For the last few Fedora releases, the Workstation WG has been working on combining the best of the Project Atomic pattern with the Fedora Workstation Edition into a deliverable dubbed “Fedora Atomic Workstation”. In Fedora 27, we have reached a point where we feel comfortable inviting other developers and enthusiasts to try it out and even make it their daily driver.

Read on to discover what Fedora Atomic Workstation is, what its benefits are, and how you can get started today!

Note: this blog post is based on a talk I gave at DevConf.cz 2018. Head over to YouTube if you’d prefer listening to it.

What is Atomic Workstation?

Just like Atomic Host, Atomic Workstation uses RPM-OSTree as its update manager. However, Atomic Workstation is geared towards all the same use cases that the regular Workstation Edition is meant to fulfill. Though there are some differences between the two beyond the update model.

In an Atomic Workstation, desktop applications are shipped and run as flatpaks, and development mostly happens inside containers. For example, you may have a pet container with your development environment set up as well as an oc cluster up OpenShift cluster to develop server applications.

Why should I use Atomic Workstation?

So what are the advantages of this strategy? Many of the reasons below are shared with Atomic Host. Though I will try to give a more Workstation-centric point-of-view.

1. Transactional Updates

The main reason to use Atomic Workstation of course is transactional updates. This is as relevant in the server case as it is for desktops. Most people would consider their workstations to be the stereotypical pet system: set up and customized just the way they want them, and a huge hindrance to productivity if anything should happen to them. Using an update model which greatly reduces risks of failures is thus well justified.

I will not stay on this subject any longer since I assume readers of this blog are familiar with the benefits there and what pitfalls the Atomic model helps us avoid. If you are not familiar with these ideas, definitely check out the OSTree docs and the Project Atomic update docs if you’d like more information.

2. Immutability and Isolation

As discussed in a previous blog entry, all the great features of an OSTree-based system require immutability of the base OS. For example, /usr is not writable by default. This is equally true in Atomic Workstation as it is in Atomic Host. This is a good thing, because (1) it protects you from accidental damage, and (2) it encourages a healthier workflow.

For example, on yum/dnf-managed systems, RPM scriptlets run unconfined as root during update transactions, which opens the door for accidental (or intentional) corruption. On rpm-ostree-managed systems, all scriptlets are run on the server when composing the update. (As mentioned lower down, we do also support layering additional RPMs; their scriptlets are run in a locked down container and cannot affect the running system).

By running your applications in flatpaks and doing your development in containers, you not only help protect your base OS from harm but also minimize the number of packages standing between you and a successful boot.

Basing your development workflow around pet containers could warrant a blog post of its own. There have been some great talks around that area at DevConf.cz this year (linked below).

3. Effortless Change Tracking

Now, part of customizing your workstation will undoubtedly require installing packages that are not part of the base OSTree and aren’t quite fit for containerization (e.g. drivers, virtualization stacks, $FAVOURITE_EDITOR). Because RPM-OSTree is a hybrid model, it understands both RPMs and OSTrees. We can, for example, do rpm-ostree install vim-enhanced libvirt-client to layer additional packages. rpm-ostree status will then show:

$ rpm-ostree status
State: idle
Deployments:
● faw27:fedora/27/x86_64/workstation
                   Version: 27.62 (2018-01-31 21:39:54)
                BaseCommit: a052d7482a186f1979f8bba90cfe1a1d0c13e75a43a416b580d2f2a83c18fe5a
              GPGSignature: Valid signature by 860E19B0AFA800A1751881A6F55E7430F5282EE4
           LayeredPackages: libvirt-client vim-enhanced

In contrast to dnf/yum-managed systems, which provide a “bag of packages” approach, rpm-ostree status allows to know exactly what we changed from the base OSTree commit, and how to go back to the initial state (in this case, rpm-ostree uninstall libvirt-client vim-enhanced).

For completeness, I will mention that RPM-OSTree not only supports pure additions, but also replacing and removing base packages. All these changes can equally be tracked in rpm-ostree status and easily reverted.

Additionally, because in the OSTree model configuration defaults are stored in /usr/etc, one can also perform a simple diff to figure out which defaults were changed (e.g. diff /usr/etc /etc | less).

4. Upstream Testing

Having updates delivered as concrete units allows the content provider to more easily test them, which translates into a more stable operating system for end users. In contrast, it’s effectively impossible in the “bag of packages” approach to sanely test all permutations. This mostly means that testing is limited to the package-level.

In an OSTree model however, it’s possible to gate updates on higher-level integration tests such as what we’ve been doing in the two-week releases of Fedora Atomic Host. Note though that Atomic Workstation updates are not currently being gated on tests; we are still at the onset of these discussions.

5. Automatic Updates

In RPM-OSTree, we are currently working on adding an automatic update feature. Similar functionality on dnf-managed systems does exist. The difference is that the OSTree model allows us to eliminate or minimize many of the issues involved in such a scheme. For example, the ability to roll back updates is critical here, and this is something that RPM-OSTree does with ease.

In the future, we’d like to get to a point where (if enabled) the system automatically prepares updates in the background and upgrading simply involves rebooting your computer for minimal downtime.

How can I get started with Atomic Workstation?

You can either download the ISO and re-install from scratch, or you can convert your existing dnf-based system using the steps from this document. The latter also allows you to switch back and forth between the two models if you’re not yet ready to dive in.

Once booted into Atomic Workstation, check out the “Using the system” section here. To learn more about how to manage upgrades, check out the Project Atomic docs and the RPM-OSTree docs.

If you need any help, you can pop into the freenode/#atomic channel, or send an email to the atomic-devel mailing list.

More information