Enable composefs #3009
Enable composefs #3009
Conversation
|
Why is it always kdump 😭 |
|
After chatting a bit with Coiby Xu I filed https://bugzilla.redhat.com/show_bug.cgi?id=2284097 |
|
Maybe related to the kdump failure : https://issues.redhat.com/browse/RHEL-35885 |
|
Tested this today locally : |
jbtrystram
force-pushed
the
enable_composefs
branch
2 times, most recently
from
b3d9f6e
to
1850843
Compare
|
Interesting failures (but making total sense) : I suppose this is because
Same here, |
|
Pushed some fixes which should help. |
|
Thanks ! |
|
Live ISO fails to boot with : From what I understand it's because in the composeFS path, ostree-prepare-root want to mount I guess the quickfix option here would be to disable composeFS on the live ISO, since it's already a read-only system anyway. We could add the @cgwalters WDYT ? Let's try |
|
This didn't work : okay, I just see now that this karg support was merged last week and not released yet |
Yes, or have the liveiso actually be built from a derived image/commit which drops the composefs config. |
|
I think we can use the karg in the short-term, but it's also awkward to work around this as a built-in karg in our official ISOs. Note that ISO kargs are highly visible because there are APIs to query and modify them. (And on that point, nothing actually prevents a user from deleting that karg. We could say "don't do that", but that's awkward UX.) I think this is basically another instance of ostreedev/ostree#1921 (which I've just retitled); so then ostree-prepare-root would detect that this is a live environment and just not even try to set up composefs there. |
jbtrystram
force-pushed
the
enable_composefs
branch
from
49c6b4a
to
51c0317
Compare
overlay.d/05core/usr/lib/dracut/modules.d/35coreos-live/ostree-cmdline.sh
Show resolved
Hide resolved
in the composeFS path, ostree-prepare-root want to mount /etc/ and /var as writeable, which cannot in the live iso environnement. Overriding the kernel command line to disable composeFS in that case. See ostreedev/ostree#1921 And coreos#3009 (comment)
jbtrystram
force-pushed
the
enable_composefs
branch
from
51c0317
to
51a5bef
Compare
In the composefs path, ostree-prepare-root want to mount /etc/ and /var as writeable, which cannot in the live iso environnement. Override the kernel command line to disable composefs in that case. See ostreedev/ostree#1921 and coreos#3009 (comment)
jlebon
force-pushed
the
enable_composefs
branch
from
51a5bef
to
3f47e4f
Compare
|
Sorry, I messed up the suggestion in #3009 (comment). It should've been |
|
Thanks @jlebon ! I am a bit embarrassed I didn't caught it 😅 |
Enabling composefs allow an increase in security by making the filesystem truly read-only. It's also a cornerstone towards a truly sealed system with full integrity checks at runtime. It will also allow storage deduplication between the host filesystem and the containers storage in the long run, which is a huge win: faster downloads and faster container startup times. A thing that this is known to break is the "chattr -i" hack for new toplevel dirs (xref coreos/rpm-ostree#337). Basically if you want that, you either need to make a derived image, or enable transient root. Ref: https://fedoraproject.org/wiki/Changes/ComposefsAtomicCoreOSIoT Co-authored-by: jbtrystram <jbtrystram@redhat.com>
We are trying to enable composeFS in rawhide and there is an issue where kdump fails to generate the initrd from boot. Manually trigerring the rebuild works but requires the extra manual step. Snoozing this test to let some time for the kdump team to investigate. Note that the kdump over SSH test works so we still have some coverage for kdump.
On composefs, / is now an overlay, so some of the commands that query `/` don't quite work. Tweak them to instead query `/sysroot`, which should still be the actual storage layer underneath the composefs mount that we really care about for these tests.
In the composefs path, ostree-prepare-root want to mount /etc/ and /var as writeable, which cannot in the live iso environnement. Override the kernel command line to disable composefs in that case. See ostreedev/ostree#1921 and coreos#3009 (comment)
jlebon
force-pushed
the
enable_composefs
branch
from
3f47e4f
to
3f3d65b
Compare
|
CI happy on rawhide. Retargeted testing-devel and approved. Will let someone else also stamp and merge. |
|
🎉 |
| @@ -51,3 +51,10 @@ | |||
| streams: | |||
| - rawhide | |||
| - branched | |||
| - pattern: ext.config.kdump.crash | |||
| tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2284097 | |||
There was a problem hiding this comment.
can you open an FCOS issue tracker ticket for this?
There was a problem hiding this comment.
We added composeFS starting in f41. Since it comes with a couple of drawbacks let's document it and explain how to disable it. coreos/fedora-coreos-tracker#1718 (comment) coreos/fedora-coreos-config#3009
We added composeFS starting in f41. Since it comes with a couple of drawbacks let's document it and explain how to disable it. coreos/fedora-coreos-tracker#1718 (comment) coreos/fedora-coreos-config#3009
We added composeFS starting in f41. Since it comes with a couple of drawbacks let's document it and explain how to disable it. coreos/fedora-coreos-tracker#1718 (comment) coreos/fedora-coreos-config#3009
We added composeFS starting in f41. Since it comes with a couple of drawbacks let's document it and explain how to disable it. coreos/fedora-coreos-tracker#1718 (comment) coreos/fedora-coreos-config#3009
We added composeFS starting in f41. Since it comes with a couple of drawbacks let's document it and explain how to disable it. coreos/fedora-coreos-tracker#1718 (comment) coreos/fedora-coreos-config#3009
rebased #2856 on rawhide
See: #2856 (comment)
See: coreos/fedora-coreos-tracker#1718