From Fedora Project Wiki

Support booting with an empty root, phase 1

Summary

The general goal of this proposal is to enable Fedora to build a full working root filesystem from scratch, based only on the content of a /usr partition. This does not currently work in Fedora, mainly because it also needs to rely on /etc.

The goal for phase 1 is to move the default configs that packages currently install in /etc to /usr/etc or /usr/share/factory/etc, i.e. into the /usr partition. This way the default /usr partition will come with pre-loaded default configs that can then be copied into /etc when the root is created.

The exact path in /usr where the /etc content will be stored is not fully fleshed out yet. We will update the exact path based on feedback from those discussions. From this point on, let's assume it's /usr/etc.

In the next phases we want to require packages to ship tmpfiles.d configs that generate any file or folder outside of /usr that might be missing. Eventually, as the last phase, packages will be forbidden from installing anything outside /usr and will instead provide tmpfiles configs to do so.


Owner

  • Name: Your Name
  • Email: <your email address so we can contact you, invite you to meetings, etc. Please provide your Bugzilla email address if it is different from your email in FAS>


Current status


  • Targeted release: <VERSION>/ Fedora Linux <VERSION>
  • Last updated: 2025-07-16
  • [<link to devel-announce post will be added by Wrangler> Announced]
  • [<will be assigned by the Wrangler> Discussion thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

In the world of Confidential Computing, a major concern is how to ensure that the root disk is not tampered with by the hypervisor/host. Because the host/hypervisor is not trusted, the OS cannot rely on it to have an encrypted root disk partition. This means that the guest OS should ideally be able to create an encrypted root partition by itself at first boot. Note that having an encrypted root is useful in the case of confidential VMs, but not strictly related to this proposal.

There are multiple ways to achieve root disk encryption at first boot; the most interesting one is described in Fitting Everything Together and is currently being implemented in the Particle OS project. The core idea is to rely only on a verity-protected /usr partition, and to create the root at first boot with systemd-repart. At first boot, /usr will be automatically mounted by systemd-veritysetup, and systemd-tmpfiles together with systemd-sysusers will be able to create all the files required for the installed packages to start properly.

However, as is also visible in https://github.com/systemd/particleos/blob/main/mkosi.extra/usr/lib/tmpfiles.d/etc.conf and https://github.com/systemd/particleos/blob/main/mkosi.finalize, currently no distro is able to boot with /usr only. /etc needs to be copied into /usr, and then symlinked/copied back at boot. Otherwise the system won't boot properly. The focus of this proposal is to enable Fedora to boot with only a pre-populated /usr partition.

Therefore the first phase of this proposal is to propose that configs not be stored in /etc, but in /usr/etc instead. After phase 1, Fedora should be able to fully boot without an existing root with the default shipped packages.

Next phases will include:

  • phase 2: enforcing packages to ship systemd-tmpfiles snippets to automatically generate folders outside of /usr. This way, when the root is created, systemd-tmpfiles will be able to create the required folders so that the package does not break.
  • phase 3: packages supporting empty /var
  • phase 4: gradually forbid packages to install anything outside /usr.

The exact next phases are not fully defined yet. We will update the exact path based on feedback from those discussions.

For phase 1, the goal is simply to rely on /usr/etc instead of /etc. All packages should relocate their configs to the former location, which will enable the initramfs to copy/symlink such files into the encrypted root created on first boot.

More specifically:

  • default config files shipped by packages go into /usr/etc instead of /etc
  • at install time, a symlink /usr/etc -> /etc is added for backward compatibility
  • at build time, add a warning if the package still ships into /etc


Fedora-rawhide (20250716) ships 434 packages, 114 of which write into /etc:

rpm -qla | grep '^/etc/' | xargs rpm -qf | sort -u


abattis-cantarell-vf-fonts-0.301-14.fc42.noarch
adwaita-mono-fonts-49.0-1.fc43.noarch
adwaita-sans-fonts-49.0-1.fc43.noarch
alternatives-1.33-1.fc43.x86_64
audit-4.1.0-1.fc43.x86_64
audit-libs-4.1.0-1.fc43.x86_64
audit-rules-4.1.0-1.fc43.x86_64
authselect-1.6.0-1.fc43.x86_64
authselect-libs-1.6.0-1.fc43.x86_64
avahi-0.9~rc2-3.fc43.x86_64
bash-5.2.37-3.fc43.x86_64
bash-completion-2.16-1.fc42.noarch
bluez-5.83-2.fc43.x86_64
ca-certificates-2024.2.69_v8.0.401-5.fc42.noarch
chrony-4.7-2.fc43.x86_64
coreutils-common-9.7-4.fc43.x86_64
crypto-policies-20250714-1.gitcd6043a.fc43.noarch
cyrus-sasl-lib-2.1.28-30.fc42.x86_64
dbus-common-1.16.0-3.fc42.noarch
dhcp-client-4.4.3-21.fc43.x86_64
dnf5-5.2.15.0-1.fc43.x86_64
dracut-107-3.fc43.x86_64
e2fsprogs-1.47.3-1.fc43.x86_64
elfutils-debuginfod-client-0.193-2.fc43.x86_64
fedora-gpg-keys-43-0.2.noarch
fedora-release-common-43-0.16.noarch
fedora-repos-43-0.2.noarch
fedora-repos-rawhide-43-0.2.noarch
file-5.46-5.fc43.x86_64
filesystem-3.18-44.fc43.x86_64
firewalld-2.3.1-2.fc43.noarch
fonts-filesystem-2.0.5-22.fc43.noarch
fwupd-2.0.12-1.fc43.x86_64
gawk-5.3.2-1.fc43.x86_64
glibc-2.41.9000-20.fc43.x86_64
gnupg2-2.4.8-2.fc43.x86_64
gnupg2-gpgconf-2.4.8-2.fc43.x86_64
google-noto-sans-mono-vf-fonts-20250701-2.fc43.noarch
google-noto-sans-vf-fonts-20250701-2.fc43.noarch
google-noto-serif-vf-fonts-20250701-2.fc43.noarch
grep-3.12-1.fc43.x86_64
groff-base-1.23.0-8.fc42.x86_64
grub2-common-2.12-37.fc43.noarch
grub2-efi-x64-2.12-37.fc43.x86_64
grub2-tools-2.12-37.fc43.x86_64
grub2-tools-extra-2.12-37.fc43.x86_64
grub2-tools-minimal-2.12-37.fc43.x86_64
gzip-1.13-3.fc42.x86_64
kbd-2.8.0-2.fc43.x86_64
kmod-34.2-1.fc43.x86_64
krb5-libs-1.21.3-6.fc43.x86_64
less-679-1.fc43.x86_64
libattr-2.5.2-5.fc42.x86_64
libblockdev-3.3.1-2.fc43.x86_64
libdnf5-5.2.15.0-1.fc43.x86_64
libdnf5-plugin-expired-pgp-keys-5.2.15.0-1.fc43.x86_64
liberation-mono-fonts-2.1.5-13.fc42.noarch
liberation-sans-fonts-2.1.5-13.fc42.noarch
liberation-serif-fonts-2.1.5-13.fc42.noarch
libgcrypt-1.11.1-1.fc43.x86_64
libnl3-3.11.0-4.fc43.x86_64
libpwquality-1.4.5-13.fc43.x86_64
libreport-filesystem-2.17.15-6.fc43.noarch
libsemanage-3.9-0.rc2.1.fc43.x86_64
libssh-config-0.11.2-1.fc43.noarch
libtirpc-1.3.6-1.rc3.fc42.2.x86_64
logrotate-3.22.0-3.fc42.x86_64
man-db-2.13.1-1.fc43.x86_64
mdadm-4.3-7.fc43.x86_64
mtools-4.0.49-1.fc43.x86_64
nano-8.5-1.fc43.x86_64
nano-default-editor-8.5-1.fc43.noarch
ncurses-base-6.5-6.20250614.fc43.noarch
NetworkManager-1.53.91-1.fc43.x86_64
nftables-services-1.1.3-2.fc43.noarch
nilfs-utils-2.2.11-6.fc42.x86_64
nss-3.113.0-1.fc43.x86_64
openldap-2.6.10-2.fc43.x86_64
openssh-10.0p1-4.fc43.x86_64
openssh-clients-10.0p1-4.fc43.x86_64
openssh-server-10.0p1-4.fc43.x86_64
openssl-libs-3.5.1-1.fc43.x86_64
p11-kit-0.25.5-8.fc43.x86_64
pam-1.7.1-1.fc43.x86_64
passim-0.1.10-1.fc43.x86_64
pkcs11-provider-1.0-1.fc43.x86_64
pkgconf-2.3.0-2.fc42.x86_64
plymouth-24.004.60-19.fc43.x86_64
policycoreutils-3.9-0.rc2.1.fc43.x86_64
polkit-126-5.fc43.x86_64
polkit-pkla-compat-0.1-30.fc42.x86_64
popt-1.19-8.fc42.x86_64
rpm-5.99.91-1.fc43.x86_64
samba-common-4.22.3-2.fc43.noarch
selinux-policy-42.1-1.fc43.noarch
selinux-policy-targeted-42.1-1.fc43.noarch
setup-2.15.0-25.fc43.noarch
shadow-utils-4.17.4-1.fc43.x86_64
shim-x64-15.8-3.x86_64
sssd-client-2.11.0-2.fc43.x86_64
sssd-common-2.11.0-2.fc43.x86_64
sssd-kcm-2.11.0-2.fc43.x86_64
sssd-krb5-common-2.11.0-2.fc43.x86_64
sudo-1.9.17-3.p1.fc43.x86_64
systemd-257.7-1.fc43.x86_64
systemd-networkd-257.7-1.fc43.x86_64
systemd-resolved-257.7-1.fc43.x86_64
systemd-udev-257.7-1.fc43.x86_64
tpm2-tss-4.1.3-7.fc43.x86_64
udisks2-2.10.90-3.fc43.x86_64
util-linux-2.41.1-10.fc43.x86_64
util-linux-core-2.41.1-10.fc43.x86_64
vim-minimal-9.1.1537-2.fc43.x86_64
xz-5.8.1-1.fc43.x86_64

So these should be the initial target.

Feedback

Benefit to Fedora

After phase 1, we will have a standard place where all package configs are located, and will be able to boot a standard Fedora image. After the last phase, Fedora would ideally be capable of booting by relying only on /usr (without /usr/etc).

If this proposal is applied (and enforced), we would have strict and clear guidelines for packages on where to install configs, making packages more robust (if a config is missing, recreate it) instead of failing if some file is removed, i.e. the root is formatted.


Scope

  • Proposal owners:

This is a large change because it affects all packages of the distribution, but it's mostly on package owners. Proposal owners should just refine the proposal?

  • Other developers:

Package owners should ensure all configs end up under /usr and not in /etc.

Release engineering should ensure all packages do not ship configs in /etc.

  • Policies and guidelines: N/A (not needed for this Change)

Policy has to be updated to enforce such mechanism. It should happen before implementation is done.

  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy:

I believe this proposal aligns with the Fedora Strategy.

Upgrade/compatibility impact

It should not affect previous versions of Fedora, if a symlink from /usr/etc to /etc is added.

Early Testing (Optional)

Do you require 'QA Blueprint' support? N

How To Test

Because this change (phase 1) applies to all packages, there is no need to rely on special hardware, configuration or packages.

To check that this approach works, install any package (or check the current ones) and see that the files it ships are not stored directly in /etc but in /usr/etc, with a symlink to the former folder for backwards compatibility.
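The check described above can be scripted. The following is an added example, not part of the original proposal: it compares each default under ROOT/usr/etc with its ROOT/etc counterpart and reports whether that entry is a symlink to the default, an identical copy, a locally changed file, or missing. The /usr/etc path, the function names `audit_etc` and `make_demo_root`, and the sample tree are assumptions; the file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the proposal). Assumes defaults live in ROOT/usr/etc
# and that ROOT/etc holds symlinks to them or copies of them.

# audit_etc ROOT: print "<state> <path>" for every default under ROOT/usr/etc.
#   symlink  the /etc entry resolves to the default in /usr/etc
#   copy     regular file, byte-identical to the default
#   drift    present in /etc but different from the default
#   missing  no /etc entry at all
audit_etc() {
    root=$1
    ( cd "$root/usr/etc" && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r rel; do
        def="$root/usr/etc/$rel"
        live="$root/etc/$rel"
        if [ ! -e "$live" ] && [ ! -L "$live" ]; then
            state=missing
        elif [ "$(readlink -f "$live")" = "$(readlink -f "$def")" ]; then
            state=symlink
        elif cmp -s "$def" "$live"; then
            state=copy
        else
            state=drift    # includes dangling symlinks
        fi
        printf '%s %s\n' "$state" "$rel"
    done
}

# make_demo_root: build a constructed sample tree and print its path.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/etc/ssh" "$d/etc/ssh"
    for f in chrony.conf nanorc sudoers ssh/sshd_config; do
        echo "default for $f" > "$d/usr/etc/$f"
    done
    ln -s ../usr/etc/chrony.conf "$d/etc/chrony.conf"          # symlinked
    cp "$d/usr/etc/ssh/sshd_config" "$d/etc/ssh/sshd_config"   # copied
    echo "locally edited" > "$d/etc/sudoers"                   # drifted
    echo "$d"                                                  # nanorc: missing
}

# Audit the given root, or the constructed demo tree when run without arguments.
if [ $# -gt 0 ]; then
    audit_etc "$1"
else
    demo=$(make_demo_root)
    audit_etc "$demo"
    rm -rf "$demo"
fi
```

On a root whose /usr is verity-protected, the `drift` and `copy` lines are the entries that live on the mutable root rather than in the protected partition.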

User Experience

In phase 1, the user will not notice any difference, except that files in /etc are symlinks to /usr/etc.

Dependencies

This change involves all packages.

Contingency Plan

If the feature is not complete by the development freeze, it's not a big deal, as some packages will contain configs in /usr and others in /etc. Fedora would still be unable to boot without root.

  • Contingency mechanism: N/A?
  • Contingency deadline: N/A?
  • Blocks release? No?


Documentation

Documentation will have to be written.

Release Notes

Fedora packages are now shipping configs into /usr/etc (TBD) instead of /etc. A symlink will still be present to link the former with the latter location.