coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

Enable `opt-usrlocal-overlays` by default #1681

Closed travier closed 3 months ago

travier commented 7 months ago

Describe the enhancement

opt-usrlocal-overlays: boolean, optional: Defaults to false. By default, /opt and /usr/local are symlinks to subdirectories in /var. This prevents the ability to compose with packages that install in those directories. If enabled, RPMs with /opt and /usr/local content are allowed; client-side, both paths are writable overlay directories on. Requires libostree v2023.9+.

See:

System details

N/A

Additional information

For Atomic Desktops, see: https://gitlab.com/fedora/ostree/sig/-/issues/20

cgwalters commented 7 months ago

Enabling by default would definitely escalate the divergence in things.

cgwalters commented 7 months ago

I think we need to start with telling anyone who wants to use package layering client side with opt to enable the service.

jlebon commented 7 months ago

Yeah, I don't think it's ready to enable by default yet. We really need more testing on this in real-world use cases to see how it fares. We can definitely document how to enable it for now client-side or in a derived container build (working on that right now).

xynydev commented 5 months ago

> We can definitely document how to enable it for now client-side or in a derived container build (working on that right now).

If that is possible, I would appreciate the docs before this issue is completed, as I (/we) currently resort to a pretty ugly workaround for installing packages into /opt/ when building a derived container image.

jlebon commented 3 months ago

Just circling back here. Currently, we are no longer considering turning on state overlays by default. The ideal fix for /opt packages is to add symlinks to /var subdirs for the subpaths of /opt that need to be writable. That gives you the most immutability where possible, while poking holes only as needed. But it of course requires knowing what to symlink, which is software-dependent.

Both state overlays and transient root are easier alternatives which will make things Just Work, but with the tradeoff of allowing more mutability than necessary. This is documented in https://containers.github.io/bootc/filesystem.html#opt, in which I'm working to add the state overlay option (https://github.com/containers/bootc/pull/668).

Note that in FCOS, all of this is gated on https://github.com/coreos/fedora-coreos-tracker/issues/1718.
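As an added illustration of the "symlink only the subpaths that must be writable" approach jlebon describes (example code, not from this issue, rpm-ostree or bootc), the script below prepares a staging root the way a derived-image build step might. The /var/opt and /usr/lib/opt-seed locations and the tmpfiles.d snippet are assumptions of this example, chosen so that the rest of /opt stays immutable while the /var side is recreated on boot.

```shell
#!/bin/sh
# Added example: relocate one writable subpath of /opt into /var and leave the
# rest of the package's /opt tree immutable. Works on a staging root, not the
# running system. Locations under /var/opt and /usr/lib/opt-seed are assumptions.
set -eu

# make_writable_subpath ROOT SUBPATH
#   ROOT    - filesystem root being prepared (e.g. / inside a Containerfile RUN)
#   SUBPATH - path under /opt the software writes to, e.g. /opt/app/data
# Any content the package shipped at SUBPATH is parked under /usr/lib/opt-seed and
# copied to /var on first boot by a tmpfiles.d "C" line; otherwise a "d" line just
# creates the empty directory. SUBPATH itself becomes a symlink into /var/opt.
make_writable_subpath() {
  root=$1; sub=$2
  case "$sub" in
    /opt/*) ;;
    *) echo "subpath must be under /opt: $sub" >&2; return 1 ;;
  esac
  rel=${sub#/opt/}
  target="/var/opt/$rel"              # writable state lives here at runtime
  seed="/usr/lib/opt-seed/$rel"       # shipped defaults, kept in the immutable tree
  conf="$root/usr/lib/tmpfiles.d/opt-writable.conf"
  mkdir -p "$root/usr/lib/tmpfiles.d" "$root$(dirname "$sub")"
  if [ -e "$root$sub" ] && [ ! -L "$root$sub" ]; then
    mkdir -p "$root$(dirname "$seed")"
    mv "$root$sub" "$root$seed"
    printf 'C %s 0755 root root - %s\n' "$target" "$seed" >> "$conf"
  else
    printf 'd %s 0755 root root -\n' "$target" >> "$conf"
  fi
  ln -sfn "$target" "$root$sub"       # only this hole is poked into /opt
}

# Usage: sh this-script.sh ROOT SUBPATH
if [ $# -eq 2 ]; then
  make_writable_subpath "$1" "$2"
fi
```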