On Wed, 2022-02-16 at 12:12 -0500, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
>
> == Summary ==
>
> This change is about enabling an opt-in ostree feature that re-mounts
> `/sysroot` as read only to avoid accidental changes.
>
> Users and administrators are not expected to directly interact with
> the content available there and should instead use the interface
> offered by rpm-ostree, GNOME Software or (soon) Plasma Discover to
> manage their system.

I use Silverblue. How does this affect my ability to modify /etc in the
opt-in scenario? Does rpm-ostree offer a method to modify /etc in that
case? What if I want a mutable /var, like I currently have; does this
change under this proposal?

What is the value of this for the normal Fedora Linux user?

> == Owner ==
>
> * Name: [[User:Siosm| Timothée Ravier]], [[User:Tpopela| Tomáš
> Popela]], [[User:jkonecny| Jiří Konečný]]
> * Email: siosm@xxxxxxxxxxxxxxxxx, tpopela@xxxxxxxxxxxxxxxxx,
> jkonecny@xxxxxxxxxx
> * FESCo shepherd: [[User:Ngompa| Neal Gompa]]
> ngompa@xxxxxxxxxxxxxxxxx
>
>
> == Detailed Description ==
>
> On rpm-ostree based systems, the real root (the root directory of the
> root partition on the disk) is mounted under the `/sysroot` path. By
> default it contains the state of the system (the content of `var` and
> `etc`) as well as the system versions themselves (each versioned copy
> of `/usr`) in the ostree repository (`/ostree/repo`).
>
> This change is about enabling an opt-in ostree feature that re-mounts
> `/sysroot` as read only to avoid accidental changes.
>
> Users and administrators are not expected to directly interact with
> the content available there and should instead use the interface
> offered by rpm-ostree, GNOME Software or (soon) Plasma Discover to
> manage their system.
>
> Example of issue:
> https://github.com/fedora-silverblue/issue-tracker/issues/232
>
> This change replicates for Fedora Silverblue/Kinoite what has been
> done in Fedora CoreOS in a previous release.
>
> == Feedback ==
>
> None so far.
>
>
> == Benefit to Fedora ==
>
> This will make Fedora Silverblue/Kinoite more robust to accidental
> damage from users.
>
> == Scope ==
> * Proposal owners:
> ** Work on the changes required for new installations (potentially
> Anaconda configuration changes) and support for in place updates for
> existing installations (requires a two step process).
> * Other developers:
> ** Potential Anaconda changes required.
> * Release engineering: N/A
> * Policies and guidelines: N/A (not needed for this Change)
> * Trademark approval: N/A (not needed for this Change)
> * Alignment with Objectives: N/A
>
> == Upgrade/compatibility impact ==
>
> We will create a systemd unit that performs the updates in place for
> existing systems. This will require a two step process (changing the
> existing kernel arguments, and then enabling the ostree feature).
> Once the feature is enabled, users won't be able to rollback to
> previous deployments where the kernel argument is not set. We will
> have to clearly document that in the documentation for easier
> troubleshooting.

See, that's an unwelcome thing IMO.

> == How To Test ==
>
> Only try the following if you are comfortable debugging an
> un-bootable system and have made backups!
>
> `$ sudo rpm-ostree kargs --append-if-missing=rw`
>
> `$ sudo ostree config --repo=/sysroot/ostree/repo set
> "sysroot.readonly" "true"`
>
> `$ sudo systemctl reboot`
>
> Note that you cannot "rollback" to the previous deployment to undo
> this change. You will have to boot into a Live ISO and edit the
> config file in the ostree repo to remove this config option.
>
> == User Experience ==
>
> There should be no visible change in user experience.

I don't know. I think not being able to boot into my previous
deployments is a visible change to my user experience.

> == Dependencies ==
>
> Requires changes in Anaconda (maybe just config?) to set default
> kargs and property on ostree repo for new installations.
>
> == Contingency Plan ==
>
> Revert the change before the release.
>
> == Documentation ==
>
> N/A (not a System Wide Change)
>
> == Release Notes ==
>
> TODO

Seems like there is lots more to do.

Stephen

> --
> Ben Cotton
> He / Him / His
> Fedora Program Manager
> Red Hat
> TZ=America/Indiana/Indianapolis
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
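The "How To Test" steps quoted above leave the reader to verify by hand that the `rw` kernel argument is in place before flipping `sysroot.readonly`, and that `/sysroot` really came up read-only after the reboot. The script below is an added example written for this thread, not code from the proposal, from Fedora, or from the rpm-ostree/ostree projects: it takes a kernel command line and the contents of `/proc/mounts` as strings (so it can be run offline on the constructed sample data embedded in it) and reports which of the two conditions hold. The function names, the return codes and the sample values are all assumptions of this example; on a real system you would feed it `$(cat /proc/cmdline)` and `$(cat /proc/mounts)`.

```shell
#!/bin/sh
# Added example (not part of the Fedora change proposal or of ostree):
# pre-flight and post-reboot check for the read-only /sysroot feature.
#
# The proposal says deployments whose kernel arguments lack "rw" can no
# longer be booted once sysroot.readonly=true is set, so we check:
#   1. the kernel command line carries "rw" as a whole word;
#   2. /sysroot is currently mounted with the "ro" option.

# kargs_have_rw "<kernel cmdline>" -> 0 if "rw" is present as a whole word
kargs_have_rw() {
    for arg in $1; do
        [ "$arg" = "rw" ] && return 0
    done
    return 1
}

# sysroot_mount_ro "<contents of /proc/mounts>" -> 0 if /sysroot is mounted ro,
# 1 if it is mounted rw or not present at all
sysroot_mount_ro() {
    found=1
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r _dev mnt _fs opts _rest; do
        if [ "$mnt" = "/sysroot" ]; then
            case ",$opts," in
                *,ro,*) found=0 ;;
                *)      found=1 ;;
            esac
        fi
    done <<EOF
$1
EOF
    return "$found"
}

# readonly_sysroot_status "<cmdline>" "<mounts>" -> prints a verdict; returns
#   0  "rw" present and /sysroot read-only   (feature active)
#   1  "rw" present, /sysroot still writable (kargs ready, feature not enabled yet)
#   2  "rw" absent                           (do not set sysroot.readonly yet)
readonly_sysroot_status() {
    if ! kargs_have_rw "$1"; then
        echo "kernel args lack 'rw': run 'rpm-ostree kargs --append-if-missing=rw' and reboot first"
        return 2
    fi
    if sysroot_mount_ro "$2"; then
        echo "/sysroot is mounted read-only: feature active"
        return 0
    fi
    echo "/sysroot is writable: kargs are ready, sysroot.readonly not enabled yet"
    return 1
}

# Constructed sample inputs (placeholder UUID and paths, not from a real host).
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/ostree/fedora-CONSTRUCTED/vmlinuz root=UUID=0000-CONSTRUCTED rw rootflags=subvol=root ostree=/ostree/boot.1/fedora/CONSTRUCTED/0'
SAMPLE_MOUNTS='/dev/sda3 /sysroot btrfs ro,seclabel,relatime,subvol=/root 0 0
/dev/sda3 /var btrfs rw,seclabel,relatime,subvol=/root/var 0 0
/dev/sda3 /etc btrfs rw,seclabel,relatime,subvol=/root/etc 0 0'

# Stand-alone demo on the sample data (prints the "feature active" verdict).
readonly_sysroot_status "$SAMPLE_CMDLINE" "$SAMPLE_MOUNTS"
```

Running it as `readonly_sysroot_status "$(cat /proc/cmdline)" "$(cat /proc/mounts)"` gives a quick exit code to key a backup-before-enable step on; note that it only inspects the booted deployment's arguments, so the rollback caveat in the proposal still applies to any older deployment that never had `rw` added.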