v2024.5

What's Changed

• Release 2024.4 by @cgwalters in #3197
• docs: Move SPDX identifiers under first title by @travier in #3199
• sepolicy: Fix publicity mismatch for ostree_sepolicy_host_enabled by @cgwalters in #3196
• main: Ignore SIGPIPE when printing version by @dbnicholson in #3203
• otcore: Drop config load print by @cgwalters in #3204
• bootloader/grub2: Don't do anything if we have static configs by @cgwalters in #3205
• sysroot: Turn on bootloader-naming-2 by default by @cgwalters in #3206
• kargs: parse spaces in kargs input and keep quotes by @HuijingHei in #3208
• Ensure boot directory is open before accessing it for early pruning by @rborn-tx in #3213
• checkout: Always replace existing content with overlay mode by @cgwalters in #3214

Full Changelog: v2024.4...v2024.5

v2024.4

What's Changed

• Release 2024.3 by @cgwalters in #3172
• rofiles-fuse: Check fsverity flag for copyup by @cgwalters in #3175
• tests: Use long key IDs by @teythoon in #3178
• docs: Add webrick dependancy for building site locally by @ericcurtin in #3179
• tests: Use long key IDs, I found another one by @teythoon in #3180
• README: Add Red Hat In-Vehicle Operating System by @ericcurtin in #3181
• workflow/docs: Update to actions/checkout@v4 & dependabot: Update github-actions weekly by @travier in #3176
• test-admin-deploy-var: Don't rely on OSTREE_FEATURES by @smcv in #3184
• deploy: Don't fail if loading composefs configuration fails due to mi… by @alexlarsson in #3189
• ostree-prepare-root: Amend comment about shared mounts by @rborn-tx in #3186
• Docs fixes & SPDX identifiers uniformisation by @travier in #3185
• prepare-root: Disallow hotfixes if using signed composefs images by @alexlarsson in #3194
• generator: Fixes for Android Boot environment by @ericcurtin in #3192
• sysroot: Reword comment and use gboolean over bool, error handling by @ericcurtin in #3195

New Contributors

• @teythoon made their first contribution in #3178

Full Changelog: v2024.3...v2024.4

v2024.3

New features and notable changes

This release changes how /var works (again):

• sysroot: Rework /var handling to act like Docker VOLUME /var by @cgwalters in #3166
• Drop tmpfiles var by @cgwalters in #3168

The mount setup also had a semantic change for those enabling root.transient:

• prepare-root: Switch to a tmpfs for transient root by @cgwalters in #3173

Also related to prepare-root, it is now recommend to enable composefs by simply configuring ostree-prepare-root.conf and not the ex-integrity.composefs variable:

• deploy: Honor prepare-root.conf at deploy time for composefs by @cgwalters in #3165

Other changes

• prepare-root: Unify root.transient with composefs by @cgwalters in #3170
• Release by @cgwalters in #3160
• libostree: write selinux xattr when on non-selinux systems by @mvo5 in #3151
• ostree.repo-config(5): Fix a typo by @smcv in #3167
• Expose MOUNT_ATTR_IDMAP detection result to C code by @rborn-tx in #3169
• docs/atomic-rollbacks: Add a section on rollbacks by @ericcurtin in #3171
• Release 2024.3 by @cgwalters in #3172

New Contributors

• @mvo5 made their first contribution in #3151
• @rborn-tx made their first contribution in #3169

Full Changelog: v2024.2...v2024.3

2024.2

What's Changed

New features

The ostree admin pin command learned more human-consumable verbs:

• admin/pin: Add commands to pin booted, pending and rollbacks deployments by @ericcurtin in #3146
• generator: Exit if there's no /run/ostree by @cgwalters in #3147

Bugfixes

• deploy: Ignore sockets, fifos in /etc/ during merge by @yummypeng in #3143
• grub2-15_ostree: Graceful exit if /etc/default/grub doesn't exist by @travier in #3150
• Track deployment root/inode from prepare root by @cgwalters in #3164

Other changes

• Release 2024.1 by @cgwalters in #3141
• tests: Skip composefs test if /var/tmp does not support user xattrs by @smcv in #3145
• composefs: Bump composefs max version to 1 by @alexlarsson in #3149
• ci: Add a bootc/c9s workflow by @cgwalters in #3152
• syslinux: Avoid double /boot if bootprefix is enabled by @cgwalters in #3157
• admin/state-overlay: Require root and don't lock sysroot by @jlebon in #3158
• Enable sysroot.bootprefix by default by @cgwalters in #3156
• Revert "Enable sysroot.bootprefix by default" by @cgwalters in #3159

New Contributors

• @yummypeng made their first contribution in #3143

Full Changelog: v2024.1...v2024.2

2024.1

New features

There are two major new APIs around configuring mutability and persistence of the root filesystem.

First, OSTree gained support for a new root.transient flag that makes / an overlayfs that is persistent across reboots but not across upgrades. This makes the system behave a bit more similarly to e.g. Docker and following tools such as podman and Kubernetes.

• prepare-root: Add support for root.transient by @cgwalters in #3114
• Doc root transient by @cgwalters in #3117

There is a different approach in the (still classified as experimental) ostree-state-overlay@.service unit:

• Add concept of state overlays by @jlebon in #3120

This approach instead allows operating systems or downstream builders to choose to apply persistent merge semantics to specific targeted directories (e.g. /opt).

Notable bugfixes

• prepare-root: Fix composefs + ostree admin unlock --hotfix compat by @cgwalters in #3129
• lib/deploy: Round to block size in early prune space check by @jlebon in #3130
• • status: Pass correct remote name when verifying by @cgwalters in #3131

Other misc changes

• Release 2023.8 by @cgwalters in #3111

• Update Torizon information by @leonheldattoradex in #3112

• doc: Add section about ostree and bootloaders by @jmarrero in #3116

• Link to gardenlinux/ostree-image-builder in README by @fwilhe in #3121

• deploy: Log calculated needed space by @cgwalters in #3123

• rust: Add missing feature versions by @cgwalters in #3124

• switchroot: Be explicit about what could cause /sysroot to be ro by @ericcurtin in #3125

• zipl: A few fixes by @cgwalters in #3119

• docs/composefs: Add note about toplevel dirs by @cgwalters in #3127

• switchroot: use shared constant for unlock --hotfix by @cgwalters in #3128

• status: Fix build without GPGME by @ericcurtin in #3132

• systemd/ostree-boot-complete: Start earlier by @cgwalters in #3133

• status: Introduce tool to quickly check if we are booted as default by @ericcurtin in #3134

• status: Rename query-booted to is-default by @ericcurtin in #3136

• doc: Add section about ostree and aboot by @ericcurtin in #3135

New Contributors

• @leonheldattoradex made their first contribution in #3112
• @fwilhe made their first contribution in #3121

Full Changelog: v2023.8...v2024.1

2023.8

This release stabilizes "deployment finalization locking" which
is very useful for automatic update workflows.

• sysroot: Stabilize deployment finalization, add API by @cgwalters in #3090

There's a new post-copy command which may be useful for build
systems that generate a filesystem tree outside of ostree:

• Add ostree admin post-copy command by @alexlarsson in #309

The commit logic started using reflinks (if available) which
can be a big speedup.

• commit: Try reflinks for local commits by default by @cgwalters in #3106

System root and bootloader:

• bootloader/zipl: Run in target deployment as container if needed by @cgwalters in #3104
• bootloader/zipl: No-op if run as non-root by @cgwalters in #3085
• lib/bootloader-zipl: Check for Secure Boot before zipl by @nikita-dubrovskii in #3080

Finally, ostree now ships a tmpfiles.d fragment which copies from /usr/share/factory/var to /var
by default:

• tmpfiles: Copy /usr/share/factory/var to /var by @cgwalters in #3103

v2023.7

A variety of things here. I think the new support for a "transient etc"
will be appreciated in many places. Note that to work with SELinux
the build system side needs to ensure the labels on /usr/etc match /etc.

Another important change is that the ostree HTTP layer now retries requests
by default; this closes a very longstanding RFE.

Also on the pull side, a longstanding bug was fixed where we'd still
try to fetch "loose" objects even when we were doing a delta pull.

There's a variety of clang-analyzer fixes (some false positives, some real
memory leaks, etc).

Even more in the below log; thanks to all contributors!

What's Changed

• Release by @cgwalters in #3005
• Misc c99 style 5 by @cgwalters in #3006
• 2023.6 coverity minor fixes by @cgwalters in #3013
• Refactor composefs warnings by @cgwalters in #2994
• More analyzer fixes 2 by @cgwalters in #3016
• More analyzer fixes 3 by @cgwalters in #3017
• mutable-tree: Quiet clang-analyzer warning by @cgwalters in #3019
• mutable-tree: Change some g_return_if_fail to g_assert() by @cgwalters in #3020
• build(deps): bump libglnx from c02eb59 to 54ad67d by @dependabot in #3023
• Clang analyzer fixes 5 by @cgwalters in #3024
• deploy: Remove global sync by default by @cgwalters in #2968
• sysroot: Promote the "early prune" behavior to default by @cgwalters in #3012
• build(deps): bump composefs from 1aed878 to 597a766 by @dependabot in #3018
• Drop cap-std from our public APIs by @cgwalters in #3027
• rust: Port to glib 0.18 by @cgwalters in #3029
• build(deps): bump composefs from 597a766 to d085fbf by @dependabot in #3028
• build(deps): bump composefs from d085fbf to af86742 by @dependabot in #3030
• rust/sys: Also bump semver for this by @cgwalters in #3035
• ci: Add an automatic labeler action by @cgwalters in #3037
• rust: Drop composefs from crate by @cgwalters in #3038
• lib/pull: Don't scan commit objects we fetch via deltas by @jlebon in #2054
• rust: Switch to using include by @cgwalters in #3039
• build(deps): bump libglnx from 54ad67d to aff1eea by @dependabot in #3047
• gitmodules: Use github GNOME mirror by @cgwalters in #3052
• rust/tests: Adjust for new ostree by @cgwalters in #3051
• boot/dracut: Add erofs and overlayfs kernel modules by @ericcurtin in #3053
• tests: Add an integration test for composefs signatures by @cgwalters in #3021
• docs: Add authenticated-repos.md by @cgwalters in #3058
• build(deps): bump composefs from af86742 to cca8be4 by @dependabot in #3046
• repo: Default bootloader to zipl on s390x by @cgwalters in #3059
• Revert "ci: Run cosa unprivileged" by @jlebon in #3049
• When exporting, use hardlinks for duplicated files by @owtaylor in #3060
• ci: Ensure composefs is enabled on Fedora by @cgwalters in #3067
• repo: Add an option to label /usr/etc as /etc by @cgwalters in #3063
• tests: Fix whiteout test by @alexlarsson in #3072
• Support transient /etc by @alexlarsson in #3062
• deploy: Improve error message for nonexistent stateroot by @cgwalters in #3073
• composefs: Add more error prefixing by @cgwalters in #3074
• deploy: Remove lock when re-staging by @cgwalters in #3077
• tests: Use ext4, re-enable composefs test by @cgwalters in #3075
• karg-delete: support multiple times by @HuijingHei in #3078
• ostree-fetcher-curl: handle non 404 errors as G_IO_ERROR_TIMED_OUT by @jmarrero in #2843
• lib/deploy: Log SELinux policy refresh by @jlebon in #3081

New Contributors

• @owtaylor made their first contribution in #3060

Full Changelog: v2023.6...v2023.7

2023.6

signing: ed25519 can now be backed by openssl

If ostree is compiled with OpenSSL support (as it is on e.g. Fedora derivatives), this also enables an OpenSSL-backed implementation of the ed25519 signature support. Previously, this required libsodium - which can still be used if desired instead of openssl.

composefs changes

Now enabled at build time (but disabled at runtime) by default

On systems with sufficiently new glibc and fsverity, ostree enables support for composefs at build time. It continues to be disabled by default at runtime.

composefs now supports signature verification

There is support for an "initramfs root binding key" that can be injected into the initramfs, and used to verify the ostree commit (including its embedded composefs checksum). One suggested model is to follow how e.g. Fedora signs kernel modules with a transient throwaway key. For more, please see the ostree/composefs doc.

Note that composefs continues to be classified as experimental.

Configuration format has changed

The old ot-composefs kernel argument is no longer honored in favor of a configuration file that should be present in the initramfs.

ostree-prepare-root other changes

• A new configuration file in the initramfs is honored: /etc/ostree/prepare-root.conf
• This configuration file can also specify the readonly-sysroot default, which is now recommended
• Improved Android Boot support
• The sysroot.readonly flag can now also be configured from here, and this is recommended
• /run/ostree-booted is now non-empty, and contains serialized state (this is an implementation detail)
• Several preparatory code cleanups for other changes
• ostree-prepare-root has a new man page which documents the previous state, along with the above

ostree admin set-default

A long-overdue CLI verb to change the default deployment for the next boot.

sysroot other bugfixes and changes

• It is now supported to have /usr/etc with an empty /etc. This is preparatory for supporting a transient /etc.
• Finally fixed the global sync timeout at shutdown
• Increased verbosity of changes
• ostree admin deploy now honors --stateroot as we prefer that term over --os

trivial-httpd

The remnants of the deprecated ostree trivial-httpd CLI are now completely gone.

Alexander Larsson (8):
      tests: Fix composefs test
      sign-ed25519: Drop some uses of libsodium
      sign-ed25519: Implement sign and verify using openssl
      CI: Enable --with-crypto=openssl on debian testing to test openssl signatures
      libotutil: Link to crypto libs
      ostree-prepare-root: Validate ed25519 signatures when requested
      Read composefs configuration from initrd instead of commandline
      prepare-root: Only support base64 formated public key files

Colin Walters (84):
      tests/transactionality: Port a bit to xshell
      tests: Drop unused alias
      tests: Enable mtime test
      docs: Update user and group section
      Separate prepare-root static path
      prepare-root: Link to glib
      configure: post-release version bump
      Drop "ostree trivial-httpd" CLI, move to tests directory
      fetcher: Always open tmpfiles in repo (except on FUSE)
      show: Add --print-hex
      build-sys: Add libsodium to OT_DEP_CRYPTO
      Factor out a libotcore
      build: Drop `make syntax-check`
      Add an internal constant for the composefs image name
      prepare-root: Use otutil and g_print
      prepare-root: Drop unused verity flag querying
      sysroot: Add some error prefixing for bootversion
      prepare-root: Use constant for ed25519 signature
      prepare-root: Add metadata for composefs to `/run/ostree-booted`
      remount: Don't overwrite /run/ostree-booted
      remount: Use new metadata in `/run/ostree-booted` for composefs
      prepare-root: Drop dead `pivot_root` code
      Use /run/ostree-booted metadata for sysroot-ro state passing
      man: Add ostree-prepare-root
      mount: Fix gcc -fanalyzer warning for parsing androidboot.slot_suffix
      build-sys: Enable composefs at *build time* by default
      prepare-root: Refactor composefs config handling
      commit: Add `--sign-from-file`
      tests: Remove dead references to "SEED"
      sign-ed25519: More verbose errors for invalid length
      sign-ed25519: Add some comments for data structure
      sign-ed25519: Don't set sk unless we've validated it
      generator: Deduplicate ostree= karg parsing
      prepare-root: Drop code mounting `/proc`
      prepare-root: Drop more dead code
      Add an always-on `inode64` feature
      composefs: Use lowerdir in /run
      generator: Stop creating `/run/ostree-booted`
      src/generator: Move all logic into libostree-1.so
      kernel-args: Move private functions out of public header
      sysroot: Add a bit more error prefixing
      repo: Clarify when we fail to parse a remote
      prepare-root: Introduce `ostree/prepare-root.conf`
      prepare-root: Default sysroot.readonly=true if composefs
      prepare-root: Don't parse target root when composefs enabled
      tree-wide: Consistently `(void)g_variant_lookup()`
      core, switchroot: Harden a bit against `g_variant_get_data() == NULL`
      checksum-utils: Add an assertion that `buf != NULL`
      deploy: Be way more verbose about what we're doing
      tests/destructive: Turn off global sync()
      deploy: Support an empty `/etc` and populated `/usr/etc`
      composefs: Only call `_get_symlink_target()` on symlinks
      os-init: Create a mount namespace
      Add `admin set-default`
      More fully drop `trivial-httpd` entrypoint
      deploy: Fix mutex locking for global sync timeout
      README.md: Drop dead mailing list, link to GH discussions
      prepare-root: Use declare-and-initialize
      prepare-root: Check for empty string, not strlen > 0
      prepare-root: Use ptrarray, not linked list
      switchroot,generator: Only read /proc/cmdline once
      deploy: Add some error prefixing
      prepare-root: Minor clarifications
      repo: Bump lock timeout to 5 minutes
      Add `ostree admin stateroot-init` as alias for `os-init`
      admin-deploy: Add `--stateroot` as alias for `--os`
      admin: Port to c99 style
      remote-add: Port to c99 style
      lzma: Port to C99 style
      checkout: Port to C99 style
      cli/set-origin: Port to C99 style
      tests/destructive: Port more to xshell
      build-sys: Disable composefs on too-old Linux headers
      tests: Add otcore unit tests
      tests/inst: Update to latest ostree-ext
      cmd/init: Port to C99 style
      cmd/grub2-generate: Port to C99 style
      Move prepare-root karg helpers into otcore, add unit tests
      deploy: Add bootloader-naming-2 opt-init
      ci: Add c9s build
      build-sys: Look for both linux/mount.h and sys/mount.h
      build-sys: Really fix composefs check
      Release 2023.6
      configure: post-release version bump

Eric Curtin (6):
      android-boot: Remove dependency on ostree= karg, use androidboot.slot_suffix=
      Remove steal_pointer and steal_pointer_impl as we link in glib now
      bootloader: fold all Android Bootloader specific logic into prepare-root
      prepare-root: On a non-A/B androidboot system, boot system slot a
      prepare-root: Changes made to find_proc_cmdline_key
      prepare-root: If composefs is configured as "maybe" don't fail

dependabot[bot] (5):
      build(deps): bump composefs from `412cb5e` to `ac729b5`
      build(deps): bump composefs from `ac729b5` to `1704f82`
      build(deps): bump libglnx from `07e3e49` to `c02eb59`
      build(deps): bump composefs from `1704f82` to `a6e827d`
      build(deps): bump composefs from `a6e827d` to `1aed878`

samcday (1):
      docs: update boot loader spec link

2023.5

This is a bugfix release for the recent 2023.4.

Key bugs fixed

• Revert "fetcher: Always open tmpfiles in repo location" by @cgwalters in #2901
• Fix return value of generator on non-ostree systems by @cgwalters in #2911

Other changes

• build(deps): bump composefs from c9188cd to 08bdb03 by @dependabot in #2892
• ci: Add some composefs testing by @cgwalters in #2893
• Release 2023.4 by @cgwalters in #2895
• lib/deploy: Use off_t not __off_t by @akiernan in #2896
• prepare-root: Adjust to composefs mount struct changes by @dbnicholson in #2903
• bootloader: Pass "options" to aboot bootloader backend by @ericcurtin in #2902
• ci: Add "it compiles" coverage for --with-static-compiler by @cgwalters in #2906
• ci/prow: Build tests before trying to install by @cgwalters in #2904
• tests: Source libtest before exiting by @cgwalters in #2907
• ci: Fix executability by @cgwalters in #2910
• build(deps): bump composefs from 08bdb03 to 412cb5e by @dependabot in #2899

Full Changelog: v2023.4...v2023.5

2023.4

Notable bugfixes

• commit: fix ostree deployment on 64-bit inode fs by @aospan in #2874

This is a simple patch that is a candidate for backporting to e.g. stable distribution/OS versions of ostree.

New features

composefs

See the documentation.

• Add initial composefs integration by @alexlarsson in #2640
• Composefs followups by @cgwalters in #2872
• composefs: Add some basic docs by @cgwalters in #2885
• composefs: Avoid double unref by @cgwalters in #2890
• lib: Rework composefs metadata, drop custom signatures by @cgwalters in #2891
• composefs: Change how we do signatures by @alexlarsson in #2879

ostree=aboot for Android Boot

• Add ostree=aboot for signed Android Boot Images by @ericcurtin in #2877

HTTP/pull fixes

• ostree-fetcher-curl: explicitly use HTTP1.1 when HTTP2 is disabled by @daissi in #2886
• Increase the metadata size limit to 128MB by @barthalion in #2865
• fetcher: Always open tmpfiles in repo location by @cgwalters in #2875

Other changes

• tests: A bit more xshell porting by @cgwalters in #2860
• lib/deploy: Use fallocate for early prune space check by @jlebon in #2866
• prepare-root: Move sysroot.tmp creation earlier by @cgwalters in #2864
• lib/deploy: Disambiguate error messages for early prune space check by @dustymabe in #2870
• lib/deploy: skip fallocate call when requested size is 0 by @dustymabe in #2871
• test-concurrency: Don't lower timeout by @cgwalters in #2882
• build(deps): bump composefs from af8e1a7 to c9188cd by @dependabot in #2881
• pull: Add error prefixing for corrupt checksums by @cgwalters in #2884
• fix build with lld linker by @kraj in #2880
• Add more error prefixing when parsing commit objects by @cgwalters in #2888

New Contributors

• @dustymabe made their first contribution in #2870
• @aospan made their first contribution in #2874
• @barthalion made their first contribution in #2865
• @kraj made their first contribution in #2880
• @daissi made their first contribution in #2886

Full Changelog: v2023.3...v2023.4