rpm-ostree is the hybrid image/package system that provides transactional upgrades on Atomic Host. Here are some highlights from version v2017.7, including PolicyKit and experimental overrides support.
As usual, you can test out this release by rebasing your Fedora Atomic Host onto the testing branch. Feel free to also leave karma in the pending Bodhi updates:
Note that this is the final release of rpm-ostree on Fedora 25 as we focus our efforts on Fedora 26.
Experimental support for overrides
The most visible change in this release is the addition of a
new ex subcommand: rpm-ostree ex override (the ex
command groups new features that are not ready to be
declared stable; details of how these commands work may
change in the future).
Whereas the install command allows you to overlay packages
on top of the base commit received from your content
provider, the override command allows you to modify the
set of packages in the base commit itself. For example, you
may want to remove a package that conflicts with an overlay,
or more interestingly, update a package to a newer version
to fix a bug.
Of course, such modifications should be done with care,
since they in effect void
the warranty implied by an
ostree commit. However, these powerful semantics enable us
to take the image/package hybrid paradigm to a new level.
Thanks to rpm-ostree, you can easily keep track of every
deviation from the base image.
The override command supports two subcommands: remove
and replace.
Removal overrides
Not surprisingly, the remove subcommand allows you remove
a base package. Let’s see it in action!
The host below has strace installed and no packages
layered:
# rpm-ostree status
State: idle
Deployments:
* fedora-atomic:fedora/26/x86_64/testing/atomic-host
Version: 26.91 (2017-07-23 09:39:09)
Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
# rpm -q strace
strace-4.18-1.fc26.x86_64
# strace -V
strace -- version 4.18
Copyright (c) 1991-2017 The strace developers <https://strace.io>.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Let’s now add an override to remove strace:
# rpm-ostree ex override remove strace
Checking out tree 20431e5... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2017-07-23 22:35:15
rpm-md repo 'fedora' (cached); generated: 2016-11-15 19:49:18
Importing metadata [===========================================] 100%
Resolving dependencies... done
Applying 1 override... done
Writing rpmdb... done
Writing OSTree commit... done
Copying /etc changes: 25 modified, 0 removed, 628 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Removed:
strace-4.18-1.fc26.x86_64
Run "systemctl reboot" to start a reboot
Let’s confirm that strace is truly gone:
# reboot
...
# rpm-ostree status
State: idle
Deployments:
* fedora-atomic:fedora/26/x86_64/testing/atomic-host
Version: 26.91 (2017-07-23 09:39:09)
BaseCommit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
RemovedBasePackages: strace-4.18-1.fc26.x86_64
fedora-atomic:fedora/26/x86_64/testing/atomic-host
Version: 26.91 (2017-07-23 09:39:09)
Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
# rpm -q strace
package strace is not installed
# strace -V
bash: strace: command not found
We can remove the override by using the reset command:
# rpm-ostree ex override reset strace
Copying /etc changes: 25 modified, 0 removed, 630 added
Transaction complete; bootconfig swap: no deployment count change: 0
Added:
strace-4.18-1.fc26.x86_64
Run "systemctl reboot" to start a reboot
# rpm-ostree status
State: idle
Deployments:
fedora-atomic:fedora/26/x86_64/testing/atomic-host
Version: 26.91 (2017-07-23 09:39:09)
Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
* fedora-atomic:fedora/26/x86_64/testing/atomic-host
Version: 26.91 (2017-07-23 09:39:09)
BaseCommit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
RemovedBasePackages: strace-4.18-1.fc26.x86_64
Replacement overrides
Similarly, the replace subcommand allows you to replace a
base package with a different version. For now, you can only
replace packages using local RPMs.
In this example, instead of removing strace, we will
upgrade it. On this machine, I’ve got v4.17 installed:
# rpm -q strace
strace-4.17-1.fc26.x86_64
I’ve also got the build for the next version, v4.18, handy:
# ls -l strace-*.rpm
-rw-r--r--. 1 root root 659434 Jul 24 16:58 strace-4.18-1.fc26.x86_64.rpm
And now, we can add an override to replace strace:
# rpm-ostree ex override replace strace-4.18-1.fc26.x86_64.rpm
Checking out tree 6f3c6a2... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2017-07-23 22:35:15
rpm-md repo 'fedora' (cached); generated: 2016-11-15 19:49:18
Importing metadata [===========================================] 100%
Resolving dependencies... done
Applying 1 override... done
Writing rpmdb... done
Writing OSTree commit... done
Copying /etc changes: 25 modified, 0 removed, 636 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Upgraded:
strace 4.17-1.fc26 -> 4.18-1.fc26
Run "systemctl reboot" to start a reboot
And finally, let’s reboot to check that it worked:
# reboot
...
# rpm-ostree status
State: idle
Deployments:
* fedora-atomic:fedora/26/x86_64/testing/atomic-host
Version: 26.91 (2017-07-23 09:39:09)
BaseCommit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
ReplacedBasePackages: strace 4.17-1.fc26 -> 4.18-1.fc26
fedora-atomic:fedora/26/x86_64/testing/atomic-host
Version: 26.91 (2017-07-23 09:39:09)
Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
[root@f25-ros-dev2 ~]# rpm -q strace
strace-4.18-1.fc26.x86_64
[root@f25-ros-dev2 ~]# strace -V | grep version
strace -- version 4.18
Of course, this can be used for more meaningful packages as
well, like docker and kubernetes. For example, here I’m
updating kubernetes to the latest build I could find in
Koji (with complete disregard to matching the distro):
# rpm -q kubernetes
kubernetes-1.5.3-1.fc26.x86_64
# kube-apiserver --version
Kubernetes v1.5.3
# # ls -l kubernetes-*.rpm
-rw-r--r--. 1 root root 43446 Jul 24 17:12 kubernetes-1.7.1-1.fc27.x86_64.rpm
-rw-r--r--. 1 root root 22750546 Jul 24 17:54 kubernetes-client-1.7.1-1.fc27.x86_64.rpm
-rw-r--r--. 1 root root 39959790 Jul 24 17:13 kubernetes-master-1.7.1-1.fc27.x86_64.rpm
-rw-r--r--. 1 root root 22432058 Jul 24 17:55 kubernetes-node-1.7.1-1.fc27.x86_64.rpm
# rpm-ostree ex override replace kubernetes-*.rpm
...
Upgraded:
kubernetes 1.5.3-1.fc26 -> 1.7.1-1.fc27
kubernetes-client 1.5.3-1.fc26 -> 1.7.1-1.fc27
kubernetes-master 1.5.3-1.fc26 -> 1.7.1-1.fc27
kubernetes-node 1.5.3-1.fc26 -> 1.7.1-1.fc27
Run "systemctl reboot" to start a reboot
# reboot
...
# rpm-ostree status
State: idle
Deployments:
* fedora-atomic:fedora/26/x86_64/testing/atomic-host
Version: 26.91 (2017-07-23 09:39:09)
BaseCommit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
ReplacedBasePackages: kubernetes-client 1.5.3-1.fc26 -> 1.7.1-1.fc27, kubernetes 1.5.3-1.fc26 -> 1.7.1-1.fc27, kubernetes-node 1.5.3-1.fc26 -> 1.7.1-1.fc27, kubernetes-master 1.5.3-1.fc26 -> 1.7.1-1.fc27
fedora-atomic:fedora/26/x86_64/testing/atomic-host
Version: 26.91 (2017-07-23 09:39:09)
Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
# rpm -q kubernetes
kubernetes-1.7.1-1.fc27.x86_64
# kube-apiserver --version
Kubernetes v1.7.1
We’ll look to cleaning up the status output in the future in cases where multiple related subpackages are updated.
PolicyKit support for D-Bus API
rpm-ostree now ships with a polkit policy. This is primarily
motivated by work underway to support rpm-ostree in GNOME
Software, though it’s useful in the server case as well.
It is currently visible only at the D-Bus API level; for
now, the rpm-ostree CLI tool still needs to be run as root
for most operations. In the future, users will be able to
authenticate directly from the terminal and thus avoid
having to use sudo completely.
Other minor fixes and improvements
There are many other small improvements, here are a few:
rpm-ostree now logs even more information to the journal.
rpm-ostree now shows GPG signatures only in the output of
statusand does so in a less verbose way.
Instead of this output:
GPGSignature: 1 signature
Signature made Fri Jul 7 13:19:06 2017 using RSA key ID 812A6B4B64DAB85D
Good signature from "Fedora 26 Primary <fedora-26-primary@fedoraproject.org>"
rpm-ostree now prints this:
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
As usual, you can see the full list of changes in the release notes.