Skip to content

Immutable system images with OSTree

OSTree (also known as libostree) is the mechanism that enables AutoSD to function as an image-based, immutable operating system. In AutoSD 10, the bootc project manages OS updates on top of OSTree, providing a container-native workflow for deploying and updating system images.

Content-addressed storage

OSTree relies on a content-addressed object store with branches (or refs) that track different states of an image or different images for one or more systems. Each deployment is composed of a set of hard links into the repository. Deduplication is inherent to this model. An upgrade process only uses disk space proportional to the new files, plus some constant overhead.

In AutoSD, OSTree facilitates an A/B update model that is filesystem-based rather than partition-based. This model saves disk space for the system, supports the ability to have more than two versions of the system, and preserves the atomicity of updates and the possibility of rollbacks.

Updates with bootc

AutoSD 10 uses bootc to manage system updates on top of OSTree. Rather than interacting with OSTree commands directly, you update the system by using standard container operations:

  • bootc switch – Switches to a different container image as the OS source
  • bootc update – Pulls the latest version of the current container image

Bootc handles the underlying OSTree commit management, deployment staging, and rollback tracking automatically. For more information about building images, see Automotive Image Builder tool. For step-by-step build instructions, see Building bootc images. For details on pushing images and managing updates through a container registry, see Registry-based distribution.

Security and reliability

In an OSTree model, OS read-only content resides in the /usr directory. OSTree creates a read-only bind mount to prevent inadvertent corruption. In AutoSD, OSTree is combined with composefs to make the OS fully tamperproof against attacks and accidental corruption. For more information about composefs, see Tamperproofing with composefs.

Composefs also improves performance in OSTree-based systems with faster reads and better deduplication. A single writable /var directory is shared between deployments for a given OS. The OSTree core code does not touch content in this directory.

Automated rollback

Each deployment has its own writable copy of the configuration store /etc. During upgrades, OSTree performs a basic three-way diff and applies any local changes to the new copy while leaving the old copy untouched.

GreenBoot deprecation

GreenBoot was removed in Automotive Image Builder 1.1.6 and is not available in AutoSD 10. The automated rollback mechanism for AutoSD 10 is not yet documented and will be described in a future update.

Low-bandwidth updates

As a content-addressed object store, on-disk deduplication is inherent to OSTree and downloads are efficient. Binary diffs between two references in an OSTree repository enable byte-level differences between two versions of a single image or between two separate images. This results in a bandwidth-efficient update mechanism.

By using OSTree through bootc, AutoSD delivers an image-based, immutable operating system. Combined with composefs, AutoSD is tamperproof and supports atomic A/B updates and rollbacks. Together with a bandwidth-efficient update mechanism, you can dynamically install containerized applications and manage the application lifecycle independently from the underlying OS lifecycle.

To learn more about OSTree, see the OSTree project documentation.

© Red Hat