From 366aac5ccc181bdefb553dbe616736a7f5aff984 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 5 Jun 2026 15:31:17 -0400
Subject: [PATCH 1/2] blog: Add one for transient root with composefs
See content.
Signed-off-by: Colin Walters
---
 config.toml | 3 ++
 .../2026-jun-05-transient-root-etc-var.md | 34 +++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 content/blog/2026-jun-05-transient-root-etc-var.md
diff --git a/config.toml b/config.toml
index 25729f8..15f60c0 100644
--- a/config.toml
+++ b/config.toml
@@ -71,3 +71,6 @@ footer = ""
 
 [extra.authors.jeckersb]
 name = "John Eckersberg"
+
+[extra.authors.cgwalters]
+name = "Colin Walters"
diff --git a/content/blog/2026-jun-05-transient-root-etc-var.md b/content/blog/2026-jun-05-transient-root-etc-var.md
new file mode 100644
index 0000000..49da758
--- /dev/null
+++ b/content/blog/2026-jun-05-transient-root-etc-var.md
@@ -0,0 +1,34 @@
++++
+title = "Video: sealed bootc with transient /etc and /var"
+date = 2026-06-05
+slug = "2026-jun-05-transient-root-etc-var"
+
+[extra]
+author = "cgwalters"
++++
+
+# Video: sealed bootc with transient /etc and /var
+
+I recorded a short demo of the new composefs mount configuration
+support that landed in [bootc#2201](https://github.com/bootc-dev/bootc/pull/2201).
+
+[![Video: sealed bootc with transient /etc and /var](https://img.youtube.com/vi/VJYLtUOCqgA/0.jpg)](https://youtu.be/VJYLtUOCqgA)
+
+The PR adds a `/usr/lib/bootc/setup-root-conf.toml` file that image
+authors can ship in their container image to control how the
+composefs-backed root filesystem is mounted at boot:
+
+- `[root] transient = true` wraps the composefs lower in a tmpfs
+ overlay, so all writes to `/` are discarded on reboot.
+- `[etc] mount = "transient"|"overlay"|"bind"|"none"` controls how
+ `/etc` is mounted from the deployment state directory.
+- `[var] mount = "none"|"bind"` controls whether `/var` is
+ bind-mounted from persistent state. When set to `none`, `/var` is left as an
+ empty composefs directory, and `systemd.volatile=state` on the
+ kernel command line causes bootc to automatically skip the bind-mount
+ so systemd can place a fresh tmpfs there.
+
+This builds directly on the
+[sealed images series](@/blog/2026-may-04-sealed-images-security-chain.md):
+with a transient root and `/etc`, each boot starts from a clean,
+verified image with no persistent mutation to the OS layer.
From 944f2f1d3d5f4c5702d8a39e8f23685cfe064701 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 5 Jun 2026 15:48:10 -0400
Subject: [PATCH 2/2] blog: Fix broken link in sealed-images-building post
The .github/workflows/build-sealed.yml file no longer exists in the redhat-cop/rhel-bootc-examples repo, causing the link checker CI to fail with a 404. Drop the hyperlink and keep the prose description.
Signed-off-by: Colin Walters
---
 content/blog/2026-may-06-sealed-images-building.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/content/blog/2026-may-06-sealed-images-building.md b/content/blog/2026-may-06-sealed-images-building.md
index 618c883..ab13d72 100644
--- a/content/blog/2026-may-06-sealed-images-building.md
+++ b/content/blog/2026-may-06-sealed-images-building.md
@@ -180,8 +180,7 @@ $ just build # build the sealed image
 ## Secret handling in CI
-The examples repository includes a
-[GitHub Actions workflow](https://github.com/redhat-cop/rhel-bootc-examples/blob/main/sealing/.github/workflows/build-sealed.yml)
+The examples repository includes a GitHub Actions workflow
 that demonstrates how to handle key material in CI. The db private key is stored as a GitHub Actions secret and written to a temporary file during the build.