From Fedora Project Wiki
No edit summary
(updating change proposal)
 
(23 intermediate revisions by 7 users not shown)
Line 2: Line 2:
= Ostree Native Container (Phase 2, stable) =
= Ostree Native Container (Phase 2, stable) =


{{Change_Proposal_Banner}}
== Summary ==


== Summary ==
{{Change_Rejected_Banner}}


Continue the work done in https://fedoraproject.org/wiki/Changes/OstreeNativeContainer but in an officially stable format, and expanded to cover more OSTree-based editions.  This goes "all in" on being container-native and significantly changes the technology and user emphasis.
Continue the work done in https://fedoraproject.org/wiki/Changes/OstreeNativeContainer but in an officially stable format, and expanded to cover more OSTree-based editions.  This goes "all in" on being container-native and significantly changes the technology and user emphasis.
Line 10: Line 10:
== Owner ==
== Owner ==


* Name: [[User:walters| Colin Walters]]
* Name: [[User:walters| Colin Walters]], [[User:jmarrero| Joseph Marrero]], [[User:baude| Brent Baude]]
 
* Email: walters@verbum.org, jmarrero@fedoraproject.org, baude@fedoraproject.org
* Email: walters@verbum.org
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
-->
-->


== Current status ==
== Current status ==
Line 28: Line 26:
[[Category:SystemWideChange]]
[[Category:SystemWideChange]]


* Targeted release: [[Releases/38 | Fedora Linux 38 ]]  
* Targeted release: [[Releases/NN | Fedora Linux NN]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 36: Line 34:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3XZON2H73E7VH4O3HBI5N7U6DYIIYHWH/ devel thread]
* Tracker bug: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2883 #2883]
* Release notes tracker: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2151321 #2151321]
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/933 #933]


== Detailed Description ==
== Detailed Description ==


 
* rpm-ostree's functionality to [https://coreos.github.io/rpm-ostree/container/ boot and upgrade from Docker/OCI container images] is declared stable
* rpm-ostree's functionality to [boot and upgrade from Docker/OCI container images](https://coreos.github.io/rpm-ostree/container/) is declared stable
* Introduce [https://github.com/containers/bootc bootc] as a fresh new interface solely dedicated to this
* Rework Fedora editions and spins (CoreOS, IoT, Silverblue, Kinoite, etc) that use ostree to instead deliver via Docker/OCI container images
* Rework Fedora editions and spins (CoreOS, IoT, Silverblue, Kinoite, etc) that use ostree to instead deliver via Docker/OCI container images
* `rpm-ostree` is reworked to gain strong CLI compatibility with `yum/dnf` commands (cliwrap)
* `rpm-ostree` is reworked to gain strong CLI compatibility with `yum/dnf` commands (cliwrap)
* The new container native functionality is exposed via `dnf image`
* The new container native functionality is exposed via `bootc` (and `dnf image`)
* (TBD: Rebranding of rpm-ostree itself to `dnf-image` or something else)
* (TBD: Rebranding of rpm-ostree itself to `dnf-image` or something else)
* It is strongly encouraged to *build custom derivative container images* instead of per-machine state
* Support and documentation for generating derived images
* Support in Anaconda and other tools
* Support in Anaconda and other tools
* Support for generating bootable images
* Support for generating bootable images
Line 62: Line 61:
=== Stable Bootable OCI ===
=== Stable Bootable OCI ===


More information about this is available in [the rpm-ostree documentation](https://coreos.github.io/rpm-ostree/container/).  This Change highlights that this functionality is planned to be officially stable.
More information about this is available in [https://coreos.github.io/rpm-ostree/container/ the rpm-ostree documentation].  This Change highlights that this functionality is planned to be officially stable.


=== Changing to OCI over the wire ===
=== Changing to OCI over the wire ===
Line 68: Line 67:
Today Fedora has an OSTree repository that contains updates for editions such as Fedora CoreOS and Fedora Silverblue.
Today Fedora has an OSTree repository that contains updates for editions such as Fedora CoreOS and Fedora Silverblue.


These editions instead will become [OCI base images](https://github.com/opencontainers), available at e.g.
These editions instead will become [https://github.com/opencontainers OCI base images], available at e.g.


`quay.io/fedora/fedora-coreos:stable` ([this exists today](https://quay.io/repository/fedora/fedora-coreos)!)
* `quay.io/fedora/fedora-coreos:stable` ([https://quay.io/repository/fedora/fedora-coreos this exists today]!)
`quay.io/fedora/fedora-silverblue:stable`
* `quay.io/fedora/fedora-silverblue:38` (does not exist, but can soon)


An update will be shipped that will cause existing systems tracking the production ostree branches to be switched to the corresponding container image.  Concretely for example, a system running `fedora:fedora/36/x86_64/silverblue` will execute `rpm-ostree rebase ostree-remote-registry:fedora:quay.io/fedora/fedora-silverblue:36`.
An update will be shipped that will cause existing systems tracking the production ostree branches to be switched to the corresponding container image.  Concretely for example, a system running `fedora:fedora/36/x86_64/silverblue` will execute `rpm-ostree rebase ostree-remote-registry:fedora:quay.io/fedora/fedora-silverblue:36`.


Note that at the current time, Fedora does not sign container images.  This should change (likely to something based on [cosign](https://github.com/containers/skopeo/pull/1701)), but in the mean time, the ostree-container flow supports verifying the embedded ostree-baesd GPG signatures and this will continue to be used.
Note that at the current time, Fedora does not sign container images.  This should change (likely to something based on [https://github.com/containers/skopeo/pull/1701 cosign]), but in the mean time, the ostree-container flow supports verifying the embedded ostree-baesd GPG signatures and this will continue to be used.


The Fedora OSTree repository will become read-only and stop receiving updates.
The Fedora OSTree repository will become read-only and stop receiving updates.
Line 81: Line 80:
Note that for Fedora CoreOS specifically, there is some outstanding design discussion around the intersection with Cincinnati: https://github.com/coreos/fedora-coreos-tracker/issues/1263  
Note that for Fedora CoreOS specifically, there is some outstanding design discussion around the intersection with Cincinnati: https://github.com/coreos/fedora-coreos-tracker/issues/1263  


=== dnf/yum CLI compatibility ===
==== Wire efficiency ====


rpm-ostree has a feature called [cliwrap](https://coreos.github.io/rpm-ostree/cliwrap/) today.  A key motivation here is that in the switch to using containers as the frontend, the project name "rpm-ostree" (which is very literal) no longer makes sense.  A further emphasis on "container native" will strongly encourage writing e.g. a `Dockerfile` like this:
Today the container images generated by rpm-ostree are "chunked" in a reproducible fashion; for more information on this, see


* https://github.com/ostreedev/ostree-rs-ext/issues/69
* https://coreos.github.io/rpm-ostree/container/


```
However, longer term (as that first issue notes) we do want to add [https://github.com/containers/image/pull/902 container deltas].  Doing so will benefit non-host containers too.
 
 
=== bootc ===
 
[https://github.com/containers/bootc bootc] is a new project which provides a fresh new CLI (and soon, API) dedicated to managing bootable container images.  It does not depend on RPM (or policykit, etc.) and can be used on dedicated image-based systems.
 
=== rpm-ostree dnf/yum CLI compatibility ===
 
rpm-ostree has a feature called [https://coreos.github.io/rpm-ostree/cliwrap/ cliwrap] today.  A key motivation here is that in the switch to using containers as the frontend, the project name "rpm-ostree" (which is very literal) no longer makes sense.  A further emphasis on "container native" will strongly encourage writing e.g. a `Dockerfile` like this:
 
 
<pre>
FROM quay.io/fedora/fedora-silverblue:stable
FROM quay.io/fedora/fedora-silverblue:stable
RUN dnf -y install sway && ostree container commit
RUN dnf -y install sway && ostree container commit
```
</pre>


*Today*, one can spell this as `RUN rpm-ostree install -y sway && ostree container commit` - but a toplevel goal here is to allow host system customization using the same patterns and tools one uses to build application containers, and to de-emphasize the "ostree backend" aspect.
*Today*, one can spell this as `RUN rpm-ostree install -y sway && ostree container commit` - but a toplevel goal here is to allow host system customization using the same patterns and tools one uses to build application containers, and to de-emphasize the "ostree backend" aspect.
Line 97: Line 110:
For example:
For example:


```
 
<pre>
$ dnf image rebase quay.io/examplecorp/customos:latest
$ dnf image rebase quay.io/examplecorp/customos:latest
```
</pre>


As well as other offline/"image based" functionality such as `dnf image rollback` and `dnf image apply-live`.
As well as other offline/"image based" functionality such as `dnf image rollback` and `dnf image apply-live`.
Line 111: Line 125:
=== Rebranding of rpm-ostree ===
=== Rebranding of rpm-ostree ===


This is a fundamental change in technology *and* positioning for rpm-ostree (and for the projects that use it).  The terminology of "immutable" gets even fuzzier now (see also [this blog](https://blog.verbum.org/2020/08/22/immutable-%E2%86%92-reprovisionable-anti-hysteresis/)).
This is a fundamental change in technology *and* positioning for rpm-ostree (and for the projects that use it).  The terminology of "immutable" gets even fuzzier now (see also [https://blog.verbum.org/2020/08/22/immutable-%E2%86%92-reprovisionable-anti-hysteresis/ this blog]).


It would make sense to rebrand the project due to this.  No decision has been made on this, but the choices are:
It would make sense to rebrand the project due to this.  No decision has been made on this, but the choices are:
 
* Keep as is
- Keep as is
* Rebrand to dnf-image (or, reviving a past name, yum-image)
- Rebrand to dnf-image (or, reviving a past name, yum-image)
* Rebrand to something else
- Rebrand to something else


More: https://github.com/coreos/rpm-ostree/issues/405
More: https://github.com/coreos/rpm-ostree/issues/405


=== Encouraging building derivative containers ===
=== Support for building derivative containers ===


Until now, the model for systems like Fedora CoreOS and Silverblue etc. has included an emphasis on containerization, but avoiding extensive customization of the host system.  This will be weakened somewhat - it will be fully supported to build derivative operating system  images that in turn contain software which itself should run directly on the host system, and not in a container.
Until now, the model for systems like Fedora CoreOS and Silverblue etc. has included an emphasis on containerization, but avoiding extensive customization of the host system.  This will be weakened somewhat - it will be fully supported to build derivative operating system  images that in turn contain software which itself should run directly on the host system, and not in a container.
Line 133: Line 146:
It is not supported upstream to run the kubelet in a container image itself.  Today, for OpenShift 4 we embed the kubelet as part of the CoreOS builds.  The [https://www.okd.io/ OKD] project [https://github.com/openshift/okd-machine-os/blob/fa2248d332abc9926e68428dc6658e55ec6f350b/Dockerfile#L25 already installs kubelet during a container build] deriving from the base `fedora-coreos` image.  It is possible that RHEL CoreOS will make [https://github.com/openshift/os/issues/799 a similar split].
It is not supported upstream to run the kubelet in a container image itself.  Today, for OpenShift 4 we embed the kubelet as part of the CoreOS builds.  The [https://www.okd.io/ OKD] project [https://github.com/openshift/okd-machine-os/blob/fa2248d332abc9926e68428dc6658e55ec6f350b/Dockerfile#L25 already installs kubelet during a container build] deriving from the base `fedora-coreos` image.  It is possible that RHEL CoreOS will make [https://github.com/openshift/os/issues/799 a similar split].


=== Example 2: Agent software
=== Example 2: Agent software ===


Many organizations require agents (cloud agents, security scanners, antivirus) which are not ready to be containerized.  Often too, these tools come in e.g. RPM form, and also expect to be configured (remote logging server, etc.).  This tooling allows to `dnf install` these *and* embed the configuration, generating a standard Docker/OCI container image which can then be booted as an atomic unit.
Many organizations require agents (cloud agents, security scanners, antivirus) which are not ready to be containerized.  Often too, these tools come in e.g. RPM form, and also expect to be configured (remote logging server, etc.).  This tooling allows to `dnf install` these *and* embed the configuration, generating a standard container image which can then be booted as an atomic unit.


(Note that in the OpenShift context, we expect this to chain with the first example - users instead derive from a `okd-node-base` image which itself derives from `fedora-coreos`).
(Note that in the OpenShift context, we expect this to chain with the first example - users instead derive from a `okd-node-base` image which itself derives from `fedora-coreos`).


## Support in Anaconda and other tools
=== Example 3: Podman machine ===
 
The `[http://podman.io Podman]` project has a function called `[https://github.com/containers/podman/blob/main/docs/source/markdown/podman-machine.1.md machine]` where it creates a virtual machine and boots standard CoreOS builds. Podman developers and users has long desired a custom FCOS image that is focused on container deployment using Podman, including certain QEMU packages that allow for cross-architecture development. This approach will solve a series of problems including but not limited to getting more timely release alignment between Podman and FCOS.
 
We also have a user base that wants to customize the VM image based on restrictive environments ... bring your own virtual machine image.
 
=== Support in Anaconda and other tools ===


Anaconda support for custom images is tracked in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2125655
Anaconda support for custom images is tracked in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2125655

Latest revision as of 11:19, 18 September 2024

Ostree Native Container (Phase 2, stable)

Summary

This is a rejected Change proposal for Fedora Linux.
This document represents a proposed Change that has been rejected or withdrawn as part of the Changes process. This page is preserved for historical record.

Continue the work done in https://fedoraproject.org/wiki/Changes/OstreeNativeContainer but in an officially stable format, and expanded to cover more OSTree-based editions. This goes "all in" on being container-native and significantly changes the technology and user emphasis.

Owner

Current status

Detailed Description

  • rpm-ostree's functionality to boot and upgrade from Docker/OCI container images is declared stable
  • Introduce bootc as a fresh new interface solely dedicated to this
  • Rework Fedora editions and spins (CoreOS, IoT, Silverblue, Kinoite, etc) that use ostree to instead deliver via Docker/OCI container images
  • rpm-ostree is reworked to gain strong CLI compatibility with yum/dnf commands (cliwrap)
  • The new container native functionality is exposed via bootc (and dnf image)
  • (TBD: Rebranding of rpm-ostree itself to dnf-image or something else)
  • Support and documentation for generating derived images
  • Support in Anaconda and other tools
  • Support for generating bootable images


A top level goal is that users should not need to know or understand ostree (or rpm-ostree); they only need to know containers and most key functionality is exposed via the yum/dnf frontend with a few extensions.


Backwards compatibility

If you're a user of ostree today: no need to worry. Everything that works today in ostree and rpm-ostree will continue to work for years to come (it's shipped in RHEL9). However, it's expected that most users will find the new model sufficiently compelling to switch fairly quickly.

Stable Bootable OCI

More information about this is available in the rpm-ostree documentation. This Change highlights that this functionality is planned to be officially stable.

Changing to OCI over the wire

Today Fedora has an OSTree repository that contains updates for editions such as Fedora CoreOS and Fedora Silverblue.

These editions instead will become OCI base images, available at e.g.

  • quay.io/fedora/fedora-coreos:stable (this exists today!)
  • quay.io/fedora/fedora-silverblue:38 (does not exist, but can soon)

An update will be shipped that will cause existing systems tracking the production ostree branches to be switched to the corresponding container image. Concretely for example, a system running fedora:fedora/36/x86_64/silverblue will execute rpm-ostree rebase ostree-remote-registry:fedora:quay.io/fedora/fedora-silverblue:36.

Note that at the current time, Fedora does not sign container images. This should change (likely to something based on cosign), but in the mean time, the ostree-container flow supports verifying the embedded ostree-baesd GPG signatures and this will continue to be used.

The Fedora OSTree repository will become read-only and stop receiving updates.

Note that for Fedora CoreOS specifically, there is some outstanding design discussion around the intersection with Cincinnati: https://github.com/coreos/fedora-coreos-tracker/issues/1263

Wire efficiency

Today the container images generated by rpm-ostree are "chunked" in a reproducible fashion; for more information on this, see

However, longer term (as that first issue notes) we do want to add container deltas. Doing so will benefit non-host containers too.


bootc

bootc is a new project which provides a fresh new CLI (and soon, API) dedicated to managing bootable container images. It does not depend on RPM (or policykit, etc.) and can be used on dedicated image-based systems.

rpm-ostree dnf/yum CLI compatibility

rpm-ostree has a feature called cliwrap today. A key motivation here is that in the switch to using containers as the frontend, the project name "rpm-ostree" (which is very literal) no longer makes sense. A further emphasis on "container native" will strongly encourage writing e.g. a Dockerfile like this:


FROM quay.io/fedora/fedora-silverblue:stable
RUN dnf -y install sway && ostree container commit
  • Today*, one can spell this as RUN rpm-ostree install -y sway && ostree container commit - but a toplevel goal here is to allow host system customization using the same patterns and tools one uses to build application containers, and to de-emphasize the "ostree backend" aspect.

To complete this story on the client side, what is today called "ostree native containers" will be exposed via a new dnf image subcommand on the client system.

For example:


$ dnf image rebase quay.io/examplecorp/customos:latest

As well as other offline/"image based" functionality such as dnf image rollback and dnf image apply-live.

However, as many people know, rpm-ostree does today support "per-machine" package layering/overrides - and *that will continue to work*. So users are not *required* to do builds on a remote server even in "image mode".

Concretely, it will also work to sudo dnf -y install sway inside a root terminal on a Fedora Workstation for example. This will still be a transactional operation.

More: https://github.com/coreos/rpm-ostree/issues/2883

Rebranding of rpm-ostree

This is a fundamental change in technology *and* positioning for rpm-ostree (and for the projects that use it). The terminology of "immutable" gets even fuzzier now (see also this blog).

It would make sense to rebrand the project due to this. No decision has been made on this, but the choices are:

  • Keep as is
  • Rebrand to dnf-image (or, reviving a past name, yum-image)
  • Rebrand to something else

More: https://github.com/coreos/rpm-ostree/issues/405

Support for building derivative containers

Until now, the model for systems like Fedora CoreOS and Silverblue etc. has included an emphasis on containerization, but avoiding extensive customization of the host system. This will be weakened somewhat - it will be fully supported to build derivative operating system images that in turn contain software which itself should run directly on the host system, and not in a container.

A key aspect of this is that by generating a custom build, one binds together the code and configuration as a transactionally updatable unit.

The role of things like Kickstart, cloud-init, and Ignition and other system config management shrinks significantly.

Example 1: Kubernetes and kubelet

It is not supported upstream to run the kubelet in a container image itself. Today, for OpenShift 4 we embed the kubelet as part of the CoreOS builds. The OKD project already installs kubelet during a container build deriving from the base fedora-coreos image. It is possible that RHEL CoreOS will make a similar split.

Example 2: Agent software

Many organizations require agents (cloud agents, security scanners, antivirus) which are not ready to be containerized. Often too, these tools come in e.g. RPM form, and also expect to be configured (remote logging server, etc.). This tooling allows to dnf install these *and* embed the configuration, generating a standard container image which can then be booted as an atomic unit.

(Note that in the OpenShift context, we expect this to chain with the first example - users instead derive from a okd-node-base image which itself derives from fedora-coreos).

Example 3: Podman machine

The Podman project has a function called machine where it creates a virtual machine and boots standard CoreOS builds. Podman developers and users has long desired a custom FCOS image that is focused on container deployment using Podman, including certain QEMU packages that allow for cross-architecture development. This approach will solve a series of problems including but not limited to getting more timely release alignment between Podman and FCOS.

We also have a user base that wants to customize the VM image based on restrictive environments ... bring your own virtual machine image.

Support in Anaconda and other tools

Anaconda support for custom images is tracked in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2125655

But, as part of this Change, it should also work to generate an Anaconda ISO which allows *user choice* for whether to install in "image mode" or "traditional".

Support for generating bootable images

Instead of using an existing disk image/ISO (Anaconda, AWS AMI, etc.) and then doing an in-place update to a generated container image, in many cases will want to generate disk images using their container image as input.

For example, generating an ISO that embeds that container image as input and will install it.

In this proposal, we plan to ship a container image as part of Fedora CoreOS that will do this: https://github.com/coreos/fedora-coreos-tracker/issues/1151

But, it also makes sense to have a tool that e.g. does this and generates an Anaconda ISO (we will inherently be doing this as part of generating ostree-based Anaconda ISOs already!) - this would just be supporting that in a clear external way too. One likely target for this is osbuild and RHEL Image Builder.


Feedback

Benefit to Fedora

The need to understand ostree goes away for most users; they understand RPMs and containers. While retaining all the current (rpm-)ostree features.

Scope

  • Proposal owners:
  • Other developers:

May affect e.g. gnome-software and similar tools that talk to rpm-ostree.

  • Release engineering: [1]
  • Policies and guidelines: None.
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: None

Upgrade/compatibility impact

We will ship a systemd unit that transitions systems currently using OSTree on the wire over to tracking the corresponding container images. Note again, all features of rpm-ostree continue to work! For example, if you have layered packages, that will continue to be applied.

How To Test

Build container images, boot them.

User Experience

Users will not need to understand ostree (at least at a superficial level), only container images.

Dependencies

Needs improvements in Anaconda in some cases, also would like to increase alignment with dnf. Fetching container images uses skopeo, maintained by containers team.

Contingency Plan

  • Contingency mechanism: Continue to ship things the way we ship them today
  • Contingency deadline: Dunno
  • Blocks release? No

Documentation

https://coreos.github.io/rpm-ostree/container/ and https://github.com/coreos/coreos-layering-examples etc.

Release Notes