It really doesn't make sense at this point
It really doesn't make sense at this point to build everything from scratch ourselves, as the point is for us to build upon what Fedora image-based distros provide; there would also be not much of a benefit to us going from scratch
My main concern is with the upcoming changes with composefs and co. It probably won't be a thing for a few months, but it'll definitely hinder any project that wants to build directly off existing sb images.
GitHub: Design phases for composefs integration · Issue #2867 · ostreedev/o...
composefs/ostree (and beyond) Background A key design goal of ostree at its creation was to not require any new functionality in the Linux kernel. The baseline mechanisms of hard links and read-onl...
what's the specific concern?
My guess is we will have to do slight modifications but that shouldn't be too hard
If I understood this right, when this lands, there will be an option where everything is signed with a per-deployment private/public key pair and verified on the fly. Because nobody except the Fedora project has access to those keys, it's rather difficult to add anything.
Well we would have to sign everything ourselves of course
But that's expected
yeah we'll just do what they tell us to do
Anything “from scratch” is usually not a good idea and needs substantiating to justify that it’s worth it. No need to continuously re-invent the wheel. Besides, what’s “from scratch”?
I'll see if I can drop in on this meeting tho
what meeting?
the one they mention in the issue
They know that there are people basing on sb so colin and co will probably ensure it can be done
that's tomorrow
Oh ok just found it. I’ll be able to join as a listener as well given it doesn’t go for over an hour. Would be nice if it’s recorded
Is there incentive for them to care?
I’m new to this whole ecosystem
oh, that's good
I might join as well if I actually can wake up at the right time
Yes, because beyond us a lot of groups are doing this type of modifications for CoreOS like we do for Silverblue
How does this benefit silverblue
And CoreOS uses the same tech as Silverblue
Security and trust
One of the biggest concerns with immutable systems is customizability. Ensuring that custom deployments can be easily made without duplicating a bunch of work is a good thing for sb and friends.
It would also make no sense for them to first make big features that allow easy customizability, then go and lock it down right after in the next big feature
I've been trying real hard to kill that myth lol
because they are supporting these things on purpose
True, it looks like they want RHEL to go immutable at some point
Red Hat CoreOS is alr a thing
RHEL Edge already exists
and is the default distro for all openshift deployments
Well the os upon which openshift runs is already immutable rhel coreos
Interesting
but yeah, it'd be nice if they made a general purpose RHEL ostree one too
I thought red hat tests things on fedora and centos beforehand
Things are getting weird now so I don’t know if that’s still the case
RHEL CoreOS can be used but to get ISOs is an adventure
Kinda but not always
atomic host wg was proposed/added in 2015, (over) 8 years ago
What else do they do to test things before use by major corporations?
the core tech is mature
Last updated: 2014-11-11
Some of them they test on their own and other things they test as a part of open source projects related to it; besides, CoreOS is kinda an old thing by now
Coreos is really a continuation of container linux
I think you mean the opposite maybe https://en.wikipedia.org/wiki/Container_Linux
Container Linux
Container Linux (formerly CoreOS Linux) is a discontinued open-source lightweight operating system based on the Linux kernel and designed for providing infrastructure to clustered deployments, while focusing on automation, ease of application deployment, security, reliability and scalability. As an operating system, Container Linux provided onl...
Discontinued
Latest release May 22, 2020; 3 years ago
Actually no, first it was CoreOS, then CoreOS Container Linux, then it all turned into Fedora CoreOS and RHEL CoreOS
Yes, because Container Linux got discontinued as Fedora CoreOS and RHEL CoreOS became priority
idk what you're trying to argue, Red Hat wouldn't default to deploying an OS that they don't support
I’m not trying to argue anything, I’m just confused and sharing what I saw
As CoreOS was a company that Red Hat bought, they folded Container Linux into RHEL CoreOS and Fedora CoreOS
Maybe CoreOS is discontinued but not RHEL CoreOS. At least that’s my understanding now
here's the dev repository for the configs
old coreos was replaced by new rpm-ostree coreos
and old coreOS became flatcar linux
why do the names have to be so confusing
The CoreOS team announced the end-of-life for Container Linux on May 26, 2020,[1] offering Fedora CoreOS,[21] and RHEL CoreOS as its replacement, both based on Red Hat.
CoreOS was a company that made a product they named CoreOS Container Linux (or just CoreOS), then Red Hat bought CoreOS the company and Container Linux got folded into RHEL CoreOS and Fedora CoreOS
Imagine saying something along the lines of "Linux is discontinued and now we have GNU/Linux"
I guess it sort of makes sense to keep the name of the discontinued thing as part of the new one
Sorry, I’m being pedantic
Ignore me
it was very confusing, I hated that entire year
xkcd: Standards
Fortunately, the charging one has been solved now that we've all standardized on mini-USB. Or is it micro-USB? Shit.
reading this issue again, though, it seems like ublue would be able to take the existing images signed by fedora and add their own key to the fs-verity keyring and sign whatever new packages and files the project installs with a key from ublue. This still doesn't help the problem of having to sign each and every new file, though. Hopefully something comes up at the meeting
Do you still think there’s benefit to starting from scratch images
I’m curious
yeah if you wanted to make a distro
https://github.com/sodaliterocks/sodalite is like that
GitHub: sodaliterocks/sodalite: 🪨 A Pantheon experience for rpm-os...
🪨 A Pantheon experience for rpm-ostree. Contribute to sodaliterocks/sodalite development by creating an account on GitHub.
And we aren't making a distro
it'd also mean duplicating a bunch of work
yeah carbonOS does it this way too
I mean, yeah, if you wanna make something custom and different, that's how you'd do it
but we just want to hot rod the existing Fedora to make it easier for people to use it
so in our case we want to be as thin as possible
And I can never make it as good as the Silverblue team can
yeah, we want to reuse that fedora QA, which is why we don't swap out kernels and stuff
Basically silverblue and co have this slot that says optional battery here, we are just sticking the battery in out of the box
no I mean why should "ublue start from scratch images instead of the ones from quay.io/fedora-ostree-desktops"
that's pretty neat, fits exactly my use case
i want the benefits of Silverblue but I don't care too much, just give me automatic good defaults, right
we're currently on quay.io/fedora-ostree-desktops because that's where they have the images, they don't have official images yet until F39, so we're using these until they make official images
makes sense, most of it goes over my head
it will be transparent to everyone, the images will just be better by then
like they will be better tested by fedora, etc.
nice
does that also apply to the bootable installer
idk why we still need to boot into an installer rather than directly installing
yeah what we have now is the best they have, they only just added support to anaconda last month
and they're rewriting the installer anyway so we're mostly just monitoring
interesting
who's they
fedora
nice
so before last month Fedora didn't have support for anaconda?
not for the method we're using to install the OS
fedora is in the middle of developing all of this, it's not going to be ready until F39
what does the fedora installer use
the fedora installer is called anaconda
so ublue recently added support for anaconda is what you're saying?
sorry i lost track on who's "they" in each sentence
no, fedora added support for installing oci images to the installer they use, which is called anaconda.
oh
Is there no way to join the meeting anonymously?
did someone attend? I wasn't able to
i overslept
so they just asked for a name? or was the meeting for authorized people only
Sadly couldn't
There were only ~6 people in the meeting when I got there, but I had to leave quickly and there was no recording of it
There’s another meeting next week, same day and time
They wanted a name
You could just put foo
I’m not trying to participate, just watch
oh
I thought you needed a name to watch
The majority of “the immediate way forward” type questions/objectives are kind of put here, too
https://github.com/coreos/fedora-coreos-tracker/issues/1252#issuecomment-1574293095
GitHub: Strategy for file verification (IMA, fs-verity, composefs) · Issue ...
In Fedora 37, RPM content will be signed. This will be used in at least Fedora IoT in combination with IMA to verify executed files. rpm-ostree support for propagating these signatures has already ...
With these the "unsigned" path at least seems to work pretty well for me in some basic testing. We get nice stuff like mount -o remount,rw /usr no longer works. And you can also no longer chattr -i / etc.
With this, Fedora Silverblue's roots are now truly immutable
What does "immediate way forward" mean?
#2867 were the objectives, that comment was the steps to meet them
Actually this would totally break the current “install nix on Silverblue” script
https://github.com/dnkmmr69420/nix-installer-scripts/blob/main/installer-scripts/silverblue-nix-installer.sh