Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Complete composefs integration in Fedora CoreOS #1718

Closed
Tracked by #1726
travier opened this issue Apr 24, 2024 · 17 comments
Closed
Tracked by #1726

Complete composefs integration in Fedora CoreOS #1718

travier opened this issue Apr 24, 2024 · 17 comments
Assignees

Comments

@travier
Copy link
Member

travier commented Apr 24, 2024

Describe the enhancement

We should complete the integration of composefs in Fedora CoreOS. Composefs brings better security and potentially better performance (no need to create a deploy anymore).

Support for composefs already partially landed in ostree and coreos-assembler. Now we need to figure out the missing pieces, the integration and testing.

System details

All

Additional information

See:

@travier travier added kind/enhancement jira for syncing to jira labels Apr 24, 2024
@jlebon
Copy link
Member

jlebon commented Apr 24, 2024

Also see coreos/fedora-coreos-config#2856. I think essentially we need to pick up that PR and push it through to get it running in rawhide at least. But note coreos/fedora-coreos-config#2856 (comment):

A thing that this is known to break is the "chattr -i" hack for new toplevel dirs (xref coreos/rpm-ostree#337 )

What I don't know offhand is how problematic that will be in reality. My instinct says we can do this, but with a sufficiently loud announcement.

But note in the context of bootable containers, you can create whatever top-level directory you'd like at derivation time. The tricky bit is if you need to create dynamically named top-level directories. In that case... those use cases might need a tmpfs overlay on top (e.g. the rootfs.transient work, though ideally you could create the overlay, add your directories and then change the overlay back to read-only, but that'd need to be done from the initramfs I think).

@travier
Copy link
Member Author

travier commented Apr 24, 2024

Some edited notes from the meeting:

Composefs is a combination of filesystems (overlayfs, erofs) that creates an ostree like system without some of the downsides of ostree.

It also provides runtime integrity checks where ostree "only" provides offline integrity checks.

Combined with podman / container storage support, you can even gain disk space and memory de-duplication if your containers use the same binaries as your system. If we share the ostree/composefs repo with the podman system container store then we can de-dup the files with the same hash.

It also has potential (small) performance improvements for deployments/updates as you don't need to create an entire filesystem tree for /usr anymore for each version as those are fully stored as EROFS images. Ostree creates a hardlink farm for each deployment, but you can not hardlink folders and symlinks so you need to create the entire tree. With composefs, the filesystem hierarchy (mostly paths and metadata) is stored in the EROFS filesystem, which is a read only FS stored in a file. The file content remain in the ostree repo / composefs store. Compoefs uses overlayfs to reference the files stored in the ostree repo, via the filesystem stored as EROFS.

In the first phase AIUI, ostree will still create deployments anyway, but we would dynamically create the composefs image at boot.

@jbtrystram
Copy link
Contributor

Writing up some investigation I did today around signing the ostree commit with a key that we embed into initramfs to leverage composeFS validation.

We need to sign the ostree commit with an Ed25519 key, likely during the Build OSTree stage of the pipeline. At the moment i don't think we do that, looking at coreos-assembler/src/cmd-build.
Then we can embed the pubkey in initramfs and wire up things.

I initially thought that would interfere with the robosignatory step but after writing this up I don't think so. Still worth asking :)

https://ostreedev.github.io/ostree/composefs/#signatures

@travier
Copy link
Member Author

travier commented May 29, 2024

ostreedev/ostree#3256

@jbtrystram
Copy link
Contributor

jbtrystram commented May 29, 2024

initial experiment : coreos/coreos-assembler#3813

@travier
Copy link
Member Author

travier commented Jun 10, 2024

Draft change in https://fedoraproject.org/wiki/Changes/ComposefsAtomicCoreOSIoT

@jlebon
Copy link
Member

jlebon commented Jul 3, 2024

We discussed this in today's community meeting. One thing that came up was about how to roll this out to existing nodes.

Currently, as it's enabled via a /usr dropin, it would affect existing nodes and new installs simultaneously. If those could be decoupled, then we could e.g. let it bake even in stable for a month or two on new installs before enabling it for upgrading nodes.

Regardless of the approach, once this hits next, this should be part of our communications to raise awareness and invite testing.

@jlebon
Copy link
Member

jlebon commented Jul 11, 2024

xref: ostreedev/ostree#3277

@travier
Copy link
Member Author

travier commented Jul 17, 2024

This has been approved by FESCo: https://pagure.io/fesco/issue/3240

@jbtrystram
Copy link
Contributor

this is currently stuck on https://bugzilla.redhat.com/show_bug.cgi?id=2284097

@jbtrystram
Copy link
Contributor

The kdump issue should be resolved with rhkdump/kdump-utils#28

@travier
Copy link
Member Author

travier commented Sep 3, 2024

Documentation needed:

So it's probably best to make a dedicated page that would start by explaining quickly what composefs is about and would then discuss the details above.

We should also give a heads to the podman team and help them set things up to disable it for them.

@jbtrystram jbtrystram self-assigned this Sep 3, 2024
jbtrystram added a commit to jbtrystram/fedora-coreos-docs that referenced this issue Sep 4, 2024
We added composeFS starting in f41. Since it comes with a couple of
drawbacks let's document it and explain how to disable it.

coreos/fedora-coreos-tracker#1718 (comment)
coreos/fedora-coreos-config#3009
@jlebon
Copy link
Member

jlebon commented Sep 4, 2024

We should also give a heads to the podman team and help them set things up to disable it for them.

cc @baude @mheon

jbtrystram added a commit to jbtrystram/fedora-coreos-docs that referenced this issue Sep 4, 2024
We added composeFS starting in f41. Since it comes with a couple of
drawbacks let's document it and explain how to disable it.

coreos/fedora-coreos-tracker#1718 (comment)
coreos/fedora-coreos-config#3009
jbtrystram added a commit to jbtrystram/fedora-coreos-docs that referenced this issue Sep 5, 2024
We added composeFS starting in f41. Since it comes with a couple of
drawbacks let's document it and explain how to disable it.

coreos/fedora-coreos-tracker#1718 (comment)
coreos/fedora-coreos-config#3009
jbtrystram added a commit to jbtrystram/fedora-coreos-docs that referenced this issue Sep 6, 2024
We added composeFS starting in f41. Since it comes with a couple of
drawbacks let's document it and explain how to disable it.

coreos/fedora-coreos-tracker#1718 (comment)
coreos/fedora-coreos-config#3009
jbtrystram added a commit to coreos/fedora-coreos-docs that referenced this issue Sep 6, 2024
We added composeFS starting in f41. Since it comes with a couple of
drawbacks let's document it and explain how to disable it.

coreos/fedora-coreos-tracker#1718 (comment)
coreos/fedora-coreos-config#3009
@travier
Copy link
Member Author

travier commented Sep 9, 2024

@travier travier added the status/pending-testing-release Fixed upstream. Waiting on a testing release. label Sep 23, 2024
@travier travier added the status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. label Sep 23, 2024
@travier
Copy link
Member Author

travier commented Sep 23, 2024

The fix for this went into next stream release 41.20240916.1.0. Please try out the new release and report issues.

@travier travier closed this as completed Sep 23, 2024
@travier travier removed the status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. label Sep 23, 2024
@dustymabe
Copy link
Member

The fix for this went into testing stream release 41.20241027.2.0. Please try out the new release and report issues.

@dustymabe dustymabe added status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. and removed status/pending-testing-release Fixed upstream. Waiting on a testing release. labels Oct 29, 2024
@dustymabe
Copy link
Member

The fix for this went into stable stream release 41.20241027.3.0.

@dustymabe dustymabe removed the status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. label Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants