Re: Suggestion: Use a unified kernel image by default in the future.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On Wed, Jul 20, 2022, at 4:44 AM, Gerd Hoffmann wrote:

> Where does that build happen?  Must be outside the kernel
> rpm build process, so probably when generating the ostree?

Exactly.  We also run all %post scripts server side too for example.

You can see the logs for this at e.g.
https://kojipkgs.fedoraproject.org/compose/updates/Fedora-36-updates-20220720.0/logs/aarch64/Everything/ostree-3/create-ostree-repo.log
for aarch64 silverblue 36.  And at e.g.
https://jenkins-fedora-coreos-pipeline.apps.ocp.fedoraproject.org/job/build/912/consoleFull
for a Fedora CoreOS testing-devel build (that also builds update disk images).

(One profound difference between these two things right now is that with Fedora CoreOS we actually test the ostree image before shipping it to users, for example booting the resulting update in qemu, including the server side generated dracut image etc. in a tightly integrated build/test setup, which Koji...doesn't.)

> Any plans for switching to unified kernel images, to have the
> initrd covered by secure boot signing?

There's a lot of active related debate on things related to this; but it's really important to understand that with ostree in general it is a top level goal to support "open" Linux systems where you are root on your computer - the same way as yum based systems.  While we ship as an image by default, it is intentional that you can e.g. change the initramfs locally (you can run `rpm-ostree initramfs --enable` to dynamically switch to client-side dracut runs) or kernel command line arguments or more generally inject persistent, privileged code.

I for sure want to support people creating their own actually "sealed"/"locked down" systems, particularly for e.g. IoT type setups and support for "unified" style kernel images is likely part of that.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux