Move from OSTree to OCI for updates

[jlebon]

Currently, FCOS pushes updates via an OSTree repo. To better align with the bootable containers initiative, let's move to updating FCOS via a container image. Container images are already being published in https://quay.io/repository/fedora/fedora-coreos.

Note this ticket is separate from #1263, which covers also fleshing out the story of layering. In this ticket, we're strictly scoping the effort to changing the transport used.

[jlebon]

OK, some progress on this:

• release: support OCI image pullspecs stream-metadata-go#75 adds support for a new oci-image key in the release metadata and a new oci-images key in the release index
• Inject oci-image in release metadata and oci-images in release index coreos-assembler#3919 populates those newly supported keys from the base-oscontainer key in the build metadata
• Add support for querying OCI graph fedora-coreos-cincinnati#99 teaches Cincinnati to read those keys and serve an OCI-based graph when the request includes oci=true
• daemon/transaction-types: Support custom origins for digested pullspecs rpm-ostree#5120 teaches rpm-ostree to allow custom origin information when passing a digest pullspec to rpm-ostree rebase

So the next step on this is support in Zincati for a config knob that tells it to request the OCI version of the graph and deploy using rpm-ostree rebase with appropriate custom origin info.

[cgwalters]

Awesome!

[jlebon]

So the next step on this is support in Zincati for a config knob that tells it to request the OCI version of the graph

Instead of a config knob, Zincati can just cue off of the origin. If the OS is on OSTree, query the OSTree graph. If it's on OCI, query the OCI graph. So then the barrier release is just about switching the origin over from OSTree to OCI.

Discussed the rollout plan for this with @travier and @dustymabe:

• Switch next bootimages to deploy-via-container whenever all the code needed has landed in FCOS.
  • This means that only new nodes will be updating via containers to start, giving us a way to bake it before switching updating nodes.
• After X next releases (e.g. 2 or 3), do barrier release to switch origin on existing nodes.
• Switch the testing bootimages to deploy-via-container. If we're still before Beta freeze, just do it. If we're after Beta freeze, do it at GA.
  • Stable follows 2 weeks after.
• After X testing releases, do barrier release to switch origin on existing nodes.
  • Stable follows 2 weeks after.

[jlebon]

One thing we discussed related to this was signing. Currently, the FCOS OCI artifacts are not signed (really, AFAICT none of the Fedora container images are signed either). Ideally, we close that gap before we fully switch over.

At least the OSTree commit inside of the OCI is still signed, but we'd still need to download and extract without any verification. But even then it's not really used in any meaningful way client-side currently because when importing into the OSTree repo, it's the OCI "merge commit" that gets deployed. We'd have to unencapsulate instead and in the process point at the remote OSTree config containing the GPG settings. So yeah... all around much better if we just fix this at the OCI level.

Related Robosignatory issue: https://pagure.io/robosignatory/issue/22

[jlebon]

One thing we discussed related to this was signing.

Was chatting with @cgwalters about this. One interesting note is that the Konflux pipelines building rhel-bootc and centos-bootc do sign container images today. See e.g. the shield icons in https://quay.io/repository/centos-bootc/centos-bootc?tab=tags. Ideally, we also have that setup for fedora-bootc as we bring it up in the Fedora Konflux, and we can piggy-back on it for FCOS too (even if we're not building the whole thing in Konflux just yet).

Otherwise, it should also be possible to make the rpm-ostree consumption of the embedded signature better.

[travier]

The Change Checkpoint: Proposal submission deadline (Self Contained Changes) for F42 is Tue 2025-01-14.

[jlebon]

Re. signing, @travier and I were playing with

$ rpm-ostree rebase ostree-remote-image:fedora:registry:quay.io/fedora/fedora-coreos:testing-devel

and confirmed that it does verify the OSTree signature using the fedora remote. And I now realize this is also how it's set up in Rawhide already. Ideally though, the signing state would also show up in rpm-ostree status or bootc status as it does for the non-OCI case.

Anyway, we still of course want to instead sign the OCI itself but we don't expect that to happen before we move to Konflux.

[cgwalters]

Yes, there's a lot of custom stuff in the ostree-container stack to do this for exactly this reason.

Anyway, we still of course want to instead sign the OCI itself

Yes.

[jlebon]

Ideally though, the signing state would also show up in rpm-ostree status or bootc status as it does for the non-OCI case.

I didn't do exactly this, but I consider it addressed by containers/bootc#1028 and coreos/rpm-ostree#5223. See notably sample output in coreos/rpm-ostree#5223 (comment).

[travier]

We might also have to fix coreos/rpm-ostree#4951 as well.

[jbtrystram]

Related Fedora change request : https://fedoraproject.org/wiki/Changes/CoreOSOstree2OCIUpdates

[jbtrystram]

Documenting the next steps (after coreos/zincati#1241 is merged):

• Release Zincati
• Document steps to take for people that have disabled Zincati
• Prepare a barrier release doing the rebase to OCI
• Write a MOTD explaining what to do if Zincati is disabled (we don't want to force a reboot on people that have disabled Zincati)
• Add an entry to the major changes documation page

[jbtrystram]

So we discussed how to make the switch to OCI through Zincati : running a service to manually rebase through a barrier release would cause two reboots (one to get the update through Zincati, one to rebase to the OCI image), and double the download, causing the second reboot to be outside the Zincati window potentially.

An alternative is to fake out the origin file, causing Zincati to think the deployment is now OCI, so the next update will be fetched through OCI and rebased.
This works but create a cosmetic issue :

[core@cosa-devsh ~]$ rpm-ostree status
State: idle
Deployments:
● ostree-remote-image:fedora:registry:quay.io/fedora/fedora-coreos:testing
             CustomOrigin: Fedora CoreOS testing stream
                  Version: 41.20250105.2.0 (2025-01-06T19:46:25Z)

  (error fetching image metadata)
             CustomOrigin: Fedora CoreOS testing stream
                  Version: 41.20241215.2.0 (2024-12-17T00:07:38Z)

See how rpm-ostree status cannot find the "faked deployment". Though it's cosmetic only, I was able to overlay packages just fine.

[travier]

• Document how to setup/update proxy configuration for the OCI case. Likely based on https://docs.fedoraproject.org/en-US/bootc/proxy/

[jbtrystram]

• Document how to setup/update proxy configuration for the OCI case. Likely based on docs.fedoraproject.org/en-US/bootc/proxy

Seems those docs are based on FCOS docs already https://docs.fedoraproject.org/en-US/fedora-coreos/proxy/

[dustymabe]

We discussed this during the community meeting today:

• ACTION: @jbtrystram to update the change to make clear that bootimages will migrate first, then existing notes after. Also mention clearly that deriving the images won't be supported for now (@jbtrystram:matrix.org, 16:53:17)
• INFO: FCOS will move to default to pulling updates from OCI registry in the F42 time frame. (@dustymabe:matrix.org, 16:56:20)