Skip to content

Switch to image-based A/B partition layout

Summary

Instead of using libostree to provide our atomicity, we switch to an A/B partition layout

Reasoning

  • This allows us to implement dm-verify for secure boot
  • This makes it easier (possible, even) to implement UKIs
    • OSTree requires a commit hash, which is tied to the target machine
    • OSTree commit hash cannot be pre-computed unless the kernel is shipped out-of-band with OSTree (which OSTree does not support)
  • This allows us to support systemd-boot better
    • Stock OSTree cannot handle vfat /boot partitions
    • We can mount the ESP to /efi
  • This will allow us to implement DDIs, and thus integrate w/ all of systemd's magical tooling
  • It's easier to implement the server-side of os-updated, since we can have a custom summary format that's better suited for carbonOS's use case. A lot of these things are relatively difficult to implement with ostree
    • Changelogs
    • Checkpoints
    • (Optional) Deltas
    • Update channels
    • Board-specific updates
    • Secure-boot controls (i.e. "you can only install this channel if you disable secure boot")
    • systemd-sysexts, and upcoming systemd-sysconfigs
    • Correct update size information (!!!)
  • Can never run low enough on space that an update fails
    • This is a problem with ostree - when low on space updates start failing sporadically
    • With A/B there's always enough space reserved to install an update

There's also some slight concern over the direction of the OSTree format:

  • Fedora (CoreOS, Silverblue, etc) seem to be interested in replacing the OSTree repo format with OCI for the purposes of system images

Prior Art

  • Chrome OS
  • Android

Notes

Some drawbacks of this change:

  • We'll need to waste a few GB of space, as overhead so that the OS can grow
  • We'll need to waste some more space b/c two images will not be sharing files among each other, unlike OSTree
  • os-updated will become more complicated
  • We'll need to figure out how to handle our own delta updates

Some yet-unresolved questions:

  • What fs to use in each OS partition (squashfs vs erofs, leaning slightly towards squashfs for now)
  • How big to make each OS partition (I'm thinking ~4 GB for now)
  • How will we do delta updates
Edited by Adrian Vovk