I'm trying to improve the developer experience on OSTree-managed systems, and I had an epiphany the other day - there's no reason we have to be absolutely against mutating the current rootfs live. The key should be making it easy to rollback/reset to a known good state.

I see this command as useful for two related but distinct workflows:

- `ostree admin unlock` will assume you're doing "development". The semantics here are that we mount an overlayfs on `/usr`, but the overlay data is in `/var/tmp`, and is thus discarded on reboot.
- `ostree admin unlock --hotfix` first clones your current deployment, then creates an overlayfs over `/usr` persistent to this deployment. Persistent in that now the initramfs switchroot tool knows how to mount it as well. In this model, if you want to discard the hotfix, at the moment you roll back/reboot into the clone.

Note: originally, I tried using `rofiles-fuse` over `/usr` for this, but then everything immediately explodes because the default (at least CentOS 7) SELinux policy denies tons of things (including `sshd_t` access to `fusefs_t`). Sigh. So the switch to `overlayfs` came after experimentation.

It still seems to have some issues... specifically `unix_chkpwd` is broken, possibly because it's setuid? Basically I can't ssh in anymore. But I *can* `rpm -Uvh strace.rpm`, which is handy.

NOTE: I haven't tested the hotfix path fully yet, specifically the initramfs bits.
README.md
OSTree
New! See the docs online at Read The Docs (OSTree)
OSTree is a tool that combines a "git-like" model for committing and downloading bootable filesystem trees, along with a layer for deploying them and managing the bootloader configuration.
OSTree is like git in that it checksums individual files and has a content-addressed object store. It's unlike git in that it "checks out" the files via hardlinks, and they should thus be immutable. Therefore, another way to think of OSTree is that it's just a more polished version of Linux VServer hardlinks.
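The paragraph above says checkouts are hardlinks and must therefore stay immutable, and the commit message above explains why live edits go into an overlay whose upper layer can be thrown away rather than into the checkout itself. The following toy store, added here as an example and not OSTree's own code, makes both points concrete: it commits files into an `objects/<xx>/<rest>.file` layout, checks them out twice by hardlink, edits one deployment through an overlay-style scratch directory (the store stays clean and the edit vanishes when the scratch directory is removed, as with `/var/tmp` on reboot), and then edits the same file in place through the hardlink, which silently changes the other deployment as well and is caught by a checksum verification pass. The hash covers file content only; real OSTree object checksums also cover metadata, and `overlay_read` is a pure-Python stand-in for an overlayfs lookup, not a mount.

```python
"""Toy content-addressed store with hardlink checkouts and an overlay-style
scratch layer. Added example, not OSTree code: content hashes only (OSTree's
object checksums also cover metadata), and overlay_read stands in for an
overlayfs mount.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _object_path(repo: Path, csum: str) -> Path:
    # objects/<first two hex chars>/<rest>.file, the layout OSTree uses for file objects
    return repo / "objects" / csum[:2] / f"{csum[2:]}.file"


def commit_tree(repo: Path, tree: dict[str, bytes]) -> dict[str, str]:
    """Store each file's content once, addressed by checksum; return path -> checksum."""
    manifest = {}
    for relpath, data in tree.items():
        csum = _digest(data)
        obj = _object_path(repo, csum)
        obj.parent.mkdir(parents=True, exist_ok=True)
        if not obj.exists():
            obj.write_bytes(data)
            obj.chmod(0o444)  # objects are read-only: every checkout shares this inode
        manifest[relpath] = csum
    return manifest


def checkout_hardlinks(repo: Path, manifest: dict[str, str], dest: Path) -> None:
    """Materialise a tree by hardlinking into the store; nothing is copied."""
    for relpath, csum in manifest.items():
        target = dest / relpath
        target.parent.mkdir(parents=True, exist_ok=True)
        os.link(_object_path(repo, csum), target)


def fsck(repo: Path) -> list[str]:
    """Return checksums of objects whose content no longer matches their name."""
    bad = []
    for obj in (repo / "objects").rglob("*.file"):
        expected = obj.parent.name + obj.name[: -len(".file")]
        if _digest(obj.read_bytes()) != expected:
            bad.append(expected)
    return bad


def overlay_read(lower: Path, upper: Path, relpath: str) -> bytes:
    """Union lookup in the spirit of an overlay mount: upper wins, lower is never written."""
    for layer in (upper, lower):
        candidate = layer / relpath
        if candidate.is_file():
            return candidate.read_bytes()
    raise FileNotFoundError(relpath)


def demo() -> dict:
    """Contrast an overlay scratch layer with writing through a hardlinked checkout."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, dep_a, dep_b = (Path(tmp) / n for n in ("repo", "deploy_a", "deploy_b"))
        original = b"#!/bin/sh\necho v1\n"  # constructed sample content
        patched = b"#!/bin/sh\necho v1-patched\n"
        manifest = commit_tree(repo, {"usr/bin/tool": original, "usr/etc/cfg": b"x=1\n"})
        checkout_hardlinks(repo, manifest, dep_a)
        checkout_hardlinks(repo, manifest, dep_b)
        result = {"links": os.stat(dep_a / "usr/bin/tool").st_nlink}  # object + two checkouts

        # 1. Overlay-style edit: goes to a scratch upper dir (think /var/tmp); the store is untouched.
        upper = Path(tmp) / "upper"
        (upper / "usr/bin").mkdir(parents=True)
        (upper / "usr/bin/tool").write_bytes(patched)
        result["overlay_view"] = overlay_read(dep_a, upper, "usr/bin/tool")
        result["fsck_after_overlay"] = fsck(repo)
        shutil.rmtree(upper)  # "reboot": the scratch layer is gone, the checkout reappears unchanged
        result["after_discard"] = overlay_read(dep_a, upper, "usr/bin/tool")

        # 2. In-place edit through the hardlink: the shared inode changes for everyone.
        live = dep_a / "usr/bin/tool"
        live.chmod(0o644)  # chmod acts on the inode, so the store object opens up too
        live.write_bytes(patched)
        result["other_deployment"] = (dep_b / "usr/bin/tool").read_bytes()
        result["fsck_after_live_edit"] = fsck(repo)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The second half is the failure mode the README warns about: the "fix" applied to one deployment leaks into every other deployment and into the repository itself, and only a verification pass over the object store reveals it. The first half is the shape of the `ostree admin unlock` idea, where the writable layer lives beside the checkout and discarding it is a reset to the known-good tree.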
Features:
- Atomic upgrades and rollback for the system
- Replicating content incrementally over HTTP via GPG signatures and "pinned TLS" support
- Support for parallel installing more than just 2 bootable roots
- Binary history on the server side (and client)
- Introspectable shared library API for build and deployment systems
This last point is important - you should think of the OSTree command line as effectively a "demo" for the shared library. The intent is that package managers, system upgrade tools, container build tools and the like use OSTree as a "deduplicating hardlink store".
Projects using OSTree
rpm-ostree is a tool that uses OSTree as a shared library, and supports committing RPMs into an OSTree repository, and deploying them on the client. This is appropriate for "fixed purpose" systems. There is in-progress work for more sophisticated hybrid models, deeply integrating the RPM packaging with OSTree.
Project Atomic uses rpm-ostree to provide a minimal host for Docker formatted Linux containers. Replicating a base immutable OS, then using Docker for applications meshes together two different tools with different tradeoffs.
xdg-app uses OSTree for desktop application containers.
GNOME Continuous is a custom build system designed for OSTree, using OpenEmbedded in concert with a custom build system to do continuous delivery from hundreds of git repositories.
Building
Releases are available as GPG signed git tags, and most recent versions support extended validation using git-evtag.
However, in order to build from a git clone, you must update the submodules. If you're packaging OSTree and want a tarball, I recommend using a "recursive git archive" script. There are several available online; this code in OSTree is an example.
Once you have a git clone or recursive archive, building is the same as almost every autotools project:
env NOCONFIGURE=1 ./autogen.sh
./configure --prefix=...
make
make install DESTDIR=/path/to/dest
More documentation
New! See the docs online at Read The Docs (OSTree)
Some more information is available on the old wiki page: https://wiki.gnome.org/Projects/OSTree
Contributing
See Contributing.