Getting to Know Fedora Silverblue

DevConf.cz 2019

Micah Abbott - @rageear

Principal Quality Engineer - Red Hat

What is Fedora Silverblue?

Fedora Silverblue is...

Fedora

RPMs (delivered via ostree)

Containers

Flatpaks

an immutable host

Awesome!

Immutable Host?

See also: immutable infrastructure

An immutable host is where the OS is delivered in such a way that it is difficult or impossible to modify

Allows for hosts to become disposable (i.e. cattle)

Provides a foundation for repeatable deployments (i.e. phoenix servers)

Typically delivered as image (or image-like artifact)

Previous examples:

Comparing Silverblue to Fedora Workstation

Both share the following:

RPMs from the Fedora ecosystem

Support package installation (although differently)

Can run containers and Flatpaks

Different Filesystem Mutability

Only /var and /etc are writeable on Silverblue

Different Upgrade Mechanisms

Silverblue uses atomic, transactional updates

Running system is not touched during updates (thank you bubblewrap)

You can pull the plug on a Silverblue host during an upgrade

Tradeoff: reboot to get into upgraded OS

Different Delivery Mechanisms

Silverblue has OS delivered as OSTree commit

Although both can install packages as RPMs

What is ostree + rpm-ostree?

(lib)ostree can be simplified as "git for operating systems"

Files are checksummed + tracked via content-addressed object store

Files are de-duplicated via hardlinks

Can handle bootloader configuration, management of /etc


$ ostree --repo=/var/srv/repo init --mode=archive
$ mkdir /tmp/tree && cd /tmp/tree
$ echo "foo" > 1
$ echo "bar" > 2
$ mkdir subdir
$ cp /usr/share/dict/words subdir/words

$ ostree commit --repo=/var/srv/repo --branch=master --subject="initial commit"
9e18627134f378b4e433a9a8fee429b875b26d41e236672f1f58366492691a6d

$ cd $(mktemp -d)
$ ostree --repo=/var/srv/repo checkout master
$ ls -l master/
total 8
-rw-rw-r--. 2 miabbott miabbott  4 Dec 31  1969 1
-rw-rw-r--. 2 miabbott miabbott  4 Dec 31  1969 2
drwxrwxr-x. 2 miabbott miabbott 60 Dec 31  1969 subdir
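To make the "git for operating systems" picture concrete, here is an added illustration (Python, written for this page; it is not libostree code and does not come from the talk) of a toy content-addressed store: every file is stored once under its SHA-256 digest, a commit is a manifest of digest/path pairs, a checkout is a set of hardlinks into the store (as ostree does for bare-mode repositories), and an fsck pass recomputes digests to catch an object that was modified in place. The object layout, the `ToyRepo` and `demo` names, and the sample files are assumptions of this example; real ostree also hashes uid, gid, mode and xattrs into a file object's name and uses a different manifest format.

```python
"""Toy content-addressed object store in the spirit of libostree.

Added illustration for the slides above; it is not libostree code and uses a
simplified object format. Files are stored once under their SHA-256 digest,
a commit is a manifest of (digest, path) pairs, checkouts are hardlinks into
the store, and fsck recomputes digests to detect tampered objects.
"""
import hashlib
import os
import tempfile
from pathlib import Path


class ToyRepo:
    def __init__(self, root: Path):
        self.objects = root / "objects"
        self.refs = root / "refs"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.refs.mkdir(parents=True, exist_ok=True)

    def _object_path(self, digest: str, kind: str) -> Path:
        # ostree-style fan-out directory: objects/<2 hex>/<62 hex>.<kind>
        return self.objects / digest[:2] / f"{digest[2:]}.{kind}"

    def _store(self, data: bytes, kind: str) -> str:
        digest = hashlib.sha256(data).hexdigest()
        path = self._object_path(digest, kind)
        if not path.exists():  # identical content is written exactly once
            path.parent.mkdir(exist_ok=True)
            path.write_bytes(data)
        return digest

    def commit(self, tree: Path, branch: str) -> str:
        # Real ostree also hashes uid/gid/mode/xattrs into a file object's name;
        # this toy hashes content only, so the manifest carries just the path.
        lines = []
        for p in sorted(tree.rglob("*")):
            if p.is_file():
                digest = self._store(p.read_bytes(), "file")
                lines.append(f"{digest} {p.relative_to(tree).as_posix()}")
        commit_digest = self._store("\n".join(lines).encode(), "commit")
        (self.refs / branch).write_text(commit_digest)
        return commit_digest

    def checkout(self, branch: str, dest: Path) -> int:
        """Materialize a branch under dest using hardlinks; returns the file count."""
        commit_digest = (self.refs / branch).read_text()
        manifest = self._object_path(commit_digest, "commit").read_text()
        count = 0
        for line in manifest.splitlines():
            digest, rel = line.split(" ", 1)
            out = dest / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            os.link(self._object_path(digest, "file"), out)  # no copy: a hardlink
            count += 1
        return count

    def fsck(self) -> list:
        """Return objects whose content no longer matches the digest in their name."""
        bad = []
        for path in sorted(self.objects.glob("*/*")):
            expected = path.parent.name + path.name.split(".", 1)[0]
            if hashlib.sha256(path.read_bytes()).hexdigest() != expected:
                bad.append(str(path.relative_to(self.objects)))
        return bad


def demo() -> dict:
    """Build a tree like the one on the slides (plus one duplicate file) and exercise the repo."""
    work = Path(tempfile.mkdtemp(prefix="toy-ostree-"))
    repo = ToyRepo(work / "repo")
    tree = work / "tree"
    (tree / "subdir").mkdir(parents=True)
    (tree / "1").write_text("foo\n")
    (tree / "2").write_text("bar\n")
    # constructed stand-in for /usr/share/dict/words
    (tree / "subdir" / "words").write_text("alpha\nbeta\ngamma\n")
    (tree / "subdir" / "copy").write_text("foo\n")  # same bytes as "1"
    first = repo.commit(tree, "master")
    second = repo.commit(tree, "master")  # unchanged tree -> identical commit id
    co = work / "checkout"
    files = repo.checkout("master", co)
    clean = repo.fsck()
    # Editing a checked-out file in place writes through the hardlink into the
    # object store, which is why ostree keeps deployments read-only.
    with open(co / "2", "ab") as fh:
        fh.write(b"tampered\n")
    return {
        "same_commit": first == second,
        "files_checked_out": files,
        "file_objects": len(list(repo.objects.glob("*/*.file"))),  # 3 unique contents
        "nlink_of_1": os.stat(co / "1").st_nlink,  # object + "1" + "subdir/copy"
        "nlink_of_2": os.stat(co / "2").st_nlink,  # object + "2"
        "clean_fsck": clean,
        "tampered_objects": repo.fsck(),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the output shows that the slide cannot: committing the same tree twice yields the same commit id (content addressing), and a file that is modified through its checkout shows up in fsck because the object store and the checkout share one inode.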

Quoting the rpm-ostree documentation...

rpm-ostree is a hybrid image/package system

Uses libostree as the base image format

Accepts RPMs on the server side for composes and client side for package layering using libdnf

Primary entrypoint for managing your Silverblue OS

Managing the Silverblue OS

Current status: rpm-ostree status


$ rpm-ostree status -a
State: idle                                                                                                                                                                                                       
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 6 days ago
Deployments:                                                             
  ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190119.0 (2019-01-19T00:53:06Z)
                BaseCommit: f027d3d70a4da161200382ad85c16ff1b6b5c4c05d357b962ed10fda6f2dc395
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
             SecAdvisories: FEDORA-2019-a8ffcff7ee  Low        openssl-1:1.1.1a-1.fc29.x86_64
                            FEDORA-2019-a8ffcff7ee  Low        openssl-libs-1:1.1.1a-1.fc29.x86_64
                              CVE-2018-0495 OpenSSL: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries [fedora-all]
                              https://bugzilla.redhat.com/show_bug.cgi?id=1591170
                              CVE-2018-0735 openssl: timing side channel attack in ECDSA signature generation [fedora-all]
                              https://bugzilla.redhat.com/show_bug.cgi?id=1644357
                              CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm [fedora-all]
                              https://bugzilla.redhat.com/show_bug.cgi?id=1644366
                            FEDORA-2019-ae92ca8981  Low        libjpeg-turbo-2.0.0-3.fc29.x86_64
                              CVE-2018-19664 libjpeg-turbo: heap-based buffer over-read in the put_pixel_rows function in wrbmp.c [fedora-all]
                              https://bugzilla.redhat.com/show_bug.cgi?id=1656219
                              CVE-2018-20330 libjpeg-turbo: heap-based buffer overflow in tjLoadImage [fedora-all]
                              https://bugzilla.redhat.com/show_bug.cgi?id=1665224
                            FEDORA-2019-f812c9fb22  Moderate   kernel-headers-4.19.15-300.fc29.x86_64
                              CVE-2019-3459 kernel: Heap address information leak while using L2CAP_GET_CONF_OPT
                              https://bugzilla.redhat.com/show_bug.cgi?id=1663176
                              CVE-2019-3460 kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP
                              https://bugzilla.redhat.com/show_bug.cgi?id=1663179
                      Diff: 42 upgraded, 1 removed
           LayeredPackages: cockpit-bridge compat-ffmpeg28 ffmpeg-libs krb5-workstation libvirt libvirt-client libvirt-daemon-kvm libvirt-devel qemu-kvm tmux vagrant-libvirt vim-enhanced virt-install
                            virt-manager

● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190117.0 (2019-01-17T00:55:06Z)
                BaseCommit: ef211d6ba2a0facdc6f1d12f77fe99451286a43f9a093fdffb9dd6f595b8a06f
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
           LayeredPackages: cockpit-bridge compat-ffmpeg28 ffmpeg-libs krb5-workstation libvirt libvirt-client libvirt-daemon-kvm libvirt-devel qemu-kvm tmux vagrant-libvirt vim-enhanced virt-install
                            virt-manager

  ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190115.0 (2019-01-15T01:10:09Z)
                BaseCommit: 563df16841c048e9c43e83adf2fff952aafcea40495b2a95b8365f7b13443add
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
           LayeredPackages: cockpit-bridge compat-ffmpeg28 ffmpeg-libs krb5-workstation libvirt libvirt-client libvirt-daemon-kvm libvirt-devel qemu-kvm tmux vagrant-libvirt vim-enhanced virt-install
                            virt-manager

Upgrades!

rpm-ostree upgrade


$ sudo rpm-ostree upgrade
⠒ Receiving objects: 99% (5991/5992) 2.8 MB/s 283.0 MB
Receiving objects: 99% (5991/5992) 2.8 MB/s 283.0 MB... done
Staging deployment... done
Upgraded:
  alsa-lib 1.1.7-3.fc29 -> 1.1.8-1.fc29
  alsa-plugins-pulseaudio 1.1.7-2.fc29 -> 1.1.8-1.fc29
  alsa-ucm 1.1.7-3.fc29 -> 1.1.8-1.fc29
  alsa-utils 1.1.7-2.fc29 -> 1.1.8-2.fc29
  dbxtool 8-7.fc29 -> 8-8.fc29
  evolution-data-server 3.30.3-1.fc29 -> 3.30.4-1.fc29
  evolution-data-server-langpacks 3.30.3-1.fc29 -> 3.30.4-1.fc29
  firefox 64.0-4.fc29 -> 64.0-7.fc29
  fwupd 1.1.4-1.fc29 -> 1.2.3-1.fc29
  gnupg2 2.2.11-1.fc29 -> 2.2.12-1.fc29
  gnupg2-smime 2.2.11-1.fc29 -> 2.2.12-1.fc29
  krb5-libs 1.16.1-23.fc29 -> 1.16.1-24.fc29
  libgxps 0.3.0-6.fc29 -> 0.3.1-1.fc29
  libical 3.0.3-7.fc29 -> 3.0.4-1.fc29
  libinput 1.12.4-1.fc29 -> 1.12.5-1.fc29
  libreport-filesystem 2.9.7-1.fc29 -> 2.9.7-2.fc29
  libxml2 2.9.8-4.fc29 -> 2.9.8-5.fc29
  openconnect 7.08-10.fc29 -> 8.01-1.fc29
  pipewire 0.2.5-1.fc29 -> 0.2.5-2.fc29
  pipewire-libs 0.2.5-1.fc29 -> 0.2.5-2.fc29
  python3 3.7.1-4.fc29 -> 3.7.2-1.fc29
  python3-libs 3.7.1-4.fc29 -> 3.7.2-1.fc29
  python3-libxml2 2.9.8-4.fc29 -> 2.9.8-5.fc29
  qgnomeplatform 0.5-5.fc29 -> 0.5-6.fc29
  qt5-qtbase 5.11.1-9.fc29 -> 5.11.3-1.fc29
  qt5-qtbase-common 5.11.1-9.fc29 -> 5.11.3-1.fc29
  qt5-qtbase-gui 5.11.1-9.fc29 -> 5.11.3-1.fc29
  qt5-qtdeclarative 5.11.1-3.fc29 -> 5.11.3-1.fc29
  qt5-qtxmlpatterns 5.11.1-3.fc29 -> 5.11.3-1.fc29
  vim-minimal 2:8.1.575-1.fc29 -> 2:8.1.702-1.fc29
Removed:
  libmodulemd-1.7.0-1.fc29.x86_64
Added:
  compat-openssl10-1:1.0.2o-3.fc29.x86_64
  gc-7.6.4-4.fc29.x86_64
  gdbm-1:1.18-1.fc29.x86_64
  guile-5:2.0.14-12.fc29.x86_64
  libatomic_ops-7.6.6-1.fc29.x86_64
  libmodulemd1-1.8.0-1.fc29.x86_64
  libxmlb-0.1.6-1.fc29.x86_64
  make-1:4.2.1-10.fc29.x86_64
  python-unversioned-command-2.7.15-11.fc29.noarch
  python2-2.7.15-11.fc29.x86_64
  python2-libs-2.7.15-11.fc29.x86_64
  python2-pip-18.1-1.fc29.noarch
  python2-setuptools-40.4.3-1.fc29.noarch
  tpm2-abrmd-2.0.3-2.fc29.x86_64
  tpm2-abrmd-selinux-2.0.0-2.fc29.noarch
  tpm2-tools-3.1.3-2.fc29.x86_64
  tpm2-tss-2.1.0-1.fc29.x86_64
Run "systemctl reboot" to start a reboot

Reboot into the new deployment...


$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                    Commit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4

  ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190105.0 (2019-01-05T01:14:13Z)
                    Commit: 8bc882c6b40c526b63a0197fe7e0df31149255b9429f224937a7ee6e3415753d
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4

What if the upgrade is bad?

rpm-ostree rollback


$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                    Commit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4

  ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190105.0 (2019-01-05T01:14:13Z)
                    Commit: 8bc882c6b40c526b63a0197fe7e0df31149255b9429f224937a7ee6e3415753d
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4

$ sudo rpm-ostree rollback
Moving '8bc882c6b40c526b63a0197fe7e0df31149255b9429f224937a7ee6e3415753d.0' to be first deployment
Transaction complete; bootconfig swap: yes; deployment count change: 0
Downgraded:
  alsa-lib 1.1.8-1.fc29 -> 1.1.7-3.fc29
  alsa-plugins-pulseaudio 1.1.8-1.fc29 -> 1.1.7-2.fc29
  alsa-ucm 1.1.8-1.fc29 -> 1.1.7-3.fc29
  alsa-utils 1.1.8-2.fc29 -> 1.1.7-2.fc29
  dbxtool 8-8.fc29 -> 8-7.fc29
  evolution-data-server 3.30.4-1.fc29 -> 3.30.3-1.fc29
  evolution-data-server-langpacks 3.30.4-1.fc29 -> 3.30.3-1.fc29
  firefox 64.0-7.fc29 -> 64.0-4.fc29
  fwupd 1.2.3-1.fc29 -> 1.1.4-1.fc29
  gnupg2 2.2.12-1.fc29 -> 2.2.11-1.fc29
  gnupg2-smime 2.2.12-1.fc29 -> 2.2.11-1.fc29
  krb5-libs 1.16.1-24.fc29 -> 1.16.1-23.fc29
  libgxps 0.3.1-1.fc29 -> 0.3.0-6.fc29
  libical 3.0.4-1.fc29 -> 3.0.3-7.fc29
  libinput 1.12.5-1.fc29 -> 1.12.4-1.fc29
  libreport-filesystem 2.9.7-2.fc29 -> 2.9.7-1.fc29
  libxml2 2.9.8-5.fc29 -> 2.9.8-4.fc29
  openconnect 8.01-1.fc29 -> 7.08-10.fc29
  pipewire 0.2.5-2.fc29 -> 0.2.5-1.fc29
  pipewire-libs 0.2.5-2.fc29 -> 0.2.5-1.fc29
  python3 3.7.2-1.fc29 -> 3.7.1-4.fc29
  python3-libs 3.7.2-1.fc29 -> 3.7.1-4.fc29
  python3-libxml2 2.9.8-5.fc29 -> 2.9.8-4.fc29
  qgnomeplatform 0.5-6.fc29 -> 0.5-5.fc29
  qt5-qtbase 5.11.3-1.fc29 -> 5.11.1-9.fc29
  qt5-qtbase-common 5.11.3-1.fc29 -> 5.11.1-9.fc29
  qt5-qtbase-gui 5.11.3-1.fc29 -> 5.11.1-9.fc29
  qt5-qtdeclarative 5.11.3-1.fc29 -> 5.11.1-3.fc29
  qt5-qtxmlpatterns 5.11.3-1.fc29 -> 5.11.1-3.fc29
  vim-minimal 2:8.1.702-1.fc29 -> 2:8.1.575-1.fc29
Removed:
  compat-openssl10-1:1.0.2o-3.fc29.x86_64
  gc-7.6.4-4.fc29.x86_64
  gdbm-1:1.18-1.fc29.x86_64
  guile-5:2.0.14-12.fc29.x86_64
  libatomic_ops-7.6.6-1.fc29.x86_64
  libmodulemd1-1.8.0-1.fc29.x86_64
  libxmlb-0.1.6-1.fc29.x86_64
  make-1:4.2.1-10.fc29.x86_64
  python-unversioned-command-2.7.15-11.fc29.noarch
  python2-2.7.15-11.fc29.x86_64
  python2-libs-2.7.15-11.fc29.x86_64
  python2-pip-18.1-1.fc29.noarch
  python2-setuptools-40.4.3-1.fc29.noarch
  tpm2-abrmd-2.0.3-2.fc29.x86_64
  tpm2-abrmd-selinux-2.0.0-2.fc29.noarch
  tpm2-tools-3.1.3-2.fc29.x86_64
  tpm2-tss-2.1.0-1.fc29.x86_64
Added:
  libmodulemd-1.7.0-1.fc29.x86_64
Run "systemctl reboot" to start a reboot

$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
  ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190105.0 (2019-01-05T01:14:13Z)
                    Commit: 8bc882c6b40c526b63a0197fe7e0df31149255b9429f224937a7ee6e3415753d
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4

● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                    Commit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4

Switching major versions

rpm-ostree rebase


$ sudo ostree remote add --set=gpgkeypath=/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-28-primary silverblue-28 https://kojipkgs.fedoraproject.org/atomic/repo/
$ sudo rpm-ostree rebase silverblue-28:fedora/28/x86_64/workstation
⠚ Receiving objects: 99% (50480/50485) 1.4 MB/s 1.3 GB
Receiving objects: 99% (50480/50485) 1.4 MB/s 1.3 GB... done
Staging deployment... done
Upgraded:
  buildah 1.5-1.gite94b4f9.fc29 -> 1.5-2.gite94b4f9.fc28
  nss 3.41.0-1.fc29 -> 3.41.0-3.fc28
  nss-softokn 3.41.0-1.fc29 -> 3.41.0-3.fc28
...
$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
  ostree://silverblue-28:fedora/28/x86_64/workstation
                   Version: 28.20190111.0 (2019-01-11T02:39:24Z)
                    Commit: 30d4e5835197933310c9894ff74aed2f66a570273258966d65d0aa755b5641af
              GPGSignature: Valid signature by 128CF232A9371991C8A65695E08E7E629DB62FB1

● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                    Commit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4

Switching the entire OS?!


$ sudo ostree remote add  --no-gpg-verify centos-atomic-host  http://mirror.centos.org/centos/7/atomic/x86_64/repo
$ sudo rpm-ostree rebase centos-atomic-host:centos-atomic-host/7/x86_64/standard
⠓ Receiving objects: 99% (16208/16253) 933.5 kB/s 544.2 MB
Receiving objects: 99% (16208/16253) 933.5 kB/s 544.2 MB... done
Staging deployment... done
Upgraded:
  device-mapper 1.02.154-1.fc29 -> 7:1.02.149-10.el7_6.2
  device-mapper-event 1.02.154-1.fc29 -> 7:1.02.149-10.el7_6.2
  device-mapper-event-libs 1.02.154-1.fc29 -> 7:1.02.149-10.el7_6.2
  device-mapper-libs 1.02.154-1.fc29 -> 7:1.02.149-10.el7_6.2
...
$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
  ostree://centos-atomic-host:centos-atomic-host/7/x86_64/standard
                   Version: 7.1812 (2019-01-10T22:08:06Z)
                    Commit: 4b209055c332f3008348b06b06c92e7ab785f4cc2c28aee42fc054711f2c3670

● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                    Commit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
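Note that the CentOS Atomic Host deployment in the status output above carries no GPGSignature line, consistent with its remote having been added with --no-gpg-verify. On a fleet, that is the kind of drift worth catching automatically. The following is an added example (Python, not rpm-ostree's code and not from the talk) that audits the JSON form of the status output: it flags deployments from unexpected remotes, deployments whose remote has GPG verification disabled or whose commit has no recorded signature, layered packages outside an approved set, and base-package overrides. The sample document is constructed to mirror the two deployments shown above; of its field names only deployments[].checksum appears on these slides (in the podman/jq example further down), while origin, version, booted, gpg-enabled, signatures, packages, base-removals and base-local-replacements follow rpm-ostree's JSON output as this example's author knows it and are assumptions here. The policy sets are likewise constructed.

```python
"""Audit rpm-ostree deployments from `rpm-ostree status --json`.

Added example, not part of rpm-ostree or the talk. SAMPLE_STATUS is constructed
to mirror the two deployments in the status output on the slides: the staged
CentOS Atomic Host deployment from a --no-gpg-verify remote and the booted,
signed Silverblue deployment. Field names other than deployments[].checksum
are assumptions based on rpm-ostree's JSON output.
"""
import json
from typing import Dict, Iterable, List

SAMPLE_STATUS = json.loads("""
{
  "deployments": [
    {
      "origin": "centos-atomic-host:centos-atomic-host/7/x86_64/standard",
      "version": "7.1812",
      "checksum": "4b209055c332f3008348b06b06c92e7ab785f4cc2c28aee42fc054711f2c3670",
      "booted": false,
      "gpg-enabled": false,
      "signatures": [],
      "packages": [],
      "base-removals": [],
      "base-local-replacements": []
    },
    {
      "origin": "fedora-workstation:fedora/29/x86_64/silverblue",
      "version": "29.20190112.0",
      "checksum": "ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337",
      "booted": true,
      "gpg-enabled": true,
      "signatures": ["<signature data elided in this constructed sample>"],
      "packages": ["jq"],
      "base-removals": [],
      "base-local-replacements": []
    }
  ]
}
""")

# Constructed fleet policy for this example: which ostree remotes a host may
# run from, and which layered packages are approved (package layering being a
# last resort, as the slides put it).
EXPECTED_REMOTES = {"fedora-workstation"}
APPROVED_LAYERED = {"cockpit-bridge", "tmux", "vim-enhanced"}


def booted_deployment(status: Dict) -> Dict:
    """Return the deployment the host is currently running."""
    for d in status.get("deployments", []):
        if d.get("booted"):
            return d
    raise ValueError("no booted deployment in status output")


def audit_deployments(status: Dict,
                      expected_remotes: Iterable[str] = EXPECTED_REMOTES,
                      approved_layered: Iterable[str] = APPROVED_LAYERED) -> List[str]:
    """Return one finding string per policy violation across all deployments."""
    expected_remotes = set(expected_remotes)
    approved_layered = set(approved_layered)
    findings: List[str] = []
    for d in status.get("deployments", []):
        origin = d.get("origin", "")
        remote = origin.split(":", 1)[0]  # "remote:ref" -> remote name
        tag = f"{origin} ({d.get('checksum', '')[:7]})"
        if remote not in expected_remotes:
            findings.append(f"{tag}: remote '{remote}' is not an expected remote")
        if not d.get("gpg-enabled", False):
            findings.append(f"{tag}: GPG verification is disabled for this remote")
        if not d.get("signatures"):
            findings.append(f"{tag}: commit has no recorded GPG signature")
        extra = sorted(set(d.get("packages", [])) - approved_layered)
        if extra:
            findings.append(f"{tag}: unapproved layered packages: {', '.join(extra)}")
        if d.get("base-removals"):
            findings.append(f"{tag}: base packages removed via override")
        if d.get("base-local-replacements"):
            findings.append(f"{tag}: base packages replaced via override")
    return findings


if __name__ == "__main__":
    print("booted:", booted_deployment(SAMPLE_STATUS)["version"])
    for line in audit_deployments(SAMPLE_STATUS):
        print(line)
```

On a real host the input would be `json.load` of `rpm-ostree status --json`; the three findings for the CentOS deployment (unexpected remote, verification disabled, no signature) are exactly the conditions behind the missing GPGSignature line above, and the fourth flags the layered jq package from the package-layering example.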

Package Layering

Paradigm is to use containers; package layering is a last resort (IMO)

Also useful for "host extensions" - libvirt, pcsc-lite

Creates a new ostree commit that includes package changes

Able to override base package set with remove/replace

Package layers are tracked with base OS; can be upgraded

Examples!

rpm-ostree install/uninstall


$ sudo rpm-ostree install jq
Checking out tree ad2a133... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2019-01-12T01:49:26Z
rpm-md repo 'fedora' (cached); generated: 2018-10-24T22:20:15Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 2 packages (355.6 kB)
Downloading from 'fedora'... done
Downloading from 'updates'... done
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
Added:
  jq-1.5-13.fc29.x86_64
  oniguruma-6.9.1-1.fc29.x86_64
Run "systemctl reboot" to start a reboot

$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
  ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                BaseCommit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
           LayeredPackages: jq

● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                    Commit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
$ jq
-bash: jq: command not found

More Examples!

rpm-ostree override replace


$ sudo rpm-ostree override replace https://kojipkgs.fedoraproject.org//packages/podman/0.10.1.3/4.gitdb08685.fc29/x86_64/podman-0.10.1.3-4.gitdb08685.fc29.x86_64.rpm
Downloading 'https://kojipkgs.fedoraproject.org//packages/podman/0.10.1.3/4.gitdb08685.fc29/x86_64/podman-0.10.1.3-4.gitdb08685.fc29.x86_64.rpm'... done!
Checking out tree ad2a133... done
Enabled rpm-md repositories: updates fedora
Updating metadata for 'updates'... done
rpm-md repo 'updates'; generated: 2019-01-12T01:49:26Z
Updating metadata for 'fedora'... done
rpm-md repo 'fedora'; generated: 2018-10-24T22:20:15Z
Importing rpm-md... done
Resolving dependencies... done
Applying 1 override
Processing packages... done
Running pre scripts... done
Running post scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
Downgraded:
  podman 1:0.12.1.2-1.git9551f6b.fc29 -> 1:0.10.1.3-4.gitdb08685.fc29
Run "systemctl reboot" to start a reboot

$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
  ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                BaseCommit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
      ReplacedBasePackages: podman 1:0.12.1.2-1.git9551f6b.fc29 -> 1:0.10.1.3-4.gitdb08685.fc29

● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                    Commit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4

Another Example!

rpm-ostree override remove


$ rpm -ql virtualbox-guest-additions | grep /usr/bin
/usr/bin/VBoxClient
/usr/bin/VBoxClient-all
/usr/bin/VBoxControl

$ sudo rpm-ostree override remove virtualbox-guest-additions
Checking out tree ad2a133... done
Resolving dependencies... done
Applying 1 override
Processing packages... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
Removed:
  virtualbox-guest-additions-5.2.22-1.fc29.x86_64
Run "systemctl reboot" to start a reboot
...

$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20190112.0 (2019-01-12T00:49:46Z)
                BaseCommit: ad2a133614fb3d72f9e7e11acc8f8a9d246a8112d14d03a455cb094db307f337
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
       RemovedBasePackages: virtualbox-guest-additions-5.2.22-1.fc29.x86_64
...

$ ls -l /usr/bin/VBoxClient
ls: cannot access '/usr/bin/VBoxClient': No such file or directory

Containers and Container Tools

Containers are Linux

Except for FreeBSD jails and Solaris zones...shhhhh

cgroups, user namespaces, network namespaces...

Popularized via Docker and adoption of microservices

Usually a single process per container (usually...)

Previous Tooling

Don't say the D-word or you make Dan Walsh weep

Also, stop disabling SELinux - https://stopdisablingselinux.com/

New Hotness!

A new set of tooling in the form of buildah, podman, skopeo, and fedora-toolbox


Buildah - use it to build your containers images

Podman - use it to run and manage your containers

Skopeo - use it to inspect registries, copy container images

Fedora Toolbox - use it to create "pet" development containers

Buildah

Supports building container images from Dockerfiles

Can mount working container filesystem for manipulation

Supports OCI image format and Docker image format


$ ctr=$(sudo buildah from scratch)
$ mp=$(sudo buildah mount $ctr)
$ sudo dnf -y --installroot=$mp --releasever=29 install jq
...
$ sudo buildah commit $ctr jq
$ sudo buildah unmount $ctr
$ sudo buildah rm $ctr

$ sudo buildah images
IMAGE NAME                                               IMAGE TAG            IMAGE ID             CREATED AT             SIZE
localhost/jq                                             latest               17bf11dbaf8a         Jan 13, 2019 14:31     444 MB

Podman

Intended as a drop-in replacement for (most of) docker CLI

Supports OCI image format and Docker image format

Doesn't require a daemon running (#nobigfatdaemons)

Full management of container life cycle

Can run containers unprivileged (experimental)


$ sudo buildah images
IMAGE NAME                                               IMAGE TAG            IMAGE ID             CREATED AT             SIZE
localhost/jq                                             latest               17bf11dbaf8a         Jan 13, 2019 14:31     444 MB

$ sudo podman images
REPOSITORY     TAG      IMAGE ID       CREATED         SIZE
localhost/jq   latest   17bf11dbaf8a   9 minutes ago   444 MB

$ rpm-ostree status --json | sudo podman run --rm -i localhost/jq /usr/bin/jq -C .deployments[]?.checksum
"6792650074abcb68f9f165c2eb63d9a419a01cc619adcd598b83bf93fca1efaa"
"a83a471e89cb2a292406ca81a3a994d0399453d0f7c7734db0e4185e4f85d28e"

Skopeo

Copy an image from and to various storage mechanisms

Delete an image from an image repository

Inspect a remote image showing its properties including its layers


$ skopeo inspect docker://registry.fedoraproject.org/fedora:latest
{
    "Name": "registry.fedoraproject.org/fedora",
    "Digest": "sha256:62a63551532c29d266342c2a36282a094e980a8bb1077be10f3ea72f265cfb16",
    "RepoTags": [
        "24",
        "25",
        "26-modular",
        "26",
        "27-aarch64",
        "27-armhfp",
        "27-ppc64le",
        "27-x86_64",
        "27",
        "28-aarch64",
        "28-armhfp",
        "28-ppc64le",
        "28-x86_64",
        "28",
        "29-aarch64",
        "29-ppc64le",
        "29-s390x",
        "29-x86_64",
        "29",
        "30-aarch64",
        "30-ppc64le",
        "30-s390x",
        "30-x86_64",
        "30",
        "latest",
        "rawhide",
        "30-armhfp",
        "29-armhfp"
    ],
    "Created": "2019-01-09T06:48:29Z",
    "DockerVersion": "1.10.1",
    "Labels": {
        "license": "MIT",
        "name": "fedora",
        "vendor": "Fedora Project",
        "version": "29"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:472dbbf50fa66a103d664a1af893a9b4cd9b06524ddb8fa2d1ae04bb4c405749"
    ]
}

Fedora Toolbox

Creates a fully mutable container for installing dev tools (or any package)

Runs rootless container (i.e. no 'sudo podman run')

Can be package layered as an RPM or run directly as a script

Automagically mounts in your $HOME directory

Flatpaks

Containers for GUI apps

Uses libostree to store runtimes + apps on disk

Uses bubblewrap to let unprivileged users set up + run containers

DBus, systemd, Appstream metadata...

Apps are distributed in the OCI image format

Allows for distribution of apps on any flavor of Linux

In action...


$ flatpak --user remote-add flathub https://flathub.org/repo/flathub.flatpakrepo

$ flatpak --user search spotify
Application ID                   Version    Branch Remotes Description
com.spotify.Client               1.0.96.181 stable flathub Online music streaming service
org.clementine_player.Clementine 1.3.1-git  stable flathub Plays music files and Internet radio

$ flatpak --user install flathub com.spotify.Client
Required runtime for com.spotify.Client/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/18.08) found in remote flathub
Do you want to install it? [y/n]: y
Installing in user:
org.freedesktop.Platform/x86_64/18.08              flathub 527965a0652d
org.freedesktop.Platform.Locale/x86_64/18.08       flathub db13dbb8145b
org.freedesktop.Platform.html5-codecs/x86_64/18.08 flathub 6347e3aa5a5c
com.spotify.Client/x86_64/stable                   flathub 8f0a500bf0ed
  permissions: ipc, network, pulseaudio, x11, dri
  file access: xdg-music:ro, xdg-pictures:ro
  dbus access: org.freedesktop.Notifications, org.gnome.SessionManager, org.gnome.SettingsDaemon
  dbus ownership: org.mpris.MediaPlayer2.spotify
  tags: proprietary
Is this ok [y/n]: y
Installing for user: org.freedesktop.Platform/x86_64/18.08 from flathub
[####################] 776 metadata, 12606 content objects fetched; 268834 KiB transferred in 106 seconds
Now at 527965a0652d.
Installing for user: org.freedesktop.Platform.Locale/x86_64/18.08 from flathub
[####################] 4 metadata, 1 content objects fetched; 16 KiB transferred in 0 seconds
Now at db13dbb8145b.
Installing for user: org.freedesktop.Platform.html5-codecs/x86_64/18.08 from flathub
[####################] 22 metadata, 127 content objects fetched; 2722 KiB transferred in 1 seconds
Now at 6347e3aa5a5c.
Installing for user: com.spotify.Client/x86_64/stable from flathub
[####################] Downloading files: 1024/1024 118.6 MB (3.4 MB/s)
Now at 8f0a500bf0ed.

$ flatpak --user list
Ref                                                Options
com.spotify.Client/x86_64/stable                   user,current
org.freedesktop.Platform.html5-codecs/x86_64/18.08 user,runtime
org.freedesktop.Platform/x86_64/18.08              user,runtime
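The permissions, file access, dbus access and dbus ownership lines in the install prompt above are the sandbox configuration from the app's metadata file (`flatpak info --show-metadata <app-id>` prints it). As an added example (Python, written for this page; not Flatpak's code and not from the talk), here is a small reviewer that parses such a metadata file and flags the entries that matter most when deciding whether to install an app: the x11 socket (X11 gives every client access to other clients' windows and input), unfiltered session or system bus access, all devices, host or home filesystem access, and talk access to org.freedesktop.Flatpak (the host service that can run commands outside the sandbox). Both metadata documents are constructed: the first mirrors what the com.spotify.Client prompt above reports, the second (org.example.WideOpen) is a hypothetical app that opts out of nearly all sandboxing.

```python
"""Review the sandbox permissions a Flatpak asks for, from its metadata file.

Added illustration, not part of Flatpak or the slides. Both metadata
documents are constructed; SPOTIFY_LIKE mirrors the permissions reported by
the com.spotify.Client install prompt on the slides, WIDE_OPEN is a
hypothetical app that effectively opts out of the sandbox.
"""
import configparser
from typing import Dict, List, Tuple

SPOTIFY_LIKE = """\
[Application]
name=com.spotify.Client
runtime=org.freedesktop.Platform/x86_64/18.08
command=spotify
tags=proprietary;

[Context]
shared=ipc;network;
sockets=x11;pulseaudio;
devices=dri;
filesystems=xdg-music:ro;xdg-pictures:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
org.gnome.SessionManager=talk
org.gnome.SettingsDaemon=talk
org.mpris.MediaPlayer2.spotify=own
"""

WIDE_OPEN = """\
[Application]
name=org.example.WideOpen
runtime=org.freedesktop.Platform/x86_64/18.08
command=wideopen

[Context]
shared=network;
sockets=x11;session-bus;
devices=all;
filesystems=host;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

Finding = Tuple[str, str, str]  # (severity, permission, why it matters)


def _split(value: str) -> List[str]:
    # Flatpak list values are ';'-separated and usually end with a trailing ';'
    return [v for v in value.split(";") if v]


def parse_metadata(text: str) -> Dict:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep D-Bus names case-sensitive
    cp.read_string(text)
    ctx = cp["Context"] if cp.has_section("Context") else {}
    bus = cp["Session Bus Policy"] if cp.has_section("Session Bus Policy") else {}
    return {
        "name": cp.get("Application", "name", fallback="?"),
        "shared": _split(ctx.get("shared", "")),
        "sockets": _split(ctx.get("sockets", "")),
        "devices": _split(ctx.get("devices", "")),
        "filesystems": _split(ctx.get("filesystems", "")),
        "bus": dict(bus),
    }


def review(meta: Dict) -> List[Finding]:
    f: List[Finding] = []
    if "x11" in meta["sockets"]:
        f.append(("high", "sockets=x11", "X11 has no client isolation: other windows and keystrokes are readable"))
    if "session-bus" in meta["sockets"] or "system-bus" in meta["sockets"]:
        f.append(("high", "sockets=*-bus", "unfiltered D-Bus access bypasses the bus proxy"))
    if "all" in meta["devices"]:
        f.append(("high", "devices=all", "access to every device node in /dev"))
    for fs in meta["filesystems"]:
        base, _, mode = fs.partition(":")
        if base in ("host", "home") and mode != "ro":
            f.append(("high", f"filesystems={fs}", "writable host or home access defeats the sandbox"))
        elif base in ("host", "home"):
            f.append(("medium", f"filesystems={fs}", "read access to the whole host or home filesystem"))
        elif mode != "ro":
            f.append(("low", f"filesystems={fs}", "writable access to a specific location"))
    for name, policy in meta["bus"].items():
        if name == "org.freedesktop.Flatpak" and policy in ("talk", "own"):
            f.append(("high", f"{name}={policy}", "the Flatpak host service can run commands outside the sandbox"))
        elif policy == "own":
            f.append(("low", f"{name}={policy}", "app owns a well-known bus name"))
    if "network" in meta["shared"]:
        f.append(("info", "shared=network", "app has network access"))
    return f


def highest_severity(findings: List[Finding]) -> str:
    order = {"high": 3, "medium": 2, "low": 1, "info": 0}
    return max((x[0] for x in findings), key=order.get, default="none")


if __name__ == "__main__":
    for text in (SPOTIFY_LIKE, WIDE_OPEN):
        meta = parse_metadata(text)
        print(meta["name"], "->", highest_severity(review(meta)))
        for sev, perm, why in review(meta):
            print(f"  [{sev}] {perm}: {why}")
```

For the Spotify-like metadata the only high finding is the x11 socket, which matches the prompt above (x11 in the permissions line) and is the usual reason a music player is not isolated from the rest of the desktop; the rest of its grants are read-only music and pictures folders and a few well-known bus names. Overrides such as `flatpak override --user --nosocket=x11 <app-id>` are the lever to tighten a single app, at the cost of it possibly not starting.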

Going Forward

Still some rough edges to smooth out

Enabling automatic OS upgrades by default

Installed Flatpaks out of the box (built + delivered from Fedora infra)

Making Silverblue default Fedora Workstation choice

Improving documentation, growing the community