Move from OSTree to OCI for updates of new systems #1823
Labels
area/bootable-containers
Related to the bootable containers effort.
area/updates
component/rpm-ostree
component/zincati
F42-Changes
F42
kind/enhancement
Comments
jlebon
added a commit
to jlebon/coreos-assembler
that referenced
this issue
Nov 1, 2024
Take the digest pullspec for the base OS bootable container and put it in the new `oci-image` field in the release metadata. Part of coreos/fedora-coreos-tracker#1823.
jlebon
added a commit
to jlebon/coreos-assembler
that referenced
this issue
Nov 1, 2024
When updating the release index, gather the OCI pullspecs across all arches for a given release into a single list and inject it into the new `oci-images` key, the same way we do for OSTree commits and `commits`. Part of coreos/fedora-coreos-tracker#1823.8000
jlebon
added a commit
to jlebon/fedora-coreos-cincinnati
that referenced
this issue
Nov 1, 2024
Currently, we're starting a total of N x M scrapers, where N is the number of streams, and M the number of arches. So right now, this would be 3 x 4 = 12 scrapers. This is very wasteful because each scraper individually downloads the release index and update metadata every 30 seconds, even though that metadata is not different per architecture. I think the reason it was set up this way is in case we wanted to host separate e.g. release index or update files _per_ architecture in S3 instead of all togother. This can be seen by the fact the code supports templating those URLs with `basearch`. However, it's unlikely we'll be changing that design decision, so let's just do the saner thing and rework the scraping to be stream-based. This is done by changing the scraper to host not one single `Graph` object, but instead a `HashMap<String, Graph>` which maps architectures to graphs. Then, when a request for a graph comes in, we lookup in our cache keying off of the requested architecture. This is prep for adding another dimension to the matrix, which is whether the OCI version of the graph was reported. If we didn't do this cleanup first, it would have blown up the number of scrapers to 24. Part of coreos/fedora-coreos-tracker#1823.
jlebon
added a commit
to jlebon/fedora-coreos-cincinnati
that referenced
this issue
Nov 1, 2024
When parsing the release index, check for the new `oci-images` key. If present, also build up a separate graph with only nodes containing OCI information. In that case, the node payload is the pullspec and the scheme declared in the node metadata is `oci`. When a client requests a graph, check if the `oci=` URL parameter was set. If so, return back the OCI graph instead of the OSTree one. Part of coreos/fedora-coreos-tracker#1823.
jlebon
added a commit
to jlebon/stream-metadata-go
that referenced
this issue
Nov 1, 2024
Add support in both release metadata and the release index for specifying OCI image pullspecs for a given release. In both cases, the new fields are located at the same level as the existing `commits` key holding OSTree checksums. The key is called `oci-image` in release metadata and `oci-images` in the release index. Part of coreos/fedora-coreos-tracker#1823.
|
OK, some progress on this:
So the next step on this is support in Zincati for a config knob that tells it to request the OCI version of the graph and deploy using |
jlebon
added a commit
to jlebon/stream-metadata-go
that referenced
this issue
Nov 1, 2024
Add support in both release metadata and the release index for specifying OCI image pullspecs for a given release. In both cases, the new fields are located at the same level as the existing `commits` key holding OSTree checksums. The key is called `oci-image` in release metadata and `oci-images` in the release index. Part of coreos/fedora-coreos-tracker#1823.
|
Awesome! |
jlebon
added a commit
to jlebon/fedora-coreos-cincinnati
that referenced
this issue
Nov 2, 2024
Currently, we're starting a total of N x M scrapers, where N is the number of streams, and M the number of arches. So right now, this would be 3 x 4 = 12 scrapers. This is very wasteful because each scraper individually downloads the release index and update metadata every 30 seconds, even though that metadata is not different per architecture. I think the reason it was set up this way is in case we wanted to host separate e.g. release index or update files _per_ architecture in S3 instead of all together. This can be seen by the fact the code supports templating those URLs with `basearch`. However, it's unlikely we'll be changing that design decision, so let's just do the saner thing and rework the scraping to be stream-based. This is done by changing the scraper to host not one single `Graph` object, but instead a `HashMap<String, Graph>` which maps architectures to graphs. Then, when a request for a graph comes in, we lookup in our cache keying off of the requested architecture. This is prep for adding another dimension to the matrix, which is whether the OCI version of the graph was requested. If we didn't do this cleanup first, it would have blown up the number of scrapers to 24. Part of coreos/fedora-coreos-tracker#1823.
jlebon
added a commit
to jlebon/fedora-coreos-cincinnati
that referenced
this issue
Nov 2, 2024
When parsing the release index, check for the new `oci-images` key. If present, also build up a separate graph with only nodes containing OCI information. In that case, the node payload is the pullspec and the scheme declared in the node metadata is `oci`. When a client requests a graph, check if the `oci=` URL parameter was set. If so, return back the OCI graph instead of the OSTree one. Part of coreos/fedora-coreos-tracker#1823.
jlebon
added a commit
to jlebon/stream-metadata-go
that referenced
this issue
Nov 6, 2024
Add support in both release metadata and the release index for specifying OCI image pullspecs for a given release. In both cases, the new fields are located at the same level as the existing `commits` key holding OSTree checksums. The key is called `oci-image` in release metadata and `oci-images` in the release index. Part of coreos/fedora-coreos-tracker#1823.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
jlebon
added a commit
to jlebon/coreos-assembler
that referenced
this issue
Nov 7, 2024
Take the digest pullspec for the base OS bootable container and put it in the new `oci-image` field in the release metadata. Part of coreos/fedora-coreos-tracker#1823.
jlebon
added a commit
to jlebon/coreos-assembler
that referenced
this issue
Nov 7, 2024
When updating the release index, gather the OCI pullspecs across all arches for a given release into a single list and inject it into the new `oci-images` key, the same way we do for OSTree commits and `commits`. Part of coreos/fedora-coreos-tracker#1823.
jlebon
added a commit
to jlebon/fedora-coreos-cincinnati
that referenced
this issue
Nov 7, 2024
When parsing the release index, check for the new `oci-images` key. If present, also build up a separate graph with only nodes containing OCI information. In that case, the node payload is the pullspec and the scheme declared in the node metadata is `oci`. When a client requests a graph, check if the `oci=` URL parameter was set. If so, return back the OCI graph instead of the OSTree one. Part of coreos/fedora-coreos-tracker#1823.
Instead of a config knob, Zincati can just cue off of the origin. If the OS is on OSTree, query the OSTree graph. If it's on OCI, query the OCI graph. So then the barrier release is just about switching the origin over from OSTree to OCI. Discussed the rollout plan for this with @travier and @dustymabe:
|
dustymabe
pushed a commit
to coreos/coreos-assembler
that referenced
this issue
Nov 13, 2024
Take the digest pullspec for the base OS bootable container and put it in the new `oci-image` field in the release metadata. Part of coreos/fedora-coreos-tracker#1823.
dustymabe
pushed a commit
to coreos/coreos-assembler
that referenced
this issue
Nov 13, 2024
When updating the release index, gather the OCI pullspecs across all arches for a given release into a single list and inject it into the new `oci-images` key, the same way we do for OSTree commits and `commits`. Part of coreos/fedora-coreos-tracker#1823.
dustymabe
added a commit
to coreos/fedora-coreos-config
that referenced
this issue
Mar 31, 2025
This is part of the overall move to OCI based updates that is coming in the Fedora 42 cycle for FCOS. See: coreos/fedora-coreos-tracker#1823 Closes: #3423
dustymabe
added a commit
to coreosbot-releng/fedora-coreos-config
that referenced
this issue
Mar 31, 2025
This is part of the overall move to OCI based updates that is coming in the Fedora 42 cycle for FCOS. See: coreos/fedora-coreos-tracker#1823 Closes: coreos#3423 (cherry picked from commit 22d6552)
dustymabe
added a commit
to coreos/fedora-coreos-config
that referenced
this issue
Mar 31, 2025
This is part of the overall move to OCI based updates that is coming in the Fedora 42 cycle for FCOS. See: coreos/fedora-coreos-tracker#1823 Closes: #3423 (cherry picked from commit 22d6552)
jbtrystram
added a commit
to jbtrystram/fedora-coreos-docs
that referenced
this issue
Apr 1, 2025
With the f42 rebase we will switch disk images to use OCI for updates. While this is transparent for most users, it's still a big technical change so it's worth mentionning it, at least so users using can look into it. See https://fedoraproject.org/wiki/Changes/CoreOSOstree2OCIUpdates coreos/fedora-coreos-tracker#1823
jbtrystram
added a commit
to coreos/fedora-coreos-docs
that referenced
this issue
Apr 1, 2025
With the f42 rebase we will switch disk images to use OCI for updates. While this is transparent for most users, it's still a big technical change so it's worth mentionning it, at least so users using can look into it. See https://fedoraproject.org/wiki/Changes/CoreOSOstree2OCIUpdates coreos/fedora-coreos-tracker#1823
jbtrystram
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this issue
Apr 9, 2025
To simplify testing for coreos/fedora-coreos-tracker#1823 This script write a Zincati status override containing a fake rpm-ostree status output to appear like it's on an OCI deployement. Zincati will look under the well-known path of /run/zincati/booted-status-override.json. The content will trigger the OCI code path in Zincati. This will later run as ExecStartPre in the zincati.service environment Just ship the migration script for now, without the zincati service changes, to allow testing. See coreos/fedora-coreos-tracker#1890 See coreos/fedora-coreos-tracker#1823 (comment) Requires zincati 0.0.30 Ref coreos/zincati#1273 Ref coreos/zincati#1241
dustymabe
pushed a commit
to coreos/fedora-coreos-config
that referenced
this issue
Apr 9, 2025
To simplify testing for coreos/fedora-coreos-tracker#1823 This script write a Zincati status override containing a fake rpm-ostree status output to appear like it's on an OCI deployement. Zincati will look under the well-known path of /run/zincati/booted-status-override.json. The content will trigger the OCI code path in Zincati. This will later run as ExecStartPre in the zincati.service environment Just ship the migration script for now, without the zincati service changes, to allow testing. See coreos/fedora-coreos-tracker#1890 See coreos/fedora-coreos-tracker#1823 (comment) Requires zincati 0.0.30 Ref coreos/zincati#1273 Ref coreos/zincati#1241
dustymabe
added a commit
to dustymabe/fedora-coreos-config
that referenced
this issue
Apr 11, 2025
These changes are ones that we are adopting for F42+ and since F42 GA is a GO for Tuesday 04/15 we'll go ahead and make the change for `testing-devel` now. - coreos/fedora-coreos-tracker#1823 - coreos/fedora-coreos-tracker#1852
dustymabe
added a commit
to dustymabe/fedora-coreos-config
that referenced
this issue
Apr 11, 2025
These changes are ones that we are adopting for F42+ and since F42 GA is a GO for Tuesday 04/15 we'll go ahead and make the change for `testing-devel` now. We can update image-base.yaml because now the change can apply everywhere. - coreos/fedora-coreos-tracker#1823 - coreos/fedora-coreos-tracker#1852
jbtrystram
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this issue
Apr 15, 2025
In [1] we moved newly provisioned systems to be deployed via container and thus retrieving updates via zincati from the OCI registry (quay.io/fedora/fedora-coreos). This starts the migration script shipped in [2] before Zincati to set up the migration at the next update. A way to override this is to add another drop-in with `ExecStartPre=` with a higher ranking name under the systemd drop in path, e.g. `/etc/systemd/system/zincati.service.d/90-no-oci.conf`. [1] coreos/fedora-coreos-tracker#1823 [2] coreos#3355 Closes coreos/fedora-coreos-tracker#1890
dustymabe
added a commit
to dustymabe/fedora-coreos-config
that referenced
this issue
Apr 15, 2025
These changes are ones that we are adopting for F42+ and since F42 GA is a GO for Tuesday 04/15 we'll go ahead and make the change for `testing-devel` now. We can update image-base.yaml because now the change can apply everywhere. - coreos/fedora-coreos-tracker#1823 - coreos/fedora-coreos-tracker#1852
dustymabe
added a commit
to coreos/fedora-coreos-config
that referenced
this issue
Apr 15, 2025
These changes are ones that we are adopting for F42+ and since F42 GA is a GO for Tuesday 04/15 we'll go ahead and make the change for `testing-devel` now. We can update image-base.yaml because now the change can apply everywhere. - coreos/fedo 8000 ra-coreos-tracker#1823 - coreos/fedora-coreos-tracker#1852
jbtrystram
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this issue
Apr 16, 2025
In [1] we moved newly provisioned systems to be deployed via container and thus retrieving updates via zincati from the OCI registry (quay.io/fedora/fedora-coreos). This starts the migration script shipped in [2] before Zincati to set up the migration at the next update. Slightly tweak the migration script to look for a stamp to opt-out of the migration and create one to signal failure. Also add a MOTD that look for those stamps and display an appropriate message. [1] coreos/fedora-coreos-tracker#1823 [2] coreos#3355 Closes coreos/fedora-coreos-tracker#1890
jbtrystram
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this issue
Apr 16, 2025
In [1] we moved newly provisioned systems to be deployed via container and thus retrieving updates via zincati from the OCI registry (quay.io/fedora/fedora-coreos). This starts the migration script shipped in [2] before Zincati to set up the migration at the next update. Slightly tweak the migration script to look for a stamp to opt-out of the migration and create one to signal failure. Also add a MOTD that look for those stamps and display an appropriate message. [1] coreos/fedora-coreos-tracker#1823 [2] coreos#3355 Closes coreos/fedora-coreos-tracker#1890
jbtrystram
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this issue
Apr 17, 2025
In [1] we moved newly provisioned systems to be deployed via container and thus retrieving updates via zincati from the OCI registry (quay.io/fedora/fedora-coreos). This starts the migration script shipped in [2] before Zincati to set up the migration at the next update. Slightly tweak the migration script to look for a stamp to opt-out of the migration and create one to signal failure. Also add a MOTD that look for those stamps and display an appropriate message. [1] coreos/fedora-coreos-tracker#1823 [2] coreos#3355 Closes coreos/fedora-coreos-tracker#1890
|
The fix for this went into |
|
We are not able to switch to a new derived image via bootc on |
|
Can you also add the output of e.g. |
|
A small update, I am not able to reproduce the issue manually, so we are looking what is wrong in |
|
The fix for this went into |
jbtrystram
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this issue
May 13, 2025
In [1] we moved newly provisioned systems to be deployed via container and thus retrieving updates via zincati from the OCI registry (quay.io/fedora/fedora-coreos). This starts the migration script shipped in [2] before Zincati to set up the migration at the next update. Slightly tweak the migration script to look for a stamp to opt-out of the migration and create one to signal failure. Also add a MOTD that look for those stamps and display an appropriate message. [1] coreos/fedora-coreos-tracker#1823 [2] coreos#3355 Closes coreos/fedora-coreos-tracker#1890
jbtrystram
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this issue
May 14, 2025
In [1] we moved newly provisioned systems to be deployed via container and thus retrieving updates via zincati from the OCI registry (quay.io/fedora/fedora-coreos). This starts the migration script shipped in [2] before Zincati to set up the migration at the next update. Slightly tweak the migration script to look for a stamp to opt-out of the migration and create one to signal failure. Also add a MOTD that look for those stamps and display an appropriate message. [1] coreos/fedora-coreos-tracker#1823 [2] coreos#3355 Closes coreos/fedora-coreos-tracker#1890
jbtrystram
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this issue
May 14, 2025
In [1] we moved newly provisioned systems to be deployed via container and thus retrieving updates via zincati from the OCI registry (quay.io/fedora/fedora-coreos). This starts the migration script shipped in [2] before Zincati to set up the migration at the next update. Slightly tweak the migration script to look for a stamp to opt-out of the migration and create one to signal failure. Also add a MOTD that look for those stamps and display an appropriate message. [1] coreos/fedora-coreos-tracker#1823 [2] coreos#3355 Closes coreos/fedora-coreos-tracker#1890
jbtrystram
added a commit
to jbtrystram/fedora-coreos-config
that referenced
this issue
May 15, 2025
In [1] we moved newly provisioned systems to be deployed via container and thus retrieving updates via zincati from the OCI registry (quay.io/fedora/fedora-coreos). This starts the migration script shipped in [2] before Zincati to set up the migration at the next update. Slightly tweak the migration script to look for a stamp to opt-out of the migration and create one to signal failure. Also add a MOTD that look for those stamps and display an appropriate message. [1] coreos/fedora-coreos-tracker#1823 [2] coreos#3355 Closes coreos/fedora-coreos-tracker#1890
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, FCOS pushes updates via an OSTree repo. To better align with the bootable containers initiative, let's move to updating FCOS via a container image. Container images are already being published in https://quay.io/repository/fedora/fedora-coreos.
Note this ticket is separate from #1263, which covers also fleshing out the story of layering. In this ticket, we're strictly scoping the effort to changing the transport used.
The text was updated successfully, but these errors were encountered: