-
Notifications
You must be signed in to change notification settings - Fork 305
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deploy: Add support for providing config overlay for /etc
#2220
Comments
Although particularly #2081 we kind of support this today if one does a locked+staged deployment. Hmm, it looks like we never quite promoted the rpm-ostree logic for deployment locking into ostree. |
Here's a random idea: What if we supported Maybe we make |
Building upon the previous suggestion, it might be interesting to try and support a (mostly) ephemeral /etc, something like a union mount of /usr/etc and a tmpfs with some magic to try and store things like /etc/machine-id in a place it can persist. The use-case I had in mind is a system that tries to avoid the configuration management problem by just generating non-default configs in /etc on every boot. |
Also, what about secrets? ostree was never designed to store secrets. I think anyone who is doing this and transporting them would want to ensure that the data is encrypted in transit (i.e. TLS) and ideally at rest too. Maybe something like eCryptfs or integration with fs-crypt? |
@cgwalters What kind of secrets do you expect OSTree to be transporting over a network? Not sure I'm following here |
A good example would be someone who is using ostree to do builds for devices that need to connect to one or more WiFi networks, and they want to bake in the credentials necessary for that. Another example is requiring a secret key or token in order to access OS updates at all. |
As of lately, my focus is on "ostree native containers" work over here: https://github.com/ostreedev/ostree-rs-ext This helps solve this problem because there is a new first-class way to add configuration changes into the transaction by having them be part of a derived image. |
Related:
And many more.
Basically let's support update systems also providing configuration in a transactional way.
ostree admin deploy --etc-overlay=configlayer-0 --etc-overlay=configlayer-1 <osref>
would take the defaults from the new
osref
tree's/etc
and overlay the provided config layers on top.And
ostree admin deploy --etc=<etcref> <osref>
would just use whatever is in
<etcref>
for/etc
entirely, avoiding any defaults.The text was updated successfully, but these errors were encountered: