5a0d3356ef
In FCOS we have a kola test that basically does `rpm -q python`. It's...a bit silly to spawn a whole VM for this. Ensuring that some specific packages don't get included has come up in a few cases. I think FCOS/RHCOS at least will want to blacklist `dnf` for example. And as noted above, FCOS could blacklist `python`. One major benefit of doing this inside rpm-ostree is that one gets the full "libsolv error message experience" when dependency resolution fails, e.g. blacklisting `glibc` I get: ``` Problem 79: conflicting requests - package coreos-installer-systemd-0.1.2-1.fc31.x86_64 requires coreos-installer = 0.1.2-1.fc31, but none of the providers can be installed - package coreos-installer-0.1.2-1.fc31.x86_64 requires rtld(GNU_HASH), but none of the providers can be installed - package glibc-2.30-10.fc31.x86_64 is filtered out by exclude filtering - package glibc-2.30-7.fc31.x86_64 is filtered out by exclude filtering - package glibc-2.30-8.fc31.x86_64 is filtered out by exclude filtering - package glibc-2.30-5.fc31.i686 is filtered out by exclude filtering - package glibc-2.30-5.fc31.x86_64 is filtered out by exclude filtering - package glibc-2.30-10.fc31.i686 is filtered out by exclude filtering ``` |
||
|---|---|---|
| .github | ||
| api-doc | ||
| bindgen | ||
| buildutil | ||
| ci | ||
| completion | ||
| design | ||
| docs | ||
| experiments-and-demos/skopeo2ostree | ||
| libdnf@4a7ab081ec | ||
| libglnx@5f3d352aa4 | ||
| man | ||
| packaging | ||
| rust | ||
| scripts | ||
| src | ||
| tests | ||
| vagrant | ||
| .cci.jenkinsfile | ||
| .dir-locals.el | ||
| .editorconfig | ||
| .gitmodules | ||
| .vimrc | ||
| autogen.sh | ||
| configure.ac | ||
| CONTRIBUTING.md | ||
| COPYING.GPL | ||
| COPYING.LGPL | ||
| git.mk | ||
| HACKING.md | ||
| LICENSE | ||
| Makefile-bash.am | ||
| Makefile-daemon.am | ||
| Makefile-decls.am | ||
| Makefile-extra.inc | ||
| Makefile-lib-defines.am | ||
| Makefile-lib.am | ||
| Makefile-libdnf.am | ||
| Makefile-libpriv.am | ||
| Makefile-man.am | ||
| Makefile-rpm-ostree.am | ||
| Makefile-tests.am | ||
| Makefile.am | ||
| mkdocs.yml | ||
| OWNERS | ||
| README.md | ||
| Vagrantfile | ||
rpm-ostree: A true hybrid image/package system
rpm-ostree combines libostree (an image system), with libdnf (a package system), bringing many of the benefits of both together.
+-----------------------------------------+
| |
| rpm-ostree (daemon + CLI) |
+------> <---------+
| | status, upgrade, rollback, | |
| | pkg layering, initramfs --enable | |
| | | |
| +-----------------------------------------+ |
| |
| |
| |
+-----------------|-------------------------+ +-----------------------|-----------------+
| | | |
| libostree (image system) | | libdnf (pkg system) |
| | | |
| C API, hardlink fs trees, system repo, | | ties together libsolv (SAT solver) |
| commits, atomic bootloader swap | | with librepo (RPM repo downloads) |
| | | |
+-------------------------------------------+ +-----------------------------------------+
For more information, see the online manual: Read The Docs (rpm-ostree)
Features:
- Transactional, background image-based (versioned/checksummed) upgrades
- OS rollback without affecting user data (
/usrbut not/etc,/var) via libostree - Client-side package layering (and overrides)
- Easily make your own:
rpm-ostree compose treeand CoreOS Assembler
Projects using rpm-ostree
The OSTree project is independent of distributions and agnostic to how content is delivered and managed; it's used today by e.g. Debian, Fedora, and OpenEmbedded derived systems among others. There are some examples in the OSTree github.
In contrast, rpm-ostree is intended to be tightly integrated with the Fedora ecosystem. Today it is the underlying update mechanism of Fedora CoreOS as well as its derivative RHEL CoreOS. It is also used by Fedora IoT and Fedora Silverblue.
Originally, it was productized as part of Project Atomic.
Why?
Package systems such as apt and yum are highly prevalent in Linux-based operating systems. The core premise of rpm-ostree is that image-based updates should be the default. This provides a high degree of predictability and resiliency. However, where rpm-ostree is fairly unique in the ecosystem is supporting client-side package layering and overrides; deeply integrating RPM as an (optional) layer on top of OSTree.
A good way to think of package layering is recasting RPMs as "operating system extensions", similar to how browser extensions work (although before those were sandboxed). One can use package layering for components not easily containerized, such as PAM modules, custom shells, etc.
Further, one can easily use rpm-ostree override replace to override the kernel or userspace components with the very same RPMs shipped to traditional systems. The Fedora project for example continues to only have one kernel build.
Layering and overrides are still built on top of the default OSTree engine - installing and updating client-side packages constructs a new filesystem root, it does not by default affect your booted root. This preserves the "image" nature of the system.
Manual
For more information, see the online manual: Read The Docs (rpm-ostree)
Talks and media
A number of Project Atomic talks are available; see for example this post which has a bigger collection that also includes talks on containers.
rpm-ostree specific talks:
- devconf.cz 2018: Colin Walters: Hybrid image/package OS updates with rpm-ostree slides
- devconf.cz 2018: Peter Robinson: Using Fedora and OSTree for IoT
License
rpm-ostree includes code licensed under GPLv2+, LGPLv2+, (Apache 2.0 OR MIT). For more information, see LICENSE.