Latest revision as of 17:04, 24 October 2024
Enabling composefs by default for CoreOS and IoT
Summary
We want to enable composefs by default for Fedora CoreOS and Fedora IoT. This makes the root mount of the system (/) a truly read-only filesystem, increasing system integrity and robustness. This is the first step toward full at-runtime verification of filesystem integrity.
[Struck through in the current revision:] This change will be enabled only for the Bootable Container images of Fedora Atomic Desktops and not the classic ostree ones.
This change is deferred to Fedora 42 for the Atomic Desktops. See the new change page (https://fedoraproject.org/wiki/Changes/ComposefsAtomicDesktops) and the tracking issue (https://gitlab.com/fedora/ostree/sig/-/issues/35) for details.
Owner
- Jean-Baptiste Trystram, jbtrystram@redhat.com
- Timothée Ravier, siosm@fedoraproject.org
- Paul Whalen, pwhalen@fedoraproject.org
Current status
- Targeted release: Fedora Linux 41
- Last updated: 2024-10-24
- Announced: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/QXNKZD24XDKMTMQC3V6S4SDRHSUVCZJJ/
- Discussion thread: https://discussion.fedoraproject.org/t/f41-change-proposal-enabling-composefs-by-default-for-atomic-desktops-coreos-and-iot-self-contained/123166
- FESCo issue: #3240
- Tracker bug: #2305772
- Release notes tracker: #125
Detailed Description
Ostree based systems currently have /usr mounted as read-only and managed by ostree/rpm-ostree. The integrity of the content of /usr is only validated by ostree/rpm-ostree during updates and deployment operations, but not at "runtime". If a file is corrupted on disk (maliciously or not), it will only be detected if a full check is performed using ostree fsck.
On those systems, the runtime root (/) of the system is currently mounted as read-write but with the immutable bit set (chattr +i /) to prevent accidental modifications.
composefs is a new project that combines several existing filesystems (overlayfs, EROFS) to provide a very flexible mechanism to support read-only mountable filesystem trees, stacking on top of an underlying "lower" Linux filesystem.
Using composefs, it will no longer be possible to mutate the underlying file content that is part of the system (/usr) nor the layout of the root directory. Attempts to do so result in I/O errors at the kernel level.
The content of /etc and /var will remain writable as it is today.
This change is part of the Fedora Bootable Containers Initiative. The bootc container images already enable composefs, thus this change is to align existing variants to the new Bootable Containers defaults.
It is tracked in:
- Fedora Atomic Desktops: https://gitlab.com/fedora/ostree/sig/-/issues/35
- Fedora CoreOS: https://github.com/coreos/fedora-coreos-tracker/issues/1718
- Fedora IoT: https://github.com/fedora-iot/iot-distro/issues/52
This is the first step toward full boot chain integrity, which will require signing the composefs metadata during composes and using Unified Kernel Images (UKI). See: https://gitlab.com/fedora/bootc/tracker/-/issues/14
As podman also uses composefs to store container layers, this enables deduplication of files between containers and host. This will result in less disk usage but also faster container startup and less memory use. See https://github.com/containers/composefs/issues/125
Feedback
Nothing specific so far.
We have the following "known issues":
- No longer possible to create root-level directories (chattr -i workaround):
  - Requires derivation, thus the container flow
  - https://github.com/coreos/rpm-ostree/issues/337
  - Alternative: https://github.com/ostreedev/ostree/pull/3114
- Might impact Podman Desktop for Fedora CoreOS. They will likely disable it until a solution is found.
- Issues with kdump:
Benefit to Fedora
This will increase the robustness of image based Fedora systems and prepare them for future increased security guarantees.
This will align the existing image based variants of Fedora (Atomic Desktops [struck through in the current revision], CoreOS, IoT) to the work that is done as part of the Bootable Containers Initiative.
Scope
- Proposal owners:
  - Enable composefs in Atomic Desktops (bootable containers only) [struck through in the current revision]
  - Enable composefs in CoreOS
  - Enable composefs in IoT
- Other developers:
  - Applications doing disk-full checks on / will have to be updated to look at other places, as / will be small (a few MB) and full (100% used).
- Release engineering: N/A (not needed for this Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy 2028:
  - Aligns with the goal: "Immutable variants are the majority of Fedora Linux in use"
Upgrade/compatibility impact
To be fleshed out
Early Testing (Optional)
Do you require 'QA Blueprint' support? N
How To Test
- Make sure that you do not rely on Dual Boot support
- Make sure that your bootloader is recent enough to support BLS configs
  - If you don't know, update it using the instructions from https://fedoramagazine.org/manual-action-needed-to-resolve-boot-failure-for-fedora-atomic-desktops-and-fedora-iot/ first
  - Once your bootloader is updated and you have validated that you have "double" entries in the GRUB menu, follow the instructions from https://gitlab.com/fedora/ostree/sig/-/issues/35#note_1986555833
- Atomic Desktops only: Remove ostree-grub2 from the upcoming deployment: rpm-ostree override remove ostree-grub2
- Enable composefs: sudo ostree config set ex-integrity.composefs yes
- Update your system to a new version: rpm-ostree update
  - Or do a manual (re)deploy of the current version: sudo ostree admin deploy fedora/39/x86_64/silverblue
- Reboot into the new deployment
User Experience
The main visible change will be that the root filesystem (/) is now small and full (a few MB, 100% used). The real root is mounted in /sysroot and most of the data is stored in /var.
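The disk-full note under Scope and the layout described above (a tiny, always-full / with the real root under /sysroot and data under /var) both affect monitoring; the following is an added example, not code from the change page or from the ostree/composefs projects, that classifies findmnt-style output so a disk-usage monitor treats a composefs root correctly. It assumes the composefs root shows fstype "overlay", and every mount line and usage figure is constructed.

```python
# Added example, not from the Fedora change page: classify mounts on an ostree host
# whose root (/) is a composefs overlay so a disk-full monitor watches /sysroot and
# /var instead of false-alarming on the always-full /.  All sample data is constructed.
from typing import Dict, List, NamedTuple

class Mount(NamedTuple):
    target: str
    fstype: str
    source: str

PSEUDO_FS = {"proc", "sysfs", "devtmpfs", "tmpfs", "cgroup2", "efivarfs", "bpf"}  # never hold user data

def parse_findmnt(text: str) -> List[Mount]:
    """Parse lines shaped like `findmnt -rno TARGET,FSTYPE,SOURCE`, one mount each."""
    rows = [line.split() for line in text.strip().splitlines()]
    return [Mount(r[0], r[1], r[2]) for r in rows if len(r) >= 3]

def root_is_composefs(mounts: List[Mount]) -> bool:
    """composefs presents / as an overlayfs mount while the real root stays
    reachable under /sysroot; require both before treating / as composefs (assumption)."""
    by_target = {m.target: m for m in mounts}
    root = by_target.get("/")
    return root is not None and root.fstype == "overlay" and "/sysroot" in by_target

def disk_full_targets(mounts: List[Mount]) -> List[str]:
    """Mount points worth checking for free space.  On a composefs host / is a few
    MB and always 100% used, so it is dropped; /sysroot and /var carry the data."""
    skip_root = root_is_composefs(mounts)
    return [m.target for m in mounts
            if m.fstype not in PSEUDO_FS and not (skip_root and m.target == "/")]

def usage_alerts(usage_pct: Dict[str, int], targets: List[str], threshold: int = 90) -> List[str]:
    """Watched mount points whose usage is at or above the threshold percent."""
    return [t for t in targets if usage_pct.get(t, 0) >= threshold]

# Constructed sample resembling a composefs-enabled Fedora CoreOS host.
SAMPLE_FINDMNT = """\
/        overlay composefs
/sysroot xfs     /dev/sda4
/boot    ext4    /dev/sda3
/var     xfs     /dev/sda4[/ostree/deploy/fedora-coreos/var]
/run     tmpfs   tmpfs
"""
SAMPLE_USAGE = {"/": 100, "/sysroot": 41, "/boot": 30, "/var": 41, "/run": 1}

if __name__ == "__main__":
    mounts = parse_findmnt(SAMPLE_FINDMNT)
    print("composefs root:", root_is_composefs(mounts))                             # True
    print("naive alerts:", usage_alerts(SAMPLE_USAGE, [m.target for m in mounts]))  # ['/']
    print("aware alerts:", usage_alerts(SAMPLE_USAGE, disk_full_targets(mounts)))   # []
```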
Dependencies
[Struck through in the current revision:] For the Atomic Desktops, this change depends on:
- Bootupd support:
  - https://gitlab.com/fedora/ostree/sig/-/issues/1
  - https://fedoraproject.org/wiki/Changes/FedoraSilverblueBootupd
CoreOS and IoT already do not depend on ostree-grub2.
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) Undo the change. It's a single line change in a configuration file.
- Contingency deadline: Beta Freeze / Release Freeze
- Blocks release? No
Documentation
For Fedora CoreOS: https://docs.fedoraproject.org/en-US/fedora-coreos/composefs/
Release Notes
On Fedora CoreOS and Fedora IoT systems, the root mount of the system (/) is now mounted using composefs, which makes it a truly read only filesystem, increasing the system integrity and robustness. This is the first step toward a full at runtime verification of filesystem integrity.