Move from OSTree to OCI for updates

[jlebon]

Currently, FCOS pushes updates via an OSTree repo. To better align with the bootable containers initiative, let's move to updating FCOS via a container image. Container images are already being published in https://quay.io/repository/fedora/fedora-coreos.

Note this ticket is separate from #1263, which covers also fleshing out the story of layering. In this ticket, we're strictly scoping the effort to changing the transport used.

[jlebon]

OK, some progress on this:

• release: support OCI image pullspecs stream-metadata-go#75 adds support for a new oci-image key in the release metadata and a new oci-images key in the release index
• Inject oci-image in release metadata and oci-images in release index coreos-assembler#3919 populates those newly supported keys from the base-oscontainer key in the build metadata
• Add support for querying OCI graph fedora-coreos-cincinnati#99 teaches Cincinnati to read those keys and serve an OCI-based graph when the request includes oci=true
• daemon/transaction-types: Support custom origins for digested pullspecs rpm-ostree#5120 teaches rpm-ostree to allow custom origin information when passing a digest pullspec to rpm-ostree rebase

So the next step on this is support in Zincati for a config knob that tells it to request the OCI version of the graph and deploy using rpm-ostree rebase with appropriate custom origin info.

[cgwalters]

Awesome!

[jlebon]

So the next step on this is support in Zincati for a config knob that tells it to request the OCI version of the graph

Instead of a config knob, Zincati can just cue off of the origin. If the OS is on OSTree, query the OSTree graph. If it's on OCI, query the OCI graph. So then the barrier release is just about switching the origin over from OSTree to OCI.

Discussed the rollout plan for this with @travier and @dustymabe:

• Switch next bootimages to deploy-via-container whenever all the code needed has landed in FCOS.
  • This means that only new nodes will be updating via containers to start, giving us a way to bake it before switching updating nodes.
• After X next releases (e.g. 2 or 3), do barrier release to switch origin on existing nodes.
• Switch the testing bootimages to deploy-via-container. If we're still before Beta freeze, just do it. If we're after Beta freeze, do it at GA.
  • Stable follows 2 weeks after.
• After X testing releases, do barrier release to switch origin on existing nodes.
  • Stable follows 2 weeks after.

[jlebon]

One thing we discussed related to this was signing. Currently, the FCOS OCI artifacts are not signed (really, AFAICT none of the Fedora container images are signed either). Ideally, we close that gap before we fully switch over.

At least the OSTree commit inside of the OCI is still signed, but we'd still need to download and extract without any verification. But even then it's not really used in any meaningful way client-side currently because when importing into the OSTree repo, it's the OCI "merge commit" that gets deployed. We'd have to unencapsulate instead and in the process point at the remote OSTree config containing the GPG settings. So yeah... all around much better if we just fix this at the OCI level.

Related Robosignatory issue: https://pagure.io/robosignatory/issue/22

[jlebon]

One thing we discussed related to this was signing.

Was chatting with @cgwalters about this. One interesting note is that the Konflux pipelines building rhel-bootc and centos-bootc do sign container images today. See e.g. the shield icons in https://quay.io/repository/centos-bootc/centos-bootc?tab=tags. Ideally, we also have that setup for fedora-bootc as we bring it up in the Fedora Konflux, and we can piggy-back on it for FCOS too (even if we're not building the whole thing in Konflux just yet).

Otherwise, it should also be possible to make the rpm-ostree consumption of the embedded signature better.