1 - Introduction

RPM-OSTree Overview

OSTree is a tool to manage bootable, immutable, versioned filesystem trees. Unlike traditional package managers like rpm or dpkg that know how to install, uninstall, configure packages, OSTree has no knowledge of the relationship between files. But when you add rpm capabilities on top of OSTree, it becomes RPM-OSTree, meaning a filetree replication system that is also package-aware.

The idea behind it is to use a client/server architecture to keep your Linux installed machines (physical or VM) in sync with the latest bits, in a predictable and reliable manner. To achieve that, OSTree uses a git-like repository that records the changes to any file and replicate them to any subscriber.

A system administrator or an image builder developer takes a base Linux image, prepares the packages and other configuration on a server box, executes a command to compose a filetree that the host machines will download and then incrementally upgrade whenever a new change has been committed. You may read more about OSTree here.

Why use RPM-OSTree in Photon?

There are several important benefits:

  • Reliable, efficient: The filetree replication is simple, reliable and efficient. It will only transfer deltas over the network. If you have deployed two almost identical bootable images on same box (differing just by several files), it will not take twice the space. The new tree will have a set of hardlinks to the old tree and only the different files will have a separate copy stored to disk.
  • Atomic: the filetree replication is atomic. At the end of a deployment, you are either booting from one deployment, or the other. There is no “partial deployed bootable image”. If anything bad happens during replication or deployment- power loss, network failure, your machine boots from the old image. There is even a tool option to cleanup old deployed (successfully or not) image.
  • Manageable: You are provided simple tools to figure out exactly what packages have been installed, to compare files, configuration and package changes between versions.
  • Predictable, repeatable: A big headache for a system administrator is to maintain a farm of computers with different packages, files and configuration installed in different order, that will result in exponential set of test cases. With RPM-OStree, you get identical, predictable installed systems.

As drawbacks, I would mention:

  • Some applications configured by user on host may have compatibility issues if they save configuration or download into read only directories like /usr.
  • People not used with “read only” file systems will be disappointed that they could no longer use RPM, yum, tdnf to install whatever they want. Think of this as an “enterprise policy”. They may circumvent this by customizing the target directory to a writable directory like /var or using rpm to install packages and record them using a new RPM repository in a writable place.
  • Administrators need to be aware about the directories re-mapping specific to OSTree and plan accordingly.

Photon with RPM-OSTree installation profiles

Photon takes advantage of RPM-OSTree and offers several installation choices:

  • Photon RPM-OSTree server - used to compose customized Photon OS installations and to prepare updates. I will call it for short ‘server’.
  • Photon RPM-OSTree host connected to a default online server repository via http or https, maintained by VMware Photon OS team, where future updates will be published. This will create a minimal installation profile, but with the option to self-upgrade. I will call it for short ‘default host’.
  • Photon RPM-OSTree host connected to a custom server repository. It requires a Photon RPM-OSTree Server installed in advance. I will call it for short ‘custom host’.

Terminology

In this section, the term OSTree refers to the general use of this technology, the format of the repository or replication protocol.

The term RPM-OSTree emphasizes the layer that adds RedHat Package Manager compatibility on both ends - at server and at host. However, since Photon OS is an RPM-based Linux, there are places in the documentation and even in the installer menus where OSTree may be used instead of RPM-OSTree when the distinction is not obvious or does not matter in that context.

When ostree and rpm-ostree are encountered, they refer to the usage of the specific Unix commands.

Finally, Photon RPM-OSTree is the application or implementation of the RPM-OStree system into Photon OS, materialized into two options: Photon Server and Photon Host (or client). Server or Host may be used with or without the Photon and/or RPM-OStree qualifier, but it means the same thing.

Sample code

Codes samples used throughout the book are small commands that can be typed at shell command prompt and do not require downloading additional files. As an alternative, one can remote connect via ssh, so cut & paste sample code from outside sources or copy files via scp will work. See the Photon Administration guide to learn how to enable ssh. The samples assume that the following VMs have been installed - see the steps in the next chapters:

  • A default host VM named photon-host-def.
  • Two server VMs named photon-srv1 and photon-srv2.
  • Two custom host VMs named photon-host-cus1 and photon-host-cus2, connected each to the corresponding server during install.

How to read this document

The RPM OSTree guide is structured to be used both as a sequential read and as a reference documentation.
If you are just interested in deploying a host system and keeping it up to date, then read Installing a Photon RPM-OSTree host against default server repository and Host updating operations.

If you want to install your own server and experiment with customizing packages for your Photon hosts, then read Installing a Photon RPM-OSTree server onwards. There are references to the concepts discussed throughout the book, if you need to understand them better.

RPM OSTree in Photon OS

This section is relevant to RPM OSTree in Photon OS.

Photon OS supports the following features:

  • Upgrade
  • Rollback
  • Remote, compose, and rebase server
  • Installation and uninstallation of packages with URL
  • Installation and uninstallation of packages from default repos
  • Automatic updates

2 - Installing a host against default server repository

RPM-OSTree Host default server repo installation option in Photon OS will setup a profile similar to Photon Minimal, with the added benefit of being able to self-upgrade.

Who is this for?

The RPM-OSTree ‘default host’ is the easiest way to deploy a Photon RPM-OSTree host from ISO/cdrom, without the need to deploy and maintain an RPM-OSTree server. It is targeted at the user who relies on VMware Photon OS team to keep his or her system up-to-date, configured to get its updates from the official Photon OSTree repository.

This is also the fastest way to install a host, as we’ve included in the ISO/cdrom an identical copy of the Photon “starter” RPM-OSTree repository that is published online by VMware Photon OS team. So rather than pulling from the online repository, the installer pulls the repo from cdrom, which saves bandwidth and also reduces to zero the chances of failing due to a networking problem. After successful installation, any updates are going to be pulled from the official online repository, when Photon OS team will make them available.

Note: It is also possible to install an RPM-OSTree host against the official online repo via PXE boot, without the benefit of fast, local pull from cdrom. This will be covered in the PXE boot/kickstart chapter, as it requires additional configuration.

Installing the ISO

User will first download Photon OS ISO file that contains the installer, which is able to deploy any of the supported Photon installation profiles.

There are some steps common to all Photon installation profiles, starting with adding a VM in VMware Fusion, Workstation or ESXi, selecting the OS family, then customizing for disk size, CPU, memory size, network interface etc. (or leaving the defaults) and selecting the ISO image as cdrom. The installer will launch, that will go through disk partitioning and accepting the license agreement screens, followed by selecting an installation profile. These steps are described at the page linked below, so I won’t repeat them, just that instead of setting up a Photon Minimal profile, we will install a Photon OSTree host:

Running Project Photon on Fusion.

Select the Photon OSTree Host option.

PhotonChooseHost

Continue with setting up a host name like photon1-def and a root password, re-confirm. Then, select “Default OSTree Server” and continue.

PhotonChooseHostDefault

PhotonHostDefaultFinish

When installation is over, the VM will reboot and will show in grub VMWare Photon/Linux 5.0_minimal (ostree), which will reassure that it’s booting from an OSTree image!

PhotonHostFirstRebootGrub

Boot, login and you are ready to use it.

To upgrade your host, see Host updating operations.

3 - Concepts in Action

Now that we have a fresh installed host (either as default or custom), we can better explain the OStree concepts and see them in action.

Querying the deployed filetrees

The first thing to do is to run a command that tells us what is installed on the machine and when. Since it’s a fresh install from the CD, there is only one bootable filetree image deployed.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree status 
State: idle
Deployments:
● ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2021-02-20T07:15:43Z)
Commit: 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f

Bootable filetree version

5.0_minimal is not the Linux Photon OS release version, nor daily build, but rather a human readable, self-incrementing version associated with every commit that brings file/package updates. Think of this as version 0. The following versions are going to be 5.0_minimal.1, 5.0_minimal.2, 5.0_minimal.3 and so on.

Commit ID

The ID listed is actually the first 5 bytes (10 hex digits) of the commit hash. If you want to see the verbose mode, use the -v option.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree status -v
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2021-02-20T07:15:43Z)
Commit: 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f
└─ photon (2021-02-20T07:11:24Z)
Staged: no
    StateRoot: photon

RPM OStree Options

To see the list of options available with the rpm-ostree command, use the -h option.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree -h
Usage:
    rpm-ostree [OPTION…] COMMAND

Builtin Commands:
    compose  Commands to compose a tree
    cleanup  Clear cached/pending data
    db   Commands to query the RPM database
    deploy   Deploy a specific commit
    rebase   Switch to a different tree
    rollback Revert to the previously booted tree
    status   Get the version of the booted system
    upgrade  Perform a system upgrade
    reload   Reload configuration
    usroverlay   Apply a transient overlayfs to /usr
    cancel   Cancel an active transaction
    initramfsEnable or disable local initramfs regeneration
    install  Overlay additional packages
    uninstallRemove overlayed additional packages
    override Manage base package overrides
    resetRemove all mutations
    refresh-md   Generate rpm repo metadata
    kargsQuery or modify kernel arguments

Help Options:
    -h, --help   Show help options

Application Options:
    --versionPrint version information and exit

OSname

The OS Name identifies the operating system installed. All bootable filetrees for the same OS will share the /var directory, in other words applications installed in one booted image into this directory will be available in all other images.
If a new set of images are created for a different OS, they will receive a fresh copy of /var that is not shared with the previous OS images for the initial OS. In other words, if a machine is dual boot for different operating systems, they will not share each other’s /var content, however they will still merge 3-way /etc.

Refspec

The Refspec is a branch inside the repo, expressed in a hierarchical way. In this case, it’s the default branch that will receive package updates for the Photon OS 1.0 Minimal installation profile on Intel platforms. There could be other branches in the future, for example photon/3.0/x86_64/full that will match the Full installation profile (full set of packages installed).
Think of Refspec as the head of the minimal branch (just like in git) at the origin repo. On the replicated, local repo at the host, minimal is a file that contains the latest commit ID known for that branch.

root@photon-7c2d910d79e9 [ ~ ]# cat /ostree/repo/refs/remotes/photon/photon/5.0/x86_64/minimal
820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88

Why are there two ‘photon’ directory levels in the remotes path? The photon: prefix in the Refspec listed by rpm-ostree status corresponds to the first photon directory in the remotes path and is actually the name given to the remote that the host is connected to, which points to an http or https URL. We’ll talk about remotes later, but for now think of it as a namespace qualifier. The second photon is part of the Refspec path itself.

Deployments

We’ve used so far rpm-ostree. The same information can be obtained running an ostree command:

root@photon-7c2d910d79e9 [ ~ ]# ostree admin status
* photon 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f.0
Version: 5.0_minimal
origin refspec: photon:photon/5.0/x86_64/minimal

But where is this information stored? As you may have guessed, the local repo stores the heads of the deployed trees - the most recent commitment ID, just like Git does:

root@photon-7c2d910d79e9 [ ~ ]# cat /ostree/repo/refs/heads/ostree/0/1/0 
965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f

This also where this command that lists the references (local heads and remotes) takes its data from:

root@photon-7c2d910d79e9 [ ~ ]# ostree refs
photon:photon/5.0/x86_64/minimal
ostree/0/1/0

Based on that, it could find the root of the deployment that it boots from. The actual filetree is deployed right here:

root@photon-7c2d910d79e9 [ ~ ]# ls -l /ostree/deploy/photon/deploy/965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f.0
total 36
lrwxrwxrwx  2 root root7 Feb 23 05:43 bin -> usr/bin
drwxr-xr-x  2 root root 4096 Jan  1  1970 boot
drwxr-xr-x  2 root root 4096 Jan  1  1970 dev
drwxr-xr-x 45 root root 4096 Feb 23 06:08 etc
lrwxrwxrwx  2 root root8 Feb 23 05:43 home -> var/home
lrwxrwxrwx  3 root root7 Feb 23 05:43 lib -> usr/lib
lrwxrwxrwx  3 root root7 Feb 23 05:43 lib64 -> usr/lib
lrwxrwxrwx  2 root root9 Feb 23 05:43 media -> run/media
lrwxrwxrwx  2 root root7 Feb 23 05:43 mnt -> var/mnt
lrwxrwxrwx  2 root root7 Feb 23 05:43 opt -> var/opt
lrwxrwxrwx  2 root root   14 Feb 23 05:43 ostree -> sysroot/ostree
drwxr-xr-x  2 root root 4096 Jan  1  1970 proc
lrwxrwxrwx  2 root root   12 Feb 23 05:43 root -> var/roothome
drwxr-xr-x  2 root root 4096 Jan  1  1970 run
lrwxrwxrwx  2 root root8 Feb 23 05:43 sbin -> usr/sbin
lrwxrwxrwx  2 root root7 Feb 23 05:43 srv -> var/srv
drwxr-xr-x  2 root root 4096 Jan  1  1970 sys
drwxr-xr-x  4 root root 4096 Feb 23 05:44 sysroot
lrwxrwxrwx  2 root root   11 Feb 23 05:43 tmp -> sysroot/tmp
drwxr-xr-x 10 root root 4096 Jan  1  1970 usr
drwxr-xr-x  8 root root 4096 Feb 23 05:44 var

So how is a deployment linked to a specific branch, originating from a remote repo? Well, there is a file next to the deployed filetree root directory with the same name and .origin suffix, that contains exactly this info:

root@photon-7c2d910d79e9 [ ~ ]# cat /ostree/deploy/photon/deploy/965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f.0.origin 
[origin]
refspec=photon:photon/5.0/x86_64/minimal

Fast forwarding a bit, if there is a new deployment due to an upgrade or rebase, a new filetree will be added at the same level, and a new .origin file will tie it to the remote branch it originated from.

The photon directory in the path is the actual OSname. Multiple deployments of same OS will share a writable /var folder.

root@photon-7c2d910d79e9 [ ~ ]# ls -l /ostree/deploy/photon/var/
total 52
drwxr-xr-x   5 root root 4096 Feb 23 05:44 cache
drwxr-xr-x   2 root root 4096 Feb 23 05:44 home
drwxr-xr-x. 17 root root 4096 Feb 23 05:44 lib
drwxr-xr-x   2 root root 4096 Feb 23 05:44 local
lrwxrwxrwx.  1 root root   11 Feb 23 05:44 lock -> ../run/lock
drwxr-xr-x.  4 root root 4096 Feb 23 05:44 log
drwxr-xr-x   2 root root 4096 Feb 23 05:44 mail
drwxr-xr-x   2 root root 4096 Feb 23 05:44 mnt
drwxr-xr-x   4 root root 4096 Feb 23 05:44 opt
drwx------   4 root root 4096 Feb 23 06:09 roothome
lrwxrwxrwx.  1 root root6 Feb 23 05:44 run -> ../run
drwxr-xr-x   3 root root 4096 Feb 23 05:44 spool
drwxr-xr-x   2 root root 4096 Feb 23 05:44 srv
drwxrwxrwt.  5 root root 4096 Feb 23 06:08 tmp
drwxr-xr-x  11 root root 4096 Feb 23 05:44 usrlocal

4 - Querying for Commit File and Package Metadata

There are several ostree and rpm-ostree commands that list file or package data based on either the Commit ID, or Refspec. If Refspec is passed as a parameter, it’s the same as passing the most recent commit ID (head) for that branch.

Commit history

For a host that is freshly installed, there is only one commit in the history for the only branch.

root@photon-7c2d910d79e9 [ ~ ]# ostree log photon/5.0/x86_64/minimal
commit 820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88
ContentChecksum:  c7956cedc5c1b8c07a06e10789c17364a5b7a4b970daab64f3398b7c42bd97d9
Date:  2020-11-04 02:21:47 +0000
Version: 5.0_minimal
(no subject)

This commit has no parent; if there was an older commit, it would have been listed too. We can get the same listing (either nicely formatted or raw variant data) by passing the Commit ID. Just the first several hex digits will suffice to identify the commit ID. We can either request to be displayed in a pretty format, or raw - the actual C struct.

root@photon-7c2d910d79e9 [ ~ ]# ostree log 820b
commit 820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88
ContentChecksum:  c7956cedc5c1b8c07a06e10789c17364a5b7a4b970daab64f3398b7c42bd97d9
Date:  2020-11-04 02:21:47 +0000
Version: 5.0_minimal
(no subject)
root@photon-7c2d910d79e9 [ ~ ]# ostree log 820b --raw
commit 820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88
({'rpmostree.inputhash': <'1ce3f6d518ec2cbaebc2de2ccb01888e59fc7efb482caba590bc96a604e54f82'>, 'rpmostree.rpmmd-repos': <[{'id': <'photon'>, 'timestamp': <uint64 1604456423>}]>, 'version': <'5.0_minimal'>, 'rpmostree.rpmdb.pkglist': <[('Linux-PAM', '0', '1.4.0', '2.ph5', 'x86_64'), ('attr', '0', '2.4.48', '1.ph5', 'x86_64'), ('audit', '0', '2.8.5', '3.ph5', 'x86_64'), ('autogen-libopts', '0', '5.18.16', '3.ph5', 'x86_64'), ('bash', '0', '5.0', '1.ph5', 'x86_64'), ('bc', '0', '1.07.1', '4.ph5', 'x86_64'), ('bridge-utils', '0', '1.6', '1.ph5', 'x86_64'), ('bubblewrap', '0', '0.4.1', '1.ph5', 'x86_64'), ('bzip2', '0', '1.0.8', '3.ph5', 'x86_64'), ('bzip2-libs', '0', '1.0.8', '3.ph5', 'x86_64'), ('ca-certificates', '0', '20201001', '1.ph5', 'x86_64'), ('ca-certificates-pki', '0', '20201001', '1.ph5', 'x86_64'), ('cloud-init', '0', '20.3', '2.ph5', 'noarch'), ('coreutils-selinux', '0', '8.32', '2.ph5', 'x86_64'), ('cpio', '0', '2.13', '1.ph5', 'x86_64'), ('cracklib', '0', '2.9.7', '1.ph5', 'x86_64'), ('cracklib-dicts', '0', '2.9.7', '1.ph5', 'x86_64'), ('curl', '0', '7.72.0', '2.ph5', 'x86_64'), ('curl-libs', '0', '7.72.0', '2.ph5', 'x86_64'), ('cyrus-sasl', '0', '2.1.27', '3.ph5', 'x86_64'), ('dbus', '0', '1.13.18', '1.ph5', 'x86_64'), ('device-mapper', '0', '2.03.10', '2.ph5', 'x86_64'), ('device-mapper-libs', '0', '2.03.10', '2.ph5', 'x86_64'), ('dhcp-client', '0', '4.4.2', '1.ph5', 'x86_64'), ('dhcp-libs', '0', '4.4.2', '1.ph5', 'x86_64'), ('dracut', '0', '050', '5.ph5', 'x86_64'), ('dracut-tools', '0', '050', '5.ph5', 'x86_64'), ('e2fsprogs', '0', '1.45.6', '2.ph5', 'x86_64'), ('e2fsprogs-libs', '0', '1.45.6', '2.ph5', 'x86_64'), ('elfutils', '0', '0.181', '2.ph5', 'x86_64'), ('elfutils-libelf', '0', '0.181', '2.ph5', 'x86_64'), ('expat', '0', '2.2.9', '2.ph5', 'x86_64'), ('expat-libs', '0', '2.2.9', '2.ph5', 'x86_64'), ('file', '0', '5.39', '1.ph5', 'x86_64'), ('file-libs', '0', '5.39', '1.ph5', 'x86_64'), ('filesystem', '0', '1.1', '4.ph5', 'x86_64'), ('findutils', '0', '4.7.0', '1.ph5', 'x86_64'), ('finger', '0', '0.17', '3.ph5', 'x86_64'), ('flex', '0', '2.6.4', '3.ph5', 'x86_64'), ('fuse', '0', '2.9.9', '1.ph5', 'x86_64'), ('gawk', '0', '5.1.0', '1.ph5', 'x86_64'), ('gc', '0', '8.0.4', '1.ph5', 'x86_64'), ('gdbm', '0', '1.18.1', '1.ph5', 'x86_64'), ('glib', '0', '2.66.1', '1.ph5', 'x86_64'), ('glib-networking', '0', '2.66.0', '1.ph5', 'x86_64'), ('glibc', '0', '2.32', '1.ph5', 'x86_64'), ('glibc-iconv', '0', '2.32', '1.ph5', 'x86_64'), ('gmp', '0', '6.2.0', '1.ph5', 'x86_64'), ('gnupg', '0', '2.2.23', '1.ph5', 'x86_64'), ('gnutls', '0', '3.6.15', '3.ph5', 'x86_64'), ('gobject-introspection', '0', '1.66.0', '1.ph5', 'x86_64'), ('gpgme', '0', '1.14.0', '1.ph5', 'x86_64'), ('grep', '0', '3.4', '1.ph5', 'x86_64'), ('grub2', '0', '2.04', '2.ph5', 'x86_64'), ('grub2-efi', '0', '2.04', '2.ph5', 'x86_64'), ('grub2-efi-image', '0', '2.04', '2.ph5', 'x86_64'), ('grub2-pc', '0', '2.04', '2.ph5', 'x86_64'), ('grub2-theme', '0', '5.0', '1.ph5', 'noarch'), ('grub2-theme-ostree', '0', '5.0', '1.ph5', 'noarch'), ('guile', '0', '2.0.13', '3.ph5', 'x86_64'), ('gzip', '0', '1.10', '1.ph5', 'x86_64'), ('iana-etc', '0', '2.30', '2.ph5', 'noarch'), ('icu', '0', '67.1', '1.ph5', 'x86_64'), ('iproute2', '0', '5.8.0', '1.ph5', 'x86_64'), ('iptables', '0', '1.8.4', '1.ph5', 'x86_64'), ('iputils', '0', '20200821', '1.ph5', 'x86_64'), ('json-c', '0', '0.15', '2.ph5', 'x86_64'), ('json-glib', '0', '1.6.0', '1.ph5', 'x86_64'), ('kmod', '0', '27', '1.ph5', 'x86_64'), ('krb5', '0', '1.17', '4.ph5', 'x86_64'), ('libacl', '0', '2.2.53', '1.ph5', 'x86_64'), ('libarchive', '0', '3.4.3', '3.ph5', 'x86_64'), ('libassuan', '0', '2.5.3', '1.ph5', 'x86_64'), ('libcap', '0', '2.43', '1.ph5', 'x86_64'), ('libcap-ng', '0', '0.8', '1.ph5', 'x86_64'), ('libdb', '0', '5.3.28', '2.ph5', 'x86_64'), ('libdnet', '0', '1.11', '7.ph5', 'x86_64'), ('libffi', '0', '3.3', '1.ph5', 'x86_64'), ('libgcc', '0', '8.4.0', '1.ph5', 'x86_64'), ('libgcrypt', '0', '1.8.6', '2.ph5', 'x86_64'), ('libgpg-error', '0', '1.39', '1.ph5', 'x86_64'), ('libgpg-error-devel', '0', '1.39', '1.ph5', 'x86_64'), ('libksba', '0', '1.4.0', '1.ph5', 'x86_64'), ('libltdl', '0', '2.4.6', '3.ph5', 'x86_64'), ('libmetalink', '0', '0.1.3', '2.ph5', 'x86_64'), ('libmicrohttpd', '0', '0.9.71', '2.ph5', 'x86_64'), ('libmodulemd', '0', '2.9.4', '1.ph5', 'x86_64'), ('libmspack', '0', '0.10.1alpha', '1.ph5', 'x86_64'), ('libnsl', '0', '1.3.0', '1.ph5', 'x86_64'), ('libpsl', '0', '0.21.1', '1.ph5', 'x86_64'), ('libpwquality', '0', '1.4.2', '1.ph5', 'x86_64'), ('librepo', '0', '1.12.1', '3.ph5', 'x86_64'), ('libseccomp', '0', '2.5.0', '2.ph5', 'x86_64'), ('libselinux', '0', '3.1', '1.ph5', 'x86_64'), ('libsemanage', '0', '3.1', '1.ph5', 'x86_64'), ('libsepol', '0', '3.1', '1.ph5', 'x86_64'), ('libsolv', '0', '0.6.35', '5.ph5', 'x86_64'), ('libsoup', '0', '2.72.0', '1.ph5', 'x86_64'), ('libssh2', '0', '1.9.0', '2.ph5', 'x86_64'), ('libstdc++', '0', '8.4.0', '1.ph5', 'x86_64'), ('libtasn1', '0', '4.14', '1.ph5', 'x86_64'), ('libtirpc', '0', '1.2.6', '1.ph5', 'x86_64'), ('libtool', '0', '2.4.6', '3.ph5', 'x86_64'), ('libunistring', '0', '0.9.10', '1.ph5', 'x86_64'), ('libxml2', '0', '2.9.10', '3.ph5', 'x86_64'), ('libxml2-devel', '0', '2.9.10', '3.ph5', 'x86_64'), ('libxslt', '0', '1.1.34', '1.ph5', 'x86_64'), ('libyaml', '0', '0.2.5', '1.ph5', 'x86_64'), ('linux', '0', '5.9.0', '3.ph5', 'x86_64'), ('lua', '0', '5.3.5', '1.ph5', 'x86_64'), ('lz4', '0', '1.9.2', '1.ph5', 'x86_64'), ('m4', '0', '1.4.18', '3.ph5', 'x86_64'), ('motd', '0', '0.1.3', '6.ph5', 'noarch'), ('mozjs', '0', '78.3.1', '1.ph5', 'x86_64'), ('mpfr', '0', '4.1.0', '1.ph5', 'x86_64'), ('ncurses', '0', '6.2', '2.ph5', 'x86_64'), ('ncurses-libs', '0', '6.2', '2.ph5', 'x86_64'), ('ncurses-terminfo', '0', '6.2', '2.ph5', 'x86_64'), ('net-tools', '0', '1.60', '12.ph5', 'x86_64'), ('nettle', '0', '3.6', '1.ph5', 'x86_64'), ('npth', '0', '1.6', '1.ph5', 'x86_64'), ('nspr', '0', '4.29', '1.ph5', 'x86_64'), ('nss', '0', '3.57', '1.ph5', 'x86_64'), ('nss-altfiles', '0', '2.23.0', '1.ph5', 'x86_64'), ('nss-libs', '0', '3.57', '1.ph5', 'x86_64'), ('open-vm-tools', '0', '11.1.5', '4.ph5', 'x86_64'), ('openldap', '0', '2.4.53', '2.ph5', 'x86_64'), ('openssh', '0', '8.4p1', '2.ph5', 'x86_64'), ('openssh-clients', '0', '8.4p1', '2.ph5', 'x86_64'), ('openssh-server', '0', '8.4p1', '2.ph5', 'x86_64'), ('openssl', '0', '1.1.1g', '3.ph5', 'x86_64'), ('ostree', '0', '2020.6', '1.ph5', 'x86_64'), ('ostree-grub2', '0', '2020.6', '1.ph5', 'x86_64'), ('ostree-libs', '0', '2020.6', '1.ph5', 'x86_64'), ('pcre', '0', '8.44', '1.ph5', 'x86_64'), ('pcre-libs', '0', '8.44', '1.ph5', 'x86_64'), ('photon-release', '0', '5.0', '1.ph5', 'noarch'), ('photon-repos', '0', '5.0', '1.ph5', 'noarch'), ('pinentry', '0', '1.1.0', '1.ph5', 'x86_64'), ('pkg-config', '0', '0.29.2', '3.ph5', 'x86_64'), ('policycoreutils', '0', '3.1', '1.ph5', 'x86_64'), ('polkit', '0', '0.118', '1.ph5', 'x86_64'), ('popt', '0', '1.16', '5.ph5', 'x86_64'), ('procps-ng', '0', '3.3.16', '1.ph5', 'x86_64'), ('python3', '0', '3.8.6', '1.ph5', 'x86_64'), ('python3-PyYAML', '0', '5.3.1', '1.ph5', 'x86_64'), ('python3-asn1crypto', '0', '1.4.0', '1.ph5', 'noarch'), ('python3-attrs', '0', '20.2.0', '2.ph5', 'noarch'), ('python3-certifi', '0', '2020.6.20', '1.ph5', 'noarch'), ('python3-cffi', '0', '1.14.3', '2.ph5', 'x86_64'), ('python3-chardet', '0', '3.0.4', '2.ph5', 'noarch'), ('python3-configobj', '0', '5.0.6', '5.ph5', 'noarch'), ('python3-cryptography', '0', '3.1.1', '2.ph5', 'x86_64'), ('python3-gobject-introspection', '0', '1.66.0', '1.ph5', 'x86_64'), ('python3-idna', '0', '2.10', '1.ph5', 'noarch'), ('python3-jinja2', '0', '2.11.2', '1.ph5', 'noarch'), ('python3-jsonpatch', '0', '1.26', '1.ph5', 'noarch'), ('python3-jsonpointer', '0', '2.0', '2.ph5', 'noarch'), ('python3-jsonschema', '0', '3.2.0', '1.ph5', 'noarch'), ('python3-libs', '0', '3.8.6', '1.ph5', 'x86_64'), ('python3-markupsafe', '0', '1.1.1', '1.ph5', 'x86_64'), ('python3-netifaces', '0', '0.10.9', '2.ph5', 'x86_64'), ('python3-oauthlib', '0', '3.1.0', '1.ph5', 'noarch'), ('python3-packaging', '0', '20.4', '2.ph5', 'noarch'), ('python3-prettytable', '0', '0.7.2', '7.ph5', 'noarch'), ('python3-pyOpenSSL', '0', '19.1.0', '2.ph5', 'noarch'), ('python3-pyasn1', '0', '0.4.8', '1.ph5', 'noarch'), ('python3-pycparser', '0', '2.20', '1.ph5', 'noarch'), ('python3-pyparsing', '0', '2.4.7', '1.ph5', 'noarch'), ('python3-pyrsistent', '0', '0.17.3', '1.ph5', 'x86_64'), ('python3-requests', '0', '2.24.0', '1.ph5', 'noarch'), ('python3-setuptools', '0', '3.8.6', '1.ph5', 'noarch'), ('python3-six', '0', '1.15.0', '2.ph5', 'noarch'), ('python3-urllib3', '0', '1.25.10', '2.ph5', 'noarch'), ('python3-xml', '0', '3.8.6', '1.ph5', 'x86_64'), ('readline', '0', '7.0', '3.ph5', 'x86_64'), ('rpcsvc-proto', '0', '1.4.2', '1.ph5', 'x86_64'), ('rpm', '0', '4.14.2', '11.ph5', 'x86_64'), ('rpm-libs', '0', '4.14.2', '11.ph5', 'x86_64'), ('rpm-ostree', '0', '2020.5', '4.ph5', 'x86_64'), ('sed', '0', '4.8', '1.ph5', 'x86_64'), ('selinux-policy', '0', '3.14.7', '1.ph5', 'noarch'), ('shadow', '0', '4.8.1', '2.ph5', 'x86_64'), ('shadow-tools', '0', '4.8.1', '2.ph5', 'x86_64'), ('shim-signed', '0', '15', '1.ph5', 'x86_64'), ('sqlite-libs', '0', '3.33.0', '1.ph5', 'x86_64'), ('sudo', '0', '1.8.30', '2.ph5', 'x86_64'), ('systemd', '0', '245.5', '3.ph5', 'x86_64'), ('tcp_wrappers', '0', '7.6', '7.ph5', 'x86_64'), ('tzdata', '0', '2020a', '1.ph5', 'noarch'), ('util-linux', '0', '2.36', '1.ph5', 'x86_64'), ('util-linux-libs', '0', '2.36', '1.ph5', 'x86_64'), ('vim', '0', '8.2.1361', '1.ph5', 'x86_64'), ('which', '0', '2.21', '6.ph5', 'x86_64'), ('xmlsec1', '0', '1.2.30', '3.ph5', 'x86_64'), ('xz', '0', '5.2.5', '1.ph5', 'x86_64'), ('xz-libs', '0', '5.2.5', '1.ph5', 'x86_64'), ('zchunk', '0', '1.1.7', '1.ph5', 'x86_64'), ('zchunk-libs', '0', '1.1.7', '1.ph5', 'x86_64'), ('zlib', '0', '1.2.11', '2.ph5', 'x86_64'), ('zstd', '0', '1.4.5', '2.ph5', 'x86_64'), ('zstd-libs', '0', '1.4.5', '2.ph5', 'x86_64')]>}, @ay [], @a(say) [], '', '', uint64 1604456507, [byte 0xca, 0x99, 0x35, 0xe5, 0xaa, 0xc6, 0xbd, 0xb3, 0x52, 0xb4, 0x81, 0x62, 0xbb, 0x3f, 0xba, 0x44, 0x0e, 0x3c, 0xa0, 0x00, 0xc8, 0x6f, 0x7c, 0x32, 0xa0, 0xa0, 0x8b, 0xc6, 0xf0, 0xd5, 0x06, 0x0e], [byte 0x44, 0x6a, 0x0e, 0xf1, 0x1b, 0x7c, 0xc1, 0x67, 0xf3, 0xb6, 0x03, 0xe5, 0x85, 0xc7, 0xee, 0xee, 0xb6, 0x75, 0xfa, 0xa4, 0x12, 0xd5, 0xec, 0x73, 0xf6, 0x29, 0x88, 0xeb, 0x0b, 0x6c, 0x54, 0x88])

Listing file mappings

This command lists the file relations between the original source Linux Photon filetree and the deployed filetree. The normal columns include file type type (regular file, directory, link), permissions in chmod octal format, userID, groupID, file size, file name.

root@photon-7c2d910d79e9 [ ~ ]# ostree ls photon/5.0/x86_64/minimal
d00755 0 0  0 /
l00777 0 0  0 /bin -> usr/bin
l00777 0 0  0 /home -> var/home
l00777 0 0  0 /lib -> usr/lib
l00777 0 0  0 /lib64 -> usr/lib
l00777 0 0  0 /media -> run/media
l00777 0 0  0 /mnt -> var/mnt
l00777 0 0  0 /opt -> var/opt
l00777 0 0  0 /ostree -> sysroot/ostree
l00777 0 0  0 /root -> var/roothome
l00777 0 0  0 /sbin -> usr/sbin
l00777 0 0  0 /srv -> var/srv
l00777 0 0  0 /tmp -> sysroot/tmp
d00755 0 0  0 /boot
d00755 0 0  0 /dev
d00755 0 0  0 /proc
d00755 0 0  0 /run
d00755 0 0  0 /sys
d00755 0 0  0 /sysroot
d00755 0 0  0 /usr
d00755 0 0  0 /var

Extra columns can be added like checksum (-C) and extended attributes (-X).

root@photon-7c2d910d79e9 [ ~ ]# ostree ls photon/5.0/x86_64/minimal -C
d00755 0 0  0 ca9935e5aac6bdb352b48162bb3fba440e3ca000c86f7c32a0a08bc6f0d5060e 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /
l00777 0 0  0 389846c2702216e1367c8dfb68326a6b93ccf5703c89c93979052a9bf359608e /bin -> usr/bin
l00777 0 0  0 4344c10bf4931483f918496534f12ed9b50dc6a2cead35e3cd9dd898d6ac9414 /home -> var/home
l00777 0 0  0 f11902ca9d69a80df33918534a3e443251fd0aa7f94b76301e1f55e52aed29dd /lib -> usr/lib
l00777 0 0  0 f11902ca9d69a80df33918534a3e443251fd0aa7f94b76301e1f55e52aed29dd /lib64 -> usr/lib
l00777 0 0  0 75317a3df11447c470ffdd63dde045450ca97dfb2a97a0f3f6a21a5da66f737c /media -> run/media
l00777 0 0  0 97c55dbe24e8f3aecfd3f3e5b3f44646fccbb39799807d37a217e9c871da108b /mnt -> var/mnt
l00777 0 0  0 46b1abbd27a846a9257a8d8c9fc4b384ac0888bdb8ac0d6a2d5de72715bd5092 /opt -> var/opt
l00777 0 0  0 d37269e3f46023fd0275212473e07011894cdf4148cbf3fb5758a7e9471dad8e /ostree -> sysroot/ostree
l00777 0 0  0 6f800e74eed172661278d1e1f09e389a6504dcd3358618e1c1618f91f9d33601 /root -> var/roothome
l00777 0 0  0 e0bead7be9323b06bea05cb9b66eb151839989e3a4e5d1a93e09a36919e91818 /sbin -> usr/sbin
l00777 0 0  0 5d4250bba1ed300f793fa9769474351ee5cebd71e8339078af7ebfbe6256d9b5 /srv -> var/srv
l00777 0 0  0 364fbd62f91ca1e06eb7dbd50c93de8976f2cea633658e2dbe803ce6f7490c09 /tmp -> sysroot/tmp
d00755 0 0  0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /boot
d00755 0 0  0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /dev
d00755 0 0  0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /proc
d00755 0 0  0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /run
d00755 0 0  0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /sys
d00755 0 0  0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /sysroot
d00755 0 0  0 83902b1171980665a74c9ea4d3817add50e9fd3279d3ee92381fb2c0098f7ab0 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /usr
d00755 0 0  0 a3a987e053ea5a116f1e75a31cd7557fc6e57a3ae09e64171d7fea17ef71ec3e 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /var

By default, only the top folders are listed, but -R will list recursively. Instead of listing over 10,000 files, let’s filter to just all files that contain ‘rpm-ostree’, ‘rpmostree’ or ‘RpmOstree’, that must belong to rpm-ostree package itself.

root@photon-7c2d910d79e9 [ ~ ]# ostree ls photon/5.0/x86_64/minimal -R | grep -e '[Rr]pm-\?[Oo]stree'
-00755 0 0 787208 /usr/bin/rpm-ostree
d00755 0 0  0 /usr/bin/rpm-ostree-host
-00644 0 0   1069 /usr/bin/rpm-ostree-host/function.inc
-00755 0 0  10507 /usr/bin/rpm-ostree-host/mk-ostree-host.sh
d00755 0 0  0 /usr/bin/rpm-ostree-server
-00755 0 0   6452 /usr/bin/rpm-ostree-server/mkostreerepo
-00644 0 0209 /usr/etc/rpm-ostreed.conf
l00777 0 0  0 /usr/lib/librpmostree-1.so.1 -> librpmostree-1.so.1.0.0
-00755 0 0 9878248 /usr/lib/librpmostree-1.so.1.0.0
-00644 0 0   2312 /usr/lib/girepository-1.0/RpmOstree-1.0.typelib
-00755 0 0 22 /usr/lib/kernel/install.d/00-rpmostree-skip.install
d00755 0 0  0 /usr/lib/rpm-ostree
-00755 0 0 1846216 /usr/lib/rpm-ostree/libdnf.so.2
-00644 0 0622 /usr/lib/rpm-ostree/rpm-ostree-0-integration.conf
d00755 0 0  0 /usr/lib/sysimage/rpm-ostree-base-db
-00644 0 0 1069056 /usr/lib/sysimage/rpm-ostree-base-db/Basenames
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Conflictname
-00644 0 0 159744 /usr/lib/sysimage/rpm-ostree-base-db/Dirnames
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Enhancename
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Filetriggername
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Group
-00644 0 0  12288 /usr/lib/sysimage/rpm-ostree-base-db/Installtid
-00644 0 0  16384 /usr/lib/sysimage/rpm-ostree-base-db/Name
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Obsoletename
-00644 0 0 4313088 /usr/lib/sysimage/rpm-ostree-base-db/Packages
-00644 0 0 102400 /usr/lib/sysimage/rpm-ostree-base-db/Providename
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Recommendname
-00644 0 0 106496 /usr/lib/sysimage/rpm-ostree-base-db/Requirename
-00644 0 0  24576 /usr/lib/sysimage/rpm-ostree-base-db/Sha1header
-00644 0 0  16384 /usr/lib/sysimage/rpm-ostree-base-db/Sigmd5
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Suggestname
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Supplementname
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Transfiletriggername
-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Triggername
-00644 0 0263 /usr/lib/systemd/system/rpm-ostree-bootstatus.service
-00644 0 0257 /usr/lib/systemd/system/rpm-ostreed-automatic.service
-00644 0 0227 /usr/lib/systemd/system/rpm-ostreed-automatic.timer
-00644 0 0325 /usr/lib/systemd/system/rpm-ostreed.service
-00644 0 0102 /usr/lib/systemd/system-preset/40-rpm-ostree-auto.preset
-00644 0 0622 /usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf
-00644 0 0   1572 /usr/lib/tmpfiles.d/rpm-ostree-1-autovar.conf
-00755 0 0 53 /usr/libexec/rpm-ostreed
-00644 0 0   3049 /usr/share/bash-completion/completions/rpm-ostree
-00644 0 0  17210 /usr/share/dbus-1/interfaces/org.projectatomic.rpmostree1.xml
-00644 0 0133 /usr/share/dbus-1/system-services/org.projectatomic.rpmostree1.service
-00644 0 0   1530 /usr/share/dbus-1/system.d/org.projectatomic.rpmostree1.conf
-00644 0 0   6593 /usr/share/polkit-1/actions/org.projectatomic.rpmostree1.policy
d00755 0 0  0 /usr/share/rpm-ostree
-00644 0 0   1199 /usr/share/rpm-ostree/treefile.json

atomic is really an alias for rpm-ostree command. The last file treefile.json is not installed by the rpm-ostree package, it is actually downloaded from the server, as we will see in the next chapter. For now, let us notice “osname” : “photon”, “ref” : “photon/1.0/x86_64/minimal”, “automatic_version_prefix” : “1.0_minimal”, that matches what we have known so far, and also the “documentation” : false setting, that explains why there are no manual files installed for rpm-ostree, and in fact for any package.

root@photon-host [ /usr/share/rpm-ostree ]# ls -l /usr/share/man/man1 
total 0

Listing configuration changes

To diff the current /etc configuration versus default /etc (from the base image), this command will show the Modified, Added and Deleted files:

root@photon-7c2d910d79e9 [ ~ ]# ostree admin config-diff
M  ssh/sshd_config
M  udev/hwdb.bin
M  fstab
M  machine-id
M  gshadow
M  hosts
M  shadow
A  ssh/ssh_host_rsa_key
A  ssh/ssh_host_rsa_key.pub
A  ssh/ssh_host_dsa_key
A  ssh/ssh_host_dsa_key.pub
A  ssh/ssh_host_ecdsa_key
A  ssh/ssh_host_ecdsa_key.pub
A  ssh/ssh_host_ed25519_key
A  ssh/ssh_host_ed25519_key.pub
A  hostname
A  group-
A  locale.conf
A  .pwd.lock
A  gshadow-
A  shadow-
A  resolv.conf
A  .updated

Listing packages

The following is the rpm-ostree command that lists all the packages for that branch, extracted from RPM database.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree db list photon/5.0/x86_64/minimal
    ostree commit: photon/5.0/x86_64/minimal (820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88)
     Linux-PAM-1.4.0-2.ph5.x86_64
     attr-2.4.48-1.ph5.x86_64
     audit-2.8.5-3.ph5.x86_64
     autogen-libopts-5.18.16-3.ph5.x86_64
     bash-5.0-1.ph5.x86_64
     bc-1.07.1-4.ph5.x86_64
     bridge-utils-1.6-1.ph5.x86_64
     bubblewrap-0.4.1-1.ph5.x86_64
     bzip2-1.0.8-3.ph5.x86_64
     bzip2-libs-1.0.8-3.ph5.x86_64
     ca-certificates-20201001-1.ph5.x86_64
     ca-certificates-pki-20201001-1.ph5.x86_64
     cloud-init-20.3-2.ph5.noarch
     coreutils-selinux-8.32-2.ph5.x86_64
     cpio-2.13-1.ph5.x86_64
     cracklib-2.9.7-1.ph5.x86_64
     cracklib-dicts-2.9.7-1.ph5.x86_64
     curl-7.72.0-2.ph5.x86_64
     curl-libs-7.72.0-2.ph5.x86_64
     cyrus-sasl-2.1.27-3.ph5.x86_64
     dbus-1.13.18-1.ph5.x86_64
     device-mapper-2.03.10-2.ph5.x86_64
     device-mapper-libs-2.03.10-2.ph5.x86_64
     dhcp-client-4.4.2-1.ph5.x86_64
     dhcp-libs-4.4.2-1.ph5.x86_64
     dracut-050-5.ph5.x86_64
     dracut-tools-050-5.ph5.x86_64
     e2fsprogs-1.45.6-2.ph5.x86_64
     e2fsprogs-libs-1.45.6-2.ph5.x86_64
     elfutils-0.181-2.ph5.x86_64
     elfutils-libelf-0.181-2.ph5.x86_64
     expat-2.2.9-2.ph5.x86_64
     expat-libs-2.2.9-2.ph5.x86_64
     file-5.39-1.ph5.x86_64
     file-libs-5.39-1.ph5.x86_64
     filesystem-1.1-4.ph5.x86_64
     findutils-4.7.0-1.ph5.x86_64
     finger-0.17-3.ph5.x86_64
     flex-2.6.4-3.ph5.x86_64
     fuse-2.9.9-1.ph5.x86_64
     gawk-5.1.0-1.ph5.x86_64
     gc-8.0.4-1.ph5.x86_64
     gdbm-1.18.1-1.ph5.x86_64
     glib-2.66.1-1.ph5.x86_64
     glib-networking-2.66.0-1.ph5.x86_64
     glibc-2.32-1.ph5.x86_64
     glibc-iconv-2.32-1.ph5.x86_64
     gmp-6.2.0-1.ph5.x86_64
     gnupg-2.2.23-1.ph5.x86_64
     gnutls-3.6.15-3.ph5.x86_64
     gobject-introspection-1.66.0-1.ph5.x86_64
     gpgme-1.14.0-1.ph5.x86_64
     grep-3.4-1.ph5.x86_64
     grub2-2.04-2.ph5.x86_64
     grub2-efi-2.04-2.ph5.x86_64
     grub2-efi-image-2.04-2.ph5.x86_64
     grub2-pc-2.04-2.ph5.x86_64
     grub2-theme-5.0-1.ph5.noarch
     grub2-theme-ostree-5.0-1.ph5.noarch
     guile-2.0.13-3.ph5.x86_64
     gzip-1.10-1.ph5.x86_64
     iana-etc-2.30-2.ph5.noarch
     icu-67.1-1.ph5.x86_64
     iproute2-5.8.0-1.ph5.x86_64
     iptables-1.8.4-1.ph5.x86_64
     iputils-20200821-1.ph5.x86_64
     json-c-0.15-2.ph5.x86_64
     json-glib-1.6.0-1.ph5.x86_64
     kmod-27-1.ph5.x86_64
     krb5-1.17-4.ph5.x86_64
     libacl-2.2.53-1.ph5.x86_64
     libarchive-3.4.3-3.ph5.x86_64
     libassuan-2.5.3-1.ph5.x86_64
     libcap-2.43-1.ph5.x86_64
     libcap-ng-0.8-1.ph5.x86_64
     libdb-5.3.28-2.ph5.x86_64
     libdnet-1.11-7.ph5.x86_64
     libffi-3.3-1.ph5.x86_64
     libgcc-8.4.0-1.ph5.x86_64
     libgcrypt-1.8.6-2.ph5.x86_64
     libgpg-error-1.39-1.ph5.x86_64
     libgpg-error-devel-1.39-1.ph5.x86_64
     libksba-1.4.0-1.ph5.x86_64
     libltdl-2.4.6-3.ph5.x86_64
     libmetalink-0.1.3-2.ph5.x86_64
     libmicrohttpd-0.9.71-2.ph5.x86_64
     libmodulemd-2.9.4-1.ph5.x86_64
     libmspack-0.10.1alpha-1.ph5.x86_64
     libnsl-1.3.0-1.ph5.x86_64
     libpsl-0.21.1-1.ph5.x86_64
     libpwquality-1.4.2-1.ph5.x86_64
     librepo-1.12.1-3.ph5.x86_64
     libseccomp-2.5.0-2.ph5.x86_64
     libselinux-3.1-1.ph5.x86_64
     libsemanage-3.1-1.ph5.x86_64
     libsepol-3.1-1.ph5.x86_64
     libsolv-0.6.35-5.ph5.x86_64
     libsoup-2.72.0-1.ph5.x86_64
     libssh2-1.9.0-2.ph5.x86_64
     libstdc++-8.4.0-1.ph5.x86_64
     libtasn1-4.14-1.ph5.x86_64
     libtirpc-1.2.6-1.ph5.x86_64
     libtool-2.4.6-3.ph5.x86_64
     libunistring-0.9.10-1.ph5.x86_64
     libxml2-2.9.10-3.ph5.x86_64
     libxml2-devel-2.9.10-3.ph5.x86_64
     libxslt-1.1.34-1.ph5.x86_64
     libyaml-0.2.5-1.ph5.x86_64
     linux-5.9.0-3.ph5.x86_64
     lua-5.3.5-1.ph5.x86_64
     lz4-1.9.2-1.ph5.x86_64
     m4-1.4.18-3.ph5.x86_64
     motd-0.1.3-6.ph5.noarch
     mozjs-78.3.1-1.ph5.x86_64
     mpfr-4.1.0-1.ph5.x86_64
     ncurses-6.2-2.ph5.x86_64
     ncurses-libs-6.2-2.ph5.x86_64
     ncurses-terminfo-6.2-2.ph5.x86_64
     net-tools-1.60-12.ph5.x86_64
     nettle-3.6-1.ph5.x86_64
     npth-1.6-1.ph5.x86_64
     nspr-4.29-1.ph5.x86_64
     nss-3.57-1.ph5.x86_64
     nss-altfiles-2.23.0-1.ph5.x86_64
     nss-libs-3.57-1.ph5.x86_64
     open-vm-tools-11.1.5-4.ph5.x86_64
     openldap-2.4.53-2.ph5.x86_64
     openssh-8.4p1-2.ph5.x86_64
     openssh-clients-8.4p1-2.ph5.x86_64
     openssh-server-8.4p1-2.ph5.x86_64
     openssl-1.1.1g-3.ph5.x86_64
     ostree-2020.6-1.ph5.x86_64
     ostree-grub2-2020.6-1.ph5.x86_64
     ostree-libs-2020.6-1.ph5.x86_64
     pcre-8.44-1.ph5.x86_64
     pcre-libs-8.44-1.ph5.x86_64
     photon-release-5.0-1.ph5.noarch
     photon-repos-5.0-1.ph5.noarch
     pinentry-1.1.0-1.ph5.x86_64
     pkg-config-0.29.2-3.ph5.x86_64
     policycoreutils-3.1-1.ph5.x86_64
     polkit-0.118-1.ph5.x86_64
     popt-1.16-5.ph5.x86_64
     procps-ng-3.3.16-1.ph5.x86_64
     python3-3.8.6-1.ph5.x86_64
     python3-PyYAML-5.3.1-1.ph5.x86_64
     python3-asn1crypto-1.4.0-1.ph5.noarch
     python3-attrs-20.2.0-2.ph5.noarch
     python3-certifi-2020.6.20-1.ph5.noarch
     python3-cffi-1.14.3-2.ph5.x86_64
     python3-chardet-3.0.4-2.ph5.noarch
     python3-configobj-5.0.6-5.ph5.noarch
     python3-cryptography-3.1.1-2.ph5.x86_64
     python3-gobject-introspection-1.66.0-1.ph5.x86_64
     python3-idna-2.10-1.ph5.noarch
     python3-jinja2-2.11.2-1.ph5.noarch
     python3-jsonpatch-1.26-1.ph5.noarch
     python3-jsonpointer-2.0-2.ph5.noarch
     python3-jsonschema-3.2.0-1.ph5.noarch
     python3-libs-3.8.6-1.ph5.x86_64
     python3-markupsafe-1.1.1-1.ph5.x86_64
     python3-netifaces-0.10.9-2.ph5.x86_64
     python3-oauthlib-3.1.0-1.ph5.noarch
     python3-packaging-20.4-2.ph5.noarch
     python3-prettytable-0.7.2-7.ph5.noarch
     python3-pyOpenSSL-19.1.0-2.ph5.noarch
     python3-pyasn1-0.4.8-1.ph5.noarch
     python3-pycparser-2.20-1.ph5.noarch
     python3-pyparsing-2.4.7-1.ph5.noarch
     python3-pyrsistent-0.17.3-1.ph5.x86_64
     python3-requests-2.24.0-1.ph5.noarch
     python3-setuptools-3.8.6-1.ph5.noarch
     python3-six-1.15.0-2.ph5.noarch
     python3-urllib3-1.25.10-2.ph5.noarch
     python3-xml-3.8.6-1.ph5.x86_64
     readline-7.0-3.ph5.x86_64
     rpcsvc-proto-1.4.2-1.ph5.x86_64
     rpm-4.14.2-11.ph5.x86_64
     rpm-libs-4.14.2-11.ph5.x86_64
     rpm-ostree-2020.5-4.ph5.x86_64
     sed-4.8-1.ph5.x86_64
     selinux-policy-3.14.7-1.ph5.noarch
     shadow-4.8.1-2.ph5.x86_64
     shadow-tools-4.8.1-2.ph5.x86_64
     shim-signed-15-1.ph5.x86_64
     sqlite-libs-3.33.0-1.ph5.x86_64
     sudo-1.8.30-2.ph5.x86_64
     systemd-245.5-3.ph5.x86_64
     tcp_wrappers-7.6-7.ph5.x86_64
     tzdata-2020a-1.ph5.noarch
     util-linux-2.36-1.ph5.x86_64
     util-linux-libs-2.36-1.ph5.x86_64
     vim-8.2.1361-1.ph5.x86_64
     which-2.21-6.ph5.x86_64
     xmlsec1-1.2.30-3.ph5.x86_64
     xz-5.2.5-1.ph5.x86_64
     xz-libs-5.2.5-1.ph5.x86_64
     zchunk-1.1.7-1.ph5.x86_64
     zchunk-libs-1.1.7-1.ph5.x86_64
     zlib-1.2.11-2.ph5.x86_64
     zstd-1.4.5-2.ph5.x86_64
     zstd-libs-1.4.5-2.ph5.x86_64

Querying for package details

We are able to use the query option of rpm to make sure any package have been installed properly. The files list should match the previous file mappings in 4.2, so let’s check package rpm-ostree. As we’ve seen, manual files listed here are actually missing, they were not installed.

root@photon-7c2d910d79e9 [ ~ ]# rpm -ql  rpm-ostree
    /etc/rpm-ostreed.conf
    /usr/bin/rpm-ostree
    /usr/bin/rpm-ostree-host
    /usr/bin/rpm-ostree-host/function.inc
    /usr/bin/rpm-ostree-host/mk-ostree-host.sh
    /usr/bin/rpm-ostree-server
    /usr/bin/rpm-ostree-server/mkostreerepo
    /usr/lib/girepository-1.0/RpmOstree-1.0.typelib
    /usr/lib/librpmostree-1.so.1
    /usr/lib/librpmostree-1.so.1.0.0
    /usr/lib/rpm-ostree
    /usr/lib/rpm-ostree/libdnf.so.2
    /usr/lib/rpm-ostree/rpm-ostree-0-integration.conf
    /usr/lib/systemd/system/rpm-ostree-bootstatus.service
    /usr/lib/systemd/system/rpm-ostreed-automatic.service
    /usr/lib/systemd/system/rpm-ostreed-automatic.timer
    /usr/lib/systemd/system/rpm-ostreed.service
    /usr/libexec/rpm-ostreed
    /usr/share/bash-completion/completions/rpm-ostree
    /usr/share/dbus-1/interfaces/org.projectatomic.rpmostree1.xml
    /usr/share/dbus-1/system-services/org.projectatomic.rpmostree1.service
    /usr/share/dbus-1/system.d/org.projectatomic.rpmostree1.conf
    /usr/share/man/man1/rpm-ostree.1.gz
    /usr/share/man/man5/rpm-ostreed.conf.5.gz
    /usr/share/man/man8/rpm-ostreed-automatic.service.8.gz
    /usr/share/man/man8/rpm-ostreed-automatic.timer.8.gz
    /usr/share/polkit-1/actions/org.projectatomic.rpmostree1.policy

Why am I unable to install, upgrade or uninstall packages?

The OSTree host installer needs the server URL or the server repository.

When you perform the installation using the repo, the install packages are located under the layer package. When you install with the URL, the packages are located under the local packages.

You can use the rpm-ostree uninstall command to uninstall only the layered and local packages but not the base packages. To modify the base packages, you can use the rpm-ostree override command.

When you run rpm-ostree upgrade, the command will only upgrade packages based on the commit available in the server.

5 - Host Updating Operations

Upgrade overview

If you’ve used yum, dnf (and now tdnf for Photon) in RPM systems or apt-get in Debian based Unix, you understand what “install” is for packages and the subtle difference between “update” and “upgrade”.

OSTree and RPM-OSTree don’t distinguish between them and the term “upgrade” has a slightly different meaning - to bring the system in sync with the remote repo, to the top of the Refspec (branch), just like in Git, by pulling the latest changes.

In fact, ostree and rpm-ostree commands support a single “upgrade” verb for a file image tree and a package list in the same refspec (branch). rpm-ostree upgrade will install a package if it doesn’t exist, will not touch it if it has same version in the new image, will upgrade it if the version number is higher and it may actually downgrade it, if the package has been downgraded in the new image. I wish this operation had a different name, to avoid any confusion.

The reverse operation of an upgrade is a “rollback” and fortunately it’s not named “downgrade” because it may upgrade packages in the last case describe above.

As we’ll see in a future chapter, a jump to a different Refspec (branch) is also supported and it’s named “rebase”.

Incremental upgrade

To check if there are any updates available, one would execute:

root@photon-host-def [ ~ ]# rpm-ostree upgrade
Updating from: photon:photon/5.0/x86_64/minimal

No upgrade available.

It is good idea to check periodically for updates.

To check if there are any new updates without actually applying them, we will pass the –check-diff flag, that would list the different packages as added, modified or deleted - if such operations were to happen.

root@photon-host [ ~ ]# rpm-ostree upgrade --check-diff
Updating from: photon:photon/5.0/x86_64/minimal

8 metadata, 13 content objects fetched; 1026 KiB transferred in 0 seconds
+gawk-4.1.3-2.ph1.x86_64
+sudo-1.8.15-3.ph1.x86_64
+wget-1.17.1-2.ph1.x86_64

We like what we see and now let’s upgrade for real. This command will deploy a new bootable filetree.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree upgrade --allow-downgrade
⠂ Receiving metadata objects: 0/(estimating) -/s 0 bytes... 
Receiving metadata objects: 0/(estimating) -/s 0 bytes... done
Staging deployment... done
Downgraded:
  audit 2.8.5-6.ph5 -> 2.8.5-3.ph5
  cloud-init 20.4.1-1.ph5 -> 20.3-2.ph5
  cpio 2.13-3.ph5 -> 2.13-1.ph5
  curl 7.74.0-1.ph5 -> 7.72.0-2.ph5
  curl-libs 7.74.0-1.ph5 -> 7.72.0-2.ph5
  cyrus-sasl 2.1.27-4.ph5 -> 2.1.27-3.ph5
  dhcp-client 4.4.2-2.ph5 -> 4.4.2-1.ph5
  dhcp-libs 4.4.2-2.ph5 -> 4.4.2-1.ph5
  dracut 050-7.ph5 -> 050-5.ph5
  dracut-tools 050-7.ph5 -> 050-5.ph5
  file 5.39-2.ph5 -> 5.39-1.ph5
  file-libs 5.39-2.ph5 -> 5.39-1.ph5
  gdbm 1.19-1.ph5 -> 1.18.1-1.ph5
  glibc 2.32-2.ph5 -> 2.32-1.ph5
  glibc-iconv 2.32-2.ph5 -> 2.32-1.ph5
  gobject-introspection 1.66.0-3.ph5 -> 1.66.0-1.ph5
  grub2-theme 5.0-2.ph5 -> 5.0-1.ph5
  grub2-theme-ostree 5.0-2.ph5 -> 5.0-1.ph5
  iproute2 5.10.0-1.ph5 -> 5.8.0-1.ph5
  iptables 1.8.7-1.ph5 -> 1.8.4-1.ph5
  json-c 0.15-3.ph5 -> 0.15-2.ph5
  libgcc 10.2.0-1.ph5 -> 8.4.0-1.ph5
  libmetalink 0.1.3-3.ph5 -> 0.1.3-2.ph5
  libmodulemd 2.11.0-1.ph5 -> 2.9.4-1.ph5
  librepo 1.12.1-4.ph5 -> 1.12.1-3.ph5
  libsepol 3.1-2.ph5 -> 3.1-1.ph5
  libsolv 0.6.35-7.ph5 -> 0.6.35-5.ph5
  libssh2 1.9.0-3.ph5 -> 1.9.0-2.ph5
  libstdc++ 10.2.0-1.ph5 -> 8.4.0-1.ph5
  libxml2 2.9.10-6.ph5 -> 2.9.10-3.ph5
  libxml2-devel 2.9.10-6.ph5 -> 2.9.10-3.ph5
  libxslt 1.1.34-2.ph5 -> 1.1.34-1.ph5
  linux 5.10.4-15.ph5 -> 5.9.0-3.ph5
  ncurses 6.2-3.ph5 -> 6.2-2.ph5
  ncurses-libs 6.2-3.ph5 -> 6.2-2.ph5
  ncurses-terminfo 6.2-3.ph5 -> 6.2-2.ph5
  nss 3.57-2.ph5 -> 3.57-1.ph5
  nss-libs 3.57-2.ph5 -> 3.57-1.ph5
  open-vm-tools 11.2.5-1.ph5 -> 11.1.5-4.ph5
  openldap 2.4.53-3.ph5 -> 2.4.53-2.ph5
  openssl 1.1.1i-2.ph5 -> 1.1.1g-3.ph5
  pcre 8.44-2.ph5 -> 8.44-1.ph5
  pcre-libs 8.44-2.ph5 -> 8.44-1.ph5
  python3 3.9.1-2.ph5 -> 3.8.6-1.ph5
  python3-PyYAML 5.4.1-1.ph5 -> 5.3.1-1.ph5
  python3-attrs 20.3.0-2.ph5 -> 20.2.0-2.ph5
  python3-cryptography 3.2.1-1.ph5 -> 3.1.1-2.ph5
  python3-gobject-introspection 1.66.0-3.ph5 -> 1.66.0-1.ph5
  python3-libs 3.9.1-2.ph5 -> 3.8.6-1.ph5
  python3-packaging 20.4-3.ph5 -> 20.4-2.ph5
  python3-pyrsistent 0.17.3-2.ph5 -> 0.17.3-1.ph5
  python3-setuptools 3.9.1-2.ph5 -> 3.8.6-1.ph5
  python3-urllib3 1.25.11-1.ph5 -> 1.25.10-2.ph5
  python3-xml 3.9.1-2.ph5 -> 3.8.6-1.ph5
  rpm 4.16.1.2-1.ph5 -> 4.14.2-11.ph5
  rpm-libs 4.16.1.2-1.ph5 -> 4.14.2-11.ph5
  rpm-ostree 2020.5-5.ph5 -> 2020.5-4.ph5
  shadow 4.8.1-3.ph5 -> 4.8.1-2.ph5
  shadow-tools 4.8.1-3.ph5 -> 4.8.1-2.ph5
  sudo 1.9.5-1.ph5 -> 1.8.30-2.ph5
  systemd 247.3-1.ph5 -> 245.5-3.ph5
  util-linux 2.36-2.ph5 -> 2.36-1.ph5
  util-linux-libs 2.36-2.ph5 -> 2.36-1.ph5
Removed:
  libpcap-1.10.0-1.ph5.x86_64
  python3-Pygments-2.7.2-2.ph5.noarch
  python3-alabaster-0.7.12-1.ph5.noarch
  python3-babel-2.8.0-3.ph5.noarch
  python3-docutils-0.16-1.ph5.noarch
  python3-imagesize-1.2.0-2.ph5.noarch
  python3-pytz-2020.4-2.ph5.noarch
  python3-snowballstemmer-2.0.0-1.ph5.noarch
  python3-sphinx-3.3.0-2.ph5.noarch
  python3-sphinxcontrib-applehelp-1.0.2-1.ph5.noarch
  python3-sphinxcontrib-devhelp-1.0.2-1.ph5.noarch
  python3-sphinxcontrib-htmlhelp-1.0.3-1.ph5.noarch
  python3-sphinxcontrib-jsmath-1.0.1-1.ph5.noarch
  python3-sphinxcontrib-qthelp-1.0.3-1.ph5.noarch
  python3-sphinxcontrib-serializinghtml-1.1.4-1.ph5.noarch
  python3-typing-3.7.4.3-1.ph5.noarch
  systemd-libs-247.3-1.ph5.x86_64
  systemd-pam-247.3-1.ph5.x86_64
  systemd-rpm-macros-247.3-1.ph5.noarch
  systemd-udev-247.3-1.ph5.x86_64
Run "systemctl reboot" to start a reboot

By looking at the commit history, notice that the new commit has the original commit as parent.

root@photon-7c2d910d79e9 [ ~ ]# ostree log photon/5.0/x86_64/minimal
commit 820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88
ContentChecksum:  c7956cedc5c1b8c07a06e10789c17364a5b7a4b970daab64f3398b7c42bd97d9
Date:  2020-11-04 02:21:47 +0000
Version: 5.0_minimal
(no subject)

Notice that now we have a new reference, that corresponds to the newly deployed image.

root@photon-7c2d910d79e9 [ ~ ]# ostree refs
ostree/0/1/1
photon:photon/5.0/x86_64/minimal
ostree/0/1/0

Let us look at the status. The new filetree version .1 has the expected Commit ID and a newer timestamp, that is actually the server date/time when the image has been generated, not the time/date when it was downloaded or installed at the host. The old image has a star next to it, showing that’s the image the system is booted currently into.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree status
State: idle
Deployments:
  ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2020-11-04T02:21:47Z)
Commit: 820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88
  Diff: 63 downgraded, 20 removed

● ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2021-02-20T07:15:43Z)
Commit: 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f

Now let’s type reboot. Grub will list the new filetree as the first image, marked with a star, as the default bootable image. If the keyboard is not touched and order is not changed, grub will timeout and will boot into that image.

Grub-dual-boot-1-0

Let’s look again at the status. It’s identical, just that the star is next to the newer image, to show it’s the current image it has booted from.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree status
State: idle
Deployments:
● ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2020-11-04T02:21:47Z)
Commit: 820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88
  Diff: 63 downgraded, 20 removed

  ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2021-02-20T07:15:43Z)
Commit: 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f

Also, the current deployment directory is based on the new commit:

root@photon-7c2d910d79e9 [ ~ ]# ostree admin config-diff --print-current-dir
/ostree/deploy/photon/deploy/820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88.0

A fresh upgrade for a new version will delete the older, original image and bring a new one, that will become the new default image. The previous ‘default’ image will move down one position as the backup image.

Listing file differences

Now we can look at what files have been Added, Modified, Deleted due to the addition of those three packages and switching of the boot directories, by comparing the two commits.

root@photon-7c2d910d79e9 [ ~ ]# ostree diff 820b 965c
M    /usr/bin/VGAuthService
M    /usr/bin/[
M    /usr/bin/asn1Coding
M    /usr/bin/asn1Decoding
M    /usr/bin/asn1Parser
M    /usr/bin/attr
M    /usr/bin/aulast
M    /usr/bin/aulastlog
M    /usr/bin/ausyscall
M    /usr/bin/auvirt
M    /usr/bin/b2sum
M    /usr/bin/base32
M    /usr/bin/base64
M    /usr/bin/basename
M    /usr/bin/basenc
M    /usr/bin/bash
M    /usr/bin/bc
M    /usr/bin/bootctl
M    /usr/bin/bsdcat
M    /usr/bin/bsdcpio
M    /usr/bin/bsdtar
M    /usr/bin/busctl
M    /usr/bin/bwrap
M    /usr/bin/bzip2
M    /usr/bin/bzip2recover
M    /usr/bin/cal
M    /usr/bin/captest
M    /usr/bin/cat
M    /usr/bin/certtool
M    /usr/bin/certutil
M    /usr/bin/chage
M    /usr/bin/chattr
M    /usr/bin/chcon
M    /usr/bin/chfn
M    /usr/bin/chgrp
M    /usr/bin/chmem
M    /usr/bin/chmod
M    /usr/bin/choom
M    /usr/bin/chown
M    /usr/bin/chrt
M    /usr/bin/chsh
M    /usr/bin/cksum
M    /usr/bin/clear
M    /usr/bin/cloud-id
M    /usr/bin/cloud-init
M    /usr/bin/col
M    /usr/bin/colcrt
M    /usr/bin/colrm
M    /usr/bin/column
M    /usr/bin/comm
M    /usr/bin/coredumpctl
M    /usr/bin/cp
M    /usr/bin/cpio
M    /usr/bin/csplit
M    /usr/bin/curl
M    /usr/bin/curl-config
M    /usr/bin/cut
M    /usr/bin/cvtsudoers
M    /usr/bin/date
M    /usr/bin/dbus-cleanup-sockets
M    /usr/bin/dbus-daemon
M    /usr/bin/dbus-launch
M    /usr/bin/dbus-monitor
M    /usr/bin/dbus-run-session
M    /usr/bin/dbus-send
M    /usr/bin/dbus-test-tool
M    /usr/bin/dbus-update-activation-environment
M    /usr/bin/dbus-uuidgen
M    /usr/bin/dc
M    /usr/bin/dd
M    /usr/bin/debuginfod
M    /usr/bin/debuginfod-find
M    /usr/bin/deltainfoxml2solv
M    /usr/bin/derb
M    /usr/bin/df
M    /usr/bin/dir
M    /usr/bin/dircolors
M    /usr/bin/dirmngr
M    /usr/bin/dirmngr-client
M    /usr/bin/dirname
M    /usr/bin/dmesg
M    /usr/bin/du
M    /usr/bin/dumpsexp
M    /usr/bin/dumpsolv
M    /usr/bin/echo
M    /usr/bin/eject
M    /usr/bin/env
M    /usr/bin/eu-addr2line
M    /usr/bin/eu-ar
M    /usr/bin/eu-elfclassify
M    /usr/bin/eu-elfcmp
M    /usr/bin/eu-elfcompress
M    /usr/bin/eu-elflint
M    /usr/bin/eu-findtextrel
M    /usr/bin/eu-nm
M    /usr/bin/eu-objdump
M    /usr/bin/eu-ranlib
M    /usr/bin/eu-readelf
M    /usr/bin/eu-size
M    /usr/bin/eu-stack
M    /usr/bin/eu-strings
M    /usr/bin/eu-strip
M    /usr/bin/eu-unstrip
M    /usr/bin/expand
M    /usr/bin/expiry
M    /usr/bin/expr
M    /usr/bin/factor
M    /usr/bin/faillog
M    /usr/bin/fallocate
M    /usr/bin/false
M    /usr/bin/file
M    /usr/bin/filecap
M    /usr/bin/fincore
M    /usr/bin/find
M    /usr/bin/findmnt
M    /usr/bin/finger
M    /usr/bin/flex
M    /usr/bin/flock
M    /usr/bin/fmt
M    /usr/bin/fold
M    /usr/bin/free
M    /usr/bin/fusermount
M    /usr/bin/gawk
M    /usr/bin/gawk-5.1.0
M    /usr/bin/gdbm_dump
M    /usr/bin/gdbm_load
M    /usr/bin/gdbmtool
M    /usr/bin/genbrk
M    /usr/bin/gencat
M    /usr/bin/gencfu
M    /usr/bin/gencnval
M    /usr/bin/gendict
M    /usr/bin/gendiff
M    /usr/bin/genrb
M    /usr/bin/getconf
M    /usr/bin/getent
M    /usr/bin/getfattr
M    /usr/bin/getopt
M    /usr/bin/gnutls-cli
M    /usr/bin/gnutls-cli-debug
M    /usr/bin/gnutls-serv
M    /usr/bin/gpasswd
M    /usr/bin/gpg
M    /usr/bin/gpg-agent
M    /usr/bin/gpg-connect-agent
M    /usr/bin/gpg-error
M    /usr/bin/gpg-wks-server
M    /usr/bin/gpgconf
M    /usr/bin/gpgparsemail
M    /usr/bin/gpgscm
M    /usr/bin/gpgsm
M    /usr/bin/gpgsplit
M    /usr/bin/gpgtar
M    /usr/bin/gpgv
M    /usr/bin/grep
M    /usr/bin/groups
M    /usr/bin/grub2-editenv
M    /usr/bin/grub2-file
M    /usr/bin/grub2-fstest
M    /usr/bin/grub2-glue-efi
M    /usr/bin/grub2-menulst2cfg
M    /usr/bin/grub2-mkimage
M    /usr/bin/grub2-mklayout
M    /usr/bin/grub2-mknetdir
M    /usr/bin/grub2-mkpasswd-pbkdf2
M    /usr/bin/grub2-mkrelpath
M    /usr/bin/grub2-mkrescue
M    /usr/bin/grub2-mkstandalone
M    /usr/bin/grub2-render-label
M    /usr/bin/grub2-script-check
M    /usr/bin/grub2-syslinux2cfg
M    /usr/bin/gss-client
M    /usr/bin/guile
M    /usr/bin/gzip
M    /usr/bin/hardlink
M    /usr/bin/head
M    /usr/bin/hexdump
M    /usr/bin/hmac256
M    /usr/bin/hostid
M    /usr/bin/hostname
M    /usr/bin/hostnamectl
M    /usr/bin/iconv
M    /usr/bin/icuinfo
M    /usr/bin/id
M    /usr/bin/infocmp
M    /usr/bin/install
M    /usr/bin/installcheck
M    /usr/bin/ionice
M    /usr/bin/ipcmk
M    /usr/bin/ipcrm
M    /usr/bin/ipcs
M    /usr/bin/irqtop
M    /usr/bin/isosize
M    /usr/bin/join
M    /usr/bin/journalctl
M    /usr/bin/js78
M    /usr/bin/json-glib-format
M    /usr/bin/json-glib-validate
M    /usr/bin/kadmin
M    /usr/bin/kbxutil
M    /usr/bin/kdestroy
M    /usr/bin/kernel-install
M    /usr/bin/kill
M    /usr/bin/kinit
M    /usr/bin/klist
M    /usr/bin/kmod
M    /usr/bin/kpasswd
M    /usr/bin/kswitch
M    /usr/bin/ktutil
M    /usr/bin/kvno
M    /usr/bin/last
M    /usr/bin/lastlog
M    /usr/bin/ldapcompare
M    /usr/bin/ldapdelete
M    /usr/bin/ldapexop
M    /usr/bin/ldapmodify
M    /usr/bin/ldapmodrdn
M    /usr/bin/ldappasswd
M    /usr/bin/ldapsearch
M    /usr/bin/ldapurl
M    /usr/bin/ldapwhoami
M    /usr/bin/libtool
M    /usr/bin/link
M    /usr/bin/ln
M    /usr/bin/locale
M    /usr/bin/localectl
M    /usr/bin/localedef
M    /usr/bin/locate
M    /usr/bin/logger
M    /usr/bin/login
M    /usr/bin/loginctl
M    /usr/bin/logname
M    /usr/bin/look
M    /usr/bin/ls
M    /usr/bin/lsattr
M    /usr/bin/lsblk
M    /usr/bin/lscpu
M    /usr/bin/lsipc
M    /usr/bin/lsirq
M    /usr/bin/lslocks
M    /usr/bin/lslogins
M    /usr/bin/lsmem
M    /usr/bin/lsns
M    /usr/bin/lua
M    /usr/bin/luac
M    /usr/bin/lz4
M    /usr/bin/lzmadec
M    /usr/bin/lzmainfo
M    /usr/bin/m4
M    /usr/bin/makeconv
M    /usr/bin/makedb
M    /usr/bin/mcookie
M    /usr/bin/md5sum
M    /usr/bin/mergesolv
M    /usr/bin/mesg
M    /usr/bin/mkdir
M    /usr/bin/mkfifo
M    /usr/bin/mkinitrd
M    /usr/bin/mknod
M    /usr/bin/mktemp
M    /usr/bin/modulemd-validator
M    /usr/bin/more
M    /usr/bin/mount
M    /usr/bin/mountpoint
M    /usr/bin/mpicalc
M    /usr/bin/mt
M    /usr/bin/mv
M    /usr/bin/namei
M    /usr/bin/netcap
M    /usr/bin/netstat
M    /usr/bin/nettle-hash
M    /usr/bin/nettle-lfib-stream
M    /usr/bin/nettle-pbkdf2
M    /usr/bin/networkctl
M    /usr/bin/newgidmap
M    /usr/bin/newgrp
M    /usr/bin/newrole
M    /usr/bin/newuidmap
M    /usr/bin/nice
M    /usr/bin/nl
M    /usr/bin/nohup
M    /usr/bin/nproc
M    /usr/bin/nsenter
M    /usr/bin/numfmt
M    /usr/bin/ocsptool
M    /usr/bin/od
M    /usr/bin/openssl
M    /usr/bin/ostree
M    /usr/bin/passwd
M    /usr/bin/paste
M    /usr/bin/pathchk
M    /usr/bin/pcregrep
M    /usr/bin/pcretest
M    /usr/bin/pgrep
M    /usr/bin/pidof
M    /usr/bin/pinentry-curses
M    /usr/bin/pinentry-tty
M    /usr/bin/ping
M    /usr/bin/pinky
M    /usr/bin/pk-example-frobnicate
M    /usr/bin/pk12util
M    /usr/bin/pkaction
M    /usr/bin/pkcheck
M    /usr/bin/pkcs1-conv
M    /usr/bin/pkexec
M    /usr/bin/pkg-config
M    /usr/bin/pkgdata
M    /usr/bin/pkill
M    /usr/bin/pkttyagent
M    /usr/bin/pmap
M    /usr/bin/portablectl
M    /usr/bin/pr
M    /usr/bin/printenv
M    /usr/bin/printf
M    /usr/bin/prlimit
M    /usr/bin/ps
M    /usr/bin/pscap
M    /usr/bin/psktool
M    /usr/bin/ptx
M    /usr/bin/pwd
M    /usr/bin/pwdx
M    /usr/bin/pwmake
M    /usr/bin/pwscore
M    /usr/bin/pydoc3
M    /usr/bin/python3
M    /usr/bin/readlink
M    /usr/bin/realpath
M    /usr/bin/rename
M    /usr/bin/renice
M    /usr/bin/repo2solv
M    /usr/bin/repomdxml2solv
M    /usr/bin/resolvectl
M    /usr/bin/rev
M    /usr/bin/rm
M    /usr/bin/rmdir
M    /usr/bin/rofiles-fuse
M    /usr/bin/rpcgen
M    /usr/bin/rpm
M    /usr/bin/rpm-ostree
M    /usr/bin/rpm2archive
M    /usr/bin/rpm2cpio
M    /usr/bin/rpmdb
M    /usr/bin/rpmdb2solv
M    /usr/bin/rpmgraph
M    /usr/bin/rpmkeys
M    /usr/bin/rpmmd2solv
M    /usr/bin/rpms2solv
M    /usr/bin/runcon
M    /usr/bin/sclient
M    /usr/bin/scp
M    /usr/bin/script
M    /usr/bin/scriptlive
M    /usr/bin/scriptreplay
M    /usr/bin/secon
M    /usr/bin/sed
M    /usr/bin/seq
M    /usr/bin/setarch
M    /usr/bin/setfattr
M    /usr/bin/setsid
M    /usr/bin/setterm
M    /usr/bin/sexp-conv
M    /usr/bin/sftp
M    /usr/bin/sha1sum
M    /usr/bin/sha224sum
M    /usr/bin/sha256sum
M    /usr/bin/sha384sum
M    /usr/bin/sha512sum
M    /usr/bin/shred
M    /usr/bin/shuf
M    /usr/bin/sim_client
M    /usr/bin/slabtop
M    /usr/bin/sleep
M    /usr/bin/sort
M    /usr/bin/split
M    /usr/bin/srptool
M    /usr/bin/ssh
M    /usr/bin/ssh-add
M    /usr/bin/ssh-agent
M    /usr/bin/ssh-keygen
M    /usr/bin/ssh-keyscan
M    /usr/bin/stat
M    /usr/bin/stdbuf
M    /usr/bin/stty
M    /usr/bin/su
M    /usr/bin/sudo
M    /usr/bin/sudoreplay
M    /usr/bin/sum
M    /usr/bin/sync
M    /usr/bin/systemctl
M    /usr/bin/systemd-analyze
M    /usr/bin/systemd-ask-password
M    /usr/bin/systemd-cat
M    /usr/bin/systemd-cgls
M    /usr/bin/systemd-cgtop
M    /usr/bin/systemd-delta
M    /usr/bin/systemd-detect-virt
M    /usr/bin/systemd-escape
M    /usr/bin/systemd-hwdb
M    /usr/bin/systemd-id128
M    /usr/bin/systemd-inhibit
M    /usr/bin/systemd-machine-id-setup
M    /usr/bin/systemd-mount
M    /usr/bin/systemd-notify
M    /usr/bin/systemd-path
M    /usr/bin/systemd-repart
M    /usr/bin/systemd-run
M    /usr/bin/systemd-socket-activate
M    /usr/bin/systemd-stdio-bridge
M    /usr/bin/systemd-tmpfiles
M    /usr/bin/systemd-tty-ask-password-agent
M    /usr/bin/tabs
M    /usr/bin/tac
M    /usr/bin/tail
M    /usr/bin/taskset
M    /usr/bin/tee
M    /usr/bin/test
M    /usr/bin/testsolv
M    /usr/bin/tic
M    /usr/bin/timedatectl
M    /usr/bin/timeout
M    /usr/bin/tload
M    /usr/bin/toe
M    /usr/bin/top
M    /usr/bin/touch
M    /usr/bin/tput
M    /usr/bin/tr
M    /usr/bin/tracepath
M    /usr/bin/traceroute6
M    /usr/bin/true
M    /usr/bin/truncate
M    /usr/bin/tset
M    /usr/bin/tsort
M    /usr/bin/tty
M    /usr/bin/uconv
M    /usr/bin/udevadm
M    /usr/bin/ul
M    /usr/bin/ulockmgr_server
M    /usr/bin/umount
M    /usr/bin/uname
M    /usr/bin/unexpand
M    /usr/bin/uniq
M    /usr/bin/unlink
M    /usr/bin/unshare
M    /usr/bin/unzck
M    /usr/bin/updateinfoxml2solv
M    /usr/bin/uptime
M    /usr/bin/userdbctl
M    /usr/bin/users
M    /usr/bin/utmpdump
M    /usr/bin/uuclient
M    /usr/bin/uuidgen
M    /usr/bin/uuidparse
M    /usr/bin/vdir
M    /usr/bin/vim
M    /usr/bin/vmhgfs-fuse
M    /usr/bin/vmstat
M    /usr/bin/vmtoolsd
M    /usr/bin/vmware-checkvm
M    /usr/bin/vmware-hgfsclient
M    /usr/bin/vmware-namespace-cmd
M    /usr/bin/vmware-rpctool
M    /usr/bin/vmware-toolbox-cmd
M    /usr/bin/vmware-vgauth-cmd
M    /usr/bin/vmware-vgauth-smoketest
M    /usr/bin/vmware-vmblock-fuse
M    /usr/bin/vmware-xferlogs
M    /usr/bin/w
M    /usr/bin/wall
M    /usr/bin/watch
M    /usr/bin/watchgnupg
M    /usr/bin/wc
M    /usr/bin/wdctl
M    /usr/bin/whereis
M    /usr/bin/which
M    /usr/bin/who
M    /usr/bin/whoami
M    /usr/bin/xargs
M    /usr/bin/xmlcatalog
M    /usr/bin/xmllint
M    /usr/bin/xmlsec1
M    /usr/bin/xmlwf
M    /usr/bin/xsltproc
M    /usr/bin/xz
M    /usr/bin/xzdec
M    /usr/bin/yat2m
M    /usr/bin/yes
M    /usr/bin/zck
M    /usr/bin/zck_delta_size
M    /usr/bin/zck_gen_zdict
M    /usr/bin/zck_read_header
M    /usr/bin/zckdl
M    /usr/bin/zstd
M    /usr/bin/rpm-ostree-server/mkostreerepo
M    /usr/etc/ld.so.cache
M    /usr/etc/photon-release
M    /usr/etc/shadow
M    /usr/etc/sudoers
M    /usr/etc/cloud/cloud.cfg
M    /usr/etc/iproute2/rt_protos
M    /usr/etc/pam.d/vmtoolsd
M    /usr/etc/systemd/journald.conf
M    /usr/etc/systemd/logind.conf
M    /usr/etc/systemd/networkd.conf
M    /usr/etc/systemd/resolved.conf
M    /usr/etc/systemd/system.conf
M    /usr/etc/systemd/user.conf
M    /usr/etc/udev/hwdb.bin
M    /usr/etc/udev/udev.conf
M    /usr/etc/udev/rules.d/99-vmware-hotplug.rules
M    /usr/etc/vmware-tools/tools.conf.example
M    /usr/etc/vmware-tools/vgauth.conf
M    /usr/include/sudo_plugin.h
M    /usr/lib/e2initrd_helper
M    /usr/lib/ld-2.32.so
M    /usr/lib/libBrokenLocale-2.32.so
M    /usr/lib/libDeployPkg.so.0.0.0
M    /usr/lib/libSegFault.so
M    /usr/lib/libacl.so.1.1.2253
M    /usr/lib/libanl-2.32.so
M    /usr/lib/libarchive.so.13.4.3
M    /usr/lib/libasm-0.181.so
M    /usr/lib/libassuan.so.0.8.3
M    /usr/lib/libattr.so.1.1.2448
M    /usr/lib/libaudit.so.1.0.0
M    /usr/lib/libauparse.so.0.0.0
M    /usr/lib/libblkid.so.1.1.0
M    /usr/lib/libbz2.so.1.0.8
M    /usr/lib/libc-2.32.so
M    /usr/lib/libcap-ng.so.0.0.0
M    /usr/lib/libcap.so.2.43
M    /usr/lib/libcom_err.so.2.1
M    /usr/lib/libcord.so.1.4.0
M    /usr/lib/libcrack.so.2.9.0
M    /usr/lib/libcrypt-2.32.so
M    /usr/lib/libcrypto.so.1.1
M    /usr/lib/libcurl.so.4
M    /usr/lib/libdb-5.3.so
M    /usr/lib/libdbus-1.so.3.29.0
M    /usr/lib/libdebuginfod-0.181.so
M    /usr/lib/libdevmapper.so.1.02
M    /usr/lib/libdhcp.a
M    /usr/lib/libdhcpctl.a
M    /usr/lib/libdl-2.32.so
M    /usr/lib/libdnet.1.0.1
M    /usr/lib/libdw-0.181.so
M    /usr/lib/libe2p.so.2.3
M    /usr/lib/libelf-0.181.so
M    /usr/lib/libexpat.so.1.6.11
M    /usr/lib/libexslt.so.0.8.20
M    /usr/lib/libext2fs.so.2.4
M    /usr/lib/libfdisk.so.1.1.0
M    /usr/lib/libffi.so.7.1.0
M    /usr/lib/libfl.so.2.0.0
M    /usr/lib/libformw.so.6.2
M    /usr/lib/libfreebl3.chk
M    /usr/lib/libfreebl3.so
M    /usr/lib/libfreeblpriv3.chk
M    /usr/lib/libfreeblpriv3.so
M    /usr/lib/libfuse.so.2.9.9
M    /usr/lib/libgc.so.1.4.3
M    /usr/lib/libgcc_s.so.1
M    /usr/lib/libgccpp.so.1.4.0
M    /usr/lib/libgcrypt.so.20.2.6
M    /usr/lib/libgdbm.so.6.0.0
M    /usr/lib/libgdbm_compat.so.4.0.0
M    /usr/lib/libgio-2.0.so.0.6600.1
M    /usr/lib/libgirepository-1.0.so.1.0.0
M    /usr/lib/libglib-2.0.so.0.6600.1
M    /usr/lib/libgmodule-2.0.so.0.6600.1
M    /usr/lib/libgmp.so.10.4.0
M    /usr/lib/libgnutls.so.30.28.1
M    /usr/lib/libgnutlsxx.so.28.1.0
M    /usr/lib/libgobject-2.0.so.0.6600.1
M    /usr/lib/libgpg-error.so.0.30.0
M    /usr/lib/libgpgme.so.11.23.0
M    /usr/lib/libgssapi_krb5.so.2.2
M    /usr/lib/libgssrpc.so.4.2
M    /usr/lib/libgthread-2.0.so.0.6600.1
M    /usr/lib/libguestlib.so.0.0.0
M    /usr/lib/libguile-2.0.so.22.8.1
M    /usr/lib/libguilereadline-v-18.so.18.0.0
M    /usr/lib/libhgfs.so.0.0.0
M    /usr/lib/libhistory.so.7.0
M    /usr/lib/libhogweed.so.6.0
M    /usr/lib/libicui18n.so.67.1
M    /usr/lib/libicuio.so.67.1
M    /usr/lib/libicutest.so.67.1
M    /usr/lib/libicutu.so.67.1
M    /usr/lib/libicuuc.so.67.1
M    /usr/lib/libip4tc.so.2.0.0
M    /usr/lib/libip6tc.so.2.0.0
M    /usr/lib/libipq.so.0.0.0
M    /usr/lib/libjson-c.so.5.1.0
M    /usr/lib/libjson-glib-1.0.so.0.600.0
M    /usr/lib/libk5crypto.so.3.1
M    /usr/lib/libkadm5clnt_mit.so.11.0
M    /usr/lib/libkadm5srv_mit.so.11.0
M    /usr/lib/libkdb5.so.9.0
M    /usr/lib/libkmod.so.2.3.5
M    /usr/lib/libkrad.so.0.0
M    /usr/lib/libkrb5.so.3.3
M    /usr/lib/libkrb5support.so.0.1
M    /usr/lib/libksba.so.8.12.0
M    /usr/lib/liblber-2.4.so.2.11.1
M    /usr/lib/libldap-2.4.so.2.11.1
M    /usr/lib/libldap_r-2.4.so.2.11.1
M    /usr/lib/libltdl.so.7.3.1
M    /usr/lib/liblua.so.5.3.4
M    /usr/lib/liblz4.so.1.9.2
M    /usr/lib/liblzma.so.5.2.5
M    /usr/lib/libm-2.32.so
M    /usr/lib/libmagic.so.1.0.0
M    /usr/lib/libmemusage.so
M    /usr/lib/libmenuw.so.6.2
M    /usr/lib/libmetalink.so.3.1.0
M    /usr/lib/libmicrohttpd.so.12.56.0
M    /usr/lib/libmodulemd.so.2
M    /usr/lib/libmount.so.1.1.0
M    /usr/lib/libmozjs-78.so
M    /usr/lib/libmpfr.so.6.1.0
M    /usr/lib/libmspack.so.0.1.0
M    /usr/lib/libmvec-2.32.so
M    /usr/lib/libncursesw.so.6.2
M    /usr/lib/libnettle.so.8.0
M    /usr/lib/libnpth.so.0.1.2
M    /usr/lib/libnsl-2.32.so
M    /usr/lib/libnsl.so.2.0.1
M    /usr/lib/libnspr4.so
M    /usr/lib/libnss3.so
M    /usr/lib/libnss_altfiles.so.2
M    /usr/lib/libnss_compat-2.32.so
M    /usr/lib/libnss_db-2.32.so
M    /usr/lib/libnss_dns-2.32.so
M    /usr/lib/libnss_files-2.32.so
M    /usr/lib/libnss_hesiod-2.32.so
M    /usr/lib/libnss_myhostname.so.2
M    /usr/lib/libnss_mymachines.so.2
M    /usr/lib/libnss_resolve.so.2
M    /usr/lib/libnss_systemd.so.2
M    /usr/lib/libnssckbi-testlib.so
M    /usr/lib/libnssckbi.so
M    /usr/lib/libnssdbm3.chk
M    /usr/lib/libnssdbm3.so
M    /usr/lib/libnsssysinit.so
M    /usr/lib/libnssutil3.so
M    /usr/lib/libomapi.a
M    /usr/lib/libopts.so.25.17.1
M    /usr/lib/libostree-1.so.1.0.0
M    /usr/lib/libpam.so.0.85.1
M    /usr/lib/libpam_misc.so.0.82.1
M    /usr/lib/libpamc.so.0.82.1
M    /usr/lib/libpanelw.so.6.2
M    /usr/lib/libpcre.so.1.2.12
M    /usr/lib/libpcre16.so.0.2.12
M    /usr/lib/libpcre32.so.0.0.12
M    /usr/lib/libpcrecpp.so.0.0.2
M    /usr/lib/libpcreposix.so.0.0.7
M    /usr/lib/libpkcs11testmodule.so
M    /usr/lib/libplc4.so
M    /usr/lib/libplds4.so
M    /usr/lib/libpolkit-agent-1.so.0.0.0
M    /usr/lib/libpolkit-gobject-1.so.0.0.0
M    /usr/lib/libpopt.so.0.0.0
M    /usr/lib/libprocps.so.8.0.2
M    /usr/lib/libpsl.so.5.3.3
M    /usr/lib/libpthread-2.32.so
M    /usr/lib/libpwquality.so.1.0.2
M    /usr/lib/libpython3.so
M    /usr/lib/libreadline.so.7.0
M    /usr/lib/librepo.so.0
M    /usr/lib/libresolv-2.32.so
M    /usr/lib/librpmostree-1.so.1.0.0
M    /usr/lib/librt-2.32.so
M    /usr/lib/libsasl2.so.3.0.0
M    /usr/lib/libseccomp.so.2.5.0
M    /usr/lib/libselinux.so.1
M    /usr/lib/libsemanage.so.1
M    /usr/lib/libsepol.so.1
M    /usr/lib/libsmartcols.so.1.1.0
M    /usr/lib/libsmime3.so
M    /usr/lib/libsoftokn3.chk
M    /usr/lib/libsoftokn3.so
M    /usr/lib/libsolv.so.0
M    /usr/lib/libsolvext.so.0
M    /usr/lib/libsoup-2.4.so.1.11.0
M    /usr/lib/libsoup-gnome-2.4.so.1.11.0
M    /usr/lib/libsqlite3.so.0.8.6
M    /usr/lib/libss.so.2.0
M    /usr/lib/libssh2.so.1.0.1
M    /usr/lib/libssl.so.1.1
M    /usr/lib/libssl3.so
M    /usr/lib/libstdc++.so.6
M    /usr/lib/libsystemd.so.0
M    /usr/lib/libtasn1.so.6.5.6
M    /usr/lib/libthread_db-1.0.so
M    /usr/lib/libtirpc.so.3.0.0
M    /usr/lib/libudev.so.1
M    /usr/lib/libulockmgr.so.1.0.1
M    /usr/lib/libunistring.a
M    /usr/lib/libunistring.so.2.1.0
M    /usr/lib/libutil-2.32.so
M    /usr/lib/libuuid.so.1.3.0
M    /usr/lib/libverto.so.0.0
M    /usr/lib/libvgauth.so.0.0.0
M    /usr/lib/libvmtools.so.0.0.0
M    /usr/lib/libwrap.a
M    /usr/lib/libwrap.so.0.7.6
M    /usr/lib/libxml2.so.2.9.10
M    /usr/lib/libxmlsec1-nss.so.1.2.30
M    /usr/lib/libxmlsec1-openssl.so.1.2.30
M    /usr/lib/libxmlsec1.so.1.2.30
M    /usr/lib/libxslt.so.1.1.34
M    /usr/lib/libxtables.so.12
M    /usr/lib/libyaml-0.so.2.0.9
M    /usr/lib/libz.so.1.2.11
M    /usr/lib/libzck.so.1.1.7
M    /usr/lib/libzstd.so.1.4.5
M    /usr/lib/bash/basename
M    /usr/lib/bash/dirname
M    /usr/lib/bash/fdflags
M    /usr/lib/bash/finfo
M    /usr/lib/bash/head
M    /usr/lib/bash/id
M    /usr/lib/bash/ln
M    /usr/lib/bash/logname
M    /usr/lib/bash/mkdir
M    /usr/lib/bash/mypid
M    /usr/lib/bash/pathchk
M    /usr/lib/bash/print
M    /usr/lib/bash/printenv
M    /usr/lib/bash/push
M    /usr/lib/bash/realpath
M    /usr/lib/bash/rmdir
M    /usr/lib/bash/seq
M    /usr/lib/bash/setpgid
M    /usr/lib/bash/sleep
M    /usr/lib/bash/strftime
M    /usr/lib/bash/sync
M    /usr/lib/bash/tee
M    /usr/lib/bash/truefalse
M    /usr/lib/bash/tty
M    /usr/lib/bash/uname
M    /usr/lib/bash/unlink
M    /usr/lib/bash/whoami
M    /usr/lib/cloud-init/ds-identify
M    /usr/lib/dracut/dracut-install
M    /usr/lib/dracut/dracut-version.sh
M    /usr/lib/dracut/skipcpio
M    /usr/lib/engines-1.1/afalg.so
M    /usr/lib/engines-1.1/capi.so
M    /usr/lib/engines-1.1/padlock.so
M    /usr/lib/gawk/filefuncs.so
M    /usr/lib/gawk/fnmatch.so
M    /usr/lib/gawk/fork.so
M    /usr/lib/gawk/inplace.so
M    /usr/lib/gawk/intdiv.so
M    /usr/lib/gawk/ordchr.so
M    /usr/lib/gawk/readdir.so
M    /usr/lib/gawk/readfile.so
M    /usr/lib/gawk/revoutput.so
M    /usr/lib/gawk/revtwoway.so
M    /usr/lib/gawk/rwarray.so
M    /usr/lib/gawk/time.so
M    /usr/lib/gconv/ANSI_X3.110.so
M    /usr/lib/gconv/ARMSCII-8.so
M    /usr/lib/gconv/ASMO_449.so
M    /usr/lib/gconv/BIG5.so
M    /usr/lib/gconv/BIG5HKSCS.so
M    /usr/lib/gconv/BRF.so
M    /usr/lib/gconv/CP10007.so
M    /usr/lib/gconv/CP1125.so
M    /usr/lib/gconv/CP1250.so
M    /usr/lib/gconv/CP1251.so
M    /usr/lib/gconv/CP1252.so
M    /usr/lib/gconv/CP1253.so
M    /usr/lib/gconv/CP1254.so
M    /usr/lib/gconv/CP1255.so
M    /usr/lib/gconv/CP1256.so
M    /usr/lib/gconv/CP1257.so
M    /usr/lib/gconv/CP1258.so
M    /usr/lib/gconv/CP737.so
M    /usr/lib/gconv/CP770.so
M    /usr/lib/gconv/CP771.so
M    /usr/lib/gconv/CP772.so
M    /usr/lib/gconv/CP773.so
M    /usr/lib/gconv/CP774.so
M    /usr/lib/gconv/CP775.so
M    /usr/lib/gconv/CP932.so
M    /usr/lib/gconv/CSN_369103.so
M    /usr/lib/gconv/CWI.so
M    /usr/lib/gconv/DEC-MCS.so
M    /usr/lib/gconv/EBCDIC-AT-DE-A.so
M    /usr/lib/gconv/EBCDIC-AT-DE.so
M    /usr/lib/gconv/EBCDIC-CA-FR.so
M    /usr/lib/gconv/EBCDIC-DK-NO-A.so
M    /usr/lib/gconv/EBCDIC-DK-NO.so
M    /usr/lib/gconv/EBCDIC-ES-A.so
M    /usr/lib/gconv/EBCDIC-ES-S.so
M    /usr/lib/gconv/EBCDIC-ES.so
M    /usr/lib/gconv/EBCDIC-FI-SE-A.so
M    /usr/lib/gconv/EBCDIC-FI-SE.so
M    /usr/lib/gconv/EBCDIC-FR.so
M    /usr/lib/gconv/EBCDIC-IS-FRISS.so
M    /usr/lib/gconv/EBCDIC-IT.so
M    /usr/lib/gconv/EBCDIC-PT.so
M    /usr/lib/gconv/EBCDIC-UK.so
M    /usr/lib/gconv/EBCDIC-US.so
M    /usr/lib/gconv/ECMA-CYRILLIC.so
M    /usr/lib/gconv/EUC-CN.so
M    /usr/lib/gconv/EUC-JISX0213.so
M    /usr/lib/gconv/EUC-JP-MS.so
M    /usr/lib/gconv/EUC-JP.so
M    /usr/lib/gconv/EUC-KR.so
M    /usr/lib/gconv/EUC-TW.so
M    /usr/lib/gconv/GB18030.so
M    /usr/lib/gconv/GBBIG5.so
M    /usr/lib/gconv/GBGBK.so
M    /usr/lib/gconv/GBK.so
M    /usr/lib/gconv/GEORGIAN-ACADEMY.so
M    /usr/lib/gconv/GEORGIAN-PS.so
M    /usr/lib/gconv/GOST_19768-74.so
M    /usr/lib/gconv/GREEK-CCITT.so
M    /usr/lib/gconv/GREEK7-OLD.so
M    /usr/lib/gconv/GREEK7.so
M    /usr/lib/gconv/HP-GREEK8.so
M    /usr/lib/gconv/HP-ROMAN8.so
M    /usr/lib/gconv/HP-ROMAN9.so
M    /usr/lib/gconv/HP-THAI8.so
M    /usr/lib/gconv/HP-TURKISH8.so
M    /usr/lib/gconv/IBM037.so
M    /usr/lib/gconv/IBM038.so
M    /usr/lib/gconv/IBM1004.so
M    /usr/lib/gconv/IBM1008.so
M    /usr/lib/gconv/IBM1008_420.so
M    /usr/lib/gconv/IBM1025.so
M    /usr/lib/gconv/IBM1026.so
M    /usr/lib/gconv/IBM1046.so
M    /usr/lib/gconv/IBM1047.so
M    /usr/lib/gconv/IBM1097.so
M    /usr/lib/gconv/IBM1112.so
M    /usr/lib/gconv/IBM1122.so
M    /usr/lib/gconv/IBM1123.so
M    /usr/lib/gconv/IBM1124.so
M    /usr/lib/gconv/IBM1129.so
M    /usr/lib/gconv/IBM1130.so
M    /usr/lib/gconv/IBM1132.so
M    /usr/lib/gconv/IBM1133.so
M    /usr/lib/gconv/IBM1137.so
M    /usr/lib/gconv/IBM1140.so
M    /usr/lib/gconv/IBM1141.so
M    /usr/lib/gconv/IBM1142.so
M    /usr/lib/gconv/IBM1143.so
M    /usr/lib/gconv/IBM1144.so
M    /usr/lib/gconv/IBM1145.so
M    /usr/lib/gconv/IBM1146.so
M    /usr/lib/gconv/IBM1147.so
M    /usr/lib/gconv/IBM1148.so
M    /usr/lib/gconv/IBM1149.so
M    /usr/lib/gconv/IBM1153.so
M    /usr/lib/gconv/IBM1154.so
M    /usr/lib/gconv/IBM1155.so
M    /usr/lib/gconv/IBM1156.so
M    /usr/lib/gconv/IBM1157.so
M    /usr/lib/gconv/IBM1158.so
M    /usr/lib/gconv/IBM1160.so
M    /usr/lib/gconv/IBM1161.so
M    /usr/lib/gconv/IBM1162.so
M    /usr/lib/gconv/IBM1163.so
M    /usr/lib/gconv/IBM1164.so
M    /usr/lib/gconv/IBM1166.so
M    /usr/lib/gconv/IBM1167.so
M    /usr/lib/gconv/IBM12712.so
M    /usr/lib/gconv/IBM1364.so
M    /usr/lib/gconv/IBM1371.so
M    /usr/lib/gconv/IBM1388.so
M    /usr/lib/gconv/IBM1390.so
M    /usr/lib/gconv/IBM1399.so
M    /usr/lib/gconv/IBM16804.so
M    /usr/lib/gconv/IBM256.so
M    /usr/lib/gconv/IBM273.so
M    /usr/lib/gconv/IBM274.so
M    /usr/lib/gconv/IBM275.so
M    /usr/lib/gconv/IBM277.so
M    /usr/lib/gconv/IBM278.so
M    /usr/lib/gconv/IBM280.so
M    /usr/lib/gconv/IBM281.so
M    /usr/lib/gconv/IBM284.so
M    /usr/lib/gconv/IBM285.so
M    /usr/lib/gconv/IBM290.so
M    /usr/lib/gconv/IBM297.so
M    /usr/lib/gconv/IBM420.so
M    /usr/lib/gconv/IBM423.so
M    /usr/lib/gconv/IBM424.so
M    /usr/lib/gconv/IBM437.so
M    /usr/lib/gconv/IBM4517.so
M    /usr/lib/gconv/IBM4899.so
M    /usr/lib/gconv/IBM4909.so
M    /usr/lib/gconv/IBM4971.so
M    /usr/lib/gconv/IBM500.so
M    /usr/lib/gconv/IBM5347.so
M    /usr/lib/gconv/IBM803.so
M    /usr/lib/gconv/IBM850.so
M    /usr/lib/gconv/IBM851.so
M    /usr/lib/gconv/IBM852.so
M    /usr/lib/gconv/IBM855.so
M    /usr/lib/gconv/IBM856.so
M    /usr/lib/gconv/IBM857.so
M    /usr/lib/gconv/IBM858.so
M    /usr/lib/gconv/IBM860.so
M    /usr/lib/gconv/IBM861.so
M    /usr/lib/gconv/IBM862.so
M    /usr/lib/gconv/IBM863.so
M    /usr/lib/gconv/IBM864.so
M    /usr/lib/gconv/IBM865.so
M    /usr/lib/gconv/IBM866.so
M    /usr/lib/gconv/IBM866NAV.so
M    /usr/lib/gconv/IBM868.so
M    /usr/lib/gconv/IBM869.so
M    /usr/lib/gconv/IBM870.so
M    /usr/lib/gconv/IBM871.so
M    /usr/lib/gconv/IBM874.so
M    /usr/lib/gconv/IBM875.so
M    /usr/lib/gconv/IBM880.so
M    /usr/lib/gconv/IBM891.so
M    /usr/lib/gconv/IBM901.so
M    /usr/lib/gconv/IBM902.so
M    /usr/lib/gconv/IBM903.so
M    /usr/lib/gconv/IBM9030.so
M    /usr/lib/gconv/IBM904.so
M    /usr/lib/gconv/IBM905.so
M    /usr/lib/gconv/IBM9066.so
M    /usr/lib/gconv/IBM918.so
M    /usr/lib/gconv/IBM921.so
M    /usr/lib/gconv/IBM922.so
M    /usr/lib/gconv/IBM930.so
M    /usr/lib/gconv/IBM932.so
M    /usr/lib/gconv/IBM933.so
M    /usr/lib/gconv/IBM935.so
M    /usr/lib/gconv/IBM937.so
M    /usr/lib/gconv/IBM939.so
M    /usr/lib/gconv/IBM943.so
M    /usr/lib/gconv/IBM9448.so
M    /usr/lib/gconv/IEC_P27-1.so

Listing package differences

We can also look at package differences, as you expect, using the right tool for the job.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree db diff 820b 965c
ostree diff commit from: 820b (820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88)
ostree diff commit to:   965c (965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f)
Upgraded:
audit 2.8.5-3.ph5 -> 2.8.5-6.ph5
cloud-init 20.3-2.ph5 -> 20.4.1-1.ph5
cpio 2.13-1.ph5 -> 2.13-3.ph5
curl 7.72.0-2.ph5 -> 7.74.0-1.ph5
curl-libs 7.72.0-2.ph5 -> 7.74.0-1.ph5
cyrus-sasl 2.1.27-3.ph5 -> 2.1.27-4.ph5
dhcp-client 4.4.2-1.ph5 -> 4.4.2-2.ph5
dhcp-libs 4.4.2-1.ph5 -> 4.4.2-2.ph5
dracut 050-5.ph5 -> 050-7.ph5
dracut-tools 050-5.ph5 -> 050-7.ph5
file 5.39-1.ph5 -> 5.39-2.ph5
file-libs 5.39-1.ph5 -> 5.39-2.ph5
gdbm 1.18.1-1.ph5 -> 1.19-1.ph5
glibc 2.32-1.ph5 -> 2.32-2.ph5
glibc-iconv 2.32-1.ph5 -> 2.32-2.ph5
gobject-introspection 1.66.0-1.ph5 -> 1.66.0-3.ph5
grub2-theme 5.0-1.ph5 -> 4.0-2.ph5
grub2-theme-ostree 5.0-1.ph5 -> 5.0-2.ph5
iproute2 5.8.0-1.ph5 -> 5.10.0-1.ph5
iptables 1.8.4-1.ph5 -> 1.8.7-1.ph5
json-c 0.15-2.ph5 -> 0.15-3.ph5
libgcc 8.4.0-1.ph5 -> 10.2.0-1.ph5
libmetalink 0.1.3-2.ph5 -> 0.1.3-3.ph5
libmodulemd 2.9.4-1.ph5 -> 2.11.0-1.ph5
librepo 1.12.1-3.ph5 -> 1.12.1-4.ph5
libsepol 3.1-1.ph5 -> 3.1-2.ph5
libsolv 0.6.35-5.ph5 -> 0.6.35-7.ph5
libssh2 1.9.0-2.ph5 -> 1.9.0-3.ph5
libstdc++ 8.4.0-1.ph5 -> 10.2.0-1.ph5
libxml2 2.9.10-3.ph5 -> 2.9.10-6.ph5
libxml2-devel 2.9.10-3.ph5 -> 2.9.10-6.ph5
libxslt 1.1.34-1.ph5 -> 1.1.34-2.ph5
linux 5.9.0-3.ph5 -> 5.10.4-15.ph5
ncurses 6.2-2.ph5 -> 6.2-3.ph5
ncurses-libs 6.2-2.ph5 -> 6.2-3.ph5
ncurses-terminfo 6.2-2.ph5 -> 6.2-3.ph5
nss 3.57-1.ph5 -> 3.57-2.ph5
nss-libs 3.57-1.ph5 -> 3.57-2.ph5
open-vm-tools 11.1.5-4.ph5 -> 11.2.5-1.ph5
openldap 2.4.53-2.ph5 -> 2.4.53-3.ph5
openssl 1.1.1g-3.ph5 -> 1.1.1i-2.ph5
pcre 8.44-1.ph5 -> 8.44-2.ph5
pcre-libs 8.44-1.ph5 -> 8.44-2.ph5
python3 3.8.6-1.ph5 -> 3.9.1-2.ph5
python3-PyYAML 5.3.1-1.ph5 -> 5.4.1-1.ph5
python3-attrs 20.2.0-2.ph5 -> 20.3.0-2.ph5
python3-cryptography 3.1.1-2.ph5 -> 3.2.1-1.ph5
python3-gobject-introspection 1.66.0-1.ph5 -> 1.66.0-3.ph5
python3-libs 3.8.6-1.ph5 -> 3.9.1-2.ph5
python3-packaging 20.4-2.ph5 -> 20.4-3.ph5
python3-pyrsistent 0.17.3-1.ph5 -> 0.17.3-2.ph5
python3-setuptools 3.8.6-1.ph5 -> 3.9.1-2.ph5
python3-urllib3 1.25.10-2.ph5 -> 1.25.11-1.ph5
python3-xml 3.8.6-1.ph5 -> 3.9.1-2.ph5
rpm 4.14.2-11.ph5 -> 4.16.1.2-1.ph5
rpm-libs 4.14.2-11.ph5 -> 4.16.1.2-1.ph5
rpm-ostree 2020.5-4.ph5 -> 2020.5-5.ph5
shadow 4.8.1-2.ph5 -> 4.8.1-3.ph5
shadow-tools 4.8.1-2.ph5 -> 4.8.1-3.ph5
sudo 1.8.30-2.ph5 -> 1.9.5-1.ph5
systemd 245.5-3.ph5 -> 247.3-1.ph5
util-linux 2.36-1.ph5 -> 2.36-2.ph5
util-linux-libs 2.36-1.ph5 -> 2.36-2.ph5
Added:
libpcap-1.10.0-1.ph5.x86_64
python3-Pygments-2.7.2-2.ph5.noarch
python3-alabaster-0.7.12-1.ph5.noarch
python3-babel-2.8.0-3.ph5.noarch
python3-docutils-0.16-1.ph5.noarch
python3-imagesize-1.2.0-2.ph5.noarch
python3-pytz-2020.4-2.ph5.noarch
python3-snowballstemmer-2.0.0-1.ph5.noarch
python3-sphinx-3.3.0-2.ph5.noarch
python3-sphinxcontrib-applehelp-1.0.2-1.ph5.noarch
python3-sphinxcontrib-devhelp-1.0.2-1.ph5.noarch
python3-sphinxcontrib-htmlhelp-1.0.3-1.ph5.noarch
python3-sphinxcontrib-jsmath-1.0.1-1.ph5.noarch
python3-sphinxcontrib-qthelp-1.0.3-1.ph5.noarch
python3-sphinxcontrib-serializinghtml-1.1.4-1.ph5.noarch
python3-typing-3.7.4.3-1.ph5.noarch
systemd-libs-247.3-1.ph5.x86_64
systemd-pam-247.3-1.ph5.x86_64
systemd-rpm-macros-247.3-1.ph5.noarch
systemd-udev-247.3-1.ph5.x86_64

Rollback

If we want to go back to the previous image, we can rollback. The order of the images will be changed, so the old filetree will become the default bootable image. If -r option is passed, the rollback will continue with a reboot.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree rollback
Moving '965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f.0' to be first deployment
Transaction complete; bootconfig swap: yes; deployment count change: 0
Upgraded:
  audit 2.8.5-3.ph5 -> 2.8.5-6.ph5
  cloud-init 20.3-2.ph5 -> 20.4.1-1.ph5
  cpio 2.13-1.ph5 -> 2.13-3.ph5
  curl 7.72.0-2.ph5 -> 7.74.0-1.ph5
  curl-libs 7.72.0-2.ph5 -> 7.74.0-1.ph5
  cyrus-sasl 2.1.27-3.ph5 -> 2.1.27-4.ph5
  dhcp-client 4.4.2-1.ph5 -> 4.4.2-2.ph5
  dhcp-libs 4.4.2-1.ph5 -> 4.4.2-2.ph5
  dracut 050-5.ph5 -> 050-7.ph5
  dracut-tools 050-5.ph5 -> 050-7.ph5
  file 5.39-1.ph5 -> 5.39-2.ph5
  file-libs 5.39-1.ph5 -> 5.39-2.ph5
  gdbm 1.18.1-1.ph5 -> 1.19-1.ph5
  glibc 2.32-1.ph5 -> 2.32-2.ph5
  glibc-iconv 2.32-1.ph5 -> 2.32-2.ph5
  gobject-introspection 1.66.0-1.ph5 -> 1.66.0-3.ph5
  grub2-theme 5.0-1.ph5 -> 5.0-2.ph5
  grub2-theme-ostree 5.0-1.ph5 -> 5.0-2.ph5
  iproute2 5.8.0-1.ph5 -> 5.10.0-1.ph5
  iptables 1.8.4-1.ph5 -> 1.8.7-1.ph5
  json-c 0.15-2.ph5 -> 0.15-3.ph5
  libgcc 8.4.0-1.ph5 -> 10.2.0-1.ph5
  libmetalink 0.1.3-2.ph5 -> 0.1.3-3.ph5
  libmodulemd 2.9.4-1.ph5 -> 2.11.0-1.ph5
  librepo 1.12.1-3.ph5 -> 1.12.1-4.ph5
  libsepol 3.1-1.ph5 -> 3.1-2.ph5
  libsolv 0.6.35-5.ph5 -> 0.6.35-7.ph5
  libssh2 1.9.0-2.ph5 -> 1.9.0-3.ph5
  libstdc++ 8.4.0-1.ph5 -> 10.2.0-1.ph5
  libxml2 2.9.10-3.ph5 -> 2.9.10-6.ph5
  libxml2-devel 2.9.10-3.ph5 -> 2.9.10-6.ph5
  libxslt 1.1.34-1.ph5 -> 1.1.34-2.ph5
  linux 5.9.0-3.ph5 -> 5.10.4-15.ph5
  ncurses 6.2-2.ph5 -> 6.2-3.ph5
  ncurses-libs 6.2-2.ph5 -> 6.2-3.ph5
  ncurses-terminfo 6.2-2.ph5 -> 6.2-3.ph5
  nss 3.57-1.ph5 -> 3.57-2.ph5
  nss-libs 3.57-1.ph5 -> 3.57-2.ph5
  open-vm-tools 11.1.5-4.ph5 -> 11.2.5-1.ph5
  openldap 2.4.53-2.ph5 -> 2.4.53-3.ph5
  openssl 1.1.1g-3.ph5 -> 1.1.1i-2.ph5
  pcre 8.44-1.ph5 -> 8.44-2.ph5
  pcre-libs 8.44-1.ph5 -> 8.44-2.ph5
  python3 3.8.6-1.ph5 -> 3.9.1-2.ph5
  python3-PyYAML 5.3.1-1.ph5 -> 5.4.1-1.ph5
  python3-attrs 20.2.0-2.ph5 -> 20.3.0-2.ph5
  python3-cryptography 3.1.1-2.ph5 -> 3.2.1-1.ph5
  python3-gobject-introspection 1.66.0-1.ph5 -> 1.66.0-3.ph5
  python3-libs 3.8.6-1.ph5 -> 3.9.1-2.ph5
  python3-packaging 20.4-2.ph5 -> 20.4-3.ph5
  python3-pyrsistent 0.17.3-1.ph5 -> 0.17.3-2.ph5
  python3-setuptools 3.8.6-1.ph5 -> 3.9.1-2.ph5
  python3-urllib3 1.25.10-2.ph5 -> 1.25.11-1.ph5
  python3-xml 3.8.6-1.ph5 -> 3.9.1-2.ph5
  rpm 4.14.2-11.ph5 -> 4.16.1.2-1.ph5
  rpm-libs 4.14.2-11.ph5 -> 4.16.1.2-1.ph5
  rpm-ostree 2020.5-4.ph5 -> 2020.5-5.ph5
  shadow 4.8.1-2.ph5 -> 4.8.1-3.ph5
  shadow-tools 4.8.1-2.ph5 -> 4.8.1-3.ph5
  sudo 1.8.30-2.ph5 -> 1.9.5-1.ph5
  systemd 245.5-3.ph5 -> 247.3-1.ph5
  util-linux 2.36-1.ph5 -> 2.36-2.ph5
  util-linux-libs 2.36-1.ph5 -> 2.36-2.ph5
Added:
  libpcap-1.10.0-1.ph5.x86_64
  python3-Pygments-2.7.2-2.ph5.noarch
  python3-alabaster-0.7.12-1.ph5.noarch
  python3-babel-2.8.0-3.ph5.noarch
  python3-docutils-0.16-1.ph5.noarch
  python3-imagesize-1.2.0-2.ph5.noarch
  python3-pytz-2020.4-2.ph5.noarch
  python3-snowballstemmer-2.0.0-1.ph5.noarch
  python3-sphinx-3.3.0-2.ph5.noarch
  python3-sphinxcontrib-applehelp-1.0.2-1.ph5.noarch
  python3-sphinxcontrib-devhelp-1.0.2-1.ph5.noarch
  python3-sphinxcontrib-htmlhelp-1.0.3-1.ph5.noarch
  python3-sphinxcontrib-jsmath-1.0.1-1.ph5.noarch
  python3-sphinxcontrib-qthelp-1.0.3-1.ph5.noarch
  python3-sphinxcontrib-serializinghtml-1.1.4-1.ph5.noarch
  python3-typing-3.7.4.3-1.ph5.noarch
  systemd-libs-247.3-1.ph5.x86_64
  systemd-pam-247.3-1.ph5.x86_64
  systemd-rpm-macros-247.3-1.ph5.noarch
  systemd-udev-247.3-1.ph5.x86_64
  Run "systemctl reboot" to start a reboot

In fact, we can repeat the rollback operation as many times as we want before reboot. On each execution, it’s going to change the order. It will not delete any image.
However, an upgrade will keep the current default image and will eliminate the other image, whichever that is. So if Photon installation rolled back to an older build, an upgrade will keep that, eliminate the newer version and will replace it with an even newer version at the next upgrade.

The boot order moved back to original:

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree status
State: idle
Deployments:
  ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2021-02-20T07:15:43Z)
Commit: 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f
  Diff: 63 upgraded, 20 added

● ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2020-11-04T02:21:47Z)
Commit: 820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88

The current bootable image path moved also back to the original value:

root@photon-host-def [ ~ ]# ostree admin config-diff --print-current-dir
/ostree/deploy/photon/deploy/47899767bdd4276266383fce13c4a26a51ca0304ae754609283d75f7d8aad36e.0

Installing Packages

You can add more packages onto the system that are not part of the commit composed on the server.

rpm-ostree install <packages>

Example:

rpm-ostree install https://kojipkgs.fedoraproject.org//packages/wget/1.19.5/5.fc29/x86_64/wget-1.19.5-5.fc29.x86_64.rpm

Uninstalling Packages

To remove layered packages installed from a repository, use

rpm-ostree uninstall <pkg>

To remove layered packages installed from a local package, you must specify the full NEVRA of the package.

For example:

rpm-ostree uninstall ltrace-0.7.91-16.fc22.x86_64

To uninstall a package that is a part of the base layer, use

rpm-ostree override remove <pkg>

For example:

rpm-ostree override remove firefox

Deleting a deployed filetree

It is possible to delete a deployed tree. You won’t need to do that normally, as upgrading to a new image will delete the old one, but if for some reason deploying failed (loss of power, networking issues), you’ll want to delete the partially deployed image.
The only supported index is 1. (If multiple bootable images will be supported in the future, a larger than one, zero-based index of the image to delete will be supported).
You cannot delete the default bootable filetree, so passing 0 will result in an error.

root@photon-host-def [ ~ ]# ostree admin undeploy -v 1
OT: Using bootloader: OstreeBootloaderGrub2
Transaction complete; bootconfig swap: yes deployment count change: -1
Deleted deployment a31a843985e314a9e70bcf09afe8d59f7351817d9fb743c2b6dab84f20833650

root@photon-host-cus1 [ ~ ]# ostree admin undeploy -v 0
OT: Deployment cf357c0f376decb3bae42326737db7e36bcf3568ab901c33dc57800c3718f07b.0 unlocked=0
error: Cannot undeploy currently booted deployment 0

Now, we can see that the newer image is gone, the deployment directory for commit a31a has been removed.

root@photon-host-def [ ~ ]# rpm-ostree status
  State: idle
  AutomaticUpdates: disabled
  Deployments:
  * ostree://photon-2:photon/5.0/x86_64/minimal
      Version: 5.0_minimal (2019-09-18T12:48:03Z)
  Commit: cf357c0f376decb3bae42326737db7e36bcf3568ab901c33dc57800c3718f07b
  
  root@photon-host-cus1 [ ~ ]# ls /ostree/deploy/photon/deploy/
  cf357c0f376decb3bae42326737db7e36bcf3568ab901c33dc57800c3718f07b.0
  cf357c0f376decb3bae42326737db7e36bcf3568ab901c33dc57800c3718f07b.0.origin 

However the commit is still there in the OSTree repo.

root@photon-7c2d910d79e9 [ ~ ]# ostree log 965c
  commit 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f
  ContentChecksum:  9bc85673bd8d5599d61a02a99accce9bc9b72612c7a3cebd35427875f6514288
  Date:  2021-02-20 07:15:43 +0000
  Version: 5.0_minimal
  (no subject)

But there is nothing to rollback to.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree rollback
Moving '820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88.0' to be first deployment
Transaction complete; bootconfig swap: yes; deployment count change: 0
Run "systemctl reboot" to start a reboot

If we were to upgrade again, it would bring these packages back, but let’s just check the differences.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree upgrade --check-diff
  ⠚ Receiving metadata objects: 0/(estimating) -/s 0 bytes... 
  Receiving metadata objects: 0/(estimating) -/s 0 bytes... done
  No updates available.

Version skipping upgrade

Let’s assume that after a while, VMware releases version 2 that removes sudo and adds bison and tar. Now, an upgrade will skip version 1 and go directly to 2. Let’s first look at what packages are pulled (notice sudo missing, as expected), then upgrade with reboot option.

root@photon-host-def [ ~ ]# rpm-ostree upgrade --check-diff
Updating from: photon:photon/5.0/x86_64/minimal

7 metadata, 13 content objects fetched; 1287 KiB transferred in 0 seconds
+bison-3.0.2-2.ph1.x86_64
+gawk-4.1.0-2.ph1.x86_64
+tar-1.27.1-1.ph1.x86_64
+wget-1.15-1.ph1.x86_64

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree upgrade -r
⠒ Receiving metadata objects: 0/(estimating) -/s 0 bytes... 
Receiving metadata objects: 0/(estimating) -/s 0 bytes... done
No upgrade available.

After reboot, let’s check the booting filetrees, the current dir for the current filetree and look at commit differences:

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree status
State: idle
Deployments:
● ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2020-11-04T02:21:47Z)
Commit: 820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88

  ostree://photon:photon/5.0/x86_64/minimal
    Version: 5.0_minimal (2021-02-20T07:15:43Z)
Commit: 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f


root@photon-7c2d910d79e9 [ ~ ]# ostree admin config-diff --print-current-dir
/ostree/deploy/photon/deploy/820b584a6f90bf6b9b8cb6aad8c093064b88d0ab686be8130baa03d68917ad88.0


root@photon-host-cus1 [ ~ ]# rpm-ostree db diff  8b4b e663
ostree diff commit old: rollback deployment (8b4b9d4ec033d1eb816711bfdda595d1013fecbe5cd340f6a619cdc9d83a3bf2)
ostree diff commit new: booted deployment (e663b2872efa01d80e4c34c823431472beb653373af32de83c7d2480316b8a6a)

root@photon-host-cus1 [ ~ ]# rpm-ostree db diff  82bc 092e
error: Refspec '82bc' not found
Interesting fact: The metadata for commit 82bc has been removed from the local repo.

Tracking parent commits

OSTree will display limited commit history - maximum 2 levels, so if you want to traverse the history even though it may not find a commitment by its ID, you can refer to its parent using ‘^’ suffix, grandfather via ‘^^’ and so on. We know that 82bc is the parent of 092e:

root@photon-host-def [ ~ ]# rpm-ostree db diff  092e^ 092e
  error: No such metadata object 82bca728eadb7292d568404484ad6889c3f6303600ca8c743a4336e0a10b3817.commit
  error: Refspec '82cb' not found
  root@photon-host-def [ ~ ]# rpm-ostree db diff  092e^^ 092e
  error: No such metadata object 82bca728eadb7292d568404484ad6889c3f6303600ca8c743a4336e0a10b3817.commit

So commit 092e knows who its parent is, but its metadata is no longer in the local repo, so it cannot traverse further to its parent to find an existing grandfather.

Resetting a branch to a previous commit

We can reset the head of a branch in a local repo to a previous commit, for example corresponding to version 0 (3.0_minimal).

root@photon-7c2d910d79e9 [ ~ ]# ostree reset photon:photon/5.0/x86_64/minimal 965c

Now if we look again at the branch commit history, the head is at version 0.

root@photon-7c2d910d79e9 [ ~ ]# ostree log photon/5.0/x86_64/minimal
commit 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f
ContentChecksum:  9bc85673bd8d5599d61a02a99accce9bc9b72612c7a3cebd35427875f6514288
Date:  2021-02-20 07:15:43 +0000
Version: 5.0_minimal
(no subject)

Note: The outputs listed above are only for reference. The version numbers in the outputs might vary from the actual outputs.

6 - Creating a Server

Photon OS includes a rpm-ostree-repo package that can be installed on a VM.

This package provides an automated script that creates a repo tree that acts as a server.

Run the following commands to create a server:

tdnf install rpm-ostree-repo

A script is created, which provides options to create a server.

Script to create a Photon OSTree repo Usage:

/usr/bin/rpm-ostree-server/mkostreerepo -r=<repo path> 
/usr/bin/rpm-ostree-server/mkostreerepo -r=<repo path> -p=<json treefile>
/usr/bin/rpm-ostree-server/mkostreerepo -c -r=<repo path> -p=<json treefile>
-r|--repopath   <Provide repo path> 
-p|--jsonfile   <Provide Json file> 
-c|--customrepo <Provide custom repo file inside repo path directory>

Note

  • Use PATH=$PATH:/usr/bin/rpm-ostree-server and then use mkostreerepo from any directory for ease of use.
  • mkostreerepo is used to create the fresh tree for ostree.
  • mkostreerepo is also used to update a new commit to the existing tree.
  • You can also use custom repo as to create/append the tree.

Run the following command to initiate the script, choose different help options to create a server.

mkostreerepo

Manually Composing your OSTree repo

Use the following commands to initialize a new repo and to compose it.

root [ ~ ]# cd /srv/rpm-ostree
root [ /srv/rpm-ostree ]# ostree --repo=repo init --mode=archive-z2
root [ /srv/rpm-ostree ]# rpm-ostree compose tree --repo=repo photon-base.json

You can now deploy a host. For more information, see File oriented server operations and Package oriented server operations to learn how to create your own customized file tree.

7 - Installing a Photon RPM-OStree host against a custom server repository

Organizations that maintain their own OSTree servers create custom image trees suited to their needs from which hosts can be deployed and upgraded. One single server may make available several branches to install, for example “base”, “minimal” and “full”. Or, if you think in terms of Windows OS SKUs - “Home”, “Professional” or “Enterprise” edition.

So in fact there are two pieces of information the OSTree host installer needs - the server URL and the branch ref. Also, there are two ways to pass this info - manually via keyboard, when prompted and automated, by reading from a config file.

Manual install of a custom host

Installing a Photon RPM-OSTree host that will pull from a server repository of your choice is very similar to the way we installed the host against the default server repo in this document.

We will follow the same steps, selecting “Photon OSTree Host”, and after assigning a host name like photon-host and a root password, this time we will click on “Custom RPM-OSTree Server”.

PhotonHostCustom

An additional screen will ask for the URL of server repo - just enter the IP address or fully qualified domain name of the server installed in the previous step.

PhotonHostCustomURL

Once this is done and the installation finished, reboot and you are ready to use it. You may verify - just like in this document - that you can get an rpm-ostree status. The value for the CommitID should be identical to the host that installed from default repo, if the server has been installed fresh, from the same ISO.

Automated install of a custom host via kickstart

Photon supports automated install that will not interact with the user, in other words installer will display its progress, but will not prompt for any keys to be clicked, and will boot at the end of installation.

If not familiar with the way kickstart works, visit Kickstart Support in Photon OS. The kickstart json config for OSTree is similar to minimal or full, except for these settings that should sound familiar:

    ...
    "type": "ostree_host",
    "ostree_repo_url": "http://192.168.218.249",
    "ostree_repo_ref": "photon/5.0/x86_64/minimal",
    ...

See sample kickstart configuration in sample_ks_ostree_client_from_server file for ostree deployement from official photon-os ostree server.

Or, for default installation

    ....
    "type": "ostree_host",
    "default_repo": true,
    ....

See sample kickstart configuration in sample_ks_ostree_client_from_default file for ostree deployment.

If the server is a future version of Photon OS, say Photon OS 5.0, and the administrator composed trees for the included json files, the ostree_repo_ref will take either value: photon/5.0/x86_64/base, photon/5.0/x86_64/minimal, or photon/5.0/x86_64/full.

In most situations, kickstart file is accessed via http from PXE boot. That enables booting from network and end to end install of hosts from pre-defined server URL and branch without assistance from user.

8 - Automatic Updates

Automatic updates are disabled by default.

To verify this, run the status command.

root@photon-7c2d910d79e9 [ ~ ]# rpm-ostree status 
State: idle
Deployments:
● ostree://photon:photon/5.0/x86_64/minimal
   Version: 5.0_minimal (2021-02-20T07:15:43Z)
Commit: 965c1abeb048e1a8ff77e9cd34ffccc5e3356176cda3332b4ff0e7a6c66b661f

Enable Automatic Updates

  1. Run the following command:
$ systemctl restart rpm-ostreed
  1. To enable automatic background updates, edit the /etc/rpm-ostreed.conf, and include the below lines in the Daemon section:

    [Daemon]
    AutomaticUpdatePolicy=stage
    #IdleExitTimeout=60
    
  2. Run the following commands:

    $ systemctl reload rpm-ostreed
    $ systemctl enable rpm-ostree-automatic.timer --now  
    $ systemctl restart rpm-ostree-automatic
    
  3. Verify that the automatic update feature has been enabled:

    $ rpm-ostree status -v 
          State: idle
    
          AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 16min ago
    
  4. On the server machine, perform another commit on the base tree.

Automatic updates are now enabled and will automatically update the host system.

9 - File Oriented Server Operations

In this section, we will checkout a filetree into a writable directory structure on disk, make several file changes and commit the changes back into the repository. Then we will download this commit and apply at the host. As you may have guessed, this chapter is mostly about OSTree - the base technology. I’ve not mentioned anything about packages, although it is quite possible to install packages (after all, packages are made of files, right?) and commit without the help of rpm-ostree, but it’s too much of a headache and not worth the effort, since rpm-ostree does it simpler and better.

When would you want to do that? When you want for all your hosts to get an application or configuration customization that is not encapsulated as part of a package upgrade.

Starting a fresh OSTree repo

If you want to start fresh with your own branch and/or versioning scheme, you can delete the OSTree repo created during the Photon 3.0 RPM-OSTree server install and re-create it empty.

root [ /srv/rpm-ostree ]# rm -rf repo/*

root [ /srv/rpm-ostree ]# ostree --repo=repo init --mode=archive-z2

root [ /srv/rpm-ostree ]# ls repo
config  objects  refs  state  tmp  uncompressed-objects-cache

root [ /srv/rpm-ostree ]# cat repo/config
[core]
repo_version=1
mode=archive-z2

Creating summary metadata

A newer ostree feature, available in Photon OS 2.0 and higher, allows the OSTree server admin to create server summary metadata, that includes among other things the list of available branches and the list of static deltas, so they could be discovered by hosts. To create a summary, run this command after you committed for your branches:

root [ /srv/rpm-ostree ]# ostree summary -u "This is BigData's OSTree server, it has three branches"

We will find out later how the hosts query for branches list.

10 - Package Oriented Server Operations

Now that we have a Photon RPM-OSTree server up and running (if not, see how to install), we will learn how to provide the desired set of packages as input and instruct rpm-ostree to compose a filetree, that will result in creation (or update) of an OSTree repo.
The simplest way to explain is to take a look at the files installed by the Photon RPM-OSTree server during setup.

root [ ~ ]# cd /srv/rpm-ostree/
root [ /srv/rpm-ostree ]# ls -l
total 16
-rw-r--r-- 1 root root 7356 Aug 28 19:06 ostree-httpd.conf
-rw-r--r-- 1 root root 1085 Aug 28 19:06 photon-base.json
lrwxrwxrwx 1 root root   35 Aug 28 19:06 photon-extras-ostree.repo -> /etc/yum.repos.d/photon-extras.repo
lrwxrwxrwx 1 root root   32 Aug 28 19:06 photon-iso-ostree.repo -> /etc/yum.repos.d/photon-iso.repo
lrwxrwxrwx 1 root root   28 Aug 28 19:06 photon-ostree.repo -> /etc/yum.repos.d/photon.repo
lrwxrwxrwx 1 root root   36 Aug 28 19:06 photon-updates-ostree.repo -> /etc/yum.repos.d/photon-updates.repo
drwxr-xr-x 7 root root 4096 Aug 20 22:27 repo

JSON configuration file

How can we tell rpm-ostree what packages we want to include, where to get them from and how to compose the filetree? There is JSON file for that. Let’s take a look at photon-base.json used by the Photon OS team.

root [ /srv/rpm-ostree ]# cat photon-base.json
{
    "comment": "Photon Minimal OSTree",

    "osname": "photon",

    "ref": "photon/5.0/x86_64/minimal",

    "automatic_version_prefix": "5.0_minimal",

    "repos": ["photon"],

    "selinux": false,

    "initramfs-args": ["--no-hostonly"],

    "bootstrap_packages": ["filesystem"],

    "documentation": false,

    "packages": ["glibc", "zlib", "binutils", "gmp", "mpfr", "libgcc", "libstdc++","libgomp",
                "pkg-config", "ncurses", "bash", "bzip2", "cracklib", "cracklib-dicts", "shadow",
                "procps-ng", "iana-etc", "readline", "coreutils", "bc", "libtool", "net-tools",
                "findutils", "xz", "grub2", "grub2-pc", "grub2-efi", "iproute2", "util-linux", "linux",
                "attr", "libcap", "kmod", "expat", "dbus", "file",
                "sed", "grep", "cpio", "gzip",
                "openssl", "ca-certificates", "curl",
                "systemd",
                "openssh", "iptables",
                "photon-release",
                "vim", "photon-repos",
                "docker", "bridge-utils",
                "dracut", "dracut-tools", "rpm-ostree", "nss-altfiles", "which"]
}

There are some mandatory settings, some optional. I’m only going to explain the most important ones for our use case. osname and ref should be familiar, they have been explained in previous sections OSname and Refspec. Basicaly, we are asking rpm-ostree to compose a tree for photon OS and photon/3.0/x86_64/minimal branch.

For more information, see the OS Tree Documentation.

Package addition, removal, upgrade

packages is the list of packages that are to be added, in this case, in the “minimal” installation profile, on top of the packages already included by default. This is not quite the identical set of RPMS you get when you select the minimal profile in the ISO installer, but it’s pretty close and that’s why it’s been named the same. Let’s add to the list three new packages: gawk, sudo and wget using vim photon-base.json

!!!Warning: do not remove any packages from the default list, even an “innocent” one, as it may bring the system to an unstable condition. During my testing, I’ve removed “which”; it turns out it was used to figure out the grub booting roots: on reboot, the system was left hanging at grub prompt.

RPMS repository

But where are these packages located? RPM-OStree uses the same standard RPMS repositories, that yum installs from.

root [ /srv/rpm-ostree ]# ls /etc/yum.repos.d/
photon-debuginfo.repo  photon-extras.repo  photon-iso.repo  photon-updates.repo  photon.repo

Going back to our JSON file, repos is a multi-value setting that tells RPM-OSTree in what RPMS repositories to look for packages. In this case, it looks in the current directory for a “photon” repo configuration file, that is a .repo file starting with a [photon] section. There is such a file: photon-ostree.repo, that is in fact a link to photon.repo in /etc/yum.repos.d directory.

root [ /srv/rpm-ostree ]# cat /etc/yum.repos.d/photon.repo 
[photon]
name=VMware Photon Linux 5.0(x86_64)
baseurl=https://packages.vmware.com/photon/5.0/photon_release_$releasever_$basearch
gpgkey=file:///etc/pki/rpm-gpg/VMWARE-RPM-GPG-KEY
gpgcheck=1
enabled=1
skip_if_unavailable=True

In this case, rpm-ostree is instructed to download its packages in RPM format from the VMware Photon Packages URL, which is the location of an online RPMS repo maintained by the VMware Photon OS team. To ensure those packages can be validated as being genuine and signed by VMware, the signature is checked against the official VMware public key.

So what’s in an RPMS repository? If we point the browser to packages.vmware.com/photon/photon_publish_rpms/, we can see there are three top directories:

  • noarch - where all packages that don’t depend on the architecture reside. Those may contain scripts, platform neutral source files, configuration.
  • x86_64 - platform dependent packages for Intel 32 and 64 bits CPUs.
  • repodata - internal repo management data, like a catalog of all packages, and for every package its name, id, version, architecture and full path file/directory list. There is also a compressed XML file containing the history of changelogs extracted from github, as packages in RPM format were built by Photon OS team members from sources.

Fortunately, in order to compose a tree, you don’t need to download the packages from the online repository (which is time consuming - in the order of minutes), unless there are some new ones or updated versions of them, added by the Photon team after shipping 1.0 version or the 1.0 Refresh. A copy of the starter RPMS repository (as of 1.0 shipping date) has been included on the CD-ROM and you can access it.

root [ /srv/rpm-ostree ]# mount /dev/cdrom
root [ /srv/rpm-ostree ]# ls /mnt/cdrom/RPMS
noarch  repodata  x86_64

All you have to do now is to replace the "repos": ["photon"] entry by "repos": ["photon-iso"], which will point to the RPMS repo on CD-ROM, rather than the online repo. This way, composing saves time, bandwidth and reduces to zero the risk of failure because of a networking issue.

root [ /srv/rpm-ostree ]# cat /etc/yum.repos.d/photon-iso.repo
[photon-iso]
name=VMWare Photon Linux ISO 5.0(x86_64)
baseurl=file:///mnt/cdrom/RPMS
gpgkey=file:///etc/pki/rpm-gpg/VMWARE-RPM-GPG-KEY
gpgcheck=1
enabled=0
skip_if_unavailable=True

There are already in current directory links created to all repositories in /etc/yum.repos.d, so they are found when tree compose command is invoked. You may add any other repo to the list and include packages found in that repo to be part of the image.

Composing a tree

After so much preparation, we can execute a tree compose. We have only added 3 new packages and changed the RPMS repo source. Assuming that the JSON file is editted, run the following:

root [ /srv/rpm-ostree ]# rpm-ostree compose tree --repo=repo photon-base.json
Previous commit: 2940e10c4d90ce6da572cbaeeff7b511cab4a64c280bd5969333dd2fca57cfa8

Downloading metadata [=========================================================================] 100%

Transaction: 117 packages
  Linux-PAM-1.1.8-2.ph5.x86_64
  attr-2.4.47-1.ph5.x86_64
  ...
  gawk-4.1.0-2.ph5.x86_64
  ...
  sudo-1.8.11p1-4.ph5.x86_64
  ...
  wget-1.15-1.ph5.x86_64
  which-2.20-1.ph5.x86_64
  xz-5.0.5-2.ph5.x86_64
  zlib-1.2.8-2.ph5.x86_64
Installing packages [==========================================================================] 100%
Writing '/var/tmp/rpm-ostree.TVO089/rootfs.tmp/usr/share/rpm-ostree/treefile.json'
Preparing kernel
Creating empty machine-id
Executing: /usr/bin/dracut -v --tmpdir=/tmp -f /var/tmp/initramfs.img 4.0.9 --no-hostonly
...
*** Including module: bash ***
*** Including module: kernel-modules ***
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: ostree ***
*** Including module: systemd ***
*** Including module: usrmount ***
*** Including module: base ***
/etc/os-release: line 1: Photon: command not found
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Stripping files ***
*** Stripping files done ***
*** Store current command line parameters ***
*** Creating image file ***
*** Creating image file done ***
Image: /var/tmp/initramfs.img: 11M
========================================================================
Version: dracut-041-1.ph5

Arguments: -v --tmpdir '/tmp' -f --no-hostonly

dracut modules:
bash
kernel-modules
resume
rootfs-block
terminfo
udev-rules
ostree
systemd
usrmount
base
fs-lib
shutdown
========================================================================
drwxr-xr-x  12 root     root            0 Sep  1 00:52 .
crw-r--r--   1 root     root       5,   1 Sep  1 00:52 dev/console
crw-r--r--   1 root     root       1,  11 Sep  1 00:52 dev/kmsg
...   (long list of files removed)
========================================================================
Initializing rootfs
Migrating /etc/passwd to /usr/lib/
Migrating /etc/group to /usr/lib/
Moving /usr to target
Linking /usr/local -> ../var/usrlocal
Moving /etc to /usr/etc
Placing RPM db in /usr/share/rpm
Ignoring non-directory/non-symlink '/var/tmp/rpm-ostree.TVO089/rootfs.tmp/var/lib/nss_db/Makefile'
Ignoring non-directory/non-symlink '/var/tmp/rpm-ostree.TVO089/rootfs.tmp/var/cache/ldconfig/aux-cache'
Ignoring non-directory/non-symlink '/var/tmp/rpm-ostree.TVO089/rootfs.tmp/var/log/btmp'
Ignoring non-directory/non-symlink '/var/tmp/rpm-ostree.TVO089/rootfs.tmp/var/log/lastlog'
Ignoring non-directory/non-symlink '/var/tmp/rpm-ostree.TVO089/rootfs.tmp/var/log/wtmp'
Moving /boot
Using boot location: both
Copying toplevel compat symlinks
Adding tmpfiles-ostree-integration.conf
Committing '/var/tmp/rpm-ostree.TVO089/rootfs.tmp' ...
photon/1.0/x86_64/minimal => c505f4bddb4381e8b5213682465f1e5bb150a18228aa207d763cea45c6a81bbe

We’ve omitted a large portion of the logging output, however you can see that the new filetree adds to the top of the previous (initial) commit 2940e10c4d and produces a new commit c505f4bddb. Our packages gawk-4.1.0-2.ph5.x86_64, sudo-1.8.11p1-4.ph5.x86_64 and wget-1.15-1.ph5.x86_64 have been added.

During compose, rpm-ostree checks out the file tree into its uncompressed form, applies the package changes, places the updated RPM repo into /usr/share/rpm and calls ostree to commit its changes back into the OSTree repo. If we were to look at the temp directory during this time:

root [ /srv/rpm-ostree ]# ls /var/tmp/rpm-ostree.TVO089/rootfs.tmp
bin   dev   lib    media  opt     proc  run   srv  sysroot  usr
boot  home  lib64  mnt    ostree  root  sbin  sys  tmp      var

If we repeat the command, and there is no change in the JSON file settings and no change in metadata, rpm-ostree will figure out that nothing has changed and stop. You can force however to redo the whole composition.

root [ /srv/rpm-ostree ]# rpm-ostree compose tree --repo=repo photon-base.json
Previous commit: c505f4bddb4381e8b5213682465f1e5bb150a18228aa207d763cea45c6a81bbe

Downloading metadata [=========================================================================] 100%


No apparent changes since previous commit; use --force-nocache to override

This takes several minutes. Then why is the RPM-OSTree server installing so fast, in 45 seconds on my SSD? The server doesn’t compose the tree, it uses a pre-created OSTree repo that is stored on the CD-ROM. It comes of course at the expense of larger CD-ROM size. This OSTree repo is created from the same set of RPMS on the CD-ROM, so if you compose fresh, you will get the same exact tree, with same commit ID for the “minimal” ref.

Automatic version prefix

If you recall the filetree version explained earlier, this is where it comes into play. When a tree is composed from scratch, the first version (0) associated to the initial commit is going to get that human readable value. Any subsequent compose operation will auto-increment to .1, .2, .3 and so on.
It’s a good idea to start a versioning scheme of your own, so that your customized Photon builds that may get different packages of your choice don’t get the same version numbers as the official Photon team builds coming from VMware’s OSTree Packages repository. There is no conflict, it’s just confusing to have same name for different commits coming from different repos.
So if you work for a company named Big Data Inc., you may want to switch to a new versioning scheme “automatic_version_prefix”: “1.0_bigdata”.

Installing package updates

If you want to provide hosts with the package updates that VMware periodically releases, all that you need to do is to add the photon-updates.repo to the list of repos in photon-base.json and then re-compose the usual way.

"repos": ["photon", "photon-updates"],

Even though you may have not modified the “packages” section in the json file, the newer versions of existing packages will be included in the new image and then downloaded by the host the usual way. Note that upgrading a package shows differently than adding (+) or removing (-). You may still see packages added (or removed) though because they are new dependencies (or no longer dependencies) for the newer versions of other packages, as libssh2 in the example below.

root [ ~ ]# rpm-ostree upgrade --check-diff
Updating from: photon:photon/5.0/x86_64/minimal

8 metadata, 13 content objects fetched; 1002 KiB transferred in 0 seconds
!bridge-utils-1.5-2.ph5.x86_64
=bridge-utils-1.5-3.ph5.x86_64
!bzip2-1.0.6-5.ph5.x86_64
=bzip2-1.0.6-6.ph5.x86_64
!curl-7.47.1-2.ph5.x86_64
=curl-7.51.0-2.ph5.x86_64
!docker-1.11.0-5.ph5.x86_64
=docker-1.12.1-1.ph5.x86_64
...
+libssh2-1.8.0-1.ph5.x86_64
...

root [ ~ ]# rpm-ostree upgrade
Updating from: photon:photon/1.0/x86_64/minimal

258 metadata, 1165 content objects fetched; 76893 KiB transferred in 8 seconds
Copying /etc changes: 6 modified, 0 removed, 14 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Changed:
  bridge-utils 1.5-2.ph5 -> 1.5-3.ph5
  bzip2 1.0.6-5.ph5 -> 1.0.6-6.ph5
  curl 7.47.1-2.ph5 -> 7.51.0-2.ph5
  docker 1.11.0-5.ph5 -> 1.12.1-1.ph5
  ...
Added:
  libssh2-1.8.0-1.ph5.x86_64
Upgrade prepared for next boot; run "systemctl reboot" to start a reboot

Now if we want to see what packages have been updated and what issues have been fixed, just run at the host the command that we learned about in chapter 5.4.

root [ ~ ]# rpm-ostree db diff 56ef 396e
ostree diff commit old: 56e (56ef687f1319604b7900a232715718d26ca407de7e1dc89251b206f8e255dcb4)
ostree diff commit new: 396 (396e1116ad94692b8c105edaee4fa12447ec3d8f73c7b3ade4e955163d517497)
Upgraded:
 bridge-utils-1.5-3.ph5.x86_64
* Mon Sep 12 2016 user1 <user1@vmware.com> 1.5-3
-	Update patch to fix-2.

 bzip2-1.0.6-6.ph5.x86_64
* Fri Oct 21 2016 user2 <user2@vmware.com> 1.0.6-6
-       Fixing security bug CVE-2016-3189.

 curl-7.51.0-2.ph5.x86_64
* Wed Nov 30 2016 user3 <user3@vmware.com> 7.51.0-2
-   Enable sftp support.

* Wed Nov 02 2016 user4 <user4@vmware.com> 7.51.0-1
-   	Upgrade curl to 7.51.0

* Thu Oct 27 2016 user4 <user4@vmware.com> 7.47.1-4
-   	Patch for CVE-2016-5421

* Mon Sep 19 2016 user3 <user3@vmware.com> 7.47.1-3
-   	Applied CVE-2016-7167.patch.

 docker-1.12.1-1.ph5.x86_64
* Wed Sep 21 2016 user3 <user3@vmware.com> 1.12.1-1
-   Upgraded to version 1.12.1

* Mon Aug 22 2016 user1 <user1@vmware.com> 1.12.0-2
-   Added bash completion file

* Tue Aug 09 2016 user4 <user4@vmware.com> 1.12.0-1
-   Upgraded to version 1.12.0

* Tue Jun 28 2016 user4 <user4@vmware.com> 1.11.2-1
-   Upgraded to version 1.11.2
...
Added:
 libssh2-1.8.0-1.ph5.x86_64

Composing for a different branch

RPM-OSTree makes it very easy to create and update new branches, by composing using json config files that include the Refspec as the new branch name, the list of packages and the other settings we are now familiar with. Photon OS RPM-OSTRee Server installer adds two extra files photon-minimal.json and photon-full.json in addition to photon-base.json, that correspond almost identically to the minimal and full profiles installed via tdnf. It also makes ‘photon-base’ a smaller set of starter branch.

Of course, you can create your own config files for your branches with desired lists of packages. You may compose on top of the existing tree, or you can start fresh your own OSTRee repo, using your own customized versioning.

Note: The outputs listed above are only for reference. The version numbers in the outputs might vary from the actual outputs.

11 - Remotes

In Chapter 3 we talked about the Refspec that contains a photon: prefix, that is the name of a remote. When a Photon host is installed, a remote is added - which contains the URL for an OSTree repository that is the origin of the commits we are going to pull from and deploy filetrees, in our case the Photon RPM-OSTree server we installed the host from. This remote is named photon, which may be confusing, because it’s also the OS name and part of the Refspec (branch) path.

Listing remotes

A host repo can be configured to switch between multiple remotes to pull from, however only one remote is the “active” one at a time. We can list the remotes created so far, which brings back the expected result.

root@photon-7c2d910d79e9 [ ~ ]# ostree remote list
photon

We can inquiry about the URL for that remote name, which for the default host is the expected Photon OS online OSTree repo.

root@photon-host-def [ ~ ]# ostree remote show-url photon
https://<host-name>:8080/repo

But where is this information stored? The repo’s config file has it.

root@photon-host-def [ ~ ]# cat /ostree/repo/config 
[core]
repo_version=1
mode=bare

[remote "photon"]
url=http:<Server-IP-Address:port>/repo
gpg-verify=false

If same command is executed on the custom host we’ve installed, it’s going to reveal the URL of the Photon RPM-OSTree server connected to during setup.

root@photon-7c2d910d79e9 [ ~ ]# ostree remote show-url photon
https://packages.vmware.com/photon/rpm-ostree/base/5.0/x86_64/repo

GPG signature verification

You may wonder what is the purpose of gpg-verify=false in the config file, associated with the specific remote. This will instruct any host update to skip the signing verification for the updates that come from server, resulted from tree composed locally at the server, as they are not signed. Without this, host updating will fail.

There is a whole chapter about signing, importing keys and so on that I will not get into, but the idea is that signing adds an extra layer of security, by validating that everything you download comes from the trusted publisher and has not been altered. That is the case for all Photon OS artifacts downloaded from VMware official site. All OVAs and packages, either from the online RPMS repositories or included in the ISO file - are signed by VMware. We’ve seen a similar setting gpgcheck=1 in the RPMS repo configuration files that tdnf uses to validate or not the signature for all packages downloaded to be installed.

Switching repositories

Since mapping name/url is stored in the repo’s config file, in principle you can re-assign a different URL, connecting the host to a different server. The next upgrade will get the latest commit chain from the new server.
If we edit photon-host-def’s repo config and replace the VMware Photon Packages URL by photon-srv1’s IP address, all original packages in the original 5.0_minimal version will be preserved, but any new package change (addition, removal, upgrade) added after that (in 5.0_minimal.1, 5.0_minimal.2) will be reverted and all new commits from photon-srv1 (that may have same version) will be applied. This is because the two repos are identical copies, so they have the same original commit ID as a common ancestor, but they diverge from there.

If the old and new repo have nothing in common (no common ancestor commit), this will undo even the original commit, so all commits from the new tree will be applied.
A better solution would be to add a new remote that will identify where the commits come from.

Adding and removing remotes

A cleaner way to switch repositories is to add remotes that point to different servers. Let us add another server that we will refer to as photon2, along with (optional) the refspecs for branches that it provides (we will see later that in the newer OSTree versions, we don’t need to know the branch names, they could be queried at run-time).

root@photon-host-cus [ ~ ]# ostree remote add --repo=/ostree/repo -v --no-gpg-verify photon2 http://10.197.103.204:8080 photon/5.0/x86_64/minimal photon/5.0/x86_64/full
root@photon-host-cus [ ~ ]# ostree remote list
photon
photon2
root@photon-host-cus [ ~ ]# ostree remote show-url photon2
http://10.0.0.86

Where is this information stored? There is an extra config file created per each remote:

root@photon-host-cus [ ~ ]# cat /etc/ostree/remotes.d/photon2.conf 
[remote "photon2"]
url=http://10.0.0.86
branches=photon/5.0/x86_64/minimal;photon/5.0/x86_64/full;
gpg-verify=false

You may have guessed what is the effect of --no-gpg-verify option.
Obviously, remotes could also be deleted.

root@photon-host-cus [ ~ ]# ostree remote delete photon2
root@photon-host-cus [ ~ ]# ostree remote list
photon

List available branches

If a host has been deployed from a specific branch and would like to switch to a different one, maybe from a different server, how would it know what branches are available? In git, you would run git remote show origin or git remote -a (although last command would not show all branches, unless you ran git fetch first).

In Photon OS, the hosts are able to query the server, if summary metadata has been generated, as we’ve seen in Creating summary metadata. This command lists all branches available for remote photon2.

root@photon-host-cus [ ~ ]# ostree remote refs photon2 
photon2:photon/5.0/x86_64/base
photon2:photon/5.0/x86_64/full
photon2:photon/5.0/x86_64/minimal

Switching branches (rebasing)

If you have an installed Photon 4.0 that you want to carry to 5.0, you need to rebase it.

See rebasing.

12 - Running container applications between bootable images

In this chapter, we want to test a docker application and make sure that all the settings and downloads done in one bootable filetree are going to be saved into writable folders and be available in the other image, in other words after reboot from the other image, everything is available exactly the same way.
We are going to do this twice: first, to verify an existing bootable image installed in parallel and then create a new one.

Downloading a docker container appliance

Photon OS comes with docker package installed and configured, but we expect that the docker daemon is inactive (not started). Configuration file /usr/lib/systemd/system/docker.service is read-only (remember /usr is bound as read-only).

root@sample-host-def [ ~ ]# systemctl status docker
* docker.service - Docker Daemon
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled)
   Active: inactive (dead)

root@sample-host-def [ ~ ]# cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

Now let’s enable docker daemon to start at boot time - this will create a symbolic link into writable folder /etc/systemd/system/multi-user.target.wants to its systemd configuration, as with all other systemd controlled services.

root@sample-host-def [ ~ ]# systemctl enable docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service -> /lib/systemd/system/docker.service.

root@sample-host-def [ ~ ]# ls -l /etc/systemd/system/multi-user.target.wants
total 0
lrwxrwxrwx 1 root root 34 Sep 10 10:48 docker.service -> /lib/systemd/system/docker.service
lrwxrwxrwx 1 root root 36 Sep  4 04:59 iptables.service -> /lib/systemd/system/iptables.service
lrwxrwxrwx 1 root root 35 Sep  4 04:59 machines.target -> /lib/systemd/system/machines.target
lrwxrwxrwx 1 root root 36 Sep  4 04:59 remote-fs.target -> /lib/systemd/system/remote-fs.target
lrwxrwxrwx 1 root root 39 Sep  4 04:59 sshd-keygen.service -> /lib/systemd/system/sshd-keygen.service
lrwxrwxrwx 1 root root 32 Sep  4 04:59 sshd.service -> /lib/systemd/system/sshd.service
lrwxrwxrwx 1 root root 44 Sep  4 04:59 systemd-networkd.service -> /lib/systemd/system/systemd-networkd.service
lrwxrwxrwx 1 root root 44 Sep  4 04:59 systemd-resolved.service -> /lib/systemd/system/systemd-resolved.service

To verify that the symbolic link points to a file in a read-only directory, try to make a change in this file using vim and save. you’ll get an error: /usr/lib/systemd/system/docker.service" E166: Can't open linked file for writing.

Finally, let’s start the daemon, check again that is active.

root@sample-host-def [ ~ ]# systemctl start docker

root@sample-host-def [ ~ ]# systemctl status -l docker
* docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-09-10 10:54:32 UTC; 14s ago
     Docs: https://docs.docker.com
 Main PID: 2553 (dockerd)
    Tasks: 35 (limit: 4711)
   Memory: 148.2M
   CGroup: /system.slice/docker.service
           |-2553 /usr/bin/dockerd
           `-2566 docker-containerd --config /var/run/docker/containerd/containerd.toml

Sep 10 10:54:31 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:31.421759662Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420312f90, CONNECTING" module=grpc
Sep 10 10:54:31 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:31.421935355Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420312f90, READY" module=grpc
Sep 10 10:54:31 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:31.421980614Z" level=info msg="Loading containers: start."
Sep 10 10:54:31 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:31.886520281Z" level=info msg="Default bridge
(docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.027763113Z" level=info msg="Loading containers: done."
Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.468277184Z" level=info msg="Docker daemon"
commit=6d37f41 graphdriver(s)=overlay2 version=18.06.2-ce
Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.468441587Z" level=info msg="Daemon has completed initialization"
Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.684925824Z" level=warning msg="Could not register builder git source: failed to find git binary: exec: \"git\": executable file not found in $PATH"
Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.691070166Z" level=info msg="API listen on /var/run/docker.sock"
Sep 10 10:54:32 photon-76718dd2fa33 systemd[1]: Started Docker Application Container Engine.

We’ll ask docker to run Ubuntu Linux in a container. Since it’s not present locally, it’s going to be downloaded first from the official docker repository https://hub.docker.com/_/ubuntu/.

root@sample-host-def [ ~ ]# docker ps -a
CONTAINER ID        IMAGE            COMMAND      CREATED           STATUS              PORTS       NAMES

root@sample-host-def [ ~ ]# docker run -it ubuntu
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
35c102085707: Pull complete
251f5509d51d: Pull complete
8e829fe70a46: Pull complete
6001e1789921: Pull complete
Digest: sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90
Status: Downloaded newer image for ubuntu:latest

When downloading is complete, it comes to Ubuntu root prompt with assigned host name 7029a64e7aa3, that is actually the Container ID. Let’s verify it’s indeed the expected OS.

root@sample-host-def [ ~ ]# docker run -it ubuntu
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
d3a1f33e8a5a: Pull complete
c22013c84729: Pull complete
d74508fb6632: Pull complete
91e54dfb1179: Already exists
library/ubuntu:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:fde8a8814702c18bb1f39b3bd91a2f82a8e428b1b4e39d1963c5d14418da8fba
Status: Downloaded newer image for ubuntu:latest

root@7029a64e7aa3:/# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
root@7029a64e7aa3:/#

Now let’s write a file into Ubuntu home directory

echo "Ubuntu file" >> /home/myfile
root@7029a64e7aa3:/home# cat /home/myfile
Ubuntu file

We’ll exit back to the Photon prompt and if it’s stopped, we will re-start it.

root@7029a64e7aa3:/# exit
exit

root@sample-host-def [ ~ ]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                       PORTS               NAMES
7029a64e7aa3        ubuntu              "/bin/bash"         6 minutes ago       Exited (0) 11 seconds ago                        gifted_dijkstra

root@photon-host-cus1 [ ~ ]# docker start  7029a64e7aa3
7029a64e7aa3

root@photon-host-cus1 [ ~ ]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                       PORTS               NAMES
7029a64e7aa3        ubuntu              "/bin/bash"         7 minutes ago       Up 21 seconds                                    gifted_dijkstra

Rebooting into an existing image

Now let’s reboot the machine and select the other image. First, we’ll verify that the docker daemon is automatically started.

root@photon-host-cus1 [ ~ ]# systemctl status docker
* docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-09-10 10:54:32 UTC; 13min ago
     Docs: https://docs.docker.com
 Main PID: 2553 (dockerd)
    Tasks: 55 (limit: 4711)
   Memory: 261.3M
   CGroup: /system.slice/docker.service
           |-2553 /usr/bin/dockerd
   ...

Next, is the Ubuntu OS container still there?

root@photon-host-cus1 [ ~ ]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                       PORTS               NAMES
7029a64e7aa3        ubuntu              "/bin/bash"         9 minutes ago       Up 2 minutes                                     gifted_dijkstra

It is, so let’s start it, attach and verify that our file is persisted, then add another line to it and save, exit.

root@photon-host-cus1 [ ~ ]# docker start -i  7029a64e7aa3
root@7029a64e7aa3:/# cat /home/myfile
Ubuntu file
root@7029a64e7aa3:/# echo "booted into existing image" >> /home/myfile
root@7029a64e7aa3:/# exit
exit

Reboot into a newly created image

Let’s upgrade and replace the .0 image by a .4 build that contains git and also perl_YAML (because it is a dependency of git).

root@photon-host-cus1 [ ~ ]# rpm-ostree status
  TIMESTAMP (UTC)         VERSION               ID             OSNAME     REFSPEC
* 2015-09-04 00:36:37     5.0_minimal     092e21d292     photon     photon:photon/x86_64/minimal
  2015-08-20 22:27:43     5.0_minimal       2940e10c4d     photon     photon:photon/x86_64/minimal

root@photon-host-cus1 [ ~ ]# rpm-ostree upgrade
Updating from: photon:photon/tp2/x86_64/minimal

43 metadata, 209 content objects fetched; 19992 KiB transferred in 0 seconds
Copying /etc changes: 5 modified, 0 removed, 19 added
Transaction complete; bootconfig swap: yes deployment count change: 0
Freed objects: 16.2 MB
Added:
  git-2.1.2-1.ph5tp2.x86_64
  perl-YAML-1.14-1.ph5tp2.noarch
Upgrade prepared for next boot; run "systemctl reboot" to start a reboot

root@photon-host-cus1 [ ~ ]# rpm-ostree status
  TIMESTAMP (UTC)         VERSION               ID             OSNAME     REFSPEC
  2015-09-06 18:12:08     5.0_minimal     d16aebd803     photon     photon:photon/x86_64/minimal
* 2015-09-04 00:36:37     5.0_minimal     092e21d292     photon     photon:photon/x86_64/minimal

After reboot from 5.0_minimal. build, let’s check that the 3-way /etc merge succeeded as expected. The docker.service slink is still there, and docker demon restarted at boot.

root@photon-host-cus1 [ ~ ]# ls -l /etc/systemd/system/multi-user.target.wants/docker.service
lrwxrwxrwx 1 root root 38 Sep  6 12:50 /etc/systemd/system/multi-user.target.wants/docker.service -> /usr/lib/systemd/system/docker.service

root@photon-host-cus1 [ ~ ]# systemctl status docker
* docker.service - Docker Daemon
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled)
   Active: active (running) since Sun 2015-09-06 12:56:33 UTC; 1min 27s ago
 Main PID: 292 (docker)
   CGroup: /system.slice/docker.service
           `-292 /bin/docker -d -s overlay
   ...

Let’s revisit the Ubuntu container. Is the container still there? is myfile persisted?

root@photon-host-cus1 [ ~ ]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                    PORTS               NAMES
7029a64e7aa3        ubuntu              "/bin/bash"         5 days ago          Exited (0) 5 days ago                         gifted_dijkstra
55825c961f95        ubuntu              "/bin/bash"         5 days ago          Exited (127) 5 days ago                       distracted_shannon

root@photon-host-cus1 [ ~ ]# docker start 57dcac5d0490

root@57dcac5d0490:/# cat /home/myfile
Ubuntu file
booted into existing image
root@57dcac5d0490:/# echo "booted into new image" >> /home/myfile

13 - Install or rebase to Photon OS

Photon OS 5.0 provides full RPM-OSTree functionality, it lets the user drive it, rather than provide a pre-defined solution as part of the installation.

The number of packages included in the RPMS repo in Photon OS 5.0 increased significantly, compared to 1.0. To keep the ISO at reasonable size, the previous versions no longer include the compressed ostree.repo file, that helped optimize both the server and host install in 1.0 or 1.0 Rev2. That decision affected the OSTree features we ship out of the box. Customer could achieve the same results by several additional simple steps, that will be explained in this chapter. In addition, there is a new way to create a host raw image at server.

Composing your own RPM-OSTree Server

You can compose your own RPM-OSTRee server in the following two ways:

  1. By Manually executing the below command:
root [ /srv/rpm-ostree ]# ostree --repo=repo init --mode=archive-z2
root [ /srv/rpm-ostree ]# rpm-ostree compose tree --repo=repo photon-base.json
  1. By installing rpm-ostree-repo package . This provides the script to create the repo tree which act as server by executing a single command.

Installing an RPM-OSTree host

Automated host install is supported, as explained in Automated install of a custom host via kickstart.

Rebasing a host from Photon 1.0 to 5.0

If kickstart sounds too complicated and we still want to go the UI way there is a workaround that requires an extra step. Also, if you have an installed Photon 1.0 or 1.0 Rev2 that you want to carry to 5.0, you need to rebase it. Notice that we didn’t say “upgrade”.

Practically, the OSTree repo will switch to a different branch on a different server, following the new server’s branch versioning scheme. The net result is that the lots of packages will get changed to newer versions listed in the newer OSTree repo, which has been composed from a newer Photon OS 5.0 RPMS repo. Again, we didn’t say “upgraded”, neither the rebase command output, that lists “changed” packages. Some obsolete packages will be removed, new packages will be added, either because they didn’t exist in older repo, or because the new config file includes them.
The OS name is the same (Photon), so the content in /var and /etc will be transferred over.

  1. To install fresh, deploy a Photon OS host default, as described in the section Installing A Host Against the Default Server Repository. Of course, if you already have an existing Photon OS 4.0 host that you want to move to 5.0, skip this step.

  2. Edit /ostree/repo/config and substitute the url, providing the IP address for the Photon OS RPM-OSTree server installed above. This was explained in the “Switching Repositories” section of the Remotes document.
    Ostree should confirm that is the updated server IP for the “photon” remote.

root@ostree-host [ ~ ]# ostree remote show-url photon
http://10.20.30.175:8000/repo
  1. Rebase your host to the new 5.0 server and Refspec.
root@ostree-host [ ~ ]# ostree remote add photon-5 http://10.20.30.204:8000/repo --no-gpg-verify
root@ostree-host [ ~ ]# rpm-ostree rebase photon-5:photon/5.0/x86_64/minimal

Rebasing to photon-5:photon/5.0/x86_64/minimal
⠉ Receiving objects: 99% (1541/1549) 478.3 kB/s 107.1 MB
Receiving objects: 99% (1541/1549) 478.3 kB/s 107.1 MB... done
Staging deployment... done
Upgraded:
  docker 18.06.2-3.ph5 -> 18.06.2-4.ph5
  gmp 6.1.2-2.ph5 -> 6.1.2-3.ph5
  gobject-introspection 1.58.0-2.ph5 -> 1.58.0-3.ph5
  gzip 1.9-1.ph5 -> 1.9-2.ph5
  linux 4.19.65-3.ph5 -> 4.19.69-1.ph5
  mpfr 4.0.1-1.ph5 -> 4.0.1-2.ph5
  ostree 2019.2-1.ph5 -> 2019.2-2.ph5
  ostree-grub2 2019.2-1.ph5 -> 2019.2-2.ph5
  ostree-libs 2019.2-1.ph5 -> 2019.2-2.ph5
  zlib 1.2.11-1.ph5 -> 1.2.11-2.ph5
Added:
  efibootmgr-15-1.ph5.x86_64
  efivar-36-1.ph5.x86_64
  tar-1.30-3.ph5.x86_64
Run "systemctl reboot" to start a reboot
  1. Check the status
root@ostree-host [ ~ ]# rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
* ostree://photon-1:photon/5.0/x86_64/minimal
                Version: 5.0_minimal (2019-09-18T08:22:15Z)
            BaseCommit: c8f2b116b067d7695f9033bf2a99505198269354e157c0f2d5b78266cb874239
        LayeredPackages: createrepo_c rpm wget

  ostree://photon:photon/5.0/x86_64/minimal
                Version: 5.0_minimal.1 (2017-01-11T02:18:42)
            BaseCommit: 28dc49ecb4604c0bc349e4445adc659491a1874c01198e6253a261f4d59708b7
        LayeredPackages: createrepo_c rpm wget

You may now reboot to the new Photon OS 5.0 image.

Creating a host raw image

It is now possible to run at server a script that is part of RPM-OStree package, to create a host raw mage.