LWN: Comments on "Growing pains for Fedora CoreOS" https://lwn.net/Articles/857933/ This is a special feed containing comments posted to the individual LWN article titled "Growing pains for Fedora CoreOS". en-us Fri, 19 Sep 2025 20:22:27 +0000 Fri, 19 Sep 2025 20:22:27 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Growing pains for Fedora CoreOS https://lwn.net/Articles/859962/ https://lwn.net/Articles/859962/ geuder Today I get a motd <font class="Code"> <pre> ############################################################################ WARNING: This system is using cgroups v1. For increased reliability it is strongly recommended to migrate this system and your workloads to use cgroups v2. For instructions on how to adjust kernel arguments to use cgroups v2, see: https://docs.fedoraproject.org/en-US/fedora-coreos/kernel-args/ To disable this warning, use: sudo systemctl disable coreos-check-cgroups.service ############################################################################ </pre> </font> So they are proceeding, but as expected that won't work fully automatically in all cases. Wed, 16 Jun 2021 12:54:47 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858704/ https://lwn.net/Articles/858704/ raven667 <div class="FormattedComment"> In this situation you&#x27;d be doing all your changes on the test system first, right? It&#x27;s not that much of a departure as there would often be a difference between what is running in test and what is in prod, test can&#x27;t guarantee repro of problems found in prod unless you reset it back to the versions used in prod. There is value in finding upgrade related problems in test first, but as you note the initial advice is probably targeted more toward admins with dozens or hundreds of systems where having a small cadre running bleeding edge code is relatively low risk to the overall system health. The quality benefits of going from prod-only to prod &amp; qa to prod, qa &amp; test to prod, qa, test &amp; dev environments are diminishing while the cost increases but its the scalability of work that goes up the most which is mainly of benefit to larger organizations.<br> </div> Wed, 09 Jun 2021 05:02:19 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858645/ https://lwn.net/Articles/858645/ geuder <div class="FormattedComment"> <font class="QuotedText">&gt; encouraging everyone to run `next` and `testing` on a percentage of their systems.</font><br> <p> Good point.<br> <p> However, we have (only) 2 instances, not 200. One is for production and one for testing (of our systems, not of FCOS). Running our testing system with a different version than the production system does not sound like a great idea. All test results would basically be possibly non-reproducable.<br> <p> So we would need to run a 3rd one just for FCOS testing, a 50% overhead. And of course someone would need to check the instance at every update and run some test set. Which is a bit a against the idea of having automatic updates.<br> <p> Well, no free lunch, I know...<br> <br> </div> Tue, 08 Jun 2021 17:00:45 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858352/ https://lwn.net/Articles/858352/ geuder <div class="FormattedComment"> But some day 34 will no longer be current and that day FCOS stable needs to make a bigger jump with your logic of being equivalent.<br> </div> Fri, 04 Jun 2021 15:46:26 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858351/ https://lwn.net/Articles/858351/ dustymabe <div class="FormattedComment"> <font class="QuotedText">&gt; How often do you actually use a barrier release?</font><br> <p> The barrier releases and a link to the reason behind it are kept in <a rel="nofollow" href="https://github.com/coreos/fedora-coreos-streams/blob/main/updates/stable.json">https://github.com/coreos/fedora-coreos-streams/blob/main...</a> Usually about once every 6 months or so. <br> </div> Fri, 04 Jun 2021 14:47:55 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858349/ https://lwn.net/Articles/858349/ dustymabe <div class="FormattedComment"> <font class="QuotedText">&gt; Automatic updates, new features and full backwards compatibility are an unsolvable equation.</font><br> <p> Part of the way we try to make automatic updates more reliable is by offering 3 different update streams (`next`, `testing`, and `stable`) to our users and encouraging everyone to run `next` and `testing` on a percentage of their systems. If you&#x27;re &quot;testing&quot; nodes encounter a problem you can report it and we can hopefully get it fixed before the much larger pool of &quot;stable&quot; nodes are affected.<br> <p> More info at <a rel="nofollow" href="https://docs.fedoraproject.org/en-US/fedora-coreos/update-streams/">https://docs.fedoraproject.org/en-US/fedora-coreos/update...</a><br> </div> Fri, 04 Jun 2021 14:44:43 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858289/ https://lwn.net/Articles/858289/ zdzichu <q>So is that really true??? No such number is being advertised AFAIK, but internally it is there and I guess at some point in the future it will change. With potentially surprising effects to those who have used it.</q> <p> Yes, that's true. I would expect “stable” branch is equivalent of current stable Fedora release (which today is 34), but there are Fedora features missing in FCOS.</p> Fri, 04 Jun 2021 13:27:09 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858275/ https://lwn.net/Articles/858275/ geuder <font class="QuotedText"> &gt; Do you have a bit more detail on this? I'm guessing it was something around short names i.e. just `busybox` and not `docker.io/busybox` or so? </font><br><br> That was also my understanding after seeing the original error because I have noticed the need to change that in my (very rare) manual use of podman. I did neither debug nor fix the problem myself and our git log tells <font class="Code"> <pre> source /etc/os-release cat &lt;&lt;EOF &gt;/usr/local/foo/Dockerfile -FROM f${VERSION_ID}/fedora-toolbox:latest +FROM registry.fedoraproject.org/fedora-toolbox:latest RUN dnf install foo EOF </pre> </font> (This code is being run on CoreOS)<br><br> So I wonder what they did there. Before before the code fetched <code>f34/fedora-toolbox:latest</code>, I believe from <code>docker.io</code>. Now they fetch <code>fedora-toolbox:latest</code> from <code>registry.fedoraproject.org</code>. Where did the version number go??? Of course lwn is not a code review site for the code of our company, but interesting in the context of this article is <font class="Code"> <pre> $ grep VERSION_\\\|VARIANT /etc/os-release VERSION_ID=34 VERSION_CODENAME="" VARIANT="CoreOS" VARIANT_ID=coreos </pre> </font> The article quoted without correction<br><br> <font class="QuotedText"> &gt; I think this is the fundamental difference here, Fedora CoreOS does not have a version number. It has 3 streams, stable, testing and next, </font><br><br> So is that really true??? No such number is being advertised AFAIK, but internally it is there and I guess at some point in the future it will change. With potentially surprising effects to those who have used it. Fri, 04 Jun 2021 09:37:08 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858265/ https://lwn.net/Articles/858265/ dbnichol <div class="FormattedComment"> Oh, that&#x27;s neat. The ref switch is simple but pretty ugly. I hadn&#x27;t considered anything besides &quot;I want to be at the head of the ref&quot;, but having a client that negotiates specific commits is nice.<br> <p> How often do you actually use a barrier release?<br> </div> Fri, 04 Jun 2021 05:32:56 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858262/ https://lwn.net/Articles/858262/ bgilbert Fedora CoreOS has a <a href="https://github.com/coreos/fedora-coreos-tracker/blob/main/metadata/updates/specifications.md#glossary">barrier release</a> mechanism that does something similar: all updates that traverse the barrier release must update to exactly that release before updating any further. The Fedora CoreOS <a href="https://coreos.github.io/zincati/">update client</a> selects the target OS release from a graph of permissible updates maintained outside of the ostree, so barrier releases can be accomplished without an ostree ref switch. Fri, 04 Jun 2021 03:12:59 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858218/ https://lwn.net/Articles/858218/ walters <div class="FormattedComment"> <font class="QuotedText">&gt; We only recently had a small breakage in our FCOS-based system: Podman used to have some defaults where it pulled images from. Our code worked. The defaults changed (or were removed, don&#x27;t remember from the top of my head) in some automatic update and our code stopped working. </font><br> <p> That&#x27;s a really great example of a bug on the risk/reward spectrum around automatic updates and a relatively &quot;fresh&quot; Linux userspace.<br> <p> Do you have a bit more detail on this? I&#x27;m guessing it was something around short names i.e. just `busybox` and not `docker.io/busybox` or so? Has it been fixed since? Did you engage with an upstream issue? How hard was the workaround?<br> <p> Personally I think it&#x27;s all around worse for everyone if admins stay on relatively frozen userspace or we try to lump things like this even around e.g. 6 month windows because I think in practice if it&#x27;s just every 6 months, a good number of people fall out of habit of upgrading at all (when it requires manual intervention) and drop off the train entirely. And that&#x27;s bad because you&#x27;re not applying critical kernel security updates etc. that are particularly relevant with containers.<br> <p> </div> Thu, 03 Jun 2021 19:29:29 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858202/ https://lwn.net/Articles/858202/ dbnichol For Endless we use something referred to as a checkpoint release to help handle some of these upgrade issues when you have a rolling automatic ostree process. Normally, the <a href="https://github.com/endlessm/eos-updater/">updater</a> pulls the tip of the ostree ref and deploys that. However, if the commit has some additional metadata, it will see that there's a new ref it should follow, but only after deploying and booting into the tip of the current ref. This allows us to stuff some migration code into the commits on the old ref and ensure it'll run before something tries to upgrade to the current ref. This is the only way we can truly remove old features or ensure systems are prepared for a major change. In a way it acts like a traditional upgrade tool. Thu, 03 Jun 2021 17:55:25 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858193/ https://lwn.net/Articles/858193/ highvoltage <div class="FormattedComment"> So, some new Fedora sub-project isn&#x27;t quite ready for prime-time yet? Must be a very, very slow news day :)<br> </div> Thu, 03 Jun 2021 17:07:05 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858184/ https://lwn.net/Articles/858184/ mattdm <div class="FormattedComment"> <font class="QuotedText">&gt; Maybe some selected automatic updates should bundle bigger changes and be announced as higher risk in advance???</font><br> <p> That&#x27;s basically what a Fedora Linux release is.<br> </div> Thu, 03 Jun 2021 15:38:43 +0000 Growing pains for Fedora CoreOS https://lwn.net/Articles/858063/ https://lwn.net/Articles/858063/ geuder <div class="FormattedComment"> Automatic updates, new features and full backwards compatibility are an unsolvable equation.<br> <p> We only recently had a small breakage in our FCOS-based system: Podman used to have some defaults where it pulled images from. Our code worked. The defaults changed (or were removed, don&#x27;t remember from the top of my head) in some automatic update and our code stopped working. Just a little detail, but it demonstrated that basically after every automatic upgrade you need to test your system and be prepared to fix something.<br> <p> Of course that&#x27;s not completely different from manually upgraded systems, especially if you run something that others might consider fragile code or just not consider at all.<br> <p> For a rolling distro additional difficulty are how/when to do these bigger changes which are more likely to break something.<br> <p> Maybe some selected automatic updates should bundle bigger changes and be announced as higher risk in advance???<br> </div> Thu, 03 Jun 2021 05:42:09 +0000