forked from containers/bootc
Commit
I went through the docs and cleaned some things up, fixed some missing content, etc. Also a patch to `xtask` to make it so that `cargo xtask manpages` works even when $PWD is in `docs`.

Signed-off-by: Colin Walters <[email protected]>
Showing 17 changed files with 208 additions and 88 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -128,58 +128,7 @@ The bootc project aims to support generic/general-purpose operating | |
systems and distributions that will ship unconfigured images. An | ||
unconfigured image does not have a default password or SSH key, etc. | ||
|
||
There are two fundamental ways to handle this: | ||
|
||
### Using cloud-init type flows | ||
|
||
Some operating systems may come with `cloud-init` or similar tools | ||
that know how to e.g. inject SSH keys or external configuration. | ||
|
||
Other tools in this space are: | ||
|
||
- [systemd-firstboot](https://www.freedesktop.org/software/systemd/man/systemd-firstboot.html) | ||
- [gnome-initial-setup](https://gitlab.gnome.org/GNOME/gnome-initial-setup) | ||
|
||
The general idea here is that things like users, passwords and ssh keys | ||
are dynamically created on first boot (and in general managed per-system); | ||
the configuration comes from a place *external* to the image. | ||
|
||
### Injecting configuration into a custom image | ||
|
||
But a new super-power with `bootc` is that you can also easily | ||
create a derived container that injects your desired configuration, | ||
alongside any additional executable code (binaries, packages, scripts, etc). | ||
|
||
The expectation is that most operating systems will be designed such | ||
that user state i.e. `/root` and `/home` will be on a separate, persistent data store. | ||
For example, in the default ostree model, `/root` is `/var/roothome` | ||
and `/home` is `/var/home`. Content in `/var` cannot be shipped | ||
in the image - it is per machine state. | ||
|
||
#### Injecting SSH keys in a container image | ||
|
||
In the following example, we will configure OpenSSH to read the | ||
set of authorized keys for the root user from content | ||
that lives in `/usr` (i.e. is owned by the container image). | ||
We will also create a `/usr/etc-system` directory which is intentionally distinct | ||
from the default ostree `/etc` which may be locally writable. | ||
|
||
The `AuthorizedKeysFile` invocation below then configures sshd to look | ||
for keys in this location. | ||
|
||
```Dockerfile | ||
FROM <image> | ||
RUN mkdir -p /usr/etc-system/ && \ | ||
echo 'AuthorizedKeysFile /usr/etc-system/%u.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ | ||
echo 'ssh-ed25519 AAAAC3Nza... [email protected]' > /usr/etc-system/root.keys && chmod 0600 /usr/etc-system/root.keys && \ | ||
ostree container commit | ||
``` | ||
|
||
A key point here is that now the set of authorized keys is "owned" | ||
by the container image - it will be read-only at runtime because | ||
the files are underneath `/usr`. To rotate or change the set of keys, | ||
one would build a new container image. Client systems using `bootc upgrade` | ||
will transactionally update to this new system state. | ||
For more information, see [Image building and configuration guidance](building/guidance.md). | ||
|
||
## More advanced installation with `to-filesystem` | ||
|
||
|
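Review bot: Deleting the whole "unconfigured images" section (old lines 128-185, including the `#### Injecting SSH keys in a container image` Dockerfile example) leaves the install document with no pointer to where that guidance now lives; the removed text itself linked [Image building and configuration guidance](building/guidance.md), so keep a one-line cross reference in its place so that readers arriving via the old `#injecting-ssh-keys-in-a-container-image` anchor still find the key-rotation model (authorized keys owned by the image under `/usr`, rotated by building a new image and rolled out with `bootc upgrade`). The seven added lines of this hunk are not visible in this rendering, so please confirm they carry that reference rather than only the surviving `## More advanced installation with `to-filesystem`` heading.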
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,10 @@ | ||
# man bootc-fetch-apply-updates.service | ||
|
||
This systemd service and associated `.timer` unit simply invoke | ||
`bootc upgrade --apply`. It is a minimal demonstration of | ||
an "upgrade agent". | ||
|
||
More information: [bootc-upgrade](../man/bootc-upgrade.md). | ||
|
||
The systemd unit is not enabled by default upstream, but it | ||
may be enabled in some operating systems. |
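Review bot: The closing paragraph says the unit "is not enabled by default upstream, but it may be enabled in some operating systems" without telling the reader how to find out or how to change that; add the check and enable commands (`systemctl status bootc-fetch-apply-updates.timer` and `systemctl enable --now bootc-fetch-apply-updates.timer`) next to the existing [bootc-upgrade](../man/bootc-upgrade.md) link, and link the new bootc-rollback man page from this same commit, which warns that a running `bootc-fetch-apply-updates.timer` can revert a `bootc rollback` unless an agent is in active control.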
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -40,4 +40,4 @@ Only changes to the \`spec\` section are honored. | |
|
||
# VERSION | ||
|
||
v0.1.0 | ||
v0.1.9 |
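Review bot: This `# VERSION` bump from v0.1.0 to v0.1.9, repeated identically in five more generated man pages in this commit, shows the committed output of `cargo xtask manpages` had drifted nine releases behind the binary; rather than catching that in a manual docs sweep, add a CI step that runs `cargo xtask manpages` and fails on a non-empty `git diff`, so the version string and, more importantly, the option text in these pages cannot silently go stale again.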
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -31,4 +31,4 @@ string-valued filesystem name suitable for passing to \`mkfs.\$type\`. | |
|
||
# VERSION | ||
|
||
v0.1.0 | ||
v0.1.9 |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -139,4 +139,4 @@ firmware will be skipped | |
|
||
# VERSION | ||
|
||
v0.1.0 | ||
v0.1.9 |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -123,4 +123,4 @@ firmware will be skipped | |
|
||
# VERSION | ||
|
||
v0.1.0 | ||
v0.1.9 |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -139,4 +139,4 @@ mounting. To override this, use \`\--root-mount-spec\`. | |
|
||
# VERSION | ||
|
||
v0.1.0 | ||
v0.1.9 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# NAME | ||
|
||
bootc-rollback - Change the bootloader entry ordering; the deployment | ||
under \`rollback\` will be queued for the next boot, and the current | ||
will become rollback. If there is a \`staged\` entry (an unapplied, | ||
queued upgrade) then it will be discarded | ||
|
||
# SYNOPSIS | ||
|
||
**bootc-rollback** \[**-h**\|**\--help**\] \[**-V**\|**\--version**\] | ||
|
||
# DESCRIPTION | ||
|
||
Change the bootloader entry ordering; the deployment under \`rollback\` | ||
will be queued for the next boot, and the current will become rollback. | ||
If there is a \`staged\` entry (an unapplied, queued upgrade) then it | ||
will be discarded. | ||
|
||
Note that absent any additional control logic, if there is an active | ||
agent doing automated upgrades (such as the default | ||
\`bootc-fetch-apply-updates.timer\` and associated \`.service\`) the | ||
change here may be reverted. Its recommended to only use this in concert | ||
with an agent that is in active control. | ||
|
||
A systemd journal message will be logged with | ||
\`MESSAGE_ID=26f3b1eb24464d12aa5e7b544a6b5468\` in order to detect a | ||
rollback invocation. | ||
|
||
# OPTIONS | ||
|
||
**-h**, **\--help** | ||
|
||
: Print help (see a summary with -h) | ||
|
||
**-V**, **\--version** | ||
|
||
: Print version | ||
|
||
# VERSION | ||
|
||
v0.1.9 |
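Review bot: Typo in the DESCRIPTION at "Its recommended to only use this in concert" (should read "It is recommended"), and the NAME section repeats the full four-line description rather than the one-line summary a man page NAME section should carry; the same text appears again under DESCRIPTION, and the NAME copy also drops the final period. Since this file is generated by `cargo xtask manpages`, fix the wording in the subcommand's doc comment in the CLI source so the next regeneration does not reintroduce it. On the `MESSAGE_ID=26f3b1eb24464d12aa5e7b544a6b5468` paragraph: that identifier is the hook operators will use to detect rollback invocations, so spell out the query form (`journalctl MESSAGE_ID=26f3b1eb24464d12aa5e7b544a6b5468`) so the value is copied from documentation rather than reconstructed from a log sample.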
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -37,4 +37,4 @@ The exact API format is not currently declared stable. | |
|
||
# VERSION | ||
|
||
v0.1.0 | ||
v0.1.9 |