@@ -123,7 +123,79 @@

     -   [Security Policy](photon_admin/default-security-policy-of-photon-os.md)

         -   [Default Firewall Settings](photon_admin/default-firewall-settings.md)

         -   [Default Permissions and umask](photon_admin/default-permissions-and-umask.md)

-        -   [Disabling TLS 1.0 to Improve Transport Layer Security](photon_admin/disabling-tls-1.0.md)      

+        -   [Disabling TLS 1.0 to Improve Transport Layer Security](photon_admin/disabling-tls-1.0.md)

+    - [Photon RPM OSTree](photon_admin/Photon-RPM-OSTree-a-simple-guide.md)

+        - [Introduction](photon_admin/Photon-RPM-OSTree-1-Introduction.md)

+            - [RPM-OSTree Overview](photon_admin/Photon-RPM-OSTree-1-Introduction.md#rpm-ostree-overview)

+            - [Why use RPM-OSTree in Photon?](photon_admin/Photon-RPM-OSTree-1-Introduction.md#why-use-rpm-ostree-in-photon)

+            - [Photon with RPM-OSTree installation profiles](photon_admin/Photon-RPM-OSTree-1-Introduction.md#photon-with-rpm-ostree-installation-profiles)

+            - [Terminology](photon_admin/Photon-RPM-OSTree-1-Introduction.md#terminology)

+            - [Sample code](photon_admin/Photon-RPM-OSTree-1-Introduction.md#sample-code)

+            - [How to read this book](photon_admin/Photon-RPM-OSTree-1-Introduction.md#how-to-read-this-book)

+            - [RPM-OSTree in Photon OS 3.0](photon_admin/Photon-RPM-OSTree-1-Introduction.md#rpm-ostree-in-photon-os-30)

+        - [Installing a Photon RPM-OSTree host against default server repository](photon_admin/Photon-RPM-OSTree-2-Installing-a-host-against-default-server-repository.md)

+            - [Who is this for?](photon_admin/Photon-RPM-OSTree-2-Installing-a-host-against-default-server-repository.md#who-is-this-for)

+            - [Installing the ISO, step by step](photon_admin/Photon-RPM-OSTree-2-Installing-a-host-against-default-server-repository.md#installing-the-iso)

+        - [Concepts in action](photon_admin/Photon-RPM-OStree-3-Concepts-in-action.md)

+            - [Querying the deployed filetrees](photon_admin/Photon-RPM-OStree-3-Concepts-in-action.md#querying-the-deployed-filetrees)

+            - [Bootable filetree version](photon_admin/Photon-RPM-OStree-3-Concepts-in-action.md#bootable-filetree-version)

+            - [Commit ID](photon_admin/Photon-RPM-OStree-3-Concepts-in-action.md#commit-id)

+            - [OSname](photon_admin/Photon-RPM-OStree-3-Concepts-in-action.md#osname)

+            - [Refspec](photon_admin/Photon-RPM-OStree-3-Concepts-in-action.md#refspec)

+            - [Deployments](photon_admin/Photon-RPM-OStree-3-Concepts-in-action.md#deployments)

+        - [Querying for commit, file and package metadata](photon_admin/Photon-RPM-OSTree-4-Querying-for-commit-file-and-package-metadata.md)

+            - [Commit history](photon_admin/Photon-RPM-OSTree-4-Querying-for-commit-file-and-package-metadata.md#commit-history)

+            - [Listing file mappings](photon_admin/Photon-RPM-OSTree-4-Querying-for-commit-file-and-package-metadata.md#listing-file-mappings)

+            - [Listing configuration changes](photon_admin/Photon-RPM-OSTree-4-Querying-for-commit-file-and-package-metadata.md#listing-configuration-changes)

+            - [Listing packages](photon_admin/Photon-RPM-OSTree-4-Querying-for-commit-file-and-package-metadata.md#listing-packages)

+            - [Querying for package details](photon_admin/Photon-RPM-OSTree-4-Querying-for-commit-file-and-package-metadata.md#querying-for-package-details)

+            - [Why am I unable to install, update or delete packages?](photon_admin/Photon-RPM-OSTree-4-Querying-for-commit-file-and-package-metadata.md#why-am-i-unable-to-install-update-or-delete-packages)

+        - [Host updating operations](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md)

+            - [Upgrade overview](photon_admin/photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#upgrade-overview)

+            - [Incremental upgrade](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#incremental-upgrade)

+            - [Listing file differences](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#listing-file-differences)

+            - [Listing package differences](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#listing-package-differences)

+            - [Rollback](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#rollback)

+            - [Installing Packages](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#installing-packages)

+            - [Uninstalling Packages](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#uninstalling-packages)

+            - [Deleting a deployed filetree](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#deleting-a-deployed-filetree)

+            - [Version skipping upgrade](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#version-skipping-upgrade)

+            - [Tracking parent commits](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#tracking-parent-commits)

+            - [Resetting a branch to a previous commit](photon_admin/Photon-RPM-OSTree-5-Host-updating-operations.md#resetting-a-branch-to-a-previous-commit)

+        - [Installing a Photon RPM-OSTree Package](photon_admin/Photon-RPM-OSTree-6-Installing-a-server.md)

+            - [Composing your first OSTree repo](photon_admin/Photon-RPM-OSTree-6-Installing-a-server.md#composing-your-first-OSTree-repo)

+        - [Installing a Photon RPM-OStree host against a custom server repository](photon_admin/Photon-RPM-OSTree-7-Installing-a-host-against-a-custom-server-repository.md)

+            - [Manual install of a custom host](photon_admin/Photon-RPM-OSTree-7-Installing-a-host-against-a-custom-server-repository.md#manual-install-of-a-custom-host)

+            - [Automated install of a custom host via kickstart](photon_admin/Photon-RPM-OSTree-7-Installing-a-host-against-a-custom-server-repository.md#automated-install-of-a-custom-host-via-kickstart)

+        - [Automatic Updates](photon_admin/RPM-OSTree-AutoUpdate.md)

+            - [Enable Automatic Updates](photon_admin/RPM-OSTree-AutoUpdate.md#enable-automatic-updates)

+        - [File oriented server operations](photon_admin/Photon-RPM-OStree-8-File-oriented-server-operations.md)

+            - [Starting a fresh OSTree repo](photon_admin/Photon-RPM-OStree-8-File-oriented-server-operations.md#starting-a-fresh-ostree-repo)

+            - [Creating summary metadata](photon_admin/Photon-RPM-OStree-8-File-oriented-server-operations.md#creating-summary-metadata)

+        - [Package oriented server operations](photon_admin/Photon-RPM-OSTree-9-Package-oriented-server-operations.md)

+            - [JSON configuration file](photon_admin/Photon-RPM-OSTree-9-Package-oriented-server-operations.mdjson-configuration-file)

+            - [Package addition, removal, upgrade](photon_admin/Photon-RPM-OSTree-9-Package-oriented-server-operations.md#package-addition-removal-upgrade)

+            - [RPMS repository](photon_admin/Photon-RPM-OSTree-9-Package-oriented-server-operations.md#rpms-repository)

+            - [Composing a tree](photon_admin/Photon-RPM-OSTree-9-Package-oriented-server-operations.md#composing-a-tree)

+            - [Automatic version prefix](photon_admin/Photon-RPM-OSTree-9-Package-oriented-server-operations.md#automatic-version-prefix)

+            - [Installing package updates](photon_admin/Photon-RPM-OSTree-9-Package-oriented-server-operations.md#installing-package-updates)

+            - [Creating server metadata](photon_admin/Photon-RPM-OSTree-9-Package-oriented-server-operations.md#creating-server-metadata)

+            - [Starting a fresh OSTree repo](photon_admin/Photon-RPM-OSTree-9-Package-oriented-server-operations.md#starting-a-fresh-ostree-repo)

+        - [Remotes](photon_admin/Photon-RPM-OSTree-10-Remotes.md)

+            - [Listing remotes](photon_admin/Photon-RPM-OSTree-10-Remotes.md#listing-remotes)

+            - [GPG signature verification](photon_admin/Photon-RPM-OSTree-10-Remotes.md#gpg-signature-verification)

+            - [Switching repositories](photon_admin/Photon-RPM-OSTree-10-Remotes.md#switching-repositories)

+            - [Adding and removing remotes](photon_admin/Photon-RPM-OSTree-10-Remotes.md#adding-and-removing-remotes)

+            - [List available branches](photon_admin/Photon-RPM-OSTree-10-Remotes.md#list-available-branches)

+        - [Running container applications between bootable images](photon_admin/Photon-RPM-OSTree-11-Running-container-applications-between-bootable-images.md)

+            - [Downloading a docker container appliance](photon_admin/Photon-RPM-OSTree-11-Running-container-applications-between-bootable-images.md#downloading-a-docker-container-appliance)

+            - [Rebooting into an existing image](photon_admin/Photon-RPM-OSTree-11-Running-container-applications-between-bootable-images.md#rebooting-into-an-existing-image)

+            - [Reboot into a newly created image](photon_admin/Photon-RPM-OSTree-11-Running-container-applications-between-bootable-images.md#reboot-into-a-newly-created-image)

+        - [Install or rebase to Photon OS 3.0](photon_admin/Photon-RPM-OSTree-Install-or-rebase-to-Photon-OS-2.0.md)

+            - [Composing your own RPM-OSTree Server](photon_admin/Photon-RPM-OSTree-Install-or-rebase-to-Photon-OS-2.0.md#composing-your-own-rpm-ostree-server)

+            - [Installing an RPM-OSTree host](photon_admin/Photon-RPM-OSTree-Install-or-rebase-to-Photon-OS-2.0.md#installing-an-rpm-ostree-host)

+            - [Rebasing a host from Photon 1.0 to 3.0](photon_admin/Photon-RPM-OSTree-Install-or-rebase-to-Photon-OS-2.0.md#rebasing-a-host-from-photon-10-to-20)

+            - [Creating a host raw image](photon_admin/Photon-RPM-OSTree-Install-or-rebase-to-Photon-OS-2.0.md#creating-a-host-raw-image)      

 - [User Guide](photon_user/README.md)

     - [Setting Up a Network PXE Boot Server](photon_user/PXE-boot.md)

     - [Working with Kickstart](photon_user/kickstart.md)

new file mode 100644

Binary files /dev/null and b/docs/images/photon-os-finish.png differ

new file mode 100644

Binary files /dev/null and b/docs/images/rpmostree-custom.png differ

new file mode 100644

Binary files /dev/null and b/docs/images/rpmostree-default.png differ

new file mode 100644

Binary files /dev/null and b/docs/images/rpmostree-grub.png differ

new file mode 100644

Binary files /dev/null and b/docs/images/rpmostree-install-options.png differ

new file mode 100644

Binary files /dev/null and b/docs/images/rpmostree-login-root.png differ

new file mode 100644

Binary files /dev/null and b/docs/images/rpmostree-url.png differ

new file mode 100644

@@ -0,0 +1,68 @@

+# Introduction

+

+## RPM-OSTree Overview

+

+OSTree is a tool to manage bootable, immutable, versioned filesystem trees. Unlike traditional package managers like rpm or dpkg that know how to install, uninstall, configure packages, OSTree has no knowledge of the relationship between files. But when you add rpm capabilities on top of OSTree, it becomes RPM-OSTree, meaning a filetree replication system that is also package-aware.

+

+The idea behind it is to use a client/server architecture to keep your Linux installed machines (physical or VM) in sync with the latest bits, in a predictable and reliable manner. To achieve that, OSTree uses a git-like repository that records the changes to any file and replicate them to any subscriber.  

+

+A system administrator or an image builder developer takes a base Linux image, prepares the packages and other configuration on a server box, executes a command to compose a filetree that the host machines will download and then incrementally upgrade whenever a new change has been committed.

+You may read more about OSTree [here](https://wiki.gnome.org/Projects/OSTree).

+

+## Why use RPM-OSTree in Photon?

+

+There are several important benefits:

+* Reliable, efficient: The filetree replication is simple, reliable and efficient. It will only transfer deltas over the network. If you have deployed two almost identical bootable images on same box (differing just by several files), it will not take twice the space. The new tree will have a set of hardlinks to the old tree and only the different files will have a separate copy stored to disk.

+* Atomic: the filetree replication is atomic. At the end of a deployment, you are either booting from one deployment, or the other. There is no "partial deployed bootable image". If anything bad happens during replication or deployment- power loss, network failure, your machine boots from the old image. There is even a tool option to cleanup old deployed (successfully or not) image.

+* Manageable: You are provided simple tools to figure out exactly what packages have been installed, to compare files, configuration and package changes between versions.

+* Predictable, repeatable: A big headache for a system administrator is to maintain a farm of computers with different packages, files and configuration installed in different order, that will result in exponential set of test cases. With RPM-OStree, you get identical, predictable installed systems. 

+

+As drawbacks, I would mention:

+* Some applications configured by user on host may have compatibility issues if they save configuration or download into read only directories like /usr.

+* People not used with "read only" file systems will be disappointed that they could no longer use RPM, yum, tdnf to install whatever they want. Think of this as an "enterprise policy". They may circumvent this by customizing the target directory to a writable directory like /var or using rpm to install packages and record them using a new RPM repository in a writable place.

+* Administrators need to be aware about the directories re-mapping specific to OSTree and plan accordingly.

+

+## Photon with RPM-OSTree installation profiles

+Photon takes advantage of RPM-OSTree and offers several installation choices:

+* Photon RPM-OSTree server - used to compose customized Photon OS installations and to prepare updates. I will call it for short 'server'.

+* Photon RPM-OSTree host connected to a default online server repository via http or https, maintained by VMware Photon OS team, where future updates will be published. This will create a minimal installation profile, but with the option to self-upgrade. I will call it for short 'default host'.

+* Photon RPM-OSTree host connected to a custom server repository. It requires a Photon RPM-OSTree Server installed in advance. I will call it for short 'custom host'.

+

+## Terminology

+

+In this section, the term *OSTree* refers to the general use of this technology, the format of the repository or replication protocol. 

+

+The term *RPM-OSTree* emphasizes the layer that adds RedHat Package Manager compatibility on both ends - at server and at host. However, since Photon OS is an RPM-based Linux, there are places in the documentation and even in the installer menus where *OSTree* may be used instead of *RPM-OSTree* when the distinction is not obvious or does not matter in that context.

+

+When `ostree` and `rpm-ostree` are encountered, they refer to the usage of the specific Unix commands.   

+

+Finally, *Photon RPM-OSTree* is the application or implementation of the RPM-OStree system into Photon OS, materialized into two options: Photon Server and Photon Host (or client). *Server* or *Host* may be used with or without the *Photon* and/or *RPM-OStree* qualifier, but it means the same thing. 

+

+## Sample code

+

+Codes samples used throughout the book are small commands that can be typed at shell command prompt and do not require downloading additional files. As an alternative, one can remote connect via ssh, so cut & paste sample code from outside sources or copy files via scp will work. See the Photon Administration guide to learn [how to enable ssh](..\photon_troubleshoot\permitting-root-login-with-ssh.md). 

+The samples assume that the following VMs have been installed - see the steps in the next chapters:

+* A default host VM named **photon-host-def**.

+* Two server VMs named **photon-srv1** and **photon-srv2**.

+* Two custom host VMs named **photon-host-cus1** and **photon-host-cus2**, connected each to the corresponding server during install.

+

+## How to read this book

+

+The RPM OSTree guide is structured to be used both as a sequential read and as a reference documentation.   

+If you are just interested in deploying a host system and keeping it up to date, then read [Installing a Photon RPM-OSTree host against default server repository](Photon-RPM-OSTree-2-Installing-a-host-against-default-server-repository.md) and [Host updating operations](Photon-RPM-OSTree-5-Host-updating-operations.md).

+

+If you want to install your own server and experiment with customizing packages for your Photon hosts, then read [Installing a Photon RPM-OSTree server](Photon-RPM-OSTree-6-Installing-a-server.md) onwards. There are references to the concepts discussed throughout the book, if you need to understand them better.  

+However, if you want to read page by page, information is presented from simple to complex, although as with any technical book, we occasionally run into the chicken and egg problem - forward references to concepts that have yet to be explained later. In other cases, concepts are introduced and presented in great detail that may be seem hard to follow at first, but I promise they will make sense in the later pages when you get to use them.

+

+## RPM OSTree in Photon OS 3.0

+

+This book is relevant to RPM OSTree in Photon OS 3.0.

+

+Version 3.0 supports the following features:

+

+- Upgrade

+- Rollback

+- Remote, compose, and rebase server

+- Installation and uninstallation of packages with URL

+- Installation and uninstallation of packages from default repos

+- Automatic updates

new file mode 100644

@@ -0,0 +1,97 @@

+# Remotes

+

+In Chapter 3 we talked about the Refspec that contains a **photon:** prefix, that is the name of a remote. When a Photon host is installed, a remote is added - which contains the URL for an OSTree repository that is the origin of the commits we are going to pull from and deploy filetrees, in our case the Photon RPM-OSTree server we installed the host from. This remote is named **photon**, which may be confusing, because it's also the OS name and part of the Refspec (branch) path.

+

+## Listing remotes

+

+A host repo can be configured to switch between multiple remotes to pull from, however only one remote is the "active" one at a time. We can list the remotes created so far, which brings back the expected result.

+

+```

+root@photon-host-def [ ~ ]# ostree remote list

+photon

+photon-1

+```

+We can inquiry about the URL for that remote name, which for the default host is the expected Photon OS online OSTree repo.

+```

+root@photon-host-def [ ~ ]# ostree remote show-url photon

+https://<host-name>:8080/repo

+```

+But where is this information stored? The repo's config file has it.

+```

+root@photon-host-def [ ~ ]# cat /ostree/repo/config 

+[core]

+repo_version=1

+mode=bare

+

+[remote "photon"]

+url=http:<Server-IP-Address:port>/repo

+gpg-verify=false

+```

+

+If same command is executed on the custom host we've installed, it's going to reveal the URL of the Photon RPM-OSTree server connected to during setup.

+```

+root@photon-host-cus [ ~ ]# ostree remote show-url photon

+http://10.197.103.175:8000/repo

+```

+

+## GPG signature verification

+

+You may wonder what is the purpose of ```gpg-verify=false``` in the config file, associated with the specific remote. This will instruct any host update to skip the signing verification for the updates that come from server, resulted from tree composed locally at the server, as they are not signed. Without this, host updating will fail.  

+

+There is a whole chapter about signing, importing keys and so on that I will not get into, but the idea is that signing adds an extra layer of security, by validating that everything you download comes from the trusted publisher and has not been altered. That is the case for all Photon OS artifacts downloaded from VMware official site. All OVAs and packages, either from the online RPMS repositories or included in the ISO file - are signed by VMware. We've seen a similar setting ```gpgcheck=1``` in the RPMS repo configuration files that tdnf uses to validate or not the signature for all packages downloaded to be installed.

+

+

+## Switching repositories

+

+Since mapping name/url is stored in the repo's config file, in principle you can re-assign a different URL, connecting the host to a different server. The next upgrade will get the latest commit chain from the new server.   

+If we edit photon-host-def's repo config and replace the bintray URL by photon-srv1's IP address, all original packages in the original 3.0_minimal version will be preserved, but any new package change (addition, removal, upgrade) added after that (in 3.0_minimal.1, 3.0_minimal.2) will be reverted and all new commits from photon-srv1 (that may have same version) will be applied. This is because the two repos are identical copies, so they have the same original commit ID as a common ancestor, but they diverge from there.  

+  

+If the old and new repo have nothing in common (no common ancestor commit), this will undo even the original commit, so all commits from the new tree will be applied.  

+A better solution would be to add a new remote that will identify where the commits come from.

+

+## Adding and removing remotes

+

+A cleaner way to switch repositories is to add remotes that point to different servers. Let us add another server that we will refer to as **photon2**, along with (optional) the refspecs for branches that it provides (we will see later that in the newer OSTree versions, we don't need to know the branch names, they could be [queried at run-time](Photon-RPM-OSTree-10-Remotes.md#listing-available-branches)). 

+

+```

+root@photon-host-cus [ ~ ]# ostree remote add --repo=/ostree/repo -v --no-gpg-verify photon2 http://10.197.103.204:8080 photon/3.0/x86_64/minimal photon/3.0/x86_64/full

+root@photon-host-cus [ ~ ]# ostree remote list

+photon

+photon2

+root@photon-host-cus [ ~ ]# ostree remote show-url photon2

+http://10.118.101.86

+```

+Where is this information stored? There is an extra config file created per each remote:

+```

+root@photon-host-cus [ ~ ]# cat /etc/ostree/remotes.d/photon2.conf 

+[remote "photon2"]

+url=http://10.118.101.86

+branches=photon/3.0/x86_64/minimal;photon/2.0/x86_64/full;

+gpg-verify=false

+```

+You may have guessed what is the effect of ```--no-gpg-verify option```.  

+Obviously, remotes could also be deleted.

+```

+root@photon-host-cus [ ~ ]# ostree remote delete photon2

+root@photon-host-cus [ ~ ]# ostree remote list

+photon

+```

+

+## List available branches

+

+If a host has been deployed from a specific branch and would like to switch to a different one, maybe from a different server, how would it know what branches are available? In git, you would run ```git remote show origin``` or ```git remote -a``` (although last command would not show all branches, unless you ran ```git fetch``` first).  

+

+Fortunately, in Photon OS 3.0 and higher, the hosts are able to query the server, if summary metadata has been generated, as we've seen in [Creating summary metadata](Photon-RPM-OSTree-8-File-oriented-server-operations.md#creating-summary-metadata).  This command lists all branches available for remote **photon2**.

+

+```

+root@photon-host-cus [ ~ ]# ostree remote refs photon2 

+photon2:photon/3.0/x86_64/base

+photon2:photon/3.0/x86_64/full

+photon2:photon/3.0/x86_64/minimal

+```

+

+## Switching branches (rebasing)

+

+If you have an installed Photon 1.0 or 1.0 Rev2 that you want to carry to 3.0, you need to rebase it.

+

+See [Rebasing a host from Photon 1.0 to 3.0](Photon-RPM-OSTree-Install-or-rebase-to-Photon-OS-2.0.md#rebasing-a-host-from-photon-10-to-20).

new file mode 100644

@@ -0,0 +1,268 @@

+# Running container applications between bootable images

+

+In this chapter, we want to test a docker application and make sure that all the settings and downloads done in one bootable filetree are going to be saved into writable folders and be available in the other image, in other words after reboot from the other image, everything is available exactly the same way.   

+We are going to do this twice: first, to verify an existing bootable image installed in parallel and then create a new one.

+

+## Downloading a docker container appliance

+

+Photon OS comes with docker package installed and configured, but we expect that the docker daemon is inactive (not started). Configuration file /usr/lib/systemd/system/docker.service is read-only (remember /usr is bound as read-only). 

+```

+root@sample-host-def [ ~ ]# systemctl status docker

+* docker.service - Docker Daemon

+   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled)

+   Active: inactive (dead)

+

+root@sample-host-def [ ~ ]# cat /usr/lib/systemd/system/docker.service

+[Unit]

+Description=Docker Application Container Engine

+Documentation=https://docs.docker.com

+After=network-online.target

+Wants=network-online.target

+

+[Service]

+Type=notify

+# the default is not to use systemd for cgroups because the delegate issues still

+# exists and systemd currently does not support the cgroup feature set required

+# for containers run by docker

+ExecStart=/usr/bin/dockerd

+ExecReload=/bin/kill -s HUP $MAINPID

+# Having non-zero Limit*s causes performance problems due to accounting overhead

+# in the kernel. We recommend using cgroups to do container-local accounting.

+LimitNOFILE=infinity

+LimitNPROC=infinity

+LimitCORE=infinity

+# Uncomment TasksMax if your systemd version supports it.

+# Only systemd 226 and above support this version.

+#TasksMax=infinity

+TimeoutStartSec=0

+# set delegate yes so that systemd does not reset the cgroups of docker containers

+Delegate=yes

+# kill only the docker process, not all processes in the cgroup

+KillMode=process

+# restart the docker process if it exits prematurely

+Restart=on-failure

+StartLimitBurst=3

+StartLimitInterval=60s

+

+[Install]

+WantedBy=multi-user.target

+```

+

+Now let's enable docker daemon to start at boot time - this will create a symbolic link into writable folder /etc/systemd/system/multi-user.target.wants to its systemd configuration, as with all other systemd controlled services. 

+

+```

+root@sample-host-def [ ~ ]# systemctl enable docker

+Created symlink /etc/systemd/system/multi-user.target.wants/docker.service -> /lib/systemd/system/docker.service.

+

+root@sample-host-def [ ~ ]# ls -l /etc/systemd/system/multi-user.target.wants

+total 0

+lrwxrwxrwx 1 root root 34 Sep 10 10:48 docker.service -> /lib/systemd/system/docker.service

+lrwxrwxrwx 1 root root 36 Sep  4 04:59 iptables.service -> /lib/systemd/system/iptables.service

+lrwxrwxrwx 1 root root 35 Sep  4 04:59 machines.target -> /lib/systemd/system/machines.target

+lrwxrwxrwx 1 root root 36 Sep  4 04:59 remote-fs.target -> /lib/systemd/system/remote-fs.target

+lrwxrwxrwx 1 root root 39 Sep  4 04:59 sshd-keygen.service -> /lib/systemd/system/sshd-keygen.service

+lrwxrwxrwx 1 root root 32 Sep  4 04:59 sshd.service -> /lib/systemd/system/sshd.service

+lrwxrwxrwx 1 root root 44 Sep  4 04:59 systemd-networkd.service -> /lib/systemd/system/systemd-networkd.service

+lrwxrwxrwx 1 root root 44 Sep  4 04:59 systemd-resolved.service -> /lib/systemd/system/systemd-resolved.service

+```

+To verify that the symbolic link points to a file in a read-only directory, try to make a change in this file using vim and save. you'll get an error: "/usr/lib/systemd/system/docker.service" E166: Can't open linked file for writing".  

+

+Finally, let's start the daemon, check again that is active.

+

+```

+root@sample-host-def [ ~ ]# systemctl start docker

+

+root@sample-host-def [ ~ ]# systemctl status -l docker

+* docker.service - Docker Application Container Engine

+   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: disabled)

+   Active: active (running) since Tue 2019-09-10 10:54:32 UTC; 14s ago

+     Docs: https://docs.docker.com

+ Main PID: 2553 (dockerd)

+    Tasks: 35 (limit: 4711)

+   Memory: 148.2M

+   CGroup: /system.slice/docker.service

+           |-2553 /usr/bin/dockerd

+           `-2566 docker-containerd --config /var/run/docker/containerd/containerd.toml

+

+Sep 10 10:54:31 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:31.421759662Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420312f90, CONNECTING" module=grpc

+Sep 10 10:54:31 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:31.421935355Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420312f90, READY" module=grpc

+Sep 10 10:54:31 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:31.421980614Z" level=info msg="Loading containers: start."

+Sep 10 10:54:31 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:31.886520281Z" level=info msg="Default bridge

+(docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"

+Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.027763113Z" level=info msg="Loading containers: done."

+Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.468277184Z" level=info msg="Docker daemon"

+commit=6d37f41 graphdriver(s)=overlay2 version=18.06.2-ce

+Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.468441587Z" level=info msg="Daemon has completed initialization"

+Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.684925824Z" level=warning msg="Could not register builder git source: failed to find git binary: exec: \"git\": executable file not found in $PATH"

+Sep 10 10:54:32 photon-76718dd2fa33 dockerd[2553]: time="2019-09-10T10:54:32.691070166Z" level=info msg="API listen on /var/run/docker.sock"

+Sep 10 10:54:32 photon-76718dd2fa33 systemd[1]: Started Docker Application Container Engine.

+```

+

+We'll ask docker to run Ubuntu Linux in a container. Since it's not present locally, it's going to be downloaded first from the official docker repository https://hub.docker.com/_/ubuntu/.

+

+```

+root@sample-host-def [ ~ ]# docker ps -a

+CONTAINER ID        IMAGE            COMMAND      CREATED           STATUS              PORTS       NAMES

+

+root@sample-host-def [ ~ ]# docker run -it ubuntu

+Unable to find image 'ubuntu:latest' locally

+latest: Pulling from library/ubuntu

+35c102085707: Pull complete

+251f5509d51d: Pull complete

+8e829fe70a46: Pull complete

+6001e1789921: Pull complete

+Digest: sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90

+Status: Downloaded newer image for ubuntu:latest

+```

+

+When downloading is complete, it comes to Ubuntu root prompt with assigned host name 7029a64e7aa3, that is actually the Container ID. Let's verify it's indeed the expected OS.

+

+```

+root@sample-host-def [ ~ ]# docker run -it ubuntu

+Unable to find image 'ubuntu:latest' locally

+latest: Pulling from library/ubuntu

+d3a1f33e8a5a: Pull complete

+c22013c84729: Pull complete

+d74508fb6632: Pull complete

+91e54dfb1179: Already exists

+library/ubuntu:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.

+Digest: sha256:fde8a8814702c18bb1f39b3bd91a2f82a8e428b1b4e39d1963c5d14418da8fba

+Status: Downloaded newer image for ubuntu:latest

+

+root@7029a64e7aa3:/# cat /etc/os-release

+NAME="Ubuntu"

+VERSION="18.04.3 LTS (Bionic Beaver)"

+ID=ubuntu

+ID_LIKE=debian

+PRETTY_NAME="Ubuntu 18.04.3 LTS"

+VERSION_ID="18.04"

+HOME_URL="https://www.ubuntu.com/"

+SUPPORT_URL="https://help.ubuntu.com/"

+BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"

+PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"

+VERSION_CODENAME=bionic

+UBUNTU_CODENAME=bionic

+root@7029a64e7aa3:/#

+```

+Now let's write a file into Ubuntu home directory

+

+```

+echo "Ubuntu file" >> /home/myfile

+root@7029a64e7aa3:/home# cat /home/myfile

+Ubuntu file

+```

+

+We'll exit back to the Photon prompt and if it's stopped, we will re-start it.

+

+```

+root@7029a64e7aa3:/# exit

+exit

+

+root@sample-host-def [ ~ ]# docker ps -a

+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                       PORTS               NAMES

+7029a64e7aa3        ubuntu              "/bin/bash"         6 minutes ago       Exited (0) 11 seconds ago                        gifted_dijkstra

+

+root@photon-host-cus1 [ ~ ]# docker start  7029a64e7aa3

+7029a64e7aa3

+

+root@photon-host-cus1 [ ~ ]# docker ps -a

+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                       PORTS               NAMES

+7029a64e7aa3        ubuntu              "/bin/bash"         7 minutes ago       Up 21 seconds                                    gifted_dijkstra

+```

+

+## Rebooting into an existing image

+

+Now let's reboot the machine and select the other image. First, we'll verify that the docker daemon is automaically started.

+

+```

+root@photon-host-cus1 [ ~ ]# systemctl status docker

+* docker.service - Docker Application Container Engine

+   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: disabled)

+   Active: active (running) since Tue 2019-09-10 10:54:32 UTC; 13min ago

+     Docs: https://docs.docker.com

+ Main PID: 2553 (dockerd)

+    Tasks: 55 (limit: 4711)

+   Memory: 261.3M

+   CGroup: /system.slice/docker.service

+           |-2553 /usr/bin/dockerd

+   ...

+```

+

+Next, is the Ubuntu OS container still there?

+

+```

+root@photon-host-cus1 [ ~ ]# docker ps -a

+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                       PORTS               NAMES

+7029a64e7aa3        ubuntu              "/bin/bash"         9 minutes ago       Up 2 minutes                                     gifted_dijkstra

+```

+

+It is, so let's start it, attach and verify that our file is persisted, then add another line to it and save, exit.

+

+```

+root@photon-host-cus1 [ ~ ]# docker start -i  7029a64e7aa3

+root@7029a64e7aa3:/# cat /home/myfile

+Ubuntu file

+root@7029a64e7aa3:/# echo "booted into existing image" >> /home/myfile

+root@7029a64e7aa3:/# exit

+exit

+```

+

+## Reboot into a newly created image

+

+Let's upgrade and replace the .0 image by a .3 build that contains git and also perl_YAML (because it is a dependency of git).

+

+```

+root@photon-host-cus1 [ ~ ]# rpm-ostree status

+  TIMESTAMP (UTC)         VERSION               ID             OSNAME     REFSPEC

+* 2015-09-04 00:36:37     1.0_tp2_minimal.2     092e21d292     photon     photon:photon/tp2/x86_64/minimal

+  2015-08-20 22:27:43     1.0_tp2_minimal       2940e10c4d     photon     photon:photon/tp2/x86_64/minimal

+

+root@photon-host-cus1 [ ~ ]# rpm-ostree upgrade

+Updating from: photon:photon/tp2/x86_64/minimal

+

+43 metadata, 209 content objects fetched; 19992 KiB transferred in 0 seconds

+Copying /etc changes: 5 modified, 0 removed, 19 added

+Transaction complete; bootconfig swap: yes deployment count change: 0

+Freed objects: 16.2 MB

+Added:

+  git-2.1.2-1.ph3tp2.x86_64

+  perl-YAML-1.14-1.ph3tp2.noarch

+Upgrade prepared for next boot; run "systemctl reboot" to start a reboot

+

+root@photon-host-cus1 [ ~ ]# rpm-ostree status

+  TIMESTAMP (UTC)         VERSION               ID             OSNAME     REFSPEC

+  2015-09-06 18:12:08     1.0_tp2_minimal.3     d16aebd803     photon     photon:photon/tp2/x86_64/minimal

+* 2015-09-04 00:36:37     1.0_tp2_minimal.2     092e21d292     photon     photon:photon/tp2/x86_64/minimal

+```

+

+After reboot from 1.0_tp2_minimal.3 build, let's check that the 3-way /etc merge succeeded as expected. The docker.service slink is still there, and docker demon restarted at boot.

+

+```

+root@photon-host-cus1 [ ~ ]# ls -l /etc/systemd/system/multi-user.target.wants/docker.service

+lrwxrwxrwx 1 root root 38 Sep  6 12:50 /etc/systemd/system/multi-user.target.wants/docker.service -> /usr/lib/systemd/system/docker.service

+

+root@photon-host-cus1 [ ~ ]# systemctl status docker

+* docker.service - Docker Daemon

+   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled)

+   Active: active (running) since Sun 2015-09-06 12:56:33 UTC; 1min 27s ago

+ Main PID: 292 (docker)

+   CGroup: /system.slice/docker.service

+           `-292 /bin/docker -d -s overlay

+   ...

+```

+

+Let's revisit the Ubuntu container. Is the container still there? is myfile persisted?

+

+```

+root@photon-host-cus1 [ ~ ]# docker ps -a

+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                    PORTS               NAMES

+7029a64e7aa3        ubuntu              "/bin/bash"         5 days ago          Exited (0) 5 days ago                         gifted_dijkstra

+55825c961f95        ubuntu              "/bin/bash"         5 days ago          Exited (127) 5 days ago                       distracted_shannon

+

+root@photon-host-cus1 [ ~ ]# docker start 57dcac5d0490

+

+root@57dcac5d0490:/# cat /home/myfile

+Ubuntu file

+booted into existing image

+root@57dcac5d0490:/# echo "booted into new image" >> /home/myfile

+```

new file mode 100644

@@ -0,0 +1,40 @@

+# Installing a host against default server repository

+

+RPM-OSTree Host default server repo installation option in Photon 3.0 will setup a profile similar to Photon Minimal, with the added benefit of being able to self-upgrade.   

+

+## Who is this for?

+

+The RPM-OSTree 'default host' is the easiest way to deploy a Photon RPM-OSTree host from ISO/cdrom, without the need to deploy and maintain an RPM-OSTree server. It is targeted at the user who relies on VMware Photon OS team to keep his or her system up-to-date, configured to get its updates from the official Photon 3.0 OSTree repository.

+

+This is also the fastest way to install a host, as we've included in the ISO/cdrom an identical copy of the Photon 3.0 "starter" RPM-OSTree repository that is published online by VMware Photon OS team. So rather than pulling from the online repository, the installer pulls the repo from cdrom, which saves bandwidth and also reduces to zero the chances of failing due to a networking problem. After successful installation, any updates are going to be pulled from the official online repository, when Photon OS team will make them available.    

+

+**Note**: It is also possible to install an RPM-OSTree host against the official online repo via PXE boot, without the benefit of fast, local pull from cdrom. This will be covered in the PXE boot/kickstart chapter, as it requires additional configuration.

+

+## Installing the ISO

+

+User will first download [Photon 3.0 ISO file](https://bintray.com/artifact/download/vmware/photon/photon-1.0-13c08b6.iso) that contains the installer, which is able to deploy any of the supported Photon installation profiles.

+

+There are some steps common to all Photon installation profiles, starting with adding a VM in VMware Fusion, Workstation or ESXi, selecting the OS family, then customizing for disk size, CPU, memory size, network interface etc. (or leaving the defaults) and selecting the ISO image as cdrom. The installer will launch, that will go through disk partitioning and accepting the license agreement screens, followed by selecting an installation profile.

+These steps are described at the page linked below, so I won't repeat them, just that instead of setting up a Photon Minimal profile, we will install a Photon OSTree host:   

+

+[Running Project Photon on Fusion](Running-Project-Photon-on-Fusion.md).

+

+Select the **Photon OSTree Host** option.

+

+![PhotonChooseHost](../images/rpmostree-install-options.png)

+

+Continue with setting up a host name like **photon1-def** and a root password, re-confirm.

+Then, select "Default OSTree Server" and continue.

+

+![PhotonChooseHostDefault](../images/rpmostree-default.png)

+

+![PhotonHostDefaultFinish](../images/photon-os-finish.png)

+

+When installation is over, the VM will reboot and will show in grub VMWare Photon/Linux 3.0_minimal (ostree), which will reassure that it's booting from an OSTree image!  

+

+![PhotonHostFirstRebootGrub](../images/rpmostree-grub.png)  

+

+Boot, login and you are ready to use it.

+

+To upgrade your host, see [Host updating operations](Photon-RPM-OSTree-5-Host-updating-operations.md).

+

new file mode 100644

@@ -0,0 +1,345 @@

+# Querying For Commit File and Package Metadata

+

+There are several ostree and rpm-ostree commands that list file or package data based on either the Commit ID, or Refspec. If Refspec is passed as a parameter, it's the same as passing the most recent commit ID (head) for that branch.

+

+## Commit history

+

+For a host that is freshly installed, there is only one commit in the history for the only branch.

+

+```

+root@photon-host [ ~ ]# ostree log photon/3.0/x86_64/minimal

+commit a31a843985e314a9e70bcf09afe8d59f7351817d9fb743c2b6dab84f20833650

+ContentChecksum:  e91261daf8d60074f334a7ebf81d3b930c3fc88c765f994f79ab2445296f03c5

+Date:  2019-08-29 11:20:19 +0000

+Version: 3.0_minimal

+```

+

+This commit has no parent; if there was an older commit, it would have been listed too. We can get the same listing (either nicely formatted or raw variant data) by passing the Commit ID. Just the first several hex digits will suffice to identify the commit ID. We can either request to be displayed in a pretty format, or raw - the actual C struct.

+

+```

+root@photon-host [ ~ ]# ostree log a31a

+commit a31a843985e314a9e70bcf09afe8d59f7351817d9fb743c2b6dab84f20833650

+ContentChecksum:  e91261daf8d60074f334a7ebf81d3b930c3fc88c765f994f79ab2445296f03c5

+Date:  2019-08-29 11:20:19 +0000

+Version: 3.0_minimal

+```

+

+```

+root@photon-host [ ~ ]# ostree log a31a --raw

+commit a31a843985e314a9e70bcf09afe8d59f7351817d9fb743c2b6dab84f20833650

+({'rpmostree.inputhash': <'a3e8f3f6ef6e93c2ed6ce9edd1e9e80c93a36ecda0fed0d78f607e6ec3179d04'>, 'rpmostree.rpmmd-repos': <[{'id': <'photon'>, 'timestamp': <uint64 1567077533>}]>, 'version': <'3.0_minimal'>, 'rpmostree.rpmdb.pkglist': <[('Linux-PAM', '0', '1.3.0', '1.ph3', 'x86_64'), ('attr', '0', '2.4.48', '1.ph3', 'x86_64'), ('autogen-libopts', '0', '5.18.16', '1.ph3', 'x86_64'), ('bash', '0', '4.4.18', '1.ph3', 'x86_64'), ('bc', '0', '1.07.1', '1.ph3', 'x86_64'), ('binutils', '0', '2.31.1', '6.ph3', 'x86_64'), ('bridge-utils', '0', '1.6', '1.ph3', 'x86_64'), ('bubblewrap', '0', '0.3.0', '2.ph3', 'x86_64'), ('bzip2', '0', '1.0.6', '10.ph3', 'x86_64'), ('bzip2-libs', '0', '1.0.6', '10.ph3', 'x86_64'), ('ca-certificates', '0', '20190521', '1.ph3', 'x86_64'), ('ca-certificates-pki', '0', '20190521', '1.ph3', 'x86_64'), ('coreutils', '0', '8.30', '1.ph3', 'x86_64'), ('cpio', '0', '2.12', '4.ph3', 'x86_64'), ('cracklib', '0', '2.9.6', '8.ph3', 'x86_64'), ('cracklib-dicts', '0', '2.9.6', '8.ph3', 'x86_64'), ('curl', '0', '7.61.1', '4.ph3', 'x86_64'), ('curl-libs', '0', '7.61.1', '4.ph3', 'x86_64'), ('dbus', '0', '1.13.6', '1.ph3', 'x86_64'), ('device-mapper', '0', '2.02.181', '1.ph3', 'x86_64'), ('device-mapper-libs', '0', '2.02.181', '1.ph3', 'x86_64'), ('docker', '0', '18.06.2', '3.ph3', 'x86_64'), ('dracut', '0', '048', '1.ph3', 'x86_64'), ('dracut-tools', '0', '048', '1.ph3', 'x86_64'), ('e2fsprogs-libs', '0', '1.44.3', '2.ph3', 'x86_64'), ('elfutils', '0', '0.176', '1.ph3', 'x86_64'), ('elfutils-libelf', '0', '0.176', '1.ph3', 'x86_64'), ('expat', '0', '2.2.6', '2.ph3', 'x86_64'), ('expat-libs', '0', '2.2.6', '2.ph3', 'x86_64'), ('file', '0', '5.34', '1.ph3', 'x86_64'), ('file-libs', '0', '5.34', '1.ph3', 'x86_64'), ('filesystem', '0', '1.1', '4.ph3', 'x86_64'), ('findutils', '0', '4.6.0', '5.ph3', 'x86_64'), ('flex', '0', '2.6.4', '2.ph3', 'x86_64'), ('fuse', '0', '2.9.7', '5.ph3', 'x86_64'), ('gc', '0', '8.0.0', '1.ph3', 'x86_64'), ('glib', '0', '2.58.0', '4.ph3', 'x86_64'), ('glib-networking', '0', '2.59.1', '2.ph3', 'x86_64'), ('glibc', '0', '2.28', '4.ph3', 'x86_64'), ('glibc-iconv', '0', '2.28', '4.ph3', 'x86_64'), ('gmp', '0', '6.1.2', '2.ph3', 'x86_64'), ('gnupg', '0', '2.2.17', '1.ph3', 'x86_64'), ('gnutls', '0', '3.6.3', '3.ph3', 'x86_64'), ('gobject-introspection', '0', '1.58.0', '2.ph3', 'x86_64'), ('gpgme', '0', '1.11.1', '2.ph3', 'x86_64'), ('grep', '0', '3.1', '1.ph3', 'x86_64'), ('grub2', '0', '2.02', '13.ph3', 'x86_64'), ('grub2-efi', '0', '2.02', '13.ph3', 'x86_64'), ('grub2-pc', '0', '2.02', '13.ph3', 'x86_64'), ('guile', '0', '2.0.13', '2.ph3', 'x86_64'), ('gzip', '0', '1.9', '1.ph3', 'x86_64'), ('iana-etc', '0', '2.30', '2.ph3', 'noarch'), ('icu', '0', '61.1', '1.ph3', 'x86_64'), ('iproute2', '0', '4.18.0', '2.ph3', 'x86_64'), ('iptables', '0', '1.8.3', '1.ph3', 'x86_64'), ('js', '0', '1.8.5', '2.ph3', 'x86_64'), ('json-c', '0', '0.13.1', '1.ph3', 'x86_64'), ('json-glib', '0', '1.4.4', '1.ph3', 'x86_64'), ('kmod', '0', '25', '1.ph3', 'x86_64'), ('krb5', '0', '1.17', '1.ph3', 'x86_64'), ('libapparmor', '0', '2.13', '7.ph3', 'x86_64'), ('libarchive', '0', '3.3.3', '3.ph3', 'x86_64'), ('libassuan', '0', '2.5.1', '1.ph3', 'x86_64'), ('libcap', '0', '2.25', '8.ph3', 'x86_64'), ('libdb', '0', '5.3.28', '2.ph3', 'x86_64'), ('libffi', '0', '3.2.1', '6.ph3', 'x86_64'), ('libgcc', '0', '7.3.0', '4.ph3', 'x86_64'), ('libgcrypt', '0', '1.8.3', '2.ph3', 'x86_64'), ('libgomp', '0', '7.3.0', '4.ph3', 'x86_64'), ('libgpg-error', '0', '1.32', '1.ph3', 'x86_64'), ('libgsystem', '0', '2015.2', '2.ph3', 'x86_64'), ('libksba', '0', '1.3.5', '1.ph3', 'x86_64'), ('libltdl', '0', '2.4.6', '3.ph3', 'x86_64'), ('libmodulemd', '0', '2.4.0', '1.ph3', 'x86_64'), ('libpsl', '0', '0.20.2', '1.ph3', 'x86_64'), ('librepo', '0', '1.10.2', '1.ph3', 'x86_64'), ('libseccomp', '0', '2.4.0', '1.ph3', 'x86_64'), ('libselinux', '0', '2.8', '1.ph3', 'x86_64'), ('libsepol', '0', '2.8', '1.ph3', 'x86_64'), ('libsolv', '0', '0.6.35', '1.ph3', 'x86_64'), ('libsoup', '0', '2.64.0', '2.ph3', 'x86_64'), ('libssh2', '0', '1.9.0', '1.ph3', 'x86_64'), ('libstdc++', '0', '7.3.0', '4.ph3', 'x86_64'), ('libtasn1', '0', '4.13', '1.ph3', 'x86_64'), ('libtool', '0', '2.4.6', '3.ph3', 'x86_64'), ('libunistring', '0', '0.9.10', '1.ph3', 'x86_64'), ('libxml2', '0', '2.9.9', '1.ph3', 'x86_64'), ('libyaml', '0', '0.2.1', '2.ph3', 'x86_64'), ('linux', '0', '4.19.65', '3.ph3', 'x86_64'), ('m4', '0', '1.4.18', '2.ph3', 'x86_64'), ('mpfr', '0', '4.0.1', '1.ph3', 'x86_64'), ('ncurses', '0', '6.1', '1.ph3', 'x86_64'), ('ncurses-libs', '0', '6.1', '1.ph3', 'x86_64'), ('ncurses-terminfo', '0', '6.1', '1.ph3', 'x86_64'), ('net-tools', '0', '1.60', '11.ph3', 'x86_64'), ('nettle', '0', '3.4', '1.ph3', 'x86_64'), ('npth', '0', '1.6', '1.ph3', 'x86_64'), ('nspr', '0', '4.21', '1.ph3', 'x86_64'), ('nss-altfiles', '0', '2.23.0', '1.ph3', 'x86_64'), ('nss-libs', '0', '3.44', '2.ph3', 'x86_64'), ('openssh', '0', '7.8p1', '5.ph3', 'x86_64'), ('openssh-clients', '0', '7.8p1', '5.ph3', 'x86_64'), ('openssh-server', '0', '7.8p1', '5.ph3', 'x86_64'), ('openssl', '0', '1.0.2s', '1.ph3', 'x86_64'), ('ostree', '0', '2019.2', '1.ph3', 'x86_64'), ('ostree-grub2', '0', '2019.2', '1.ph3', 'x86_64'), ('ostree-libs', '0', '2019.2', '1.ph3', 'x86_64'), ('pcre', '0', '8.42', '1.ph3', 'x86_64'), ('pcre-libs', '0', '8.42', '1.ph3', 'x86_64'), ('photon-release', '0', '3.0', '3.ph3', 'noarch'), ('photon-repos', '0', '3.0', '3.ph3', 'noarch'), ('pinentry', '0', '1.1.0', '1.ph3', 'x86_64'), ('pkg-config', '0', '0.29.2', '2.ph3', 'x86_64'), ('polkit', '0', '0.113', '5.ph3', 'x86_64'), ('popt', '0', '1.16', '5.ph3', 'x86_64'), ('procps-ng', '0', '3.3.15', '1.ph3', 'x86_64'), ('python3', '0', '3.7.3', '2.ph3', 'x86_64'), ('python3-libs', '0', '3.7.3', '2.ph3', 'x86_64'), ('readline', '0', '7.0', '2.ph3', 'x86_64'), ('rpm-libs', '0', '4.14.2', '4.ph3', 'x86_64'), ('rpm-ostree', '0', '2019.3', '1.ph3', 'x86_64'), ('sed', '0', '4.5', '1.ph3', 'x86_64'), ('shadow', '0', '4.6', '3.ph3', 'x86_64'), ('shadow-tools', '0', '4.6', '3.ph3', 'x86_64'), ('sqlite-libs', '0', '3.27.2', '3.ph3', 'x86_64'), ('systemd', '0', '239', '13.ph3', 'x86_64'), ('util-linux', '0', '2.32', '1.ph3', 'x86_64'), ('util-linux-libs', '0', '2.32', '1.ph3', 'x86_64'), ('vim', '0', '8.1.0388', '4.ph3', 'x86_64'), ('which', '0', '2.21', '5.ph3', 'x86_64'), ('xz', '0', '5.2.4', '1.ph3', 'x86_64'), ('xz-libs', '0', '5.2.4', '1.ph3', 'x86_64'), ('zchunk', '0', '1.1.1', '1.ph3', 'x86_64'), ('zchunk-libs', '0', '1.1.1', '1.ph3', 'x86_64'), ('zlib', '0', '1.2.11', '1.ph3', 'x86_64')]>}, @ay [], @a(say) [], '', '', uint64 1567077619, [byte 0x1e, 0x0a, 0x85, 0x20, 0xa8, 0xe0, 0x18, 0x6a, 0x88, 0x15, 0xc0, 0xd9, 0xb0, 0xab, 0xc9, 0x98, 0x94, 0xa1, 0xfb, 0x0a, 0x48, 0xdf, 0xa0, 0x73, 0x32, 0x02, 0x9a, 0xdf, 0x49, 0xed, 0x13, 0x8d], [byte 0x44, 0x6a, 0x0e, 0xf1, 0x1b, 0x7c, 0xc1, 0x67, 0xf3, 0xb6, 0x03, 0xe5, 0x85, 0xc7, 0xee, 0xee, 0xb6, 0x75, 0xfa, 0xa4, 0x12, 0xd5, 0xec, 0x73, 0xf6, 0x29, 0x88, 0xeb, 0x0b, 0x6c, 0x54, 0x88])

+```

+

+## Listing file mappings

+

+This command lists the file relations between the original source Linux Photon filetree and the deployed filetree. The normal columns include file type type (regular file, directory, link), permissions in chmod octal format, userID, groupID, file size, file name. 

+```

+root@photon-host [ ~ ]# ostree ls photon/3.0/x86_64/minimal

+d00755 0 0      0 /

+l00777 0 0      0 /bin -> usr/bin

+l00777 0 0      0 /home -> var/home

+l00777 0 0      0 /lib -> usr/lib

+l00777 0 0      0 /lib64 -> usr/lib

+l00777 0 0      0 /media -> run/media

+l00777 0 0      0 /mnt -> var/mnt

+l00777 0 0      0 /opt -> var/opt

+l00777 0 0      0 /ostree -> sysroot/ostree

+l00777 0 0      0 /root -> var/roothome

+l00777 0 0      0 /sbin -> usr/sbin

+l00777 0 0      0 /srv -> var/srv

+l00777 0 0      0 /tmp -> sysroot/tmp

+d00755 0 0      0 /boot

+d00755 0 0      0 /dev

+d00755 0 0      0 /proc

+d00755 0 0      0 /run

+d00755 0 0      0 /sys

+d00755 0 0      0 /sysroot

+d00755 0 0      0 /usr

+d00755 0 0      0 /var

+```

+

+Extra columns can be added like checksum (-C) and extended attributes (-X). 

+

+```

+root@photon-host [ /usr/share/man/man1 ]# ostree ls photon/3.0/x86_64/minimal -C

+d00755 0 0      0 1e0a8520a8e0186a8815c0d9b0abc99894a1fb0a48dfa07332029adf49ed138d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /

+l00777 0 0      0 389846c2702216e1367c8dfb68326a6b93ccf5703c89c93979052a9bf359608e /bin -> usr/bin

+l00777 0 0      0 4344c10bf4931483f918496534f12ed9b50dc6a2cead35e3cd9dd898d6ac9414 /home -> var/home

+l00777 0 0      0 f11902ca9d69a80df33918534a3e443251fd0aa7f94b76301e1f55e52aed29dd /lib -> usr/lib

+l00777 0 0      0 f11902ca9d69a80df33918534a3e443251fd0aa7f94b76301e1f55e52aed29dd /lib64 -> usr/lib

+l00777 0 0      0 75317a3df11447c470ffdd63dde045450ca97dfb2a97a0f3f6a21a5da66f737c /media -> run/media

+l00777 0 0      0 97c55dbe24e8f3aecfd3f3e5b3f44646fccbb39799807d37a217e9c871da108b /mnt -> var/mnt

+l00777 0 0      0 46b1abbd27a846a9257a8d8c9fc4b384ac0888bdb8ac0d6a2d5de72715bd5092 /opt -> var/opt

+l00777 0 0      0 d37269e3f46023fd0275212473e07011894cdf4148cbf3fb5758a7e9471dad8e /ostree -> sysroot/ostree

+l00777 0 0      0 6f800e74eed172661278d1e1f09e389a6504dcd3358618e1c1618f91f9d33601 /root -> var/roothome

+l00777 0 0      0 e0bead7be9323b06bea05cb9b66eb151839989e3a4e5d1a93e09a36919e91818 /sbin -> usr/sbin

+l00777 0 0      0 5d4250bba1ed300f793fa9769474351ee5cebd71e8339078af7ebfbe6256d9b5 /srv -> var/srv

+l00777 0 0      0 364fbd62f91ca1e06eb7dbd50c93de8976f2cea633658e2dbe803ce6f7490c09 /tmp -> sysroot/tmp

+d00755 0 0      0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /boot

+d00755 0 0      0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /dev

+d00755 0 0      0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /proc

+d00755 0 0      0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /run

+d00755 0 0      0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /sys

+d00755 0 0      0 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /sysroot

+d00755 0 0      0 ef1c0980e0d77f64e7f250a3e48f0b24e9285fc0716b80520dac6f98c148324a 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /usr

+d00755 0 0      0 a3a987e053ea5a116f1e75a31cd7557fc6e57a3ae09e64171d7fea17ef71ec3e 446a0ef11b7cc167f3b603e585c7eeeeb675faa412d5ec73f62988eb0b6c5488 /var

+```

+

+By default, only the top folders are listed, but -R will list recursively. Instead of listing over 10,000 files, let's filter to just all files that contain 'rpm-ostree', 'rpmostree' or 'RpmOstree', that must belong to **rpm-ostree** package itself.

+

+```

+root@photon-host [ /usr/share/rpm-ostree ]# ostree ls photon/3.0/x86_64/minimal -R | grep -e '[Rr]pm-\?[Oo]stree'

+-00755 0 0 749000 /usr/bin/rpm-ostree

+d00755 0 0      0 /usr/bin/rpm-ostree-host

+-00644 0 0   1069 /usr/bin/rpm-ostree-host/function.inc

+-00755 0 0  10507 /usr/bin/rpm-ostree-host/mk-ostree-host.sh

+-00644 0 0    209 /usr/etc/rpm-ostreed.conf

+-00644 0 0   1530 /usr/etc/dbus-1/system.d/org.projectatomic.rpmostree1.conf

+l00777 0 0      0 /usr/lib/librpmostree-1.so.1 -> librpmostree-1.so.1.0.0

+-00755 0 0 5278496 /usr/lib/librpmostree-1.so.1.0.0

+-00644 0 0   2312 /usr/lib/girepository-1.0/RpmOstree-1.0.typelib

+-00755 0 0     22 /usr/lib/kernel/install.d/00-rpmostree-skip.install

+d00755 0 0      0 /usr/lib/rpm-ostree

+-00755 0 0 1640704 /usr/lib/rpm-ostree/libdnf.so.2

+-00644 0 0    622 /usr/lib/rpm-ostree/rpm-ostree-0-integration.conf

+d00755 0 0      0 /usr/lib/sysimage/rpm-ostree-base-db

+-00644 0 0 544768 /usr/lib/sysimage/rpm-ostree-base-db/Basenames

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Conflictname

+-00644 0 0 110592 /usr/lib/sysimage/rpm-ostree-base-db/Dirnames

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Enhancename

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Filetriggername

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Group

+-00644 0 0  12288 /usr/lib/sysimage/rpm-ostree-base-db/Installtid

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Name

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Obsoletename

+-00644 0 0 2625536 /usr/lib/sysimage/rpm-ostree-base-db/Packages

+-00644 0 0  86016 /usr/lib/sysimage/rpm-ostree-base-db/Providename

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Recommendname

+-00644 0 0  69632 /usr/lib/sysimage/rpm-ostree-base-db/Requirename

+-00644 0 0  20480 /usr/lib/sysimage/rpm-ostree-base-db/Sha1header

+-00644 0 0  16384 /usr/lib/sysimage/rpm-ostree-base-db/Sigmd5

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Suggestname

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Supplementname

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Transfiletriggername

+-00644 0 0   8192 /usr/lib/sysimage/rpm-ostree-base-db/Triggername

+-00644 0 0    263 /usr/lib/systemd/system/rpm-ostree-bootstatus.service

+-00644 0 0    257 /usr/lib/systemd/system/rpm-ostreed-automatic.service

+-00644 0 0    227 /usr/lib/systemd/system/rpm-ostreed-automatic.timer

+-00644 0 0    272 /usr/lib/systemd/system/rpm-ostreed.service

+-00644 0 0    102 /usr/lib/systemd/system-preset/40-rpm-ostree-auto.preset

+-00644 0 0    622 /usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf

+-00644 0 0   1082 /usr/lib/tmpfiles.d/rpm-ostree-1-autovar.conf

+-00755 0 0     53 /usr/libexec/rpm-ostreed

+-00644 0 0   3049 /usr/share/bash-completion/completions/rpm-ostree

+-00644 0 0  15997 /usr/share/dbus-1/interfaces/org.projectatomic.rpmostree1.xml

+-00644 0 0    133 /usr/share/dbus-1/system-services/org.projectatomic.rpmostree1.service

+-00644 0 0   6160 /usr/share/polkit-1/actions/org.projectatomic.rpmostree1.policy

+d00755 0 0      0 /usr/share/rpm-ostree

+-00644 0 0   1169 /usr/share/rpm-ostree/treefile.json

+```

+

+**atomic** is really an alias for rpm-ostree command. The last file **treefile.json** is not installed by the rpm-ostree package, it is actually downloaded from the server, as we will see in the next chapter. For now, let us notice **"osname" : "photon",  "ref" : "photon/1.0/x86_64/minimal",  "automatic_version_prefix" : "1.0_minimal"**, that matches what we have known so far, and also the **"documentation" : false** setting, that explains why there are no manual files installed for rpm-ostree, and in fact for any package.

+

+```

+root@photon-host [ /usr/share/rpm-ostree ]# ls -l /usr/share/man/man1 

+total 0

+```

+

+## Listing configuration changes

+

+To diff the current /etc configuration versus default /etc (from the base image), this command will show the **M**odified, **A**dded and **D**eleted files:

+```

+root@photon-host [ ~ ]# ostree admin config-diff

+M    ssh/sshd_config

+M    machine-id

+M    fstab

+M    hosts

+M    mtab

+M    shadow

+A    ssh/ssh_host_rsa_key

+A    ssh/ssh_host_rsa_key.pub

+A    ssh/ssh_host_dsa_key

+A    ssh/ssh_host_dsa_key.pub

+A    ssh/ssh_host_ecdsa_key

+A    ssh/ssh_host_ecdsa_key.pub

+A    ssh/ssh_host_ed25519_key

+A    ssh/ssh_host_ed25519_key.pub

+A    udev/hwdb.bin

+A    resolv.conf

+A    hostname

+A    localtime

+A    .pwd.lock

+A    .updated

+```

+

+## Listing packages

+

+The following is the rpm-ostree command that lists all the packages for that branch, extracted from RPM database.   

+```

+root@photon-host [ ~ ]# rpm-ostree db list photon/3.0/x86_64/minimal

+ostree commit: photon/3.0/x86_64/minimal (a31a843985e314a9e70bcf09afe8d59f7351817d9fb743c2b6dab84f20833650)

+ Linux-PAM-1.3.0-1.ph3.x86_64

+ attr-2.4.48-1.ph3.x86_64

+ autogen-libopts-5.18.16-1.ph3.x86_64

+ bash-4.4.18-1.ph3.x86_64

+ bc-1.07.1-1.ph3.x86_64

+ binutils-2.31.1-6.ph3.x86_64

+ bridge-utils-1.6-1.ph3.x86_64

+ bubblewrap-0.3.0-2.ph3.x86_64

+ bzip2-1.0.6-10.ph3.x86_64

+ bzip2-libs-1.0.6-10.ph3.x86_64

+ ca-certificates-20190521-1.ph3.x86_64

+ ca-certificates-pki-20190521-1.ph3.x86_64

+ coreutils-8.30-1.ph3.x86_64

+ cpio-2.12-4.ph3.x86_64

+ cracklib-2.9.6-8.ph3.x86_64

+ cracklib-dicts-2.9.6-8.ph3.x86_64

+ curl-7.61.1-4.ph3.x86_64

+ curl-libs-7.61.1-4.ph3.x86_64

+ dbus-1.13.6-1.ph3.x86_64

+ device-mapper-2.02.181-1.ph3.x86_64

+ device-mapper-libs-2.02.181-1.ph3.x86_64

+ docker-18.06.2-3.ph3.x86_64

+ dracut-048-1.ph3.x86_64

+ dracut-tools-048-1.ph3.x86_64

+ e2fsprogs-libs-1.44.3-2.ph3.x86_64

+ elfutils-0.176-1.ph3.x86_64

+ elfutils-libelf-0.176-1.ph3.x86_64

+ expat-2.2.6-2.ph3.x86_64

+ expat-libs-2.2.6-2.ph3.x86_64

+ file-5.34-1.ph3.x86_64

+ file-libs-5.34-1.ph3.x86_64

+ filesystem-1.1-4.ph3.x86_64

+ findutils-4.6.0-5.ph3.x86_64

+ flex-2.6.4-2.ph3.x86_64

+ fuse-2.9.7-5.ph3.x86_64

+ gc-8.0.0-1.ph3.x86_64

+ glib-2.58.0-4.ph3.x86_64

+ glib-networking-2.59.1-2.ph3.x86_64

+ glibc-2.28-4.ph3.x86_64

+ glibc-iconv-2.28-4.ph3.x86_64

+ gmp-6.1.2-2.ph3.x86_64

+ gnupg-2.2.17-1.ph3.x86_64

+ gnutls-3.6.3-3.ph3.x86_64

+ gobject-introspection-1.58.0-2.ph3.x86_64

+ gpgme-1.11.1-2.ph3.x86_64

+ grep-3.1-1.ph3.x86_64

+ grub2-2.02-13.ph3.x86_64

+ grub2-efi-2.02-13.ph3.x86_64

+ grub2-pc-2.02-13.ph3.x86_64

+ guile-2.0.13-2.ph3.x86_64

+ gzip-1.9-1.ph3.x86_64

+ iana-etc-2.30-2.ph3.noarch

+ icu-61.1-1.ph3.x86_64

+ iproute2-4.18.0-2.ph3.x86_64

+ iptables-1.8.3-1.ph3.x86_64

+ js-1.8.5-2.ph3.x86_64

+ json-c-0.13.1-1.ph3.x86_64

+ json-glib-1.4.4-1.ph3.x86_64

+ kmod-25-1.ph3.x86_64

+ krb5-1.17-1.ph3.x86_64

+ libapparmor-2.13-7.ph3.x86_64

+ libarchive-3.3.3-3.ph3.x86_64

+ libassuan-2.5.1-1.ph3.x86_64

+ libcap-2.25-8.ph3.x86_64

+ libdb-5.3.28-2.ph3.x86_64

+ libffi-3.2.1-6.ph3.x86_64

+ libgcc-7.3.0-4.ph3.x86_64

+ libgcrypt-1.8.3-2.ph3.x86_64

+ libgomp-7.3.0-4.ph3.x86_64

+ libgpg-error-1.32-1.ph3.x86_64

+ libgsystem-2015.2-2.ph3.x86_64

+ libksba-1.3.5-1.ph3.x86_64

+ libltdl-2.4.6-3.ph3.x86_64

+ libmodulemd-2.4.0-1.ph3.x86_64

+ libpsl-0.20.2-1.ph3.x86_64

+ librepo-1.10.2-1.ph3.x86_64

+ libseccomp-2.4.0-1.ph3.x86_64

+ libselinux-2.8-1.ph3.x86_64

+ libsepol-2.8-1.ph3.x86_64

+ libsolv-0.6.35-1.ph3.x86_64

+ libsoup-2.64.0-2.ph3.x86_64

+ libssh2-1.9.0-1.ph3.x86_64

+ libstdc++-7.3.0-4.ph3.x86_64

+ libtasn1-4.13-1.ph3.x86_64

+ libtool-2.4.6-3.ph3.x86_64

+ libunistring-0.9.10-1.ph3.x86_64

+ libxml2-2.9.9-1.ph3.x86_64

+ libyaml-0.2.1-2.ph3.x86_64

+ linux-4.19.65-3.ph3.x86_64

+ m4-1.4.18-2.ph3.x86_64

+ mpfr-4.0.1-1.ph3.x86_64

+ ncurses-6.1-1.ph3.x86_64

+ ncurses-libs-6.1-1.ph3.x86_64

+ ncurses-terminfo-6.1-1.ph3.x86_64

+ net-tools-1.60-11.ph3.x86_64

+ nettle-3.4-1.ph3.x86_64

+ npth-1.6-1.ph3.x86_64

+ nspr-4.21-1.ph3.x86_64