Skip to content

Commit

Permalink
Enable composefs for 41+
Browse files Browse the repository at this point in the history
Enabling composefs allow an increase in security by making the
filesystem truly read-only.

It's also a cornerstone towards a truly sealed system with full
integrity checks at runtime.

It will also allow storage deduplication between the host filesystem
and the containers storage in the long run, which is a huge win: faster
downloads and faster container startup times.

A thing that this is known to break is the "chattr -i" hack for new
toplevel dirs (xref coreos/rpm-ostree#337).

Basically if you want that, you either need to make a derived image,
or enable transient root.

Ref: https://fedoraproject.org/wiki/Changes/ComposefsAtomicCoreOSIoT

Co-authored-by: jbtrystram <jbtrystram@redhat.com>
  • Loading branch information
2 people authored and travier committed Aug 30, 2024
1 parent 8721038 commit ce9751e
Show file tree
Hide file tree
Showing 4 changed files with 8 additions and 0 deletions.
3 changes: 3 additions & 0 deletions manifests/composefs.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# Enable composefs by default.
ostree-layers:
- overlay/08composefs
2 changes: 2 additions & 0 deletions manifests/fedora-coreos.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ conditional-include:
# Wifi firmwares will be dropped in F41
- if: releasever < 41
include: wifi-firmwares.yaml
- if: releasever >= 41
include: composefs.yaml

ostree-layers:
- overlay/15fcos
Expand Down
1 change: 1 addition & 0 deletions overlay.d/08composefs/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Enable composefs by default; more in https://ostreedev.github.io/ostree/composefs/
2 changes: 2 additions & 0 deletions overlay.d/08composefs/usr/lib/ostree/prepare-root.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
[composefs]
enabled = true

0 comments on commit ce9751e

Please sign in to comment.