Enable composefs for 41+

Enabling composefs allow an increase in security by making the filesystem truly read-only. It's also a cornerstone towards a truly sealed system with full integrity checks at runtime. It will also allow storage deduplication between the host filesystem and the containers storage in the long run, which is a huge win: faster downloads and faster container startup times. A thing that this is known to break is the "chattr -i" hack for new toplevel dirs (xref coreos/rpm-ostree#337). Basically if you want that, you either need to make a derived image, or enable transient root. Ref: https://fedoraproject.org/wiki/Changes/ComposefsAtomicCoreOSIoT Co-authored-by: jbtrystram <[email protected]>
jbtrystram · Aug 29, 2024 · 2548e2a · 2548e2a
1 parent 6c7dc68
commit 2548e2a
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/manifests/composefs.yaml b/manifests/composefs.yaml
@@ -0,0 +1,3 @@
+# Enable composefs by default.
+ostree-layers:
+  - overlay/08composefs
diff --git a/manifests/fedora-coreos.yaml b/manifests/fedora-coreos.yaml
@@ -30,6 +30,8 @@ conditional-include:
   # Wifi firmwares will be dropped in F41
   - if: releasever < 41
     include: wifi-firmwares.yaml
+  - if: releasever >= 41
+    include: composefs.yaml
 
 ostree-layers:
   - overlay/15fcos

diff --git a/overlay.d/08composefs/README.md b/overlay.d/08composefs/README.md
@@ -0,0 +1 @@
+Enable composefs by default; more in https://ostreedev.github.io/ostree/composefs/
diff --git a/overlay.d/08composefs/usr/lib/ostree/prepare-root.conf b/overlay.d/08composefs/usr/lib/ostree/prepare-root.conf
@@ -0,0 +1,2 @@
+[composefs]
+enabled = true