Immutable Bookworm
Recently many of my friends have expressed an interest in Fedora Silverblue; however, it seems pretty easy and actually straightforward to extend Debian into a similarly "immutable" OS.
There is nothing new or fancy about an immutable Debian. But what I have been doing is to create a custom live bkworm iso and boot from this customized live iso file, which can reside on an HD/SSD or a USB stick. This process is very simple. One step better than Silverblue, this immutable Debian system can optionally be made with persistence (via multiboot). The persistence can be stored either on the main machine or on a portable USB stick. But our main goal is to create an immutable bkworm iso without the need for persistence. That is, truly immutable.
(to be continued)
Last edited by pwzhangzz on 2024-06-17 07:51, edited 3 times in total.
- wizard10000
- Global Moderator
- Posts: 1023
- Joined: 2019-04-16 23:15
- Location: southeastern us
- Has thanked: 114 times
- Been thanked: 169 times
Re: [Off-Topic] Immutable Bkworm
I'm gonna move this to General Debian - I don't think it's off-topic at all. I also took the [Off-Topic] out of the thread title
we see things not as they are, but as we are.
-- anais nin
- pbear
- Posts: 492
- Joined: 2023-08-27 15:05
- Location: San Francisco
- Has thanked: 2 times
- Been thanked: 81 times
Re: Immutable Bkworm
For anyone interested, a link to Silverblue. Frankly, I don't see any advantage for a solo user, but might be convenient for a household or small firm. Bear in mind, container apps mean large updates.
- None1975
- df -h | participant
- Posts: 1520
- Joined: 2015-11-29 18:23
- Location: Russia, Kaliningrad
- Has thanked: 60 times
- Been thanked: 87 times
Re: Immutable Bkworm
pbear wrote: ↑2024-05-14 03:38
    For anyone interested, a link to Silverblue. Frankly, I don't see any advantage for a solo user, but might be convenient for a household or small firm. Bear in mind, container apps mean large updates.
Fedora no longer supports BIOS systems. UEFI only (this applies to new installations). Therefore, I see no purpose here in promoting this product, the quality of which is very questionable.
Re: Immutable Bkworm
pbear wrote: ↑2024-05-14 03:38
    For anyone interested, a link to Silverblue. Frankly, I don't see any advantage for a solo user, but might be convenient for a household or small firm. Bear in mind, container apps mean large updates.
Been reading on this and frankly, I see no use for this for home users or even small businesses.
Re: Immutable Bkworm
Augie77 wrote: ↑2024-05-14 11:41
    pbear wrote: ↑2024-05-14 03:38
        For anyone interested, a link to Silverblue. Frankly, I don't see any advantage for a solo user, but might be convenient for a household or small firm. Bear in mind, container apps mean large updates.
    Been reading on this and frankly, I see no use for this for home users or even small businesses.
The immutable desktop is an enterprise solution being pushed by the two largest companies with enterprise contracts (Red Hat/SuSE) who have to meet certain standards for cloud deployment. Kiosks, FIPS, finance, secure government, etc. In fact, it meets a certain use case for a major project I'm assisting at work and we will use Fedora Gnome Atomic.
The people who use immutable distributions are almost certainly going to access them through a web browser on their MacBooks.
It's not really intended as a solution for people who would use a baremetal desktop Linux install, or need to edit doas.conf or a hosts file. We are a rounding error.
Re: Immutable Bkworm
It's called Endless OS https://www.endlessos.org/os and in some circles it is popular. In fairness it's probably not going to appeal to the mainstream Linux community, but that is not its target audience. If you want a Linux 'appliance' then it's worth a look, provided you can tolerate Gnome and an all-Flatpak environment. Think of it more as an Android type of experience.
Off-Topic: Immutable Bkworm
As I mentioned in a separate thread, we have been running a pro-bono project to help retired professionals use Linux desktops for over a decade. Most of our students have experience using Windows at work, but they were always assisted by IT people. Once on their own, most don't know how to run the computer. Plus, Windows itself is almost totally useless because it has nothing. You need to at least pay Microsoft for the Office subscription in order to do even the basic things. Most of our students don't want to pay money for anything (does anyone not understand what the word "retired" means?). Most of them are especially allergic to giving out a credit card number for perpetual charges.

Because of our very limited manpower, we cannot spend time on individual students. What we have been doing is to prepare a highly customized live usb, and use the same live usb for all the students. Since we have to constantly adjust the content of the live usb to satisfy students' needs, the live usb is created with a persistence partition to preserve changes. After some time, the persistence is merged into the original live iso and a new live usb with a fresh persistence partition is created. If enough user experience can be collected, the live iso can do away with the persistence partition. However, some persistence can still be provided to save user data and for updating application programs (such as LibreOffice and Google Chrome).

This is the idea of an "immutable bkworm", or at least the poor person's version thereof. I cannot emphasize enough the word "bookworm"; this is 100 percent pure Debian (it is no different from my helping you install bkworm and doing the necessary post-installation customizations, except that the process is streamlined) and we will always keep it that way.
It is much more convenient to prepare the live_iso/persistence_partition iterations on an HD/SSD/NVME. This is what I would like to discuss first.
Re: Off-Topic: Immutable Bkworm
Again, since our main goal is to put together a newbie-friendly "immutable bkworm", our approach to creating a live "usb" is different from the conventional approach. It is done on an HD, not a USB stick.
Preparatory steps:
1. Use gparted to create two ext4 partitions, labeled "persistence" and "iso", respectively
2. Create a file named "persistence.conf" in the persistence partition, with the content of "/ union"
3. Use GNOME Files or any other tool to mount the live iso file, then copy the /live folder to the iso partition
4. Edit the 40_custom file in the /etc/grub.d folder as follows:
Code:
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
menuentry "Debian 12 ISO with persistence" {
    search --no-floppy --label --set=iso_partition iso
    set root=$iso_partition
    rmmod tpm
    linux /live/vmlinuz-6.1.0-18-amd64 boot=live components persistence quiet splash
    initrd /live/initrd.img-6.1.0-18-amd64
}
menuentry "Debian 12 ISO" {
    search --no-floppy --label --set=iso_partition iso
    set root=$iso_partition
    rmmod tpm
    linux /live/vmlinuz-6.1.0-18-amd64 boot=live components quiet splash
    initrd /live/initrd.img-6.1.0-18-amd64
}
After running the persistence live iso for a while, you can merge the persistence partition with the original live iso file to create a new live iso file:
Code:
# Lower layer: the original ISO's filesystem.squashfs, mounted read-only
sudo mkdir -p /liveusb /overlay
sudo mount -o loop,ro "/media/ryzen/d-live 12.5.0 gn amd64/live/filesystem.squashfs" /liveusb
# Stack the persistence partition's rw/work directories on top of it
sudo mount -t overlay overlay -o lowerdir=/liveusb,upperdir=/media/ryzen/persistence/rw,workdir=/media/ryzen/persistence/work /overlay
# Pack the merged view into a new squashfs for the next live iso
sudo mksquashfs /overlay newfilesystem.squashfs -comp xz
Just a side note: most of our students, because of their age, are keenly aware of computer viruses, so a read-only ("immutable") computer system is an attractive incentive for them to move away from Windows, especially since they use their computers to watch Netflix, YouTube, etc., which requires them to be connected to the internet essentially all day long.
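As an added example, not the original poster's code: the preparatory steps and the merge step from the post above, collected into POSIX sh functions so the iteration can be repeated without retyping it. It goes beyond the post in three places, all of them assumptions of this example rather than anything the post describes: the ISO is checked against Debian's SHA512SUMS and its detached SHA512SUMS.sign before anything is copied out of it; the kernel version is read from the vmlinuz-* file present in /live instead of being hardcoded into the grub entries; and the persistence upper layer is scanned for credential-bearing files (Wi-Fi profiles with PSKs, shell histories, SSH keys, browser profiles, a modified /etc/shadow) before it is baked into a squashfs that every student will receive. The mount points under /mnt are also assumed.

```shell
#!/bin/sh
# Added example, not the original poster's code: the preparation and merge
# steps of the post as POSIX sh functions. Assumed: partition labels "iso"
# and "persistence", mount points under /mnt, and an ISO downloaded together
# with the SHA512SUMS and SHA512SUMS.sign files from the same cdimage directory.
set -eu

# Verify the ISO before copying anything out of it: first the detached OpenPGP
# signature on SHA512SUMS, then the ISO's hash against that file. The Debian CD
# signing key must already be in the local gpg keyring.
verify_iso() {
    iso="$1"; sums_abs=$(realpath "$2"); sig="$3"
    gpg --verify "$sig" "$sums_abs"
    (cd "$(dirname "$iso")" && sha512sum -c --ignore-missing "$sums_abs")
}

# Step 3 of the post: copy the ISO's /live directory onto the "iso" partition
# (root required).
populate_iso_partition() {
    iso="$1"; iso_mnt="$2"
    mkdir -p /mnt/isoimg
    mount -o loop,ro "$iso" /mnt/isoimg
    cp -a /mnt/isoimg/live "$iso_mnt/"
    umount /mnt/isoimg
}

# Step 2 of the post: "/ union" tells live-boot to overlay the whole root.
write_persistence_conf() {
    printf '/ union\n' > "$1/persistence.conf"
}

# Read the kernel version from the vmlinuz-* file actually present in /live
# (e.g. 6.1.0-18-amd64), so the grub entries follow point releases instead of
# hardcoding a version. Fails unless exactly one kernel is present.
detect_kernel_version() {
    set -- "$1"/vmlinuz-*
    if [ $# -ne 1 ] || [ ! -e "$1" ]; then
        echo "expected exactly one vmlinuz-* in the live directory" >&2
        return 1
    fi
    basename "$1" | sed 's/^vmlinuz-//'
}

# Step 4 of the post: the two menu entries for /etc/grub.d/40_custom with the
# kernel version filled in. Append the output to that file, then run update-grub.
grub_menuentries() {
    ver="$1"
    cat <<EOF
menuentry "Debian 12 ISO with persistence" {
    search --no-floppy --label --set=iso_partition iso
    set root=\$iso_partition
    rmmod tpm
    linux /live/vmlinuz-$ver boot=live components persistence quiet splash
    initrd /live/initrd.img-$ver
}
menuentry "Debian 12 ISO" {
    search --no-floppy --label --set=iso_partition iso
    set root=\$iso_partition
    rmmod tpm
    linux /live/vmlinuz-$ver boot=live components quiet splash
    initrd /live/initrd.img-$ver
}
EOF
}

# Before merging, list files in the persistence upper layer (the rw directory)
# that tend to carry credentials or per-user state. Everything listed here
# would otherwise be baked into the image handed to every student; review and
# delete before calling remaster().
find_leaky_files() {
    find "$1" -type f \( \
        -path '*/etc/NetworkManager/system-connections/*' -o \
        -path '*/etc/shadow' -o \
        -name '.bash_history' -o \
        -path '*/.ssh/*' -o \
        -path '*/.config/google-chrome/*' -o \
        -path '*/.mozilla/*' \) | sort
}

# The post's merge step: mount the original filesystem.squashfs read-only,
# stack the persistence rw/work directories on it with overlayfs, and pack the
# merged view into a fresh squashfs (root required).
remaster() {
    squashfs="$1"; persist="$2"; out="$3"
    mkdir -p /mnt/lower /mnt/merged
    mount -o loop,ro "$squashfs" /mnt/lower
    mount -t overlay overlay \
        -o "lowerdir=/mnt/lower,upperdir=$persist/rw,workdir=$persist/work" /mnt/merged
    mksquashfs /mnt/merged "$out" -comp xz -noappend
    umount /mnt/merged /mnt/lower
}
```

Typical order for one iteration: verify_iso on the downloaded image, populate_iso_partition and write_persistence_conf on the two freshly made partitions, then feed detect_kernel_version's result to grub_menuentries and append that to /etc/grub.d/40_custom before running update-grub. When the persistent system has been in use for a while, run find_leaky_files against the persistence partition's rw directory, remove what it reports, and only then call remaster to produce the next filesystem.squashfs.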
Re: Immutable Bkworm
One of the critical advantages of using bkworm in making an "immutable OS" is that, after more than two and a half years of the equivalent of (open and public!) alphas, betas, RCs, etc. via Sid and/or Testing, Bkworm is a very mature and very stable operating system.
To update the initrd.img of the bkworm live iso*, the following steps can be used:
Code:
# Regenerate the initrd for the kernel of the running (persistent) live system;
# the new file then has to go into /live next to the matching vmlinuz
export kernel_ver='6.1.0-18-amd64'
sudo mkinitramfs -v -o "/boot/initrd.img-${kernel_ver}" "${kernel_ver}"
viewtopic.php?t=149947
If the live iso can be put together competently (i.e., with massive amounts of user experience), there is really not much need to update Bkworm. But it is very doable.
Meanwhile, look forward to the immutable Trixie!
* a live iso with persistence can be regularly updated (and remastered) except for the initrd.img file, which must be done manually
Last edited by pwzhangzz on 2024-06-29 01:38, edited 4 times in total.
- pbear
- Posts: 492
- Joined: 2023-08-27 15:05
- Location: San Francisco
- Has thanked: 2 times
- Been thanked: 81 times
Re: Immutable Bkworm
Been thinking about this for a couple days. A few comments.
1. Your project isn't anything like Silverblue. And while 'static' is one dictionary definition of immutable, it's not the definition Fedora is using. Rather, their form of immutable has to do with not permitting clients to customize their systems (which complicates IT support). Notably, Silverblue users get security updates, whereas a live system doesn't, indeed can't update the kernel (unless something has changed since the last time I looked).
2. People not sufficiently savvy to maintain Windows have no business running Linux. Just getting wifi working has become a nightmare, as many OEMs have switched to Realtek chips (not supported by the kernel). Likewise other peripherals like cameras, printers and scanners. Not to mention software not available, e.g., gaming, Photoshop, and tax prep. As for Word, come now. You must know LibreOffice is available for Windows.
3. Don't know what you're thinking, but what you wrote about security when running a live session is backwards. Malware can do anything the user can do. In a Debian live session, the user has sudo powers and can do pretty much anything, e.g., encrypting all the user's files. Wouldn't help to take persistence out of the equation. If the files are mounted (e.g., manually using File Manager), they're in the line of fire. Is it likely? No, so far the black hats generally haven't found Linux desktop users worth the time. It's misleading, though, to imply a live session is safer.
4. Not sure what you're trying to do can be done, but if I were setting up clients (friends or family) for something like Silverblue, (i) I'd install the usual way, making myself admin and the client a standard user (no sudo privileges); (ii) have separate partitions for system and data (with client files in the latter, of course); (iii) set up some mechanism for updating the system occasionally (monthly should be sufficient); (iv) set up a mechanism for remote support. I realize you don't have the bandwidth to support this. In that case, non-tech-savvy clients have no business running Linux.
5. If I were trying to do something like what you're doing, I wouldn't use live + persistence. I'd create a master installed system with modifications (basically, a respin), distribute that, and periodically update it with a script which rsyncs changes from a repo hosted at SourceForge or similar. Again, client files would be in a separate data partition.
Just my $0.02's worth.
- sunrat
- Administrator
- Posts: 7275
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 127 times
- Been thanked: 634 times
Re: Immutable Bkworm
Maybe look at how Vanilla OS do it. I'm not going to though as it's based on Ubuntu (yuk) with Gnome (poo).
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
Re: [Off-Topic] Iterating an Immutable Bookworm for Dummies/Newbies
Actually, what I meant by "immutable bookworm" is nothing more than a live iso (just a fancier name), typically created by the live-build package. However, because my technical level is so low, I have not been able to create a live iso to suit our needs using the lb package. The above-mentioned iterative approach definitely sounds low-tech, but we have been able to successfully deploy it to help our students for more than a decade (we started with Ubuntu and are now on Debian; for some reason we have not been successful with Fedora or Red Hat clones). We are not going back to Ubuntu, but any help or suggestions with regard to Fedora/RedHat will be appreciated.
As I mentioned above, a read-only "immutable" OS is very attractive to our students, who are retired professionals, many with advanced degrees. Many have seen the movie "Groundhog Day"; every morning Bill Murray woke up to the alarm clock, it went back to exactly yesterday. Similarly, when you turn off an "immutable" system, all the garbage, viruses, and what have you that the web sites you visited sneaked into your system will be gone. Of course, the exact technical term for this is a "live iso", but no one will give a damn about what you are talking about. No one will remember it.
Re: [Off-Topic] Iterating an Immutable Bookworm for Dummies/Newbies
One of the best advantages of this iterative live_iso/persistence_partition/overlay approach over the conventional live-build tool in making an "immutable" live iso is that this low-tech approach allows the Guest Additions to be easily incorporated into the live iso (just like any other customization). Any challenges? Please!
A live iso, which can be easily attached to a VBox VM and booted from there, is probably the easiest way to show a Debian desktop, especially to Windows users. It is also super snappy. However, a live iso without the Guest Additions installed will not do Debian justice.
Re: [Off-Topic] Iterating an Immutable Bookworm for Dummies/Newbies
Unless you have already done so, I really think you should familiarize yourself with openSUSE Aeon (currently RC2) and Fedora Silverblue.
Especially the openSUSE offering seems to be able to take care of itself once installed.
I have been running Fedora Silverblue on one of my laptops for a couple of years now and it works very well. It does require some manual work when upgrading to a new version. openSUSE Aeon, on the other hand, is a rolling distribution.
- df -h | grep > 20TiB
- Posts: 1512
- Joined: 2012-10-06 05:31
- Location: /dev/chair
- Has thanked: 102 times
- Been thanked: 250 times
Re: Immutable Bkworm
There's always GNU Guix. Declarative reproducible configuration, atomic updates with rollback to any previous state, unprivileged per-user package management and version tracking with garbage collection... Ticks plenty of boxes from where I'm sitting, and so do fun things like:
Code:
guix system image --image-type=qcow2 my-cool-os-definition.scm
The not-Debian (and FLOSS-only) hair shirt would probably itch a bit, but it might just be worth it for the features on offer. IMO reproducible > immutable in most scenarios I'd be likely to encounter, and state rollback (with or without overlayfs root) hits the amnesiac/live image angle pretty well too.
Also yes, this is at least a little bit of a troll. Guix is very cool, but if one is struggling with building a Debian live spin then learning Scheme and a package everything manager designed by a Kardashev type II cat civilisation probably isn't the first option to reach for. Still, possibilities abound.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
- pbear
- Posts: 492
- Joined: 2023-08-27 15:05
- Location: San Francisco
- Has thanked: 2 times
- Been thanked: 81 times
Re: [Off-Topic] Iterating an Immutable Bookworm for Dummies/Newbies
There are many strategies for remastering an installed system to ISO. The easiest I've seen is MX's snapshot tool. See section 6.6.4 of their manual.
As you may know, MX-Linux is based directly on Debian. Main quirk is that systemd is installed but not enabled by default.
Caveat: MX's persistence method is a PITA, both to set up and to use. OTOH, if you want an 'immutable' live system, you shouldn't be using persistence (imho).
Instead, set up a simple data partition which the user mounts manually (by clicking in file manager).
Re: [Off-Topic] Iterating an Immutable Bookworm for Dummies/Newbies
Thank y'all for the suggestions, but as I mentioned repeatedly, we are low-tech and it is impossible to change something that has been working for us for more than a decade. (Nor do we want to change, but suggestions for improvements are always welcome.) When I mentioned a Red Hat clone, I actually specifically meant Oracle Linux sans the Unbreakable kernel:
viewtopic.php?t=155437&hilit=oracle&start=5
But again, everyone seems to have ignored an important factor in our choice of bookworm in making our immutable system. As I mentioned, again repeatedly, Debian bookworm went through more than two and a half years of open and public testing before it came out, and we have at least made every effort to familiarize ourselves with this product before introducing it to our students. This is the same reason why we are using Sid (not Testing) as our primary OS.
I always keep an Oracle Linux in one of my bootable partitions. No one cared when I mentioned that I am running Linux, many actually looked at me as an outcast. But when I showed them the Oracle logo, I was instantly elevated to the status of a high-tech demigod.
Since we are running many of our marquee apps such as LibreOffice, Google Chrome, Gimp, etc., as AppImages, there is essentially no apparent difference between Oracle and the Gnome version of Bookworm, as far as our dumb students are concerned. However, we ran into our first brick wall in trying to create an Oracle Linux live iso with persistence. Thus, so much for this idea.
Just realized that Oracle ($320B) is now bigger than IBM ($150B) and Intel ($130B) combined. Wow. No wonder I earned instant respect when I mentioned to my friends that I am "running" Oracle Linux (actually I know next to nothing about Oracle Linux).
We used to have a client (not IT-related) which is one of the largest hospitals in our state. They got stuck in Solaris 9. Their IT people were talking about moving to SuSE (at that time SuSE was the only Linux distro that provided any decent level of corporate support) but the board didn't even allow the issue to be brought to the table. However later on when I told one of the board members about Oracle, he was interested.
Last edited by pwzhangzz on 2024-06-01 07:10, edited 1 time in total.