From ce9751e88da749c3347f2cfd0f8c14c741dc4974 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 15 Feb 2024 13:21:46 -0500
Subject: [PATCH] Enable composefs for 41+

Enabling composefs allow an increase in security by making the filesystem truly read-only. It's also a cornerstone towards a truly sealed system with full integrity checks at runtime. It will also allow storage deduplication between the host filesystem and the containers storage in the long run, which is a huge win: faster downloads and faster container startup times.

A thing that this is known to break is the "chattr -i" hack for new toplevel dirs (xref https://github.com/coreos/rpm-ostree/issues/337). Basically if you want that, you either need to make a derived image, or enable transient root.

Ref: https://fedoraproject.org/wiki/Changes/ComposefsAtomicCoreOSIoT

Co-authored-by: jbtrystram
---
 manifests/composefs.yaml | 3 +++
 manifests/fedora-coreos.yaml | 2 ++
 overlay.d/08composefs/README.md | 1 +
 overlay.d/08composefs/usr/lib/ostree/prepare-root.conf | 2 ++
 4 files changed, 8 insertions(+)
 create mode 100644 manifests/composefs.yaml
 create mode 100644 overlay.d/08composefs/README.md
 create mode 100644 overlay.d/08composefs/usr/lib/ostree/prepare-root.conf

diff --git a/manifests/composefs.yaml b/manifests/composefs.yaml
new file mode 100644
index 0000000000..d575c1349b
--- /dev/null
+++ b/manifests/composefs.yaml
@@ -0,0 +1,3 @@
+# Enable composefs by default.
+ostree-layers:
+  - overlay/08composefs
diff --git a/manifests/fedora-coreos.yaml b/manifests/fedora-coreos.yaml
index 581e0e38b9..7cfe12eb2b 100644
--- a/manifests/fedora-coreos.yaml
+++ b/manifests/fedora-coreos.yaml
@@ -30,6 +30,8 @@ conditional-include:
   # Wifi firmwares will be dropped in F41
   - if: releasever < 41
     include: wifi-firmwares.yaml
+  - if: releasever >= 41
+    include: composefs.yaml
 ostree-layers:
   - overlay/15fcos
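Review bot: The new `releasever >= 41` entry carries no comment saying what it gates, whereas the neighbouring `releasever < 41` entry is explained one line above it; a reader of this list only sees a filename. The two conditions share the 41 boundary but are unrelated (one drops wifi firmware, the other turns on composefs), so the pairing invites the wrong conclusion. I would add above the new entry: `# composefs is enabled by default starting with F41; see manifests/composefs.yaml and the Fedora change page linked in the commit message.` It is also worth a one-line remark that composefs.yaml contributes to `ostree-layers`, which this file defines a few lines further down — presumably the manifest tooling merges list keys from included files, but that should be confirmed rather than assumed.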
diff --git a/overlay.d/08composefs/README.md b/overlay.d/08composefs/README.md
new file mode 100644
index 0000000000..383ebb17a1
--- /dev/null
+++ b/overlay.d/08composefs/README.md
@@ -0,0 +1 @@
+Enable composefs by default; more in https://ostreedev.github.io/ostree/composefs/
diff --git a/overlay.d/08composefs/usr/lib/ostree/prepare-root.conf b/overlay.d/08composefs/usr/lib/ostree/prepare-root.conf
new file mode 100644
index 0000000000..2faae22bc9
--- /dev/null
+++ b/overlay.d/08composefs/usr/lib/ostree/prepare-root.conf
@@ -0,0 +1,2 @@
+[composefs]
+enabled = true
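Review bot: `enabled = true` switches composefs on but says nothing about what security property this does and does not buy, and the commit message itself frames the change as a cornerstone toward runtime integrity checks rather than their arrival. As written the file enables the composefs root mount only; nothing here turns on commit-signature or fs-verity enforcement, so the "truly read-only" property is a mount-level guard, not a cryptographic one, and somebody reading this file in isolation could easily take it to mean the root is verified. I would add a header comment: `# Mount / via composefs (read-only at the mount level only; signature / fs-verity enforcement is NOT enabled by this file).` A second comment line should state that, as I understand ostree's prepare-root.conf, `true` (unlike `maybe`) makes boot fail rather than fall back when composefs cannot be set up — confirm against the ostree documentation linked from the README and record the intended behaviour.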