# Using composefs with OSTree
{: .no_toc }
1. TOC
{:toc}
## composefs
The composefs project is a new hybrid Linux stacking filesystem that provides many benefits when used for bootable host systems, such as a strong story for integrity.
At the current time, integration of composefs and ostree is experimental. This issue tracks the latest status.
## Enabling composefs (unsigned)
When building a disk image or to transition an existing system, run:

```
ostree config --repo=/ostree/repo set ex-integrity.composefs yes
```

This will ensure that any future deployments (e.g. created by `ostree admin upgrade`) have a `.ostree.cfs` file in the deployment directory which is a mountable composefs metadata file, with a "backing store" directory also shared with the current `/ostree/repo/objects`.
**IMPORTANT** The integration with composefs is experimental and subject to change. Please try it and report issues but do not deploy to production systems yet.
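A small check that composefs is actually in effect after running the command above, as an added example (not part of the ostree docs or the ostree project): it reads the repo config directly and looks for the `.ostree.cfs` file in a deployment directory; the demo data at the bottom is constructed, not a real system.

```shell
#!/bin/sh
# Added example, not ostree project code: verify that composefs is enabled for
# a repo and present in a deployment. Paths are the ones the page names
# (/ostree/repo/config, <deployment>/.ostree.cfs).

# Return 0 if the [ex-integrity] group of an ostree repo config file sets
# composefs to yes/true. The file is parsed directly (GKeyFile syntax) so the
# check also works on an image inspected from another host; on a live system
# `ostree config --repo=/ostree/repo get ex-integrity.composefs` is equivalent.
composefs_enabled_in_config() {
    awk '
        /^\[/ { in_group = ($0 == "[ex-integrity]") }
        in_group && /^composefs *=/ {
            v = $0; sub(/^[^=]*= */, "", v); sub(/ *$/, "", v)
            if (v == "yes" || v == "true") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 if a deployment directory carries the composefs metadata image
# that ostree writes once the option is on.
deployment_has_composefs() {
    [ -f "$1/.ostree.cfs" ]
}

# Summarise both checks; returns 0 only when the repo option is set AND the
# given deployment was created with it (older deployments will lack the file).
composefs_status() {
    cfg="$1"; dep="$2"; rc=0
    if composefs_enabled_in_config "$cfg"; then echo "repo: ex-integrity.composefs=yes"
    else echo "repo: composefs NOT enabled"; rc=1; fi
    if deployment_has_composefs "$dep"; then echo "deployment: .ostree.cfs present"
    else echo "deployment: .ostree.cfs missing (deploy again after enabling)"; rc=1; fi
    return $rc
}

# Constructed demo data (not a real system): a repo config with the option set
# and a deployment dir that was created before the option was enabled.
demo=$(mktemp -d)
printf '[core]\nmode=bare\n\n[ex-integrity]\ncomposefs=yes\n' > "$demo/config"
mkdir -p "$demo/deploy"
composefs_status "$demo/config" "$demo/deploy" || echo "status: composefs not fully in effect"
rm -rf "$demo"
```

On a real system, point it at `/ostree/repo/config` and the current deployment directory under `/ostree/deploy/<stateroot>/deploy/`.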
## Comparison with other approaches
There is also support for using IMA with ostree. In short, composefs provides much stronger and more efficient integrity:
- composefs validates an entire filesystem tree, not just individual files
- composefs makes files actually read-only, whereas IMA does not by default
- composefs uses fs-verity which does on-demand verification