Conversation
OhmSpectator
force-pushed
the
feature/split-rootfs
branch
from
febc050 to
b5a1ebb
Compare
|
I'm impressed I had only one Yetus warning =D |
|
I am quite in favour of this idea, at least in principle. @rene has raised it before as well. I am not convinced this is the best way to solve the "300MB limit" issue; that is better handled by resizing partitions (which can be done safely, if done correctly). However, this does have the option of making the "common OS" (term created by Daniel Derksen) much more common, and then all of the "additional things" be added later or earlier. That is the real value IMO; reducing EVE's proliferation. I have been using the term "boot+core" for the first part, and "system+app" for the second part:
Of course, we can be OK with any terminology. I do have some specific disagreements with parts of the design.
I have done a number of experiments on containers in erofs with verity, and it works quite well. Summarizing: I like what you are doing, definitely bring @rene into it, as he has ideas. How we build and integrate with the "other parts" should be subject to discussion. |
|
@deitch, it's just a PoC for one of the approaches that @rene asked me to accomplish by the end of this year. I totally like your comments and I guess you have a better vision of which tools should be used for that. There is a design doc that you can also comment on. Ping @rene in DM to get a link to it. For now I'm done with the task. |
|
Never assume I have a better vision; just a potentially different one. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #5470 +/- ##
==========================================
+ Coverage 19.52% 29.49% +9.96%
==========================================
Files 19 18 -1
Lines 3021 2417 -604
==========================================
+ Hits 590 713 +123
+ Misses 2310 1552 -758
- Partials 121 152 +31 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Even if we had the resizing today I don't know how we would convince all users to do that operation in production before they need the next set of fixes for CVEs (which are likely to push the current image above the 300MB limit). So I think we need this tool in our collection of tools to be able to move forward (in addition to getting the resizing in place). |
I thought I added this comment from my phone earlier, but here we go again. Even if we have good partition resizing support, a user probably needs some additional care (e.g., don't power off intentionally or accidentally during the resizing operation), which means they might want to pick a good time to do that. Thus I think we need this approach plus resizing (plus a larger default partition size at install). |
Agreed. In the long run, the resize will solve us for many years to come, especially with the new sizes. But we need this. |
|
Even if I think implementation-wise it should be somewhat different. |
|
This approach (or any, for that matter), if not designed from the ground up to address the security implications it may bring, can completely undermine one of EVE’s foundational security guarantees: a device left unattended cannot be permanently backdoored (at both the EVE-OS level and the application level if an encrypted partition is used).
@deitch This can’t help without root hash signing (which is another can of worms by itself). An attacker with root access or, in our case with physical disk access, can simply modify the image and then update the entire hash tree. There are possible solutions but each have their own limitations and bring complexity :
@andrewd-zededa I'm not familiar with the design of eve-k, but the same issue may apply to it ☝🏼 |
@shjala |
@shjala why not?
With verity, any changes on the filesystem will cause the kernel to refuse to pass those through. The key is to have:
With the above, the extended blocks reader is ensured that the contents of the extended block never are changed, or are prevented if changed. What did I miss? |
OhmSpectator
force-pushed
the
feature/split-rootfs
branch
from
b5a1ebb to
6ab0bbb
Compare
github-actions
bot
requested review from
andrewd-zededa,
deitch,
europaul,
naiming-zededa,
rene,
rouming,
rucoder,
shjala and
zedi-pramodh
OhmSpectator
force-pushed
the
feature/split-rootfs
branch
from
90b02fb to
4522a94
Compare
Add dedicated bootstrap/pkgs LinuxKit templates, glue them into the build graph, and expose make targets for producing each squashfs so the new architecture can be built independently of the legacy rootfs. Signed-off-by: Nikolay Martyanov <nikolay@zededa.com>
Wire the split rootfs into developer workflows by adding live/run targets, and documenting the new entry points in the help output. Signed-off-by: Nikolay Martyanov <nikolay@zededa.com>
Introduce the external-services loader that discovers pkgs.img, mounts it, and starts services through containerd, and register the agent inside the boot sequence. Signed-off-by: Nikolay Martyanov <nikolay@zededa.com>
Add SPLIT-ROOTFS.md outlining the motivation, build pipeline, and Pillar integration for the bootstrap/pkgs experiment. Signed-off-by: Nikolay Martyanov <nikolay@zededa.com>
- Makefile: installer-split target, eve-hv-supported metadata injection - installer.yml.in: include rootfs-ext.img in installer - pkg/installer/install: read HV from CONFIG, copy ext to persist - pkg/grub: read eve-hv-type from CONFIG, write /run/eve-hv-type - storage-init: select ext4/ZFS based on CONFIG eve-hv-type - onboot.sh: propagate CONFIG eve-hv-type to runtime - extsloader: skip kube service when HV != k - rootfs_core/ext/universal.yml.in: split rootfs templates - docs/SPLIT-ROOTFS-DESIGN.md: v1.6 with POC implementation status Signed-off-by: Nikolay Martyanov <ohmspectator@gmail.com>
- gate zedkube startup in device-steps by eve-hv-type (/run/eve-hv-type, fallback /etc/eve-hv-type). - subscribe to ENClusterAppStatus in zedmanager only for kube HV. - update rootfs_ext service template to match the split/universal service set for this WIP. Signed-off-by: Nikolay Martyanov <ohmspectator@gmail.com>
Exclude /persist/pkgs and /persist/eve-services from volumemgr large-file scan to avoid oversized DiskMetric payloads in split rootfs runs. Also tighten FindLargeFiles exclude matching to directory boundaries and add a regression test. Signed-off-by: Nikolay Martyanov <ohmspectator@gmail.com>
Switch kube-only behavior from build-time assumptions to runtime checks for pillar-k running on non-k hypervisor types. - gate PVC disk metrics and PVC format bootstrap scan by runtime HV type - add shared kube runtime guard and apply it across exported kubeapi functions in //go:build k files - add runtime fail-fast checks in zedkube and kubevirt hypervisor exported entry points - reject kubevirt hypervisor selection when runtime HV type is not k - make CSI handler constructor safely fall back when kube runtime is disabled - keep node-drain behavior runtime-aware (NOTSUPPORTED on non-k) - handle DeleteNAD call-site errors explicitly This keeps split/universal images runtime-driven instead of relying on compile-time -k behavior. Signed-off-by: Nikolay Martyanov <ohmspectator@gmail.com>
OhmSpectator
force-pushed
the
feature/split-rootfs
branch
from
4522a94 to
db48c64
Compare
github-actions
bot
requested review from
christoph-zededa,
jsfakian,
milan-zededa and
uncleDecart
Split-rootfs OTA update mechanism:
- Makefile: eve-split target rewritten to avoid recursive make (fixes
dirty-timestamp and monolithic rootfs rebuild issues). Uses cp instead
of symlinks so Docker COPY gets real files, not dangling symlinks.
- Dockerfile.in: conditional #SPLIT_ROOTFS_LABEL# for Extension disk label
- baseosmgr/worker.go: WriteExtensionToPersist after WriteToPartition
- baseosmgr/handleextension.go: CAS helper for Extension extraction
- cas/extension.go: FindAdditionalDiskBlob for OCI manifest walking
- extsloader: CAS self-heal via Puller.Pull with FilesTarget{Disks},
pubsub ProcessChange for BaseOsStatus/ContentTreeStatus subscriptions
- types/locationconsts.go: shared Extension A/B path constants
- Roadmap doc updated with HV-agnostic Core limitation note
Eden test infrastructure:
- tests/eden/run.sh: split-rootfs test entry (test #8)
- tests/eden/prepare-split-rootfs-test.sh: build/push/setup/test script
Tested: monolith(15.11.0) -> split OTA, CAS self-heal extracts Extension,
dm-verity mount, debug/SSH container starts from Extension.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- types/extsloadertypes.go: new ExtsloaderStatus type with State enum (Starting/Ready/Failed), published via pubsub by extsloader - extsloader: publish ExtsloaderStatus via pubsub instead of only writing /run/extsloader-state.json (kept as debug aid, marked for removal) - nodeagent: subscribe to ExtsloaderStatus from extsloader, check Extension ready state before marking update TestComplete in testing window (handletimers.go:checkExtsloaderReady). If /etc/ext-verity-roothash exists but Extension not ready, testing window keeps waiting → eventual reboot → automatic rollback - base/logobjecttypes.go: register ExtsloaderStatusLogType Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- pkg/pillar/Dockerfile: add cryptsetup package (provides veritysetup) to the runtime PKGS. Required for dm-verity verification of Extension. - extsloader: remove legacy read-only loop mount fallback. dm-verity is now mandatory for Extension mounting. If veritysetup is missing or roothash not found, mount fails → extsloader reports failed → nodeagent testing window holds → rollback. - Remove "no-verity" PCR12 measurement path since verity is always used. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- tests/eden/prepare-broken-split-image.sh: builds a split-rootfs EVE image with corrupted ext-verity-roothash for rollback testing - tools/make-ext-verity.sh: dm-verity hash tree generation for Extension Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
OhmSpectator
force-pushed
the
feature/split-rootfs
branch
from
db48c64 to
063e1b2
Compare
…sitions Add CleanupUnusedExtension() to baseosmgr/handleextension.go. Called when a partition transitions to "unused" state: - After successful update (handleZbootTestComplete): other slot's ext cleaned - After uninstall (doBaseOsUninstall): other partition marked unused, ext cleaned - After failed version check (doBaseOsActivate): partition marked unused, ext cleaned This prevents stale Extension images from accumulating on /persist. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
4 participants
Description
This PR introduces the split-rootfs proof of concept for EVE. The build now produces two LinuxKit images - a minimal “bootstrap” rootfs with only boot-critical services and a “pkgs” rootfs containing non-critical services - and exposes make targets to build/run them either independently or together. Pillar gains the
extsloaderagent that discoverspkgs.img, mounts it, and starts its services viacontainerdso they appear in eve list. Documentation indocs/SPLIT-ROOTFS.mddescribes the architecture, workflows, and validation steps for the experiment.PR dependencies
None.
How to test and validate this PR
Confirm the artifacts appear under
dist/amd64/<version>/installer/.Inside the EVE, confirm
/persist/pkgsis mounted, extsloader is running (logread | grep extsloader), and the pkgs services show up ineve status.No automated tests cover this yet.
Changelog notes
Adds experimental split-rootfs tooling (bootstrap + pkgs images), developer run targets, and the Pillar external services loader that auto-starts
pkgs.imgcontents.PR Backports
Checklist