Enable composefs #3009
Why is it always kdump 😭
After chatting a bit with Coiby Xu I filed https://bugzilla.redhat.com/show_bug.cgi?id=2284097
Maybe related to the kdump failure: https://issues.redhat.com/browse/RHEL-35885
Tested this today locally:
Interesting failures (but making total sense):
I suppose this is because
Same here,
Pushed some fixes which should help.
Thanks!
Live ISO fails to boot with:
From what I understand it's because in the composeFS path, ostree-prepare-root wants to mount I guess the quickfix option here would be to disable composeFS on the live ISO, since it's already a read-only system anyway. We could add the @cgwalters WDYT? Let's try
This didn't work:
Okay, I just see now that this karg support was merged last week and not released yet.
Yes, or have the live ISO actually be built from a derived image/commit which drops the composefs config.
I think we can use the karg in the short-term, but it's also awkward to work around this as a built-in karg in our official ISOs. Note that ISO kargs are highly visible because there are APIs to query and modify them. (And on that point, nothing actually prevents a user from deleting that karg. We could say "don't do that", but that's awkward UX.) I think this is basically another instance of ostreedev/ostree#1921 (which I've just retitled); so then ostree-prepare-root would detect that this is a live environment and just not even try to set up composefs there.
Nice, this looks sane to me. Obviously, the ostree-prepare-root cmdline bit is a massive hack, but it's not new either.
Once those changes are done and CI is happy, we can retarget the PR against testing-devel instead of creating a new one.
overlay.d/05core/usr/lib/dracut/modules.d/35coreos-live/ostree-cmdline.sh
In the composeFS path, ostree-prepare-root wants to mount /etc/ and /var as writeable, which it cannot do in the live ISO environment. Override the kernel command line to disable composeFS in that case. See ostreedev/ostree#1921 and coreos#3009 (comment)
Sorry, I messed up the suggestion in #3009 (comment). It should've been
Thanks @jlebon! I am a bit embarrassed I didn't catch it 😅
Enabling composefs allows an increase in security by making the filesystem truly read-only. It's also a cornerstone towards a truly sealed system with full integrity checks at runtime. It will also allow storage deduplication between the host filesystem and the containers storage in the long run, which is a huge win: faster downloads and faster container startup times. A thing that this is known to break is the "chattr -i" hack for new toplevel dirs (xref coreos/rpm-ostree#337). Basically if you want that, you either need to make a derived image, or enable transient root. Ref: https://fedoraproject.org/wiki/Changes/ComposefsAtomicCoreOSIoT Co-authored-by: jbtrystram <[email protected]>
We are trying to enable composeFS in rawhide and there is an issue where kdump fails to generate the initrd from boot. Manually triggering the rebuild works but requires the extra manual step. Snoozing this test to leave some time for the kdump team to investigate. Note that the kdump over SSH test works so we still have some coverage for kdump.
On composefs, / is now an overlay, so some of the commands that query `/` don't quite work. Tweak them to instead query `/sysroot`, which should still be the actual storage layer underneath the composefs mount that we really care about for these tests.
In the composefs path, ostree-prepare-root wants to mount /etc/ and /var as writeable, which it cannot do in the live ISO environment. Override the kernel command line to disable composefs in that case. See ostreedev/ostree#1921 and coreos#3009 (comment)
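To make the "query `/sysroot` instead of `/`" point from the test-tweak commit concrete, here is an added example, not code from this PR or from the FCOS test suite: a small POSIX shell script that parses `/proc/self/mountinfo` text, finds the filesystem type and per-mount options of a given mountpoint, picks `/sysroot` as the place to inspect the real storage layer when `/` is a composefs overlay, and checks that the root is actually mounted read-only, which is the security property the enabling commit relies on. The two mountinfo samples are constructed for illustration; the mount ids, device numbers, `/dev/vda4` and `DEPLOYHASH` are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the fedora-coreos-config PR or FCOS tests).
# On a composefs host "/" is an overlay, so questions asked about "/" (device,
# filesystem type) are answered by the overlay, not by the storage underneath.
# The functions below parse /proc/self/mountinfo text, pick the mount that
# really holds the deployment and verify the root is mounted read-only.
set -eu

# Constructed sample of /proc/self/mountinfo on a composefs-enabled host.
# Mount ids, device numbers, /dev/vda4 and DEPLOYHASH are illustrative only.
# Layout: ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional...] - FSTYPE SOURCE SUPEROPTS
SAMPLE_MOUNTINFO='22 1 0:21 / / ro,relatime - overlay overlay ro,lowerdir=/run/ostree/.private/cfsroot-lower::/sysroot/ostree/deploy/fedora-coreos/deploy/DEPLOYHASH.0,redirect_dir=on,metacopy=on
38 22 8:4 / /sysroot ro,relatime - xfs /dev/vda4 rw,seclabel,attr2,inode64
40 22 8:4 /ostree/deploy/fedora-coreos/var /var rw,relatime - xfs /dev/vda4 rw,seclabel,attr2,inode64
41 22 8:4 /ostree/deploy/fedora-coreos/deploy/DEPLOYHASH.0/etc /etc rw,relatime - xfs /dev/vda4 rw,seclabel,attr2,inode64'

# Constructed sample for a host without composefs: "/" is a bind of the deployment dir.
SAMPLE_MOUNTINFO_NOCFS='22 1 8:4 /ostree/deploy/fedora-coreos/deploy/DEPLOYHASH.0 / rw,relatime - xfs /dev/vda4 rw,seclabel
38 22 8:4 / /sysroot rw,relatime - xfs /dev/vda4 rw,seclabel'

# mount_fstype MOUNTINFO MOUNTPOINT -> filesystem type of MOUNTPOINT (the field
# right after the " - " separator), or nothing if MOUNTPOINT is not mounted.
# Spaces in paths are escaped as \040 in mountinfo, so whitespace splitting is safe.
mount_fstype() {
  printf '%s\n' "$1" | awk -v mp="$2" '
    $5 == mp { for (i = 6; i <= NF; i++) if ($i == "-") { print $(i + 1); exit } }'
}

# mount_opts MOUNTINFO MOUNTPOINT -> per-mount VFS options (e.g. "ro,relatime").
mount_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp { print $6; exit }'
}

# storage_query_target MOUNTINFO -> the path a test should inspect for the real
# storage layer: /sysroot when "/" is a composefs overlay, otherwise "/" itself.
storage_query_target() {
  if [ "$(mount_fstype "$1" /)" = overlay ]; then
    echo /sysroot
  else
    echo /
  fi
}

# is_readonly MOUNTINFO MOUNTPOINT -> exit status 0 when the mount carries the
# per-mount "ro" flag (what the VFS enforces, independent of the superblock opts).
is_readonly() {
  case ",$(mount_opts "$1" "$2")," in
    *,ro,*) return 0 ;;
    *)      return 1 ;;
  esac
}

# composefs_report MOUNTINFO -> one-line summary of the checks above.
composefs_report() {
  target=$(storage_query_target "$1")
  if is_readonly "$1" /; then rootstate=read-only; else rootstate=writable; fi
  printf 'root fstype=%s (%s); query storage via %s (%s)\n' \
    "$(mount_fstype "$1" /)" "$rootstate" "$target" "$(mount_fstype "$1" "$target")"
}

composefs_report "$SAMPLE_MOUNTINFO"
composefs_report "$SAMPLE_MOUNTINFO_NOCFS"
```

On a real host, feed the functions `"$(cat /proc/self/mountinfo)"` instead of the sample. `findmnt -no FSTYPE,OPTIONS /` answers the same questions with less parsing; the awk version is here because it shows the mountinfo field layout and works in minimal environments where util-linux is not available.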
CI happy on rawhide. Retargeted testing-devel and approved. Will let someone else also stamp and merge.
🎉
@@ -51,3 +51,10 @@ | |||
streams: | |||
- rawhide | |||
- branched | |||
- pattern: ext.config.kdump.crash | |||
tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2284097 |
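Review bot: the visible lines of this denylist entry carry `streams:` (rawhide, branched) and a `tracker:` but no `snooze:` date, so as shown the `ext.config.kdump.crash` test is skipped indefinitely on those streams rather than snoozed as the commit message describes; if the intent is a temporary skip while the kdump team investigates, add a `snooze:` date so the test re-enables on its own instead of relying on someone remembering to remove the entry. The `tracker:` also points at a Bugzilla bug; since the reviewer comment on this hunk asks for an FCOS issue-tracker ticket, consider pointing `tracker:` at that ticket (or listing both) so the denylisted test is discoverable from the FCOS tracker.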
can you open an FCOS issue tracker ticket for this?
We added composeFS starting in f41. Since it comes with a couple of drawbacks let's document it and explain how to disable it. coreos/fedora-coreos-tracker#1718 (comment) coreos/fedora-coreos-config#3009
rebased #2856 on rawhide
See: #2856 (comment)
See: coreos/fedora-coreos-tracker#1718