* docs: We're read only by default in a container
Closes: https://github.com/bootc-dev/bootc/issues/1461
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Add comprehensive documentation for the root.transient-ro option that allows
privileged users to create dynamic top-level mountpoints at runtime while
keeping the filesystem read-only by default.
Notably, we skip generating an fstab entry for boot, even if it's on a
separate partition. this requires the image initramfs have some
knowledge to find the rootfs and bootfs (labels or DPS).
See https://github.com/bootc-dev/bootc/issues/1441
- Note the existence of `/run` here
- Describe how to use `podman login --authfile` to write it
- Also describe the pattern of symlinking to keep things in sync
where desired
Signed-off-by: Colin Walters <walters@verbum.org>
- Changes via `rpm-ostree kargs` will persist, this came up
as a question
- Explicitly mention the `unshare -m` trick
- Emphasize a bit more bootc+rpm-ostree do interoperate;
except for removing things added by `/usr/lib/bootc/kargs.d`,
don't do that
Literally just find and replace github.com/containers/bootc with
github.com/bootc-dev/bootc
We have the redirect in place so none of this is really important, but
I figure removing as many instances of the old repo and replacing them
with the current can't hurt for things like search engine
optimization. Plus some non-zero number of people might assume one is
a fork of the other or something.
Signed-off-by: John Eckersberg <jeckersb@redhat.com>
Especially fix the intro and note that bootc's APIs are stable.
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Colin Walters <walters@verbum.org>
- Doesn't apply to LBIs, and actually c/storage has no knob for
this
- Elaborate a bit on /etc and /var
Signed-off-by: Colin Walters <walters@verbum.org>
This deprecates skip-fetch-check in favor of the inverse,
run-fetch-check. Updates docs and tests to reflect the change.
Signed-off-by: ckyrouac <ckyrouac@redhat.com>
- Move the recommendation for `tmpfiles.d` above the philosophy
so it's a bit more obvious
- Reword and clarify the "only applied once" semantic
- Drop the link to the ostree change as it's no longer "new"
Motivated by seeing another question on this.
Signed-off-by: Colin Walters <walters@verbum.org>
Update the --via-loopback example to clarify that this must be run as
root.
We already state this at the very top of this document, but this makes
it clearer for users who skip directly down to this example command.
Adds an --apply flag to the `bootc rollback` command to implement
automated restarts.
Have confirmed this works by building the bootc binary and running
`bootc rollback --apply` on my host. This restarted the machine
into the new (rollback) image.
Closes #1029
Signed-off-by: Robert Sturla <robertsturla@outlook.com>
Tweak the changes in #1191 to more clearly lay out the tradeoffs of
state overlays. Contrast it with transient root (since that was one of
the primary motivations for it), and generalize the "alternatives" to be
about both approaches.
We wrote the code and it is useful. We are probably just going
to need to support it into the forseeable future. However, my
core problem with it is what I wrote in the docs here: it has
no equivalent in the docker/podman ecosystem, which I think
cuts against a core principle that we're trying to make
the booted host align with containers.
Of course, stateoverlay isn't a lot of code, and in theory
it's a bit independent of ostree, so perhaps we could try to
split it out at some point and then it could be used by e.g.
`podman run --mount=type=stateoverlay` or so.
Before anyone starts just blindly enabling stateoverlays
I'd like them to have considered alternatives such as the
symlink approach.
Signed-off-by: Colin Walters <walters@verbum.org>
Split this out of the fsverity PR.
We obviously want a `fsck` command. This starts by doing
just two checks:
- A verification of `etc/resolv.conf`; this tests
98995f662b
- Just run `ostree fsck`
But obvious things we should be adding here are:
- Verifying kargs
- Verifying LBIs
etc.
Signed-off-by: Colin Walters <walters@verbum.org>
Basically I want to get Anaconda to run this, then we
can perform arbitrary fixups on whatever it did
between the install and reboot without changing Anaconda's
code.
This also applies to user `%post` scripts for example;
maybe those break the bootloader entries in /boot;
we have the opportunity to catch such things here.
Or we may choose to start forcibly relabeling the target
`/etc`.
Signed-off-by: Colin Walters <walters@verbum.org>
