ostree/man/ostree-prepare-root.xml
2024-12-17 15:53:54 +00:00

196 lines
10 KiB
XML

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
SPDX-License-Identifier: LGPL-2.0+
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library. If not, see <https://www.gnu.org/licenses/>.
-->
<refentry id="ostree">
<refentryinfo>
<title>ostree prepare-root</title>
<productname>OSTree</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Colin</firstname>
<surname>Walters</surname>
<email>walters@verbum.org</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>ostree prepare-root</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>ostree-prepare-root</refname>
<refpurpose>Change the view of a mounted root filesystem to an ostree deployment</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>ostree prepare-root</command> <arg choice="req">TARGET</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
At its core, ostree operates on an existing mounted filesystem. Tooling such
as <literal>ostree admin deploy</literal> will create a new directory that can be
used as a bootable target. This tool is designed to run in an initramfs and
set up "remapping" mounts as a view into that filesystem.
</para>
<para>
As of more recently, this tool also has optional support for composefs, which
creates a distinct mount point layered on top of the underlying filesystem.
</para>
<para>
The most common pattern today is to use systemd in an initramfs. The systemd
unit shipped upstream is ordered in this way:
<literal>After=sysroot.mount</literal> and <literal>Before=initrd-root-fs.target</literal>
</para>
<para>
When it runs, the mounted filesystem at the provided <literal>TARGET</literal> (usually <literal>/sysroot</literal>)
will be changed such that what appears at <literal>/sysroot</literal> is actually the
"deployment root" - i.e. a particular versioned subdirectory. What was formerly the
"physical root" i.e. the real root of the filesystem will appear as <literal>/sysroot/sysroot</literal>.
</para>
<para>
For <literal>/var</literal>, by default a bind mount is created from the deployment root to <literal>/sysroot/var</literal>.
</para>
<para>
A read-only bind mount is created over <literal>/sysroot/usr</literal>. The immutable bit (see chattr(1)) is set on the deployment
root, so this provides basic protection for filesystem mutation. If the <literal>sysroot.readonly</literal>
option is enabled, then <literal>/sysroot/sysroot</literal> is mounted read-only to provide further protection and a writable bind mount for
<literal>/sysroot/etc</literal> is created.
</para>
<para>
Finally, when higher level tooling such as systemd performs a switch-root operation, what
was <literal>/sysroot</literal> becomes <literal>/</literal> and after the transition into
the real root, the system will be booted into the "deployment", which is a versioned immutable
filesystem tree. The ostree tooling running in the real root thereafter performs further changes
by operating on <literal>/sysroot</literal> which is now the "physical root".
</para>
</refsect1>
<refsect1>
<title>Configuration</title>
<para>
The <literal>/usr/lib/ostree/prepare-root.conf</literal> (or <literal>/etc/ostree/prepare-root.conf</literal>) config file is parsed by <literal>ostree-prepare-root</literal>. This file must
be present in the initramfs. The default dracut module will copy it from the real root if present.
</para>
<variablelist>
<varlistentry>
<term><varname>sysroot.readonly</varname></term>
<listitem><para>A boolean value; the default is <literal>false</literal> unless composefs is enabled. If this is set to <literal>true</literal>, then the <literal>/sysroot</literal> mount point is mounted read-only.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>etc.transient</varname></term>
<listitem><para>A boolean value; the default is <literal>false</literal>. If this is set to <literal>true</literal>, then the <literal>/etc</literal> mount point is mounted transiently i.e. a non-persistent location.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>root.transient</varname></term>
<listitem><para>A boolean value; the default is <literal>false</literal>.
If this is set to <literal>true</literal>, then the <literal>/</literal> filesystem will be a writable <literal>overlayfs</literal>,
with the upper directory being a hidden directory (in the underlying system root filesystem) that will persist across reboots by default.
However, changes will <emphasis>be discarded</emphasis> on OS updates!
</para>
<para>
Enabling this option can be very useful for cases such as packages (dpkg/rpm/etc) that write content into <literal>/opt</literal>,
particularly where they expect the target to be writable at runtime. To make that work, ensure that your <literal>/opt</literal>
directory is *not* a symlink to <literal>/var/opt</literal>, but is just an empty directory.
</para>
<para>
Note the <literal>/usr</literal> mount point remains read-only by default. This option is independent of <literal>etc.transient</literal> and <literal>sysroot.readonly</literal>;
it is supported for example to have <literal>root.transient=true</literal> but <literal>etc.transient=false</literal> in which case changes to <literal>/etc</literal> continue
to persist across updates, with the default OSTree 3-way merge applied.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>composefs.enabled</varname></term>
<listitem><para>This can be <literal>yes</literal>, <literal>no</literal>, <literal>maybe</literal>,
<literal>signed</literal>, or <literal>verity</literal>. The default is <literal>no</literal>.
If set to <literal>yes</literal>, <literal>signed</literal>, or <literal>verity</literal>,
then composefs is always used, and the boot fails if it is not available.
If set to <literal>signed</literal> or <literal>verity</literal>,
before the content of a file is read,
the integrity of its backing OSTree object is validated by the digest stored in the image.
Additionally, if set to <literal>signed</literal>, boot will fail if the image cannot be
validated by a public key.
Setting this to <literal>maybe</literal> is currently equivalent to <literal>no</literal>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>composefs.keypath</varname></term>
<listitem><para>Path to a file with Ed25519 public keys in the initramfs, used if
<literal>composefs.enabled</literal> is set to <literal>signed</literal>. The default value for this is
<literal>/etc/ostree/initramfs-root-binding.key</literal>. For a valid signed boot the target OSTree
commit must be signed by at least one public key in this file, and the commitfs digest listed in the
commit must match the target composefs image.</para></listitem>
</varlistentry>
</variablelist>
<para>
The following kernel commandline parameters are also parsed:
</para>
<variablelist>
<varlistentry>
<term><varname>ostree.prepare-root.composefs</varname></term>
<listitem><para>This accepts the same values as <literal>composefs.enabled</literal> above, and overrides the config file (if present).
For example, specifying <literal>ostree.prepare-root.composefs=0</literal> will disable composefs, even if it is enabled by default in the initrd config.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>systemd</title>
<para>
As mentioned above, this tool comes with a systemd unit file <literal>ostree-prepare-root.service</literal>
and it is primarily expected to be invoked this way.
</para>
</refsect1>
<refsect1>
<title>Composefs</title>
<para>
The default for ostree is to create a plain hardlinked filesystem tree.
composefs support is currently experimental; see the upstream <literal>doc/composefs.md</literal>
for more information on using it.
</para>
</refsect1>
</refentry>