Commit 38cb7ad

blog: Add one for transient root with composefs (#42)
* blog: Add one for transient root with composefs

  See content.

  Signed-off-by: Colin Walters <walters@verbum.org>

* blog: Fix broken link in sealed-images-building post

  The .github/workflows/build-sealed.yml file no longer exists in the
  redhat-cop/rhel-bootc-examples repo, causing the link checker CI to
  fail with a 404. Drop the hyperlink and keep the prose description.

  Signed-off-by: Colin Walters <walters@verbum.org>

---------

Signed-off-by: Colin Walters <walters@verbum.org>
1 parent ced6e0c commit 38cb7ad

3 files changed

Lines changed: 38 additions & 2 deletions

File tree

config.toml

Lines changed: 3 additions & 0 deletions
@@ -71,3 +71,6 @@ footer = ""
7171

7272
[extra.authors.jeckersb]
7373
name = "John Eckersberg"
74+
75+
[extra.authors.cgwalters]
76+
name = "Colin Walters"
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
+++
2+
title = "Video: sealed bootc with transient /etc and /var"
3+
date = 2026-06-05
4+
slug = "2026-jun-05-transient-root-etc-var"
5+
6+
[extra]
7+
author = "cgwalters"
8+
+++
9+
10+
# Video: sealed bootc with transient /etc and /var
11+
12+
I recorded a short demo of the new composefs mount configuration
13+
support that landed in [bootc#2201](https://github.com/bootc-dev/bootc/pull/2201).
14+
15+
[![Video: sealed bootc with transient /etc and /var](https://img.youtube.com/vi/VJYLtUOCqgA/0.jpg)](https://youtu.be/VJYLtUOCqgA)
16+
17+
The PR adds a `/usr/lib/bootc/setup-root-conf.toml` file that image
18+
authors can ship in their container image to control how the
19+
composefs-backed root filesystem is mounted at boot:
20+
21+
- `[root] transient = true` wraps the composefs lower in a tmpfs
22+
overlay, so all writes to `/` are discarded on reboot.
23+
- `[etc] mount = "transient"|"overlay"|"bind"|"none"` controls how
24+
`/etc` is mounted from the deployment state directory.
25+
- `[var] mount = "none"|"bind"` controls whether `/var` is
26+
bind-mounted from persistent state. When set to `none`, `/var` is left as an
27+
empty composefs directory, and `systemd.volatile=state` on the
28+
kernel command line causes bootc to automatically skip the bind-mount
29+
so systemd can place a fresh tmpfs there.
30+
31+
This builds directly on the
32+
[sealed images series](@/blog/2026-may-04-sealed-images-security-chain.md):
33+
with a transient root and `/etc`, each boot starts from a clean,
34+
verified image with no persistent mutation to the OS layer.
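Review bot: the closing sentence ("each boot starts from a clean, verified image with no persistent mutation to the OS layer") is only true for `/` and `/etc` as described in the bullets; with `[var] mount = "bind"` the `/var` state still persists across boots, and the post never says what the defaults are when `/usr/lib/bootc/setup-root-conf.toml` is absent from the image, nor which of the four `[etc] mount` values the demo uses. Since the transient `/var` behaviour is triggered by `systemd.volatile=state` on the kernel command line, the post should also say whether that command line is covered by the verification chain of the sealed images series it builds on, otherwise a reader may assume the transient guarantee is enforced by the image alone. Suggest stating the defaults and adding one sentence after the bullet list along the lines of `With [var] mount = "bind", /var still persists; only / and /etc are reset on reboot.`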

content/blog/2026-may-06-sealed-images-building.md

Lines changed: 1 addition & 2 deletions
@@ -180,8 +180,7 @@ $ just build # build the sealed image
180180

181181
## Secret handling in CI
182182

183-
The examples repository includes a
184-
[GitHub Actions workflow](https://github.com/redhat-cop/rhel-bootc-examples/blob/main/sealing/.github/workflows/build-sealed.yml)
183+
The examples repository includes a GitHub Actions workflow
185184
that demonstrates how to handle key material in CI. The db private
186185
key is stored as a GitHub Actions secret and written to a temporary
187186
file during the build.
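Review bot: removing the hyperlink fixes the link checker but leaves "a GitHub Actions workflow" with no way for the reader to locate it, which matters here because the sentence is the only pointer to how the db private key is handled (secret written to a temporary file during the build). Rather than dropping the link outright, suggest pointing at the repository itself, e.g. `[GitHub Actions workflow](https://github.com/redhat-cop/rhel-bootc-examples)` (or its `sealing/` directory, if that still exists), or, if the workflow was removed rather than moved, say so in the prose so readers do not go looking for it.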
