Composefs

Fedora CoreOS introduced composefs enabled by default starting in Fedora 41. Composefs is an overlay filesystem where the data comes from the usual ostree deployement, and metadata are in the composefs file. The result is a truely read-only root (/) filesystem, increasing the system integrity and robustness.

This is a first step towards a full verification of filesystem integrity, even at runtime.

What does it change?

The main visible change will be that the root filesystem (/) is now small and full (a few MB, 100% used).

Known issues

Top-level directories

Another consequence is that it is now impossible to create top-level directories in /. A common use case for those top level directories is to use them as mount points. We recommend using sub directories in /var instead. Currently, the only way around that is to disable composefs as shown below.

Disable composefs

Composefs can be disabled through a kernel argument: ostree.prepare-root.composefs=0.

Disabling composefs at provisionning

variant: fcos
version: 1.6.0
kernel_arguments:
  should_exist:
    - ostree.prepare-root.composefs=0

Disabling composefs on a running FCOS system

$ sudo rpm-ostree kargs --append='ostree.prepare-root.composefs=0'

Note that a reboot is required for the change to take effect.

Links

Enabling composefs by default for CoreOS and IoT

Want to help? Learn how to contribute to Fedora Docs ›