rpm-ostree is the hybrid image/package system that provides transactional upgrades on Atomic Host. Here are some highlights from version v2017.7, including PolicyKit and experimental overrides support.

As usual, you can test out this release by rebasing your Fedora Atomic Host onto the testing branch. Feel free to also leave karma in the pending Bodhi updates:

Note that this is the final release of rpm-ostree on Fedora 25 as we focus our efforts on Fedora 26.

Experimental support for overrides

The most visible change in this release is the addition of a new ex subcommand: rpm-ostree ex override (the ex command groups new features that are not ready to be declared stable; details of how these commands work may change in the future).

Whereas the install command allows you to overlay packages on top of the base commit received from your content provider, the override command allows you to modify the set of packages in the base commit itself. For example, you may want to remove a package that conflicts with an overlay, or more interestingly, update a package to a newer version to fix a bug.

Of course, such modifications should be done with care, since they in effect void the warranty implied by an ostree commit. However, these powerful semantics enable us to take the image/package hybrid paradigm to a new level. Thanks to rpm-ostree, you can easily keep track of every deviation from the base image.

The override command supports two subcommands: remove and replace.

Removal overrides

Not surprisingly, the remove subcommand allows you remove a base package. Let’s see it in action!

The host below has strace installed and no packages layered:

# rpm-ostree status
State: idle
Deployments:
* fedora-atomic:fedora/26/x86_64/testing/atomic-host
                   Version: 26.91 (2017-07-23 09:39:09)
                    Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
              GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D

# rpm -q strace
strace-4.18-1.fc26.x86_64
# strace -V
strace -- version 4.18
Copyright (c) 1991-2017 The strace developers <https://strace.io>.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Let’s now add an override to remove strace:

# rpm-ostree ex override remove strace
Checking out tree 20431e5... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2017-07-23 22:35:15
rpm-md repo 'fedora' (cached); generated: 2016-11-15 19:49:18

Importing metadata [===========================================] 100%
Resolving dependencies... done
Applying 1 override... done
Writing rpmdb... done
Writing OSTree commit... done
Copying /etc changes: 25 modified, 0 removed, 628 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Removed:
  strace-4.18-1.fc26.x86_64
Run "systemctl reboot" to start a reboot

Let’s confirm that strace is truly gone:

# reboot
...
# rpm-ostree status
State: idle
Deployments:
* fedora-atomic:fedora/26/x86_64/testing/atomic-host
                   Version: 26.91 (2017-07-23 09:39:09)
                BaseCommit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
              GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
       RemovedBasePackages: strace-4.18-1.fc26.x86_64

  fedora-atomic:fedora/26/x86_64/testing/atomic-host
                   Version: 26.91 (2017-07-23 09:39:09)
                    Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
              GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
# rpm -q strace
package strace is not installed
# strace -V
bash: strace: command not found

We can remove the override by using the reset command:

# rpm-ostree ex override reset strace
Copying /etc changes: 25 modified, 0 removed, 630 added
Transaction complete; bootconfig swap: no deployment count change: 0
Added:
  strace-4.18-1.fc26.x86_64
Run "systemctl reboot" to start a reboot
# rpm-ostree status
State: idle
Deployments:
  fedora-atomic:fedora/26/x86_64/testing/atomic-host
                   Version: 26.91 (2017-07-23 09:39:09)
                    Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
              GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D

* fedora-atomic:fedora/26/x86_64/testing/atomic-host
                   Version: 26.91 (2017-07-23 09:39:09)
                BaseCommit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
              GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
       RemovedBasePackages: strace-4.18-1.fc26.x86_64

Replacement overrides

Similarly, the replace subcommand allows you to replace a base package with a different version. For now, you can only replace packages using local RPMs.

In this example, instead of removing strace, we will upgrade it. On this machine, I’ve got v4.17 installed:

# rpm -q strace
strace-4.17-1.fc26.x86_64

I’ve also got the build for the next version, v4.18, handy:

# ls -l strace-*.rpm
-rw-r--r--. 1 root root 659434 Jul 24 16:58 strace-4.18-1.fc26.x86_64.rpm

And now, we can add an override to replace strace:

# rpm-ostree ex override replace strace-4.18-1.fc26.x86_64.rpm
Checking out tree 6f3c6a2... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2017-07-23 22:35:15
rpm-md repo 'fedora' (cached); generated: 2016-11-15 19:49:18

Importing metadata [===========================================] 100%
Resolving dependencies... done
Applying 1 override... done
Writing rpmdb... done
Writing OSTree commit... done
Copying /etc changes: 25 modified, 0 removed, 636 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Upgraded:
  strace 4.17-1.fc26 -> 4.18-1.fc26
Run "systemctl reboot" to start a reboot

And finally, let’s reboot to check that it worked:

# reboot
...
# rpm-ostree status
State: idle
Deployments:
* fedora-atomic:fedora/26/x86_64/testing/atomic-host
                   Version: 26.91 (2017-07-23 09:39:09)
                BaseCommit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
              GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
      ReplacedBasePackages: strace 4.17-1.fc26 -> 4.18-1.fc26

  fedora-atomic:fedora/26/x86_64/testing/atomic-host
                   Version: 26.91 (2017-07-23 09:39:09)
                    Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
              GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
[root@f25-ros-dev2 ~]# rpm -q strace
strace-4.18-1.fc26.x86_64
[root@f25-ros-dev2 ~]# strace -V | grep version
strace -- version 4.18

Of course, this can be used for more meaningful packages as well, like docker and kubernetes. For example, here I’m updating kubernetes to the latest build I could find in Koji (with complete disregard to matching the distro):

# rpm -q kubernetes
kubernetes-1.5.3-1.fc26.x86_64
# kube-apiserver --version
Kubernetes v1.5.3
# # ls -l kubernetes-*.rpm
-rw-r--r--. 1 root root    43446 Jul 24 17:12 kubernetes-1.7.1-1.fc27.x86_64.rpm
-rw-r--r--. 1 root root 22750546 Jul 24 17:54 kubernetes-client-1.7.1-1.fc27.x86_64.rpm
-rw-r--r--. 1 root root 39959790 Jul 24 17:13 kubernetes-master-1.7.1-1.fc27.x86_64.rpm
-rw-r--r--. 1 root root 22432058 Jul 24 17:55 kubernetes-node-1.7.1-1.fc27.x86_64.rpm
# rpm-ostree ex override replace kubernetes-*.rpm
...
Upgraded:
  kubernetes 1.5.3-1.fc26 -> 1.7.1-1.fc27
  kubernetes-client 1.5.3-1.fc26 -> 1.7.1-1.fc27
  kubernetes-master 1.5.3-1.fc26 -> 1.7.1-1.fc27
  kubernetes-node 1.5.3-1.fc26 -> 1.7.1-1.fc27
Run "systemctl reboot" to start a reboot
# reboot
...
# rpm-ostree status
State: idle
Deployments:
* fedora-atomic:fedora/26/x86_64/testing/atomic-host
                   Version: 26.91 (2017-07-23 09:39:09)
                BaseCommit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
              GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
      ReplacedBasePackages: kubernetes-client 1.5.3-1.fc26 -> 1.7.1-1.fc27, kubernetes 1.5.3-1.fc26 -> 1.7.1-1.fc27, kubernetes-node 1.5.3-1.fc26 -> 1.7.1-1.fc27, kubernetes-master 1.5.3-1.fc26 -> 1.7.1-1.fc27

  fedora-atomic:fedora/26/x86_64/testing/atomic-host
                   Version: 26.91 (2017-07-23 09:39:09)
                    Commit: d2ef5e5b1e3803a9e79ecf6a005e6ad80d3b69632b7f3ee7fcb6a46174a9bbf3
              GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
# rpm -q kubernetes
kubernetes-1.7.1-1.fc27.x86_64
# kube-apiserver --version
Kubernetes v1.7.1

We’ll look to cleaning up the status output in the future in cases where multiple related subpackages are updated.

PolicyKit support for D-Bus API

rpm-ostree now ships with a polkit policy. This is primarily motivated by work underway to support rpm-ostree in GNOME Software, though it’s useful in the server case as well. It is currently visible only at the D-Bus API level; for now, the rpm-ostree CLI tool still needs to be run as root for most operations. In the future, users will be able to authenticate directly from the terminal and thus avoid having to use sudo completely.

Other minor fixes and improvements

There are many other small improvements, here are a few:

  • rpm-ostree now logs even more information to the journal.

  • rpm-ostree now shows GPG signatures only in the output of status and does so in a less verbose way.

Instead of this output:

  GPGSignature: 1 signature
                Signature made Fri Jul  7 13:19:06 2017 using RSA key ID 812A6B4B64DAB85D
                Good signature from "Fedora 26 Primary <fedora-26-primary@fedoraproject.org>"

rpm-ostree now prints this:

  GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D

As usual, you can see the full list of changes in the release notes.