
not have the versioning inherent in RPM.
Only the script file will be copied in; thus if it has any dependencies
on data beyond what is in the target tree, you must embed them in the script
itself.
An example use for this is working around bugs in the input RPMs that are
hard to fix in stable releases.
Note this does not alter the RPM database, so `rpm -V` will complain.
If you want to depend on network access, or tools not in the target host,
you can use the split-up `rpm-ostree compose install`,
`rpm-ostree compose postprocess` and `rpm-ostree compose commit` commands.
* `postprocess`: array of strings, optional: This is an *inline* script
variant of `postprocess-script` that is also an array, so it works
correctly with inheritance. If both `postprocess-script` and `postprocess`
are provided, then `postprocess-script` will be executed after all
other `postprocess` scripts.
* `include`: string or array of strings, optional: Path(s) to treefiles which will be
used as an inheritance base. The semantics for inheritance are:
non-array values in the child override parent values; array
values are concatenated. Filenames will be resolved relative to
the including treefile. Since rpm-ostree 2019.5, this value may
also be an array of strings. Including the same file multiple times
is an error.
* `arch-include`: object (`Map<String, include>`), optional: Each member of this
object should be the name of a base architecture (`$basearch`), and the `include` value
functions the same as the `include` key above - it can be either
a single string, or an array of strings - and it has the same semantics.
Entries which match `arch-include` are processed after `include`.
Example (in YAML):
```yaml
arch-include:
  x86_64: bootloader-x86_64.yaml
  s390x:
    - bootloader-s390x.yaml
    - tweaks-s390x.yaml
```
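As an added illustration (not the project's implementation), this Python resolves `include` and `arch-include` with the semantics described above: arrays concatenate, other values override, arch entries are processed after the plain includes, paths resolve relative to the including file, and a file included twice is an error. The treefile contents are constructed and held in a dict that stands in for the directory of treefiles.

```python
import posixpath
from typing import Any, Dict, List, Optional, Union

Treefile = Dict[str, Any]

def merge(parent: Treefile, child: Treefile) -> Treefile:
    """Inheritance rule from the text: array values are concatenated (parent
    entries first); any other value in the child overrides the parent's."""
    merged = dict(parent)
    for key, value in child.items():
        if isinstance(value, list) and isinstance(merged.get(key), list):
            merged[key] = merged[key] + value
        else:
            merged[key] = value
    return merged

def _as_list(value: Union[str, List[str]]) -> List[str]:
    # `include` and each `arch-include` member may be a string or an array.
    return [value] if isinstance(value, str) else list(value)

def resolve(files: Dict[str, Treefile], path: str, basearch: str,
            seen: Optional[List[str]] = None) -> Treefile:
    """Expand `include` and `arch-include` for the treefile at `path`.
    `files` is a constructed in-memory stand-in for the directory (keyed by
    relative path). Included paths resolve relative to the including file;
    including a file more than once raises ValueError."""
    seen = [] if seen is None else seen
    path = posixpath.normpath(path)
    if path in seen:
        raise ValueError(f"{path} included more than once via {' -> '.join(seen)}")
    seen.append(path)
    tf = dict(files[path])
    includes = _as_list(tf.pop("include", []))
    # Entries matching $basearch are processed after the plain includes.
    includes += _as_list(tf.pop("arch-include", {}).get(basearch, []))
    base: Treefile = {}
    for name in includes:
        rel = posixpath.join(posixpath.dirname(path), name)
        base = merge(base, resolve(files, rel, basearch, seen))
    return merge(base, tf)

# Constructed sample treefiles (not from any real project).
FILES: Dict[str, Treefile] = {
    "base.yaml": {"ref": "example/base", "selinux": True,
                  "packages": ["kernel", "systemd"]},
    "arch/bootloader-x86_64.yaml": {"packages": ["grub2-efi-x64"]},
    "arch/bootloader-s390x.yaml": {"packages": ["s390utils-base"],
                                   "boot-location": "modules"},
    "host.yaml": {"ref": "example/host", "packages": ["NetworkManager"],
                  "include": "base.yaml",
                  "arch-include": {"x86_64": "arch/bootloader-x86_64.yaml",
                                   "s390x": ["arch/bootloader-s390x.yaml"]}},
    "dup.yaml": {"include": ["base.yaml", "base.yaml"]},
}

if __name__ == "__main__":
    print(resolve(FILES, "host.yaml", "x86_64"))
```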
* `container`: boolean, optional: Defaults to `false`. If `true`, then
rpm-ostree will not do any special handling of the kernel, initrd or the
`/boot` directory. This is useful if the target for the tree is some kind
of container which does not have its own kernel.
* `add-files`: Array, optional: Copy external files to the rootfs.
Each array element is an array, whose first member is the source
file name, and the second element is the destination name. The
source file must be in the same directory as the treefile.
Example: `"add-files": [["bar", "/usr/share/bar"], ["foo", "/lib/foo"]]`
Note that in the OSTree model, not all directories are managed by OSTree. In
short, only files in `/usr` (or UsrMove symlinks into `/usr`) and `/etc` are
supported. For more details, see the OSTree manual:
https://ostree.readthedocs.io/en/latest/manual/deployment/
* `tmp-is-dir`: boolean, optional: Defaults to `false`. By default,
rpm-ostree creates the symlink `/tmp` → `sysroot/tmp`. When set to `true`,
`/tmp` will be a regular directory, which allows the `systemd` unit
`tmp.mount` to mount it as `tmpfs`. It's more flexible to leave it
as a directory, and further, we don't want to encourage `/sysroot`
to be writable. For host system composes, we recommend turning this on;
it's left off by default to ease the transition.
* `machineid-compat`: boolean, optional: Defaults to `true`. By default,
rpm-ostree creates `/usr/etc/machine-id` as an empty file for historical
reasons. Set this to `false` to ensure it's not present at all. This
will cause systemd to treat the boot as a first boot (`ConditionFirstBoot=`
is satisfied), which implies running `systemctl preset-all` for example. This
requires booting the system with `rw` so that systemd can properly populate
`/etc/machine-id` and execute the presets at switchroot. When `machineid-compat`
is `false`, the `units` directive will no longer function. Instead, create a
`/usr/lib/systemd/system-presets/XX-example.preset` file as part of a package
or in the postprocess script.
Experimental options
--------
All options listed here are subject to change or removal in a future
version of `rpm-ostree`.
* `rojig`: Object, optional. Sub-keys are `name`, `summary`, `license`,
and `description`. Of those, `name` and `license` are mandatory.
* `lockfile-repos`: array of strings, optional: Semantically similar to
`repos`, but these repos will only be used to fetch packages locked
via lockfiles. This is useful when locked packages are kept
separately from the primary repos and one wants to ensure that
rpm-ostree will otherwise not select unlocked packages from them.