diff --git a/docs/composefs.md b/docs/composefs.md new file mode 100644 index 00000000..800103fa --- /dev/null +++ b/docs/composefs.md @@ -0,0 +1,50 @@ +--- +nav_order: 10 +--- + +# Using composefs with OSTree +{: .no_toc } + +1. TOC +{:toc} + +## composefs + +The [composefs](github.com/containers/composefs) project is a new +hybrid Linux stacking filesystem that provides many benefits when +used for bootable host systems, such as a strong story for integrity. + +At the current time, integration of composefs and ostree is experimental. +[This issue](https://github.com/ostreedev/ostree/issues/2867) tracks the latest status. + +### Enabling composefs (unsigned) + +When building a disk image *or* to transition an existing system, run: + +``` +ostree config --repo=/ostree/repo set ex-integrity.composefs yes +``` + +This will ensure that any future deployments (e.g. created by `ostree admin upgrade`) +have a `.ostree.cfs` file in the deployment directory which is a mountable +composefs metadata file, with a "backing store" directory also shared with the current `/ostree/repo/objects`. + +**IMPORTANT** The integration with composefs is experimental and subject to change. Please +try it and report issues but do not deploy to production systems yet. + +## Comparison with other approaches + +There is also support for using [IMA](ima.md) with ostree. In short, composefs +provides much stronger and more efficient integrity: + +- composefs validates an entire filesystem tree, not just individual files +- composefs makes files actually read-only, whereas IMA does not by default +- composefs uses fs-verity which does on-demand verification + +## Further references + +- https://github.com/containers/composefs +- https://www.kernel.org/doc/html/next/filesystems/fsverity.html + + + diff --git a/man/ostree.repo-config.xml b/man/ostree.repo-config.xml index 5e6d9d89..086829a2 100644 --- a/man/ostree.repo-config.xml +++ b/man/ostree.repo-config.xml 
@@ -425,7 +425,16 @@ License along with this library. If not, see . + + + [ex-integrity] Section Options + + + The "ex-" prefix here signifies experimental options. The ex-integrity section + contains options related to system integrity. Information about experimental + options is canonically found in upstream tracking issues. +
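Review bot: in the docs/composefs.md hunk, the composefs link is written as `[composefs](github.com/containers/composefs)` with no scheme, so the docs site will render it as a relative link under the current page; it should be `https://github.com/containers/composefs`, matching the form already used in "Further references". Two smaller points in the same file: the "Enabling composefs (unsigned)" heading is the only place "unsigned" appears, and nothing in the section says what the unsigned mode leaves out or what a signed mode would add, which matters given the introduction promises a "strong story for integrity"; one sentence after the `ostree config` command stating what is and is not verified in this mode would close that gap. The command also hardcodes `--repo=/ostree/repo` while the lead-in says "When building a disk image *or* to transition an existing system", so it is worth noting that the repo path differs when the target is an image being built rather than the running system. Finally, the file ends with several trailing blank `+` lines that can be dropped.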
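Review bot: the new `[ex-integrity] Section Options` section in man/ostree.repo-config.xml describes the section but lists no option, while the docs hunk tells users to set `ex-integrity.composefs yes`; the man page should carry an entry for the `composefs` key (boolean, with its default) so the two sources agree. The sentence "Information about experimental options is canonically found in upstream tracking issues" would also be more useful with the concrete issue the docs already cite, https://github.com/ostreedev/ostree/issues/2867, rather than pointing readers at tracking issues in general.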