1RPM-OSTREE(1) rpm-ostree RPM-OSTREE(1)
2
6 rpm-ostree - Hybrid image/package system for host operating system
7 updates
8
10 rpm-ostree {COMMAND} [OPTIONS...]
11
13 rpm-ostree is a hybrid image and package system; as the name suggests,
14 it uses OSTree for the image side, and RPM for the package side. It
15 supports composing RPMs server-side into an OSTree commit (like an
16 image), and clients can replicate that bit-for-bit, with fast
17 incremental updates. Additionally, the hybrid nature comes to the fore
18 with client-side package layering and overrides.
19 On an rpm-ostree managed system, the traditional yum (if installed) and
21 rpm tools operate in a read-only state; the RPM database is stored in
22 /usr/share/rpm which is underneath a read-only bind mount.
23 Instead of live package-by-package upgrades, the underlying OSTree
25 layer replicates a complete filesystem tree from a compose server into
26 a new deployment, available on the next reboot. One benefit of this is
27 that there will always be a previous deployment, available for
28 rollback. This also makes it easier to reliably "queue" an update
29 without destabilizing the running system at all. (Currently though
30 there's an experimental livefs command that supports changing the
31 running filesystem).
32 Note in this "pure replication" model, there is no per-client packaging
34 overhead. Dependency resolution, SELinux labeling, all of the scripts
35 etc. were run on the server side and captured in the OSTree commit.
36
38 cancel
39 Cancel a pending transaction. Exits successfully and does nothing
40 if no transaction is running. Note that it is fully safe to cancel
41 transactions such as upgrade in general.
42 db
44 Gives information pertaining to rpm data within the file system
45 trees within the ostree commits. There are three sub-commands:
46 diff to see how the packages are different between the trees in two
48 revs. If no revs are provided, the booted commit is compared to the
49 pending commit. If only a single rev is provided, the booted commit
50 is compared to that rev. The --format=diff option uses - for
51 removed packages, + for added packages, and finally ! for the old
52 version of an updated package, with a following = for the new
53 version.
54 list to see which packages are within the commit(s) (works like yum
56 list). At least one commit must be specified, but more than one or
57 a range will also work.
58 version to see the rpmdb version of the packages within the commit
60 (works like yum version nogroups). At least one commit must be
61 specified, but more than one or a range will also work.
62 deploy
64 Takes version, branch, or commit ID as an argument, and creates a
65 new deployment using it, setting it up as the default for the next
66 boot. Unlike most other commands, this will automatically fetch and
67 traverse the origin history to find the target. By design, this has
68 no effect on your running filesystem tree. You must reboot for any
69 changes to take effect.
70 This will also queue an update for any layered packages.
72 --unchanged-exit-77 to exit status 77 to indicate that the system
74 is already on the specified commit. This tristate return model is
75 intended to support idempotency-oriented systems automation tools
76 like Ansible.
77 --reboot or -r to initiate a reboot after the upgrade is prepared.
79 --preview download enough metadata to inspect the RPM diff, but do
81 not actually create a new deployment.
82 --cache-only or -C to perform the operation without trying to
84 download the target tree from the remote nor the latest packages.
85 --download-only to only download the target ostree and layered RPMs
87 without actually performing the deployment. This can be used with a
88 subsequent --cache-only invocation to perform the operation
89 completely offline.
90 install
92 Takes one or more packages as arguments. The packages are fetched
93 from the enabled repositories in /etc/yum.repos.d/ and are
94 overlayed on top of a new deployment. It is also possible to
95 specify a local RPM package that resides on the host. Overlayed
96 packages can later be removed with the uninstall command.
97 If this is the first time a machine-local change is made, note that
99 this will change rpm-ostree to operate in full hybrid mode.
100 Concretely, rpm-ostree will also start fetching all enabled rpm-md
101 (yum) repositories and use those for package updates every time
102 rpm-ostree upgrade is invoked, as well as during other operations
103 such as rebase.
104 rpm-ostree remembers these requests even if a later host update
106 includes those packages already: if the packages are subsequently
107 dropped out again, rpm-ostree will go back to layering them.
108 Note that by default, specifying a package that is already in the
110 base layer is an error unless the --allow-inactive option is
111 provided. This can be useful when anticipating the removal of a
112 base package.
113 --idempotent to do nothing if a package request is already present
115 instead of erroring out.
116 --reboot or -r to initiate a reboot after the deployment is
118 prepared.
119 --dry-run or -n to exit after printing the transaction rather than
121 downloading the packages and creating a new deployment.
122 --allow-inactive to allow requests for packages that are already in
124 the base layer.
125 --cache-only or -C to perform the operation without trying to
127 download the latest packages.
128 --download-only to only download the target layered RPMs without
130 actually performing the deployment. This can be used with a
131 subsequent --cache-only invocation to perform the operation
132 completely offline.
133 --apply-live will perform a subsequent apply-live operation to
135 apply changes to the booted deployment.
136 uninstall
138 Takes one or more packages as arguments. The packages are removed
139 from the set of packages that are currently overlayed. The
140 remaining packages in the set (if any) are fetched from the enabled
141 repositories in /etc/yum.repos.d/ and are overlayed on top of a new
142 deployment.
143 --reboot or -r to initiate a reboot after the deployment is
145 prepared.
146 --dry-run or -n to exit after printing the transaction rather than
148 downloading the packages and creating a new deployment.
149 rebase
151 Switch to a different base image, while preserving all of the state
152 that upgrade does, such as /etc changes, any layered RPM packages,
153 etc.
154 For rebasing to container images, the syntax uses ostree container
156 image references, which combine container image transports (see man
157 skopeo) along with a required integrity scheme. The ostree model
158 encourages container images to be signed, because they must be
159 ultimately trusted.
160 ostree-image-signed:docker://quay.io/exampleos/custom:latest - this
162 will pull from a remote registry, and error out if the container
163 backend does not require signatures.
164 ostree-unverified-registry:quay.io/exampleos/custom:latest - this
166 will pull from a remote registry, and no signature will be
167 required. In practice, this is just a shorthand for
168 ostree-unverified-image:docker://quay.io/exampleos/custom:latest.
169 ostree-unverified-image:oci:/path/to/dir.oci Fetch from a local
171 unsigned OCI directory (integrity of this directory may have been
172 verified out of band).
173 For rebasing to OSTree branches, the full syntax is rebase
175 REMOTENAME:BRANCHNAME. Alternatively, you can use the --branch or
176 --remote options mentioned below. With the argument syntax,
177 specifying just BRANCHNAME will reuse the same remote. You may also
178 omit one of REMOTENAME or BRANCHNAME (keeping the colon). In the
179 former case, the branch refers to a local branch; in the latter
180 case, the same branch will be used on a different remote.
181 This will also queue an update for any layered packages.
183 --branch or -b to pick a branch name.
185 --remote or -m to pick a remote name.
187 --cache-only or -C to perform the rebase without trying to download
189 the target tree from the remote nor the latest packages.
190 --download-only to only download the target ostree and layered RPMs
192 without actually performing the deployment. This can be used with a
193 subsequent --cache-only invocation to perform the operation
194 completely offline.
195 rollback
197 OSTree manages an ordered list of bootloader entries, called
198 "deployments". The entry at index 0 is the default bootloader
199 entry. Each entry has a separate /etc, but they all share a single
200 /var. You can use the bootloader to choose between entries by
201 pressing Tab to interrupt startup.
202 This command then changes the default bootloader entry. If the
204 current default is booted, then set the default to the previous
205 entry. Otherwise, make the currently booted tree the default.
206 --reboot or -r to initiate a reboot after rollback is prepared.
208 status
210 Gives information pertaining to the current deployment in use.
211 Lists the names and refspecs of all possible deployments in order,
212 such that the first deployment in the list is the default upon
213 boot. The deployment marked with * is the current booted
214 deployment, and marking with 'r' indicates the most recent upgrade
215 (the newest deployment version).
216 upgrade
218 Download the latest version of the current tree, and deploy it,
219 setting it up as the default for the next boot. By design, this has
220 no effect on your running filesystem tree. You must reboot for any
221 changes to take effect.
222 --unchanged-exit-77 to exit status 77 to indicate that the system
224 is already up to date. This tristate return model is intended to
225 support idempotency-oriented systems automation tools like Ansible.
226 --reboot or -r to initiate a reboot after upgrade is prepared.
228 --allow-downgrade to permit deployment of chronologically older
230 trees.
231 --preview to download only /usr/share/rpm in order to do a
233 package-level diff between the two versions.
234 --check to just check if an upgrade is available, without
236 downloading it or performing a package-level diff. Using this flag
237 will force an update of the RPM metadata from the enabled repos in
238 /etc/yum.repos.d/, if there are any layered packages.
239 --cache-only or -C to perform the upgrade without trying to
241 download the latest tree from the remote nor the latest packages.
242 --download-only to only download the target ostree and layered RPMs
244 without actually performing the deployment. This can be used with a
245 subsequent --cache-only invocation to perform the operation
246 completely offline.
247 override
249 Provides subcommands for overriding (modifying) the base OSTree
250 layer. Such modifications should be done with care and are normally
251 not intended to be long-lasting. For example, one might replace a
252 base package with its older version to avoid a regression.
253 Overrides are automatically carried over during new deployments.
254 The subcommands are:
255 remove to remove base packages.
257 replace to replace base packages. Requires explicitly specifying a
259 set of RPMs to install via HTTP or local file paths. On Fedora
260 systems, it is also supported to pull from the Fedora Koji/Bodhi
261 systems. For example, rpm-ostree override replace
262 https://objstore.int.example.com/hotfixes/kernel.rpm, rpm-ostree
263 override replace ./podman.rpm, rpm-ostree override replace
264 https://bodhi.fedoraproject.org/updates/FEDORA-2020-XXXXXXX or
265 rpm-ostree override replace
266 https://koji.fedoraproject.org/koji/buildinfo?buildID=XXXXXXX
267 reset to reset previous overrides. Currently, the full NEVRA of the
269 target packages must be specified.
270 refresh-md
272 Download the latest rpm repo metadata if necessary and generate the
273 cache.
274 kargs
276 Without options, display current default kernel arguments. Modify
277 arguments using the following parameters which will create a new
278 deployment with the modified kernel arguments. Previous deployments
279 are never changed.
280 --editor to use an editor to modify the kernel arguments.
282 --append to append a kernel argument. For example,
284 --append=panic=1.
285 --append-if-missing to append a kernel argument if it is not
287 present.
288 --delete to delete a kernel argument. For example,
290 --delete=panic=1.
291 --delete-if-present to delete a kernel argument if it is already
293 present. For example, --delete-if-present=panic=1.
294 --replace to replace an existing kernel argument, it allows you to
296 pass a KEY=VALUE. Also, it supports "KEY=VALUE=NEWVALUE" to replace
297 the value of an argumnet only if one value exist for that argument.
298 For example, --replace=panic=1. or --replace=panic=1=0.
299 --unchanged-exit-77 to exit status 77 to indicate that the kernel
301 arguments have not changed.
302 By default, modifications are applied to the kernel arguments of
304 the default deployment to get the final arguments. Use
305 --deploy-index or --import-proc-cmdline to instead base them off of
306 a specific deployment or the current boot.
307 cleanup
309 Commands such as upgrade create new deployments, which affect the
310 next boot, and take up additional storage space. In some cases, you
311 may want to undo and clean up these operations. This command
312 supports both removing additional deployments such as the "pending"
313 deployment (the next boot) as well as the default rollback
314 deployment. Use -p/--pending to remove the pending deployment, and
315 -r/--rollback to remove the rollback.
316 The -b/--base option does not affect finished deployments, but will
318 clean up any transient allocated space that may result from
319 interrupted operations. If you want to free up disk space safely,
320 use this option first.
321 The -m/--repomd option cleans up cached RPM repodata and any
323 partially downloaded (but not imported) packages.
324 NOTE: the cleanup will not affect any deployments that have been
326 "pinned" via the ostree admin pin operation.
327 reload
329 Some configuration and state data such as /etc/ostree/remotes.d
330 changes may not be reflected until a daemon reload is invoked. Use
331 this command to initiate a reload.
332 usroverlay
334 Mount a writable overlay filesystem on /usr which is active only
335 for the remainder of the system boot. This is intended for
336 development, testing, and debugging. Changes will not persist
337 across upgrades, or rebooting in general.
338 One important goal of this is to support traditional rpm -Uvh
340 /path/to/rpms or equivalent where changes are applied live.
341 However, an intended future feature for rpm-ostree will be a
342 variant of rpm-ostree override which also supports applying changes
343 live, for the cases which one wants persistence as well.
344 This command is equivalent to ostree admin unlock.
346 initramfs
348 By default, the primary use case mode for rpm-ostree is to
349 replicate an initramfs as part of a base layer. However, some use
350 cases require locally regenerating it to add configuration or
351 drivers. Use rpm-ostree initramfs to inspect the current status.
352 Use --enable to turn on client side initramfs regeneration. This
354 runs dracut to create the new initramfs. A new deployment will be
355 generated with this new initramfs, and after reboot, further
356 upgrades will continue regenerating. You must reboot for the new
357 initramfs to take effect.
358 To append additional custom arguments to the initramfs program
360 (currently dracut), use --arg. For example, --arg=-I
361 --arg=/etc/someconfigfile.
362 The --disable option will disable regeneration. You must reboot for
364 the change to take effect.
365 Note that for the simpler use case of adding a few files to the
367 initramfs, you can use rpm-ostree initramfs-etc instead. It is more
368 lightweight and does not involve running dracut.
369 initramfs-etc
371 Add configuration (/etc) files into the initramfs without
372 regenerating the entire initramfs. This is useful to be able to
373 configure services backing the root block device as well as
374 early-boot services like systemd and journald.
375 Use --track to start tracking a specific file. Can be specified
377 multiple times. A new deployment will be generated. Use --untrack
378 or --untrack-all to stop tracking files.
379 When there are tracked files, any future created deployment (e.g.
381 when doing an upgrade) will ensure that they are synced. You can
382 additionally use --force-sync to simply generate a new deployment
383 with the latest versions of tracked files without upgrading.
384 apply-live
386 Given a target OSTree commit (defaults to the pending deployment),
387 create a transient overlayfs filesystem for the booted /usr, and
388 synchronize the changes from the source to the booted filesystem
389 tree. By default, to ensure safety, only package additions are
390 allowed.
391 --reset to reset the filesystem tree to the booted commit.
393 --target may be used to target an arbitrary OSTree commit. This is
395 an advanced feature, exposed mainly for testing.
396 --allow-replacement enables live updates and removals for existing
398 packages.
399 Example 1. Install postgresql live
401 $ rpm-ostree install postgresql-server
403 $ rpm-ostree apply-live
404 $ systemctl start postgresql # Some setup required
405 This is also the same as:
408 $ rpm-ostree install -A postgresql-server
410 Currently, this just synchronizes the filesystem; no systemd units
412 are restarted for example.
413 A major implicit benefit of the overlayfs approach is that if
415 something goes wrong in the middle of a apply-live operation, a
416 system reboot will implicitly remove the overlay, restoring the
417 system to the pristine deployment state.
418 ex
420 This command offers access to experimental features; command line
421 stability is not guaranteed. The available subcommands will be
422 listed by invoking rpm-ostree ex.
423
425 compose
426 Entrypoint for tree composition; most typically used on servers to
427 prepare trees for replication by client systems. The tree
428 subcommand processes a treefile, installs packages, and commits the
429 result to an OSTree repository. There are also split commands
430 install, postprocess, and commit.
431
433 rpm-ostreed.conf(5) ostree(1), rpm(8)
434rpm-ostree RPM-OSTREE(1)