mkosi VS ostree

I work with a free and open-source software community called Fedora Project. I had the opportunity to moderate the talk of one of the maintainers of the Systemd suite during the annual contributor conference, Flock To Fedora 2023 where he talked about a tool named Mkosi.

For testing i prefer systemd-nspawn containers with mkosi. A neat tool for running your other fav. distro in a terminal. Works like a charm and integrates nicely in your system. Eg. logs and systemd services or CI testing.

- https://github.com/systemd/mkosi

- man:systemd-nspawn(1)

- man:machinectl(1)

you're gonna have to build this on an x86 pc. sudo dnf install arch-install-scripts bubblewrap gdisk qemu-user-static rsync systemd-container python3 -m pip install --user git+https://github.com/systemd/mkosi.git git clone https://github.com/leifliddy/asahi-fedora-usb.git cd asahi-fedora-usb

There's also mkosi: https://github.com/systemd/mkosi. This one outputs an iso or similar image file and supports many base distributions.

[1] https://github.com/systemd/mkosi/issues/376

System's mkosi is worth checking out too: https://github.com/systemd/mkosi I don't think it generates docker/OCI images directly, but it definitely can generate a tarball of the final image contents and then crane of a similar tool could package it up into an appropriate image. For just docker usage it's probably overkill, the main advantage would be it can build other image types like adding a kernel and init to be a fully bootable iso of VM image.

Constellation ensures that all K8s nodes run on AMD-based Confidential VMs (CVMs). CVMs are strongly isolated from the host and remain encrypted in memory at runtime. Constellation also ensures that all nodes run the same minimal mkosi-based node image.

At first glance I thought your project is a frontend for mkosi but then I saw that you support non-systemd targets too. Mentioning it here because it may be relevant to other users/developers.

Ansible makes mutable changes to the OS, task by task.

Nix is immutable. A new change is made entirely new, and only after the build is successful, all packages are "symlinked" to the current system.

Fedora Silverblue is based on ostree [1]. It works similarly like git, but on your root tree. But it requires you to reboot the whole system for the changes to take effect. Since Nix is just symlinked packages, you don't need to reboot the system.

More detailed explanation here [2].

[1]: https://github.com/ostreedev/ostree

[2]: https://dataswamp.org/~solene/2023-07-12-intro-to-immutable-...

This one is for the ostree bug currently ongoing: https://github.com/ostreedev/ostree/issues/2900

This sounds related to the ostree bug.

I definitely agree that immutability offers considerable value in regards to improving security. But arguably it's insufficient to pull the win over mutable Fedora due to the losses caused by the inability to install the kernel-hardened package and the lack of UKI (Unified Kernel Image) support.

Other hardening guides mention a Unified Kernel Image as another measure to further improve security. Unfortunately, once more, this is (currently) not supported on Fedora Silverblue. I haven't seen it being done on openSUSE Aeon either. Though, once again, I'd love to be corrected!

The fedora crew is working on it through ostree though, so both fedora Silverblue and flatpak will be getting it (as well as true immutability) in the future: https://github.com/ostreedev/ostree/issues/2867

Aside from what has already been mentioned, Unified Kernel Image isn't supported (yet).