shaba/ostree
1
0
Fork 0
mirror of https://github.com/ostreedev/ostree.git synced 2025-01-06 17:18:25 +03:00
Code Issues Projects Releases Wiki Activity
f617a341f3
ostree/man/ostree-prepare-root.xml
Alexander Larsson f617a341f3 Support transient /etc 
If the `prepare-root.conf` file contains:
```
[etc]
transient=yes
```

Then during prepare-root, an overlayfs is mounted as /etc, with the
upper dir being in /run. If composefs is used, the lower dir is
`usr/etc` from the composefs image , or it is the deployed
`$deploydir/usr/etc`.

Note that for this to work with selinux, the commit must have been
built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise
the lowerdir (/usr/etc) will have the wrong selinux contexts for the
final location of the mount (/etc).

We also set the transient-etc key in the ostree-booted file, pointing it
to the directory that is used for the overlayfs.

There are some additional work happening in ostree-remount, mostly
related to selinux (as this needs to happen post selinux policy
load):

 * Recent versions of selinux-poliy have issues with the overlayfs
   mount being kernel_t, and that is not allowed to manage files as
   needed. This is fixed in
   https://github.com/fedora-selinux/selinux-policy/pull/1893

 * Any /etc files created in the initramfs will not be labeled,
   because the selinux policy has not been loaded. In addition, the
   upper dir is on a tmpfs, and any manually set xattr-based selinux
   labels on those are reset during policy load. To work around this
   ostree-remount will relabel all files on /etc that have
   corresponding files in overlayfs upper dir.

 * During early boot, systemd mounts /run/machine-id on top of
   /etc/machine-id (as /etc is readonly). Later during boot, when etc
   is readwrite, systemd-machine-id-commit.service will remove the
   mount and update the real file under it with the right content. To
   ensure that this keeps working, we need to ensure that when we
   relabel /etc/machine-id we relabel the real (covered) file, not the
   temporary bind-mount.

 * ostree-remount no longer needs to remount /etc read-only in the
   transient-etc case.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2023-10-12 17:03:22 +02:00

161 lines
7.3 KiB
XML
Raw Blame History

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
SPDX-License-Identifier: LGPL-2.0+
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library. If not, see <https://www.gnu.org/licenses/>.
-->
<refentry id="ostree">
<refentryinfo>
<title>ostree prepare-root</title>
<productname>OSTree</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Colin</firstname>
<surname>Walters</surname>
<email>walters@verbum.org</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>ostree prepare-root</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>ostree-prepare-root</refname>
<refpurpose>Change the view of a mounted root filesystem to an ostree deployment</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>ostree prepare-root</command> <arg choice="req">TARGET</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
At its core, ostree operates on an existing mounted filesystem. Tooling such
as <literal>ostree admin deploy</literal> will create a new directory that can be
used as a bootable target. This tool is designed to run in an initramfs and
set up "remapping" mounts as a view into that filesystem.
</para>
<para>
As of more recently, this tool also has optional support for composefs, which
creates a distinct mount point layered on top of the underlying filesystem.
</para>
<para>
The most common pattern today is to use systemd in an initramfs. The systemd
unit shipped upstream is ordered in this way:
<literal>After=sysroot.mount</literal> and <literal>Before=initrd-root-fs.target</literal>
</para>
<para>
When it runs, the mounted filesystem at the provided <literal>TARGET</literal> (usually <literal>/sysroot</literal>)
will be changed such that what appears at <literal>/sysroot</literal> is actually the
"deployment root" - i.e. a particular versioned subdirectory. What was formerly the
"physical root" i.e. the real root of the filesystem will appear as <literal>/sysroot/sysroot</literal>.
</para>
<para>
For <literal>/var</literal>, by default a bind mount is created from the deployment root to <literal>/sysroot/var</literal>.
</para>
<para>
A read-only bind mount is created over <literal>/sysroot/usr</literal>. The immutable bit is set on the deployment
root, so this provides basic protection for filesystem mutation. If the <literal>sysroot.readonly</literal>
option is enabled, instead a writable bind mount for <literal>/sysroot/etc</literal>, and everything else
is mounted read-only.
</para>
<para>
Finally, when higher level tooling such as systemd performs a switch-root operation, what
was <literal>/sysroot</literal> becomes <literal>/</literal> and after the transition into
the real root, the system will be booted into the "deployment", which is a versioned immutable
filesystem tree. The ostree tooling running in the real root thereafter performs further changes
by operating on <literal>/sysroot</literal> which is now the "physical root".
</para>
</refsect1>
<refsect1>
<title>Configuration</title>
<para>
The <literal>/usr/lib/ostree/prepare-root.conf</literal> (or <literal>/etc/ostree/prepare-root.conf</literal>) config file is parsed by <literal>ostree-prepare-root</literal>. This file must
be present in the initramfs. The default dracut module will copy it from the real root if present.
</para>
<variablelist>
<varlistentry>
<term><varname>sysroot.readonly</varname></term>
<listitem><para>A boolean value; the default is <literal>false</literal>. If this is set to <literal>true</literal>, then the <literal>/sysroot</literal> mount point is mounted read-only.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>etc.transient</varname></term>
<listitem><para>A boolean value; the default is <literal>false</literal>. If this is set to <literal>true</literal>, then the <literal>/etc</literal> mount point is mounted transiently i.e. a non-persistent location.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>composefs.enabled</varname></term>
<listitem><para>This can be <literal>yes</literal>, <literal>no</literal>. <literal>maybe</literal> or
<literal>signed</literal>. The default is <literal>maybe</literal>. If set to <literal>yes</literal> or
<literal>signed</literal>, then composefs is always used, and the boot fails if it is not
available. Additionally if set to <literal>signed</literal>, boot will fail if the image cannot be
validated by a public key. If set to <literal>maybe</literal>, then composefs is used if supported.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>composefs.keypath</varname></term>
<listitem><para>Path to a file with Ed25519 public keys in the initramfs, used if
<literal>composefs.enabled</literal> is set to <literal>signed</literal>. The default value for this is
<literal>/etc/ostree/initramfs-root-binding.key</literal>. For a valid signed boot the target OSTree
commit must be signed by at least one public key in this file, and the commitfs digest listed in the
commit must match the target composefs image.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>systemd</title>
<para>
As mentioned above, this tool comes with a systemd unit file <literal>ostree-prepare-root.service</literal>
and it is primarily expected to be invoked this way.
</para>
</refsect1>
<refsect1>
<title>Composefs</title>
<para>
The default for ostree is to create a plain hardlinked filesystem tree.
composefs support is currently experimental; see the upstream <literal>doc/composefs.md</literal>
for more information on using it.
</para>
</refsect1>
</refentry>
Reference in New Issue View Git Blame Copy Permalink