ref: fedora/rawhide/${basearch}/ostree-base automatic_version_prefix: "38" mutate-os-release: "38" include: fedora-common-ostree-pkgs.yaml packages: - git-core - lvm2 - rpm-ostree # Container management - buildah - podman - skopeo - toolbox # Provides terminal tools like clear, reset, tput, and tset - ncurses # Flatpak support - flatpak - xdg-desktop-portal # HFS filesystem tools for Apple hardware # See https://github.com/projectatomic/rpm-ostree/issues/1380 - hfsplus-tools # Contains default ostree remote config to be used on client's # system for fetching ostree update - fedora-repos-ostree # the archive repo for more reliable package layering # https://github.com/coreos/fedora-coreos-tracker/issues/400 - fedora-repos-archive selinux: true documentation: true boot-location: modules etc-group-members: - wheel tmp-is-dir: true ignore-removed-users: - root ignore-removed-groups: - root check-passwd: type: file filename: passwd check-groups: type: file filename: group default_target: graphical.target packages-aarch64: - bootupd - grub2-efi - ostree-grub2 - efibootmgr - shim packages-armhfp: - extlinux-bootloader - xorg-x11-drv-armada packages-ppc64: - grub2 - ostree-grub2 packages-ppc64le: - grub2 - ostree-grub2 packages-x86_64: - bootupd - grub2-efi-ia32 - grub2-efi-x64 - grub2-pc - ostree-grub2 - efibootmgr - shim-ia32 - shim-x64 - microcode_ctl - mcelog - thermald - hyperv-daemons - open-vm-tools-desktop - virtualbox-guest-additions - xorg-x11-drv-intel - xorg-x11-drv-openchrome - xorg-x11-drv-vesa - xorg-x11-drv-vmware # Make sure the following are not pulled in when Recommended by other packages exclude-packages: - PackageKit # We can not include openh264. See https://fedoraproject.org/wiki/OpenH264 - gstreamer1-plugin-openh264 - mozilla-openh264 - openh264 postprocess: - | #!/usr/bin/env bash set -xeuo pipefail # Work around https://bugzilla.redhat.com/show_bug.cgi?id=1265295 # From https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/05core/usr/lib/systemd/journald.conf.d/10-coreos-persistent.conf install -dm0755 /usr/lib/systemd/journald.conf.d/ echo -e "[Journal]\nStorage=persistent" > /usr/lib/systemd/journald.conf.d/10-persistent.conf # See: https://src.fedoraproject.org/rpms/glibc/pull-request/4 # Basically that program handles deleting old shared library directories # mid-transaction, which never applies to rpm-ostree. This is structured as a # loop/glob to avoid hardcoding (or trying to match) the architecture. for x in /usr/sbin/glibc_post_upgrade.*; do if test -f ${x}; then ln -srf /usr/bin/true ${x} fi done - | #!/usr/bin/env bash set -xeuo pipefail # Setup unit & script for readonly sysroot migration: # - https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot # - https://bugzilla.redhat.com/show_bug.cgi?id=2060976 cat > /usr/lib/systemd/system/fedora-silverblue-readonly-sysroot.service <<'EOF' [Unit] Description=Fedora Silverblue Read-Only Sysroot Migration Documentation=https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot ConditionPathExists=!/var/lib/.fedora_silverblue_readonly_sysroot RequiresMountsFor=/sysroot /boot ConditionPathIsReadWrite=/sysroot [Service] Type=oneshot ExecStart=/usr/libexec/fedora-silverblue-readonly-sysroot RemainAfterExit=yes [Install] WantedBy=multi-user.target 'EOF' chmod 644 /usr/lib/systemd/system/fedora-silverblue-readonly-sysroot.service cat > /usr/libexec/fedora-silverblue-readonly-sysroot <<'EOF' #!/bin/bash # Update an existing system to use a read only sysroot # See https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot # and https://bugzilla.redhat.com/show_bug.cgi?id=2060976 set -euo pipefail main() { # Used to condition execution of this unit at the systemd level local -r stamp_file="/var/lib/.fedora_silverblue_readonly_sysroot if [[ -f "${stamp_file}" ]]; then exit 0 fi local -r ostree_sysroot_readonly="$(ostree config --repo=/sysroot/ostree/repo get "sysroot.readonly" &> /dev/null || echo "false")" if [[ "${ostree_sysroot_readonly}" == "true" ]]; then # Nothing to do touch "${stamp_file}" exit 0 fi local -r boot_entries="$(ls -A /boot/loader/entries/ | wc -l)" # Ensure that we can read BLS entries to avoid touching systems where /boot # is not mounted if [[ "${boot_entries}" -eq 0 ]]; then echo "No BLS entry found: Maybe /boot is not mounted?" 1>&2 echo "This is unexpected thus no migration will be performed" 1>&2 touch "${stamp_file}" exit 0 fi # Check if any existing deployment is still missing the rw karg local rw_kargs_found=0 local count=0 for f in "/boot/loader/entries/"*; do count="$(grep -c "^options .* rw" "${f}" || true)" if [[ "${count}" -ge 1 ]]; then rw_kargs_found=$((rw_kargs_found + 1)) fi done # Some deployments are still missing the rw karg. Let's try to update them if [[ "${boot_entries}" -ne "${rw_kargs_found}" ]]; then ostree admin kargs edit-in-place --append-if-missing=rw || \ echo "Failed to edit kargs in place with ostree" 1>&2 fi # Re-check if any existing deployment is still missing the rw karg rw_kargs_found=0 count=0 for f in "/boot/loader/entries/"*; do count="$(grep -c "^options .* rw" "${f}" || true)" if [[ "${count}" -ge 1 ]]; then rw_kargs_found=$((rw_kargs_found + 1)) fi done unset count # If all deployments are good, then we can set the sysroot.readonly option # in the ostree repo config if [[ "${boot_entries}" -eq "${rw_kargs_found}" ]]; then echo "Setting up the sysroot.readonly option in the ostree repo config" ostree config --repo=/sysroot/ostree/repo set "sysroot.readonly" "true" touch "${stamp_file}" exit 0 fi # If anything else before failed, we will retry on next boot echo "Will retry next boot" 1>&2 exit 0 } main "${@}" 'EOF' chmod 755 /usr/libexec/fedora-silverblue-readonly-sysroot # Enable the corresponding unit systemctl enable fedora-silverblue-readonly-sysroot.service