buildextend-metal: Make sysroot-ro an opt-in image.yaml parameter #1235
Conversation
|
Hmm, the reason I didn't do this was because we already have systems out there that have Let's just work towards fixing coreos/fedora-coreos-tracker#343? If it takes too long and we have to e.g. ship an ostree fix/new rpm-ostree feature that needs an ostree bump, we can disable it at compile-time for now in Fedora and drop the lockfile pin on ostree (coreos/fedora-coreos-config#300). |
|
I think you're right, but we can split the difference here - switch fedora-coreos-config to keep it on if you prefer. I commented on this around the ipv6 bits too - this is another thing that's really a property of the package versions. Having future changes like this be opt-in via |
We want to use the new read-only `/sysroot` feature of libostree. Opt-in to that to tell cosa we support it and want it. For more details, see: ostreedev/ostree#1265 coreos/coreos-assembler#1235
|
Sure, WFM: coreos/fedora-coreos-config#304 This is tricky though. I think we should consider read-only sysroot as part of the "CoreOS" model. So then, it's not really something that we opt into, but is just hardcoded as part of cosa. OTOH, supporting it in RHCOS for example requires updating at least ostree and rpm-ostree, and having a knob in the config to make ratcheting it in easier makes sense. But I hope eventually we can drop that knob entirely and just always have it enabled. (Unlike the IPv6 work for example, there's not really a "preference" here; having a read-only |
I think we're in agreement that it is part of CoreOS, but we have already a split between "policy" and "mechanism" in the config repo and coreos-assembler (ish) and this is a bit more "policy". |
We want to use the new read-only `/sysroot` feature of libostree. Opt-in to that to tell cosa we support it and want it. For more details, see: ostreedev/ostree#1265 coreos/coreos-assembler#1235
We want to use the new read-only `/sysroot` feature of libostree. Opt-in to that to tell cosa we support it and want it. For more details, see: ostreedev/ostree#1265 coreos/coreos-assembler#1235
See coreos/fedora-coreos-tracker#343 (comment) Basically we need to make raw `ostree` operations work and not just `ostree admin`. Pairs with coreos/fedora-coreos-config#304
cgwalters
force-pushed
the
image-readonly-opt
branch
from
7b5ac2c to
65b6ed5
Compare
|
OK rebased this and renamed to Now that I look at this I'm feeling we need to rework this in ostree, see ostreedev/ostree#2104 I also force pushed coreos/fedora-coreos-config#304 to use the new name (and that should merge first). |
/hold until coreos/fedora-coreos-config#304 merges |
We want to use the new read-only `/sysroot` feature of libostree. Opt-in to that to tell cosa we support it and want it. For more details, see: ostreedev/ostree#1265 coreos/coreos-assembler#1235
|
/hold cancel |
|
Can someone lgtm this please? |
|
/lgtm |
| @@ -189,6 +189,11 @@ if [ "${image_type}" == metal4k ]; then | |||
| disk_args+=("--no-x86-bios-partition") | |||
| fi | |||
|
|
|||
| sysroot_ro="$(python3 -c 'import sys, yaml; v=yaml.safe_load(sys.stdin).get("sysroot-readonly", False); print("1" if v else "")' < "$configdir/image.yaml")" | |||
There was a problem hiding this comment.
I really am not a fan of this shell pattern. We need a bash helper function.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ashcrow, cgwalters, darkmuggle, jlebon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Oops I think this one is obsolete, we patched ostree and the git master ostree is also fixed in ostreedev/ostree#2113 |
See
coreos/fedora-coreos-tracker#343 (comment)
Basically we need to make raw
ostreeoperations work and notjust
ostree admin.