particle-os/debian-atomic-system-files
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

first commit

Browse source
This commit is contained in:
robojerk 2025-09-01 14:05:34 -07:00
commit 93e2ad4b29
35 changed files with 1048 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

224
README.md Normal file
View file

@ -0,0 +1,224 @@
# Debian Atomic Infrastructure Files
This directory contains the missing systemd services, configuration files, and infrastructure components needed to make Debian work with OSTree and bootc-image-builder, based on our analysis of the successful Fedora Atomic system.
## 📁 Directory Structure
```
debian-atomic-files/
├── ostree-systemd/ # OSTree systemd services and configuration
├── bootc/ # Bootc systemd services and infrastructure
├── apt-ostree-systemd/ # APT-OSTree systemd services and kernel hooks
├── ostree-dracut/ # OSTree dracut module
└── README.md # This file
```
## 🎯 Purpose
These files address the **critical missing infrastructure** that prevents Debian from working with OSTree and bootc-image-builder. Based on our analysis of the successful Fedora Atomic system, we discovered that **28+ systemd services** are required for a functional OSTree system, and Debian packages are missing most of them.
## 📦 Package Structure
### 1. `ostree-systemd` Package
**Purpose**: Provides essential OSTree systemd services and configuration files.
**Files**:
- `systemd/system/ostree-prepare-root.service` - Handles OSTree deployment during initramfs
- `systemd/system/ostree-remount.service` - Manages OSTree bind mounts after boot
- `systemd/system/ostree-state-overlay@.service` - Template for OSTree state overlays
- `systemd/system/ostree-finalize-staged.service` - Finalizes staged deployments
- `systemd/system/ostree-finalize-staged-hold.service` - Prevents finalization conflicts
- `systemd/system/ostree-boot-complete.service` - Completes boot process
- `ostree/prepare-root.conf` - OSTree configuration (composefs, readonly sysroot)
- `tmpfiles.d/ostree-tmpfiles.conf` - Runtime directory creation and cleanup
**Installation Path**: `/usr/lib/systemd/system/`, `/usr/lib/ostree/`, `/usr/lib/tmpfiles.d/`
### 2. `bootc` Package
**Purpose**: Provides bootc infrastructure for automatic updates, filesystem growth, and cleanup.
**Files**:
- `systemd/system/bootc-fetch-apply-updates.service` - Automatic updates service
- `systemd/system/bootc-fetch-apply-updates.timer` - Timer for automatic updates (1h after boot, then every 8h)
- `systemd/system/bootc-generic-growpart.service` - Auto-grow root filesystem on VMs
- `systemd/system/bootc-destructive-cleanup.service` - Cleanup after installations
- `systemd/system/bootc-publish-rhsm-facts.service` - Publish facts to subscription manager
- `systemd/system/bootc-status-updated.target` - Status coordination target
- `systemd/system/bootc-status-updated-onboot.target` - Boot status target
- `systemd/system/bootc-root-setup.service` - Bootc root setup in initramfs
**Installation Path**: `/usr/lib/systemd/system/`
### 3. `bootc-dracut` Package
**Purpose**: Provides bootc dracut configuration for initramfs generation.
**Files**:
- `usr/lib/dracut.conf.d/10-bootc-base.conf` - Bootc dracut configuration (hostonly=no, add ostree module)
**Installation Path**: `/usr/lib/dracut.conf.d/`
### 4. `apt-ostree` Package (Enhanced)
**Purpose**: APT-OSTree package should include all systemd services and kernel installation hooks (like rpm-ostree does).
**Files**:
- `systemd/system/apt-ostreed.service` - APT-OSTree system management daemon
- `systemd/system/apt-ostree-bootstatus.service` - Log boot status to journal
- `systemd/system/apt-ostree-countme.service` - Analytics reporting service
- `systemd/system/apt-ostree-countme.timer` - Weekly analytics timer
- `systemd/system/apt-ostree-fix-shadow-mode.service` - Fix shadow permissions
- `systemd/system/apt-ostreed-automatic.service` - Automatic updates service
- `systemd/system/apt-ostreed-automatic.timer` - Automatic updates timer
- `kernel/install.d/05-aptostree.install` - Kernel installation hook for OSTree
- `kernel/install.conf` - Kernel install configuration (layout=ostree)
- `tmpfiles.d/apt-ostree-0-integration.conf` - APT-OSTree tmpfiles integration
- `tmpfiles.d/apt-ostree-0-integration-opt-usrlocal.conf` - /usr/local and /opt directory setup
- `tmpfiles.d/apt-ostree-0-integration-opt-usrlocal-compat.conf` - Backwards compatibility for /usr/local
- `apt-ostreed.conf` - APT-OSTree daemon configuration
- `org.debian.aptostree1.conf` - D-Bus policy configuration
**Installation Path**: `/usr/lib/systemd/system/`, `/usr/lib/kernel/install.d/`, `/usr/lib/kernel/`, `/usr/lib/tmpfiles.d/`, `/etc/`, `/usr/share/dbus-1/system.d/`
**Note**: These files should be bundled with the `apt-ostree` package itself, not as a separate package.
### 5. `ostree-dracut` Package
**Purpose**: Provides OSTree dracut module for initramfs integration.
**Files**:
- `modules.d/98ostree/module-setup.sh` - OSTree dracut module setup script
**Installation Path**: `/usr/lib/dracut/modules.d/98ostree/`
## 🔧 What Each File Does
### OSTree Systemd Services
**`ostree-prepare-root.service`**:
- **Purpose**: Handles OSTree deployment during initramfs phase
- **Function**: Runs `/usr/lib/ostree/ostree-prepare-root /sysroot`
- **Timing**: After `sysroot.mount`, before `initrd-root-fs.target`
- **Critical**: This is what makes OSTree deployment work during boot
**`ostree-remount.service`**:
- **Purpose**: Handles OSTree bind mounts after boot
- **Function**: Runs `/usr/lib/ostree/ostree-remount` binary
- **Timing**: After `var.mount`, before `local-fs.target`
- **Critical**: Manages overlay filesystems for `/etc`, `/var`, etc.
**`ostree-state-overlay@.service`**:
- **Purpose**: Template service for OSTree state overlays
- **Function**: Runs `ostree admin state-overlay %i /%I`
- **Critical**: Enables writable overlays on read-only OSTree deployments
**`ostree-finalize-staged.service`**:
- **Purpose**: Finalizes staged deployments
- **Function**: Runs `ostree admin finalize-staged` on service stop
- **Timing**: After `local-fs.target`, before `basic.target`
- **Critical**: Required for proper deployment finalization
**`ostree-boot-complete.service`**:
- **Purpose**: Completes boot process and handles soft-reboot cleanup
- **Function**: Runs `ostree admin boot-complete`
- **Timing**: After `sysinit.target`, before `ostree-finalize-staged.service`
- **Critical**: Handles boot completion and cleanup
### Bootc Systemd Services
**`bootc-fetch-apply-updates.service` + `.timer`**:
- **Purpose**: Automatic updates via `bootc upgrade --apply --quiet`
- **Timer**: Runs 1h after boot, then every 8h with 2h randomization
- **Critical**: Provides automatic update functionality
**`bootc-generic-growpart.service`**:
- **Purpose**: Automatically grow root filesystem on VMs
- **Function**: Runs `/usr/libexec/bootc-generic-growpart`
- **Condition**: Only runs on VMs with `/sysroot` mounted
- **Critical**: Handles filesystem growth automatically
**`bootc-destructive-cleanup.service`**:
- **Purpose**: Cleanup after alongside installation
- **Function**: Runs `/usr/lib/bootc/fedora-bootc-destructive-cleanup`
- **Critical**: Cleans up after destructive operations
### APT-OSTree Services
**`apt-ostreed.service`**:
- **Purpose**: APT-OSTree system management daemon
- **Type**: DBus service (`org.debian.aptostree1`)
- **Function**: Runs `apt-ostree start-daemon`
- **Critical**: Provides system management API
**`apt-ostree-bootstatus.service`**:
- **Purpose**: Log booted deployment status to journal
- **Function**: Runs `apt-ostree status -b`
- **Critical**: Provides boot status logging
### Kernel Installation Hooks
**`05-aptostree.install`**:
- **Purpose**: OSTree-aware kernel installation hook
- **Function**: Delegates to `apt-ostree kernel-install` for OSTree systems
- **Critical**: Ensures proper kernel installation in OSTree environment
**`install.conf`**:
- **Purpose**: Kernel install configuration
- **Content**: `layout=ostree`
- **Critical**: Tells kernel-install to use OSTree-specific hooks
### Dracut Module
**`98ostree/module-setup.sh`**:
- **Purpose**: OSTree dracut module for initramfs
- **Function**: Installs OSTree binaries and services into initramfs
- **Critical**: Required for OSTree integration in initramfs
## 🚀 Implementation Strategy
### Phase 1: Create Debian Packages
1. **`ostree-systemd`** - Essential OSTree services
2. **`bootc`** - Bootc infrastructure
3. **`ostree-dracut`** - Dracut module
4. **`apt-ostree`** - Enhanced with systemd services and kernel hooks
### Phase 2: Package Installation
```bash
# Install the packages
sudo dpkg -i ostree-systemd_*.deb
sudo dpkg -i bootc_*.deb
sudo dpkg -i ostree-dracut_*.deb
sudo dpkg -i apt-ostree_*.deb # Enhanced with systemd services
```
### Phase 3: Test with bootc-image-builder
```bash
# Use existing bootc-image-builder with Debian container
bootc-image-builder build --config debian-atomic.yaml
```
## 🎯 Expected Results
After installing these packages, Debian should have:
- ✅ **Complete OSTree infrastructure** (28+ systemd services)
- ✅ **Proper kernel installation hooks** for OSTree
- ✅ **Dracut integration** for initramfs
- ✅ **Automatic update functionality** via bootc
- ✅ **Filesystem growth and cleanup** capabilities
- ✅ **Compatibility with bootc-image-builder**
## 📋 Next Steps
1. **Create Debian packages** from these files
2. **Test package installation** on Debian system
3. **Build Debian Atomic container** with apt-ostree
4. **Test with bootc-image-builder** to create bootable image
5. **Boot test** the resulting image
## 🔍 Key Insights
**The problem was not in the build process** - `bootc-image-builder` works fine. The problem was **missing package infrastructure** in Debian. These files provide the missing systemd services, configuration files, and hooks that make OSTree work properly.
**This approach is much more manageable** than initially thought - we just need to package these files and install them, then use the existing proven build process.

9
apt-ostree-systemd/apt-ostreed.conf Normal file
View file

@ -0,0 +1,9 @@
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# For option meanings, see apt-ostreed.conf(5).
[Daemon]
#AutomaticUpdatePolicy=none
#IdleExitTimeout=60
#LockLayering=false
#Recommends=true

4
apt-ostree-systemd/kernel/install.conf Normal file
View file

@ -0,0 +1,4 @@
# kernel-install will not try to run dracut and allow apt-ostree to
# take over. Apt-ostree will use this to know that it is responsible
# to run dracut and ensure that there is only one kernel in the image
layout=ostree

9
apt-ostree-systemd/kernel/install.d/05-aptostree.install Normal file
View file

@ -0,0 +1,9 @@
#!/usr/bin/bash
# Check if install.conf is missing or does not include layout=ostree
if [ ! -f /usr/lib/kernel/install.conf ] || ! grep -q layout=ostree /usr/lib/kernel/install.conf; then
exit 0
fi
# This is the hook that has kernel-install call into apt-ostree kernel-install
if test -x /usr/bin/apt-ostree; then
exec /usr/bin/apt-ostree kernel-install "$@"
fi

40
apt-ostree-systemd/org.debian.aptostree1.conf Normal file
View file

@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Only root can own the service -->
<policy user="root">
<allow own="org.debian.aptostree1"/>
<allow send_destination="org.debian.aptostree1"/>
</policy>
<!-- Allow anyone to call into the service - we'll reject callers using PolicyKit -->
<policy context="default">
<deny send_destination="org.debian.aptostree1"/>
<allow send_destination="org.debian.aptostree1"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.debian.aptostree1"
send_interface="org.freedesktop.DBus.ObjectManager"/>
<allow send_destination="org.debian.aptostree1"
send_interface="org.freedesktop.DBus.Peer"/>
<allow send_destination="org.debian.aptostree1"
send_interface="org.freedesktop.DBus.Properties"
send_member="Get"/>
<allow send_destination="org.debian.aptostree1"
send_interface="org.freedesktop.DBus.Properties"
send_member="GetAll"/>
<allow send_destination="org.debian.aptostree1"
send_interface="org.debian.aptostree1.OS"/>
<allow send_destination="org.debian.aptostree1"
send_interface="org.debian.aptostree1.Sysroot"/>
</policy>
</busconfig>

12
apt-ostree-systemd/systemd/system/apt-ostree-bootstatus.service Normal file
View file

@ -0,0 +1,12 @@
[Unit]
Description=Log apt-ostree Booted Deployment Status To Journal
Documentation=man:apt-ostree(1)
ConditionPathExists=/run/ostree-booted
[Service]
Type=oneshot
ExecStart=apt-ostree status -b
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

12
apt-ostree-systemd/systemd/system/apt-ostree-countme.service Normal file
View file

@ -0,0 +1,12 @@
[Unit]
Description=Weekly apt-ostree Count Me reporting
Documentation=man:apt-ostree-countme.service(8)
ConditionPathExists=/run/ostree-booted
[Service]
Type=oneshot
User=apt-ostree
DynamicUser=yes
StateDirectory=apt-ostree-countme
StateDirectoryMode=750
ExecStart=apt-ostree countme

12
apt-ostree-systemd/systemd/system/apt-ostree-countme.timer Normal file
View file

@ -0,0 +1,12 @@
[Unit]
Description=Weekly apt-ostree Count Me reporting
Documentation=man:apt-ostree-countme.service(8)
ConditionPathExists=/run/ostree-booted
[Timer]
OnCalendar=weekly
RandomizedDelaySec=1d
Persistent=true
[Install]
WantedBy=timers.target

25
apt-ostree-systemd/systemd/system/apt-ostree-fix-shadow-mode.service Normal file
View file

@ -0,0 +1,25 @@
[Unit]
# apt-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
Description=Update permissions for /etc/shadow
Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
# This new stamp file is written by the Rust code, and obsoletes
# the old /etc/.apt-ostree-shadow-mode-fixed.stamp
ConditionPathExists=!/etc/.apt-ostree-shadow-mode-fixed2.stamp
ConditionPathExists=/run/ostree-booted
# Filter out non-traditional ostree setups (e.g. live boots)
ConditionKernelCommandLine=ostree
# Because we read the sysroot
RequiresMountsFor=/boot
# Make sure this is started before any unprivileged (interactive) user has access to the system.
Before=systemd-user-sessions.service
[Service]
Type=oneshot
ExecStart=apt-ostree fix-shadow-perms
RemainAfterExit=yes
# So we can remount /sysroot writable in our own namespace
MountFlags=slave
[Install]
WantedBy=multi-user.target

8
apt-ostree-systemd/systemd/system/apt-ostreed-automatic.service Normal file
View file

@ -0,0 +1,8 @@
[Unit]
Description=APT-OSTree Automatic Update
Documentation=man:apt-ostree(1) man:apt-ostreed.conf(5)
ConditionPathExists=/run/ostree-booted
[Service]
Type=simple
ExecStart=apt-ostree upgrade --quiet --trigger-automatic-update-policy

14
apt-ostree-systemd/systemd/system/apt-ostreed-automatic.timer Normal file
View file

@ -0,0 +1,14 @@
[Unit]
Description=APT-OSTree Automatic Update Trigger
Documentation=man:apt-ostree(1) man:apt-ostreed.conf(5)
ConditionPathExists=/run/ostree-booted
After=network-online.target
Wants=network-online.target
[Timer]
OnBootSec=1h
OnUnitInactiveSec=1d
Persistent=true
[Install]
WantedBy=timers.target

32
apt-ostree-systemd/systemd/system/apt-ostreed.service Normal file
View file

@ -0,0 +1,32 @@
[Unit]
Description=APT-OSTree System Management Daemon
Documentation=man:apt-ostree(1)
ConditionPathExists=/ostree
RequiresMountsFor=/boot
[Service]
# See similar code in apt-ostree-countme.service
User=apt-ostree
DynamicUser=yes
# As of right now, our primary API is DBus. But see also https://github.com/coreos/rpm-ostree/issues/3850
Type=dbus
BusName=org.debian.aptostree1
# To use the read-only sysroot bits
MountFlags=slave
# We have no business accessing /var/roothome or /var/home. In general
# the ostree design clearly avoids touching those, but since systemd offers
# us easy tools to toggle on protection, let's use them. In the future
# it'd be nice to do something like using DynamicUser=yes for the main service,
# and have a system apt-ostreed-transaction.service that runs privileged
# but as a subprocess.
ProtectHome=true
NotifyAccess=main
# Significantly bump this timeout from the default because
# we do a lot of stuff on daemon startup.
TimeoutStartSec=5m
# We start this main process with full privileges; it may spawn unprivileged processes
# with the apt-ostree user.
ExecStart=+apt-ostree start-daemon
ExecReload=apt-ostree reload
# disable/enable downloading filelists
Environment="DOWNLOAD_FILELISTS=false"

5
apt-ostree-systemd/tmpfiles.d/apt-ostree-0-integration-opt-usrlocal-compat.conf Normal file
View file

@ -0,0 +1,5 @@
# Traditionally, /usr/local has been a link to /var/usrlocal and /opt to /var/opt.
# A new model now is to allow OSTree commit content in those directories. For
# backwards compatibility, we keep the /var paths but flip the symlinks around.
L /var/usrlocal - - - - ../usr/local
L /var/opt - - - - ../usr/lib/opt

5
apt-ostree-systemd/tmpfiles.d/apt-ostree-0-integration-opt-usrlocal.conf Normal file
View file

@ -0,0 +1,5 @@
# Traditionally, /usr/local has been a link to /var/usrlocal and /opt to /var/opt.
# A new model now is to allow OSTree commit content in those directories. But
# this dropin implements the old model.
d /var/opt 0755 root root -
d /var/usrlocal 0755 root root -

18
apt-ostree-systemd/tmpfiles.d/apt-ostree-0-integration.conf Normal file
View file

@ -0,0 +1,18 @@
d /var/home 0755 root root -
d /var/srv 0755 root root -
d /var/roothome 0700 root root -
d /var/mnt 0755 root root -
d /run/media 0755 root root -
L /var/lib/dpkg - - - - ../../usr/share/dpkg
# this is normally owned by `filesystem`, but for multiple reasons, this doesn't
# work in the apt-ostree flow
d /usr/local/bin 0755 root root -
d /usr/local/etc 0755 root root -
d /usr/local/games 0755 root root -
d /usr/local/include 0755 root root -
d /usr/local/lib 0755 root root -
d /usr/local/man 0755 root root -
d /usr/local/sbin 0755 root root -
d /usr/local/share 0755 root root -
d /usr/local/src 0755 root root -

7
bootc-dracut/usr/lib/dracut.conf.d/10-bootc-base.conf Normal file
View file

@ -0,0 +1,7 @@
# Typically we want want a generic image and
# hostonly makes no sense as part of a server side build.
# (really hostonly=no should be the default if dracut detects that
# it's in a container or so)
hostonly=no
# We require ostree in the initramfs
add_dracutmodules+=" ostree "

22
bootc-systemd/systemd/system/bootc-root-setup.service Normal file
View file

@ -0,0 +1,22 @@
[Unit]
Description=bootc setup root
Documentation=man:bootc(1)
DefaultDependencies=no
# For now
ConditionKernelCommandLine=ostree
ConditionPathExists=/etc/initrd-release
After=sysroot.mount
After=ostree-prepare-root.service
Requires=sysroot.mount
Before=initrd-root-fs.target
OnFailure=emergency.target
OnFailureJobMode=isolate
[Service]
Type=oneshot
ExecStart=/usr/lib/bootc/initramfs-setup setup-root
StandardInput=null
StandardOutput=journal
StandardError=journal+console
RemainAfterExit=yes

12
bootc/systemd/system/bootc-destructive-cleanup.service Normal file
View file

@ -0,0 +1,12 @@
[Unit]
Description=Cleanup previous the installation after an alongside installation
Documentation=man:bootc(8)
ConditionPathExists=/sysroot/etc/bootc-destructive-cleanup
[Service]
Type=oneshot
ExecStart=/usr/lib/bootc/fedora-bootc-destructive-cleanup
PrivateMounts=true
[Install]
WantedBy=multi-user.target

8
bootc/systemd/system/bootc-fetch-apply-updates.service Normal file
View file

@ -0,0 +1,8 @@
[Unit]
Description=Apply bootc updates
Documentation=man:bootc(8)
ConditionPathExists=/run/ostree-booted
[Service]
Type=oneshot
ExecStart=/usr/bin/bootc upgrade --apply --quiet

14
bootc/systemd/system/bootc-fetch-apply-updates.timer Normal file
View file

@ -0,0 +1,14 @@
[Unit]
Description=Apply bootc updates
Documentation=man:bootc(8)
ConditionPathExists=/run/ostree-booted
[Timer]
OnBootSec=1h
# This time is relatively arbitrary and obviously expected to be overridden/changed
OnUnitInactiveSec=8h
# When deploying a large number of systems, it may be beneficial to increase this value to help with load on the registry.
RandomizedDelaySec=2h
[Install]
WantedBy=timers.target

22
bootc/systemd/system/bootc-generic-growpart.service Normal file
View file

@ -0,0 +1,22 @@
[Unit]
Description=Bootc Fallback Root Filesystem Grow
Documentation=https://gitlab.com/fedora/bootc/docs
# For now we skip bare metal cases, and we also have nothing to do
# for containers.
ConditionVirtualization=vm
# This helps verify that we're running in a bootc/ostree based target.
ConditionPathIsMountPoint=/sysroot
# For someone making a smaller image, assume they have this handled.
ConditionPathExists=/usr/bin/growpart
# We want to run before any e.g. large container images might be pulled.
DefaultDependencies=no
Requires=sysinit.target
After=sysinit.target
Before=basic.target
[Service]
ExecStart=/usr/libexec/bootc-generic-growpart
# So we can temporarily remount the sysroot writable
MountFlags=slave
# Just to auto-cleanup our temporary files
PrivateTmp=yes

12
bootc/systemd/system/bootc-publish-rhsm-facts.service Normal file
View file

@ -0,0 +1,12 @@
[Unit]
Description=Publish bootc facts to Red Hat Subscription Manager
Documentation=man:bootc(8)
ConditionPathExists=/etc/rhsm/facts
[Service]
Type=oneshot
ExecStart=/usr/bin/bootc internals publish-rhsm-facts
[Install]
WantedBy=bootc-status-updated.target
WantedBy=bootc-status-updated-onboot.target

7
bootc/systemd/system/bootc-status-updated-onboot.target Normal file
View file

@ -0,0 +1,7 @@
[Unit]
Description=Target for bootc status changes on boot
Documentation=man:bootc-status-updated.target(8)
ConditionPathExists=/run/ostree-booted
[Install]
WantedBy=multi-user.target

5
bootc/systemd/system/bootc-status-updated.target Normal file
View file

@ -0,0 +1,5 @@
[Unit]
Description=Target for bootc status changes
Documentation=man:bootc-status-updated.target(8)
StopWhenUnneeded=true
ConditionPathExists=/run/ostree-booted

83
install.sh Executable file
View file

@ -0,0 +1,83 @@
#!/bin/bash
# Debian Atomic Infrastructure Installation Script
# This script installs the missing OSTree infrastructure files to a Debian system
set -e
echo "🚀 Installing Debian Atomic Infrastructure Files"
echo "================================================"
# Check if running as root
if [ "$EUID" -ne 0 ]; then
echo "❌ Please run as root (use sudo)"
exit 1
fi
# Create directories
echo "📁 Creating directories..."
mkdir -p /usr/lib/systemd/system
mkdir -p /usr/lib/ostree
mkdir -p /usr/lib/tmpfiles.d
mkdir -p /usr/lib/kernel/install.d
mkdir -p /usr/lib/dracut/modules.d/98ostree
mkdir -p /usr/lib/dracut.conf.d
mkdir -p /usr/share/dbus-1/system.d
# Install OSTree systemd services
echo "🔧 Installing OSTree systemd services..."
cp ostree-systemd/systemd/system/*.service /usr/lib/systemd/system/
cp ostree-systemd/ostree/prepare-root.conf /usr/lib/ostree/
cp ostree-systemd/tmpfiles.d/ostree-tmpfiles.conf /usr/lib/tmpfiles.d/
# Install bootc services
echo "🔧 Installing bootc services..."
cp bootc/systemd/system/*.service /usr/lib/systemd/system/
cp bootc-systemd/systemd/system/*.service /usr/lib/systemd/system/
cp bootc/systemd/system/*.timer /usr/lib/systemd/system/
cp bootc/systemd/system/*.target /usr/lib/systemd/system/
# Install bootc dracut configuration
echo "🔧 Installing bootc dracut configuration..."
cp bootc-dracut/usr/lib/dracut.conf.d/*.conf /usr/lib/dracut.conf.d/
# Install APT-OSTree services
echo "🔧 Installing APT-OSTree services..."
cp apt-ostree-systemd/systemd/system/*.service /usr/lib/systemd/system/
cp apt-ostree-systemd/systemd/system/*.timer /usr/lib/systemd/system/
cp apt-ostree-systemd/kernel/install.d/*.install /usr/lib/kernel/install.d/
cp apt-ostree-systemd/kernel/install.conf /usr/lib/kernel/
cp apt-ostree-systemd/tmpfiles.d/*.conf /usr/lib/tmpfiles.d/
cp apt-ostree-systemd/apt-ostreed.conf /etc/
cp apt-ostree-systemd/org.debian.aptostree1.conf /usr/share/dbus-1/system.d/
# Make kernel install hook executable
chmod +x /usr/lib/kernel/install.d/05-aptostree.install
# Install OSTree dracut module
echo "🔧 Installing OSTree dracut module..."
cp ostree-dracut/modules.d/98ostree/module-setup.sh /usr/lib/dracut/modules.d/98ostree/
chmod +x /usr/lib/dracut/modules.d/98ostree/module-setup.sh
# Reload systemd
echo "🔄 Reloading systemd..."
systemctl daemon-reload
echo "✅ Installation complete!"
echo ""
echo "📋 Installed components:"
echo " - OSTree systemd services (6 services)"
echo " - Bootc systemd services (8 services + timers + targets)"
echo " - APT-OSTree systemd services (4 services + timer)"
echo " - Kernel installation hooks (1 hook + config)"
echo " - OSTree dracut module (1 module)"
echo ""
echo "🎯 Next steps:"
echo " 1. Test with apt-ostree compose tree"
echo " 2. Test with apt-ostree compose container-encapsulate"
echo " 3. Test with bootc-image-builder"
echo " 4. Boot test the resulting image"
echo ""
echo "🔍 To verify installation:"
echo " systemctl list-units --type=service | grep -E '(ostree|bootc|apt-ostree)'"
echo " ls -la /usr/lib/kernel/install.d/05-aptostree.install"
echo " ls -la /usr/lib/dracut/modules.d/98ostree/module-setup.sh"

28
ostree-dracut/modules.d/98ostree/module-setup.sh Normal file
View file

@ -0,0 +1,28 @@
#!/usr/bin/bash
installkernel() {
instmods erofs overlay
}
check() {
if [[ -x $systemdutildir/systemd ]] && [[ -x /usr/lib/ostree/ostree-prepare-root ]]; then
return 255
fi
return 1
}
depends() {
return 0
}
install() {
dracut_install /usr/lib/ostree/ostree-prepare-root
for r in /usr/lib /etc; do
if test -f "$r/ostree/prepare-root.conf"; then
inst_simple "$r/ostree/prepare-root.conf"
fi
done
inst_simple "${systemdsystemunitdir}/ostree-prepare-root.service"
mkdir -p "${initdir}${systemdsystemconfdir}/initrd-root-fs.target.wants"
ln_r "${systemdsystemunitdir}/ostree-prepare-root.service" \
"${systemdsystemconfdir}/initrd-root-fs.target.wants/ostree-prepare-root.service"
}

4
ostree-systemd/ostree/prepare-root.conf Normal file
View file

@ -0,0 +1,4 @@
[composefs]
enabled = yes
[sysroot]
readonly = true

39
ostree-systemd/systemd/system/ostree-boot-complete.service Normal file
View file

@ -0,0 +1,39 @@
# Copyright (C) 2022 Red Hat, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <https://www.gnu.org/licenses/>.
[Unit]
Description=OSTree Complete Boot
Documentation=man:ostree(1)
ConditionKernelCommandLine=ostree
# For now, this is the only condition on which we start, but it's
# marked as a triggering condition in case in the future we want
# to do something else.
ConditionPathExists=|/boot/ostree/finalize-failure.stamp
# Also run when soft-reboot cleanup is needed
ConditionPathExists=|/run/ostree/nextroot-booted
# We start early
DefaultDependencies=no
After=sysinit.target
RequiresMountsFor=/boot
# Ensure that we propagate the failure into the current boot before
# any further finalization attempts.
Before=ostree-finalize-staged.service
[Service]
Type=oneshot
# To write to /boot while keeping it read-only
MountFlags=slave
RemainAfterExit=yes
ExecStart=/usr/bin/ostree admin boot-complete

25
ostree-systemd/systemd/system/ostree-finalize-staged-hold.service Normal file
View file

@ -0,0 +1,25 @@
# Copyright (C) 2018 Red Hat, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <https://www.gnu.org/licenses/>.
[Unit]
Description=OSTree Finalize Staged Hold
Documentation=man:ostree(1)
DefaultDependencies=no
ConditionPathExists=/run/ostree-booted
[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/bin/true

52
ostree-systemd/systemd/system/ostree-finalize-staged.service Normal file
View file

@ -0,0 +1,52 @@
# Copyright (C) 2018 Red Hat, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <https://www.gnu.org/licenses/>.
# For some implementation discussion, see:
# https://lists.freedesktop.org/archives/systemd-devel/2018-March/040557.html
[Unit]
Description=OSTree Finalize Staged Deployment
Documentation=man:ostree(1)
ConditionPathExists=/run/ostree-booted
DefaultDependencies=no
RequiresMountsFor=/sysroot /boot
After=local-fs.target
Before=basic.target final.target
# We want to make sure the transaction logs are persisted to disk:
# https://bugzilla.redhat.com/show_bug.cgi?id=1751272
After=systemd-journal-flush.service
Conflicts=final.target
# Start the hold unit and ensure it stays active throughout this
# service.
Wants=ostree-finalize-staged-hold.service
After=ostree-finalize-staged-hold.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStop=/usr/bin/ostree admin finalize-staged
# This is a quite long timeout intentionally; the failure mode
# here is that people don't get an upgrade. We need to handle
# cases with slow rotational media, etc.
TimeoutStopSec=5m
# OSTree should never touch /var at all...except, we need to remove
# the /var/.updated flag, so we can't just `InaccessiblePaths=/var` right now.
# For now, let's at least use ProtectHome just so we have some sandboxing
# of that.
ProtectHome=yes
# And we shouldn't affect the current deployment's /etc.
ReadOnlyPaths=/etc
# We write to /sysroot and /boot of course.

35
ostree-systemd/systemd/system/ostree-prepare-root.service Normal file
View file

@ -0,0 +1,35 @@
# Copyright (C) 2013 Colin Walters <walters@verbum.org>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <https://www.gnu.org/licenses/>.
[Unit]
Description=OSTree Prepare OS/
Documentation=man:ostree(1)
DefaultDependencies=no
ConditionKernelCommandLine=ostree
ConditionPathExists=/etc/initrd-release
After=sysroot.mount
Requires=sysroot.mount
Before=initrd-root-fs.target
OnFailure=emergency.target
OnFailureJobMode=isolate
[Service]
Type=oneshot
ExecStart=/usr/lib/ostree/ostree-prepare-root /sysroot
StandardInput=null
StandardOutput=journal
StandardError=journal+console
RemainAfterExit=yes

40
ostree-systemd/systemd/system/ostree-remount.service Normal file
View file

@ -0,0 +1,40 @@
# Copyright (C) 2013 Colin Walters <walters@verbum.org>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <https://www.gnu.org/licenses/>.
[Unit]
Description=OSTree Remount OS/ Bind Mounts
Documentation=man:ostree(1)
DefaultDependencies=no
ConditionKernelCommandLine=ostree
OnFailure=emergency.target
Conflicts=umount.target
# Run after core mounts
After=-.mount var.mount
After=systemd-remount-fs.service
# But we run *before* most other core bootup services that need write access to /etc and /var
Before=local-fs.target umount.target
Before=systemd-random-seed.service plymouth-read-write.service systemd-journal-flush.service
Before=systemd-tmpfiles-setup.service systemd-rfkill.service systemd-rfkill.socket
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/ostree/ostree-remount
StandardInput=null
StandardOutput=journal
StandardError=journal+console
[Install]
WantedBy=local-fs.target

36
ostree-systemd/systemd/system/ostree-state-overlay@.service Normal file
View file

@ -0,0 +1,36 @@
# Copyright (C) 2023 Red Hat Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <https://www.gnu.org/licenses/>.
[Unit]
Description=OSTree State Overlay On /%I
Documentation=man:ostree(1)
DefaultDependencies=no
ConditionKernelCommandLine=ostree
# run after /var is setup since that's where the upperdir is stored
# and after boot.mount so we can load the sysroot
After=var.mount boot.mount
# but before local-fs.target, which we consider ourselves a part of
Before=local-fs.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/ostree admin state-overlay %i /%I
StandardInput=null
StandardOutput=journal
StandardError=journal+console
[Install]
WantedBy=local-fs.target

21
ostree-systemd/tmpfiles.d/ostree-tmpfiles.conf Normal file
View file

@ -0,0 +1,21 @@
# Copyright (C) 2017 Colin Walters <walters@verbum.org>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <https://www.gnu.org/licenses/>.
# ostree runtime configuration
d /run/ostree 0755 root root -
# https://github.com/ostreedev/ostree/issues/393
# Note this can eventually be removed now that we
# write to the deployment backing dir.
R! /var/tmp/ostree-unlock-ovl.*

147
verify.sh Executable file
View file

@ -0,0 +1,147 @@
#!/bin/bash
# Debian Atomic Infrastructure Verification Script
# This script verifies that all required files are installed correctly
echo "🔍 Verifying Debian Atomic Infrastructure Installation"
echo "====================================================="
# Check OSTree systemd services
echo "📋 Checking OSTree systemd services..."
ostree_services=(
"ostree-prepare-root.service"
"ostree-remount.service"
"ostree-state-overlay@.service"
"ostree-finalize-staged.service"
"ostree-finalize-staged-hold.service"
"ostree-boot-complete.service"
)
for service in "${ostree_services[@]}"; do
if [ -f "/usr/lib/systemd/system/$service" ]; then
echo "$service"
else
echo "$service - MISSING"
fi
done
# Check bootc services
echo "📋 Checking bootc services..."
bootc_services=(
"bootc-fetch-apply-updates.service"
"bootc-fetch-apply-updates.timer"
"bootc-generic-growpart.service"
"bootc-destructive-cleanup.service"
"bootc-publish-rhsm-facts.service"
"bootc-status-updated.target"
"bootc-status-updated-onboot.target"
"bootc-root-setup.service"
)
for service in "${bootc_services[@]}"; do
if [ -f "/usr/lib/systemd/system/$service" ]; then
echo "$service"
else
echo "$service - MISSING"
fi
done
# Check APT-OSTree services
echo "📋 Checking APT-OSTree services..."
apt_ostree_services=(
"apt-ostreed.service"
"apt-ostree-bootstatus.service"
"apt-ostree-countme.service"
"apt-ostree-countme.timer"
"apt-ostree-fix-shadow-mode.service"
"apt-ostreed-automatic.service"
"apt-ostreed-automatic.timer"
)
for service in "${apt_ostree_services[@]}"; do
if [ -f "/usr/lib/systemd/system/$service" ]; then
echo "$service"
else
echo "$service - MISSING"
fi
done
# Check configuration files
echo "📋 Checking configuration files..."
config_files=(
"/usr/lib/ostree/prepare-root.conf"
"/usr/lib/tmpfiles.d/ostree-tmpfiles.conf"
"/usr/lib/tmpfiles.d/apt-ostree-0-integration.conf"
"/usr/lib/tmpfiles.d/apt-ostree-0-integration-opt-usrlocal.conf"
"/usr/lib/tmpfiles.d/apt-ostree-0-integration-opt-usrlocal-compat.conf"
"/usr/lib/kernel/install.conf"
"/etc/apt-ostreed.conf"
"/usr/share/dbus-1/system.d/org.debian.aptostree1.conf"
"/usr/lib/dracut.conf.d/10-bootc-base.conf"
)
for file in "${config_files[@]}"; do
if [ -f "$file" ]; then
echo "$file"
else
echo "$file - MISSING"
fi
done
# Check kernel installation hooks
echo "📋 Checking kernel installation hooks..."
if [ -f "/usr/lib/kernel/install.d/05-aptostree.install" ]; then
echo " ✅ 05-aptostree.install"
if [ -x "/usr/lib/kernel/install.d/05-aptostree.install" ]; then
echo " ✅ 05-aptostree.install (executable)"
else
echo " ❌ 05-aptostree.install (not executable)"
fi
else
echo " ❌ 05-aptostree.install - MISSING"
fi
# Check dracut module
echo "📋 Checking dracut module..."
if [ -f "/usr/lib/dracut/modules.d/98ostree/module-setup.sh" ]; then
echo " ✅ 98ostree/module-setup.sh"
if [ -x "/usr/lib/dracut/modules.d/98ostree/module-setup.sh" ]; then
echo " ✅ 98ostree/module-setup.sh (executable)"
else
echo " ❌ 98ostree/module-setup.sh (not executable)"
fi
else
echo " ❌ 98ostree/module-setup.sh - MISSING"
fi
# Check systemd daemon reload
echo "📋 Checking systemd daemon status..."
if systemctl daemon-reload >/dev/null 2>&1; then
echo " ✅ systemd daemon reload successful"
else
echo " ❌ systemd daemon reload failed"
fi
# Count total services
echo "📊 Summary:"
ostree_count=$(ls /usr/lib/systemd/system/ostree-*.service 2>/dev/null | wc -l)
bootc_count=$(ls /usr/lib/systemd/system/bootc-*.service 2>/dev/null | wc -l)
apt_ostree_count=$(ls /usr/lib/systemd/system/apt-ostree*.service 2>/dev/null | wc -l)
total_services=$((ostree_count + bootc_count + apt_ostree_count))
echo " - OSTree services: $ostree_count"
echo " - Bootc services: $bootc_count"
echo " - APT-OSTree services: $apt_ostree_count"
echo " - Total services: $total_services"
if [ $total_services -ge 18 ]; then
echo " ✅ Installation looks complete!"
else
echo " ❌ Installation appears incomplete (expected ~18+ services)"
fi
echo ""
echo "🎯 Next steps:"
echo " 1. Test with apt-ostree compose tree"
echo " 2. Test with apt-ostree compose container-encapsulate"
echo " 3. Test with bootc-image-builder"
echo " 4. Boot test the resulting image"