ostree/man/ostree-prepare-root.xml

179 lines
9.0 KiB
XML
Raw Normal View History

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
SPDX-License-Identifier: LGPL-2.0+
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library. If not, see <https://www.gnu.org/licenses/>.
-->
<refentry id="ostree">
<refentryinfo>
<title>ostree prepare-root</title>
<productname>OSTree</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Colin</firstname>
<surname>Walters</surname>
<email>walters@verbum.org</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>ostree prepare-root</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>ostree-prepare-root</refname>
<refpurpose>Change the view of a mounted root filesystem to an ostree deployment</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>ostree prepare-root</command> <arg choice="req">TARGET</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
At its core, ostree operates on an existing mounted filesystem. Tooling such
as <literal>ostree admin deploy</literal> will create a new directory that can be
used as a bootable target. This tool is designed to run in an initramfs and
set up "remapping" mounts as a view into that filesystem.
</para>
<para>
As of more recently, this tool also has optional support for composefs, which
creates a distinct mount point layered on top of the underlying filesystem.
</para>
<para>
The most common pattern today is to use systemd in an initramfs. The systemd
unit shipped upstream is ordered in this way:
<literal>After=sysroot.mount</literal> and <literal>Before=initrd-root-fs.target</literal>
</para>
<para>
When it runs, the mounted filesystem at the provided <literal>TARGET</literal> (usually <literal>/sysroot</literal>)
will be changed such that what appears at <literal>/sysroot</literal> is actually the
"deployment root" - i.e. a particular versioned subdirectory. What was formerly the
"physical root" i.e. the real root of the filesystem will appear as <literal>/sysroot/sysroot</literal>.
</para>
<para>
For <literal>/var</literal>, by default a bind mount is created from the deployment root to <literal>/sysroot/var</literal>.
</para>
<para>
A read-only bind mount is created over <literal>/sysroot/usr</literal>. The immutable bit (see chattr(1)) is set on the deployment
root, so this provides basic protection for filesystem mutation. If the <literal>sysroot.readonly</literal>
option is enabled, then <literal>/sysroot/sysroot</literal> is mounted read-only to provide further protection and a writable bind mount for
<literal>/sysroot/etc</literal> is created.
</para>
<para>
Finally, when higher level tooling such as systemd performs a switch-root operation, what
was <literal>/sysroot</literal> becomes <literal>/</literal> and after the transition into
the real root, the system will be booted into the "deployment", which is a versioned immutable
filesystem tree. The ostree tooling running in the real root thereafter performs further changes
by operating on <literal>/sysroot</literal> which is now the "physical root".
</para>
</refsect1>
<refsect1>
<title>Configuration</title>
<para>
The <literal>/usr/lib/ostree/prepare-root.conf</literal> (or <literal>/etc/ostree/prepare-root.conf</literal>) config file is parsed by <literal>ostree-prepare-root</literal>. This file must
be present in the initramfs. The default dracut module will copy it from the real root if present.
</para>
<variablelist>
<varlistentry>
<term><varname>sysroot.readonly</varname></term>
<listitem><para>A boolean value; the default is <literal>false</literal> unless composefs is enabled. If this is set to <literal>true</literal>, then the <literal>/sysroot</literal> mount point is mounted read-only.</para></listitem>
</varlistentry>
<varlistentry>
Support transient /etc If the `prepare-root.conf` file contains: ``` [etc] transient=yes ``` Then during prepare-root, an overlayfs is mounted as /etc, with the upper dir being in /run. If composefs is used, the lower dir is `usr/etc` from the composefs image , or it is the deployed `$deploydir/usr/etc`. Note that for this to work with selinux, the commit must have been built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise the lowerdir (/usr/etc) will have the wrong selinux contexts for the final location of the mount (/etc). We also set the transient-etc key in the ostree-booted file, pointing it to the directory that is used for the overlayfs. There are some additional work happening in ostree-remount, mostly related to selinux (as this needs to happen post selinux policy load): * Recent versions of selinux-poliy have issues with the overlayfs mount being kernel_t, and that is not allowed to manage files as needed. This is fixed in https://github.com/fedora-selinux/selinux-policy/pull/1893 * Any /etc files created in the initramfs will not be labeled, because the selinux policy has not been loaded. In addition, the upper dir is on a tmpfs, and any manually set xattr-based selinux labels on those are reset during policy load. To work around this ostree-remount will relabel all files on /etc that have corresponding files in overlayfs upper dir. * During early boot, systemd mounts /run/machine-id on top of /etc/machine-id (as /etc is readonly). Later during boot, when etc is readwrite, systemd-machine-id-commit.service will remove the mount and update the real file under it with the right content. To ensure that this keeps working, we need to ensure that when we relabel /etc/machine-id we relabel the real (covered) file, not the temporary bind-mount. * ostree-remount no longer needs to remount /etc read-only in the transient-etc case. Signed-off-by: Alexander Larsson <alexl@redhat.com>
2023-09-29 13:37:22 +02:00
<term><varname>etc.transient</varname></term>
<listitem><para>A boolean value; the default is <literal>false</literal>. If this is set to <literal>true</literal>, then the <literal>/etc</literal> mount point is mounted transiently i.e. a non-persistent location.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>root.transient</varname></term>
<listitem><para>A boolean value; the default is <literal>false</literal>.
If this is set to <literal>true</literal>, then the <literal>/</literal> filesystem will be a writable <literal>overlayfs</literal>,
with the upper directory being a hidden directory (in the underlying system root filesystem) that will persist across reboots by default.
However, changes will <emphasis>be discarded</emphasis> on OS updates!
</para>
<para>
Enabling this option can be very useful for cases such as packages (dpkg/rpm/etc) that write content into <literal>/opt</literal>,
particularly where they expect the target to be writable at runtime. To make that work, ensure that your <literal>/opt</literal>
directory is *not* a symlink to <literal>/var/opt</literal>, but is just an empty directory.
</para>
<para>
Note the <literal>/usr</literal> mount point remains read-only by default. This option is independent of <literal>etc.transient</literal> and <literal>sysroot.readonly</literal>;
it is supported for example to have <literal>root.transient=true</literal> but <literal>etc.transient=false</literal> in which case changes to <literal>/etc</literal> continue
to persist across updates, with the default OSTree 3-way merge applied.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>composefs.enabled</varname></term>
<listitem><para>This can be <literal>yes</literal>, <literal>no</literal>. <literal>maybe</literal> or
<literal>signed</literal>. The default is <literal>maybe</literal>. If set to <literal>yes</literal> or
<literal>signed</literal>, then composefs is always used, and the boot fails if it is not
available. Additionally if set to <literal>signed</literal>, boot will fail if the image cannot be
validated by a public key. If set to <literal>maybe</literal>, then composefs is used if supported.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>composefs.keypath</varname></term>
<listitem><para>Path to a file with Ed25519 public keys in the initramfs, used if
<literal>composefs.enabled</literal> is set to <literal>signed</literal>. The default value for this is
<literal>/etc/ostree/initramfs-root-binding.key</literal>. For a valid signed boot the target OSTree
commit must be signed by at least one public key in this file, and the commitfs digest listed in the
commit must match the target composefs image.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>systemd</title>
<para>
As mentioned above, this tool comes with a systemd unit file <literal>ostree-prepare-root.service</literal>
and it is primarily expected to be invoked this way.
</para>
</refsect1>
<refsect1>
<title>Composefs</title>
<para>
The default for ostree is to create a plain hardlinked filesystem tree.
composefs support is currently experimental; see the upstream <literal>doc/composefs.md</literal>
for more information on using it.
</para>
</refsect1>
</refentry>