bootc-dev · evan-goode · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026
diff --git a/crates/initramfs/src/lib.rs b/crates/initramfs/src/lib.rs
@@ -217,6 +217,7 @@ fn overlay_state(
     state: impl AsFd,
     source: &str,
     mode: Option<rustix::fs::Mode>,
+    mount_attr_flags: Option<MountAttrFlags>,
 ) -> Result<()> {
     let upper = ensure_dir(state.as_fd(), "upper", mode)?;
     let work = ensure_dir(state.as_fd(), "work", mode)?;
@@ -230,16 +231,26 @@ fn overlay_state(
     let fs = fsmount(
         overlayfs.as_fd(),
         FsMountFlags::FSMOUNT_CLOEXEC,
-        MountAttrFlags::empty(),
+        mount_attr_flags.unwrap_or(MountAttrFlags::empty()),
     )?;
 
     mount_at_wrapper(fs, base, ".").context("Moving mount")
 }
 
 /// Mounts a transient overlayfs with passed in fd as the lowerdir
 #[context("Mounting transient overlayfs")]
-pub fn overlay_transient(base: impl AsFd, mode: Option<rustix::fs::Mode>) -> Result<()> {
-    overlay_state(base, prepare_mount(mount_tmpfs()?)?, "transient", mode)
+pub fn overlay_transient(
+    base: impl AsFd,
+    mode: Option<rustix::fs::Mode>,
+    mount_attr_flags: Option<MountAttrFlags>,
+) -> Result<()> {
+    overlay_state(
+        base,
+        prepare_mount(mount_tmpfs()?)?,
+        "transient",
+        mode,
+        mount_attr_flags,
+    )
 }
 
 #[context("Opening rootfs")]
@@ -307,8 +318,9 @@ pub fn mount_subdir(
             open_dir(&state, subdir)?,
             "overlay",
             None,
+            None,
         ),
-        MountType::Transient => overlay_transient(open_dir(&new_root, subdir)?, None),
+        MountType::Transient => overlay_transient(open_dir(&new_root, subdir)?, None, None),
     }
 }
 
@@ -371,7 +383,7 @@ pub fn setup_root(args: Args) -> Result<()> {
     }
 
     if config.root.transient {
-        overlay_transient(&new_root, None)?;
+        overlay_transient(&new_root, None, None)?;
     }
 
     match composefs::mount::mount_at(&sysroot_clone, &new_root, "sysroot") {

diff --git a/crates/lib/src/bootc_composefs/state.rs b/crates/lib/src/bootc_composefs/state.rs
@@ -20,6 +20,7 @@ use ostree_ext::container::deploy::ORIGIN_CONTAINER;
 use rustix::{
     fd::AsFd,
     fs::{Mode, OFlags, StatVfsMountFlags, open},
+    mount::MountAttrFlags,
     path::Arg,
 };
 
@@ -329,7 +330,7 @@ pub(crate) async fn write_composefs_state(
     Ok(())
 }
 
-pub(crate) fn composefs_usr_overlay() -> Result<()> {
+pub(crate) fn composefs_usr_overlay(access_mode: FilesystemOverlayAccessMode) -> Result<()> {
     let status = get_composefs_usr_overlay_status()?;
     if status.is_some() {
         println!("An overlayfs is already mounted on /usr");
@@ -342,9 +343,14 @@ pub(crate) fn composefs_usr_overlay() -> Result<()> {
     let usr_metadata = usr.metadata(".").context("Getting /usr metadata")?;
     let usr_mode = Mode::from_raw_mode(usr_metadata.permissions().mode());
 
-    overlay_transient(usr, Some(usr_mode))?;
+    let mount_attr_flags = match access_mode {
+        FilesystemOverlayAccessMode::ReadOnly => Some(MountAttrFlags::MOUNT_ATTR_RDONLY),
+        FilesystemOverlayAccessMode::ReadWrite => None,
+    };
 
-    println!("A writeable overlayfs is now mounted on /usr");
+    overlay_transient(usr, Some(usr_mode), mount_attr_flags)?;
+
+    println!("A {} overlayfs is now mounted on /usr", access_mode);
     println!("All changes there will be discarded on reboot.");
 
     Ok(())

diff --git a/crates/lib/src/cli.rs b/crates/lib/src/cli.rs
@@ -46,6 +46,7 @@ use crate::bootc_composefs::{
 use crate::deploy::{MergeState, RequiredHostSpec};
 use crate::podstorage::set_additional_image_store;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
+use crate::spec::FilesystemOverlayAccessMode;
 use crate::spec::Host;
 use crate::spec::ImageReference;
 use crate::status::get_host;
@@ -261,6 +262,16 @@ pub(crate) struct StatusOpts {
     pub(crate) verbose: bool,
 }
 
+/// Add a transient overlayfs on /usr
+#[derive(Debug, Parser, PartialEq, Eq)]
+pub(crate) struct UsrOverlayOpts {
+    /// Mount the overlayfs as read-only. A read-only overlayfs is useful since it may be remounted
+    /// as read/write in a private mount namespace and written to while the mount point remains
+    /// read-only to the rest of the system.
+    #[clap(long)]
+    pub(crate) read_only: bool,
+}
+
 #[derive(Debug, clap::Subcommand, PartialEq, Eq)]
 pub(crate) enum InstallOpts {
     /// Install to the target block device.
@@ -741,11 +752,11 @@ pub(crate) enum Opt {
     ///
     /// Shows bootc system state. Outputs YAML by default, human-readable if terminal detected.
     Status(StatusOpts),
-    /// Add a transient writable overlayfs on `/usr`.
+    /// Add a transient overlayfs on `/usr`.
     ///
     /// Allows temporary package installation that will be discarded on reboot.
     #[clap(alias = "usroverlay")]
-    UsrOverlay,
+    UsrOverlay(UsrOverlayOpts),
     /// Install the running container to a target.
     ///
     /// Takes a container image and installs it to disk in a bootable format.
@@ -1402,13 +1413,16 @@ async fn edit(opts: EditOpts) -> Result<()> {
 }
 
 /// Implementation of `bootc usroverlay`
-async fn usroverlay() -> Result<()> {
+async fn usroverlay(access_mode: FilesystemOverlayAccessMode) -> Result<()> {
     // This is just a pass-through today.  At some point we may make this a libostree API
     // or even oxidize it.
-    Err(Command::new("ostree")
-        .args(["admin", "unlock"])
-        .exec()
-        .into())
+    let args = match access_mode {
+        // In this context, "--transient" means "read-only overlay"
+        FilesystemOverlayAccessMode::ReadOnly => ["admin", "unlock", "--transient"].as_slice(),
+
+        FilesystemOverlayAccessMode::ReadWrite => ["admin", "unlock"].as_slice(),
+    };
-    let args = match access_mode {
-        // In this context, "--transient" means "read-only overlay"
-        FilesystemOverlayAccessMode::ReadOnly => ["admin", "unlock", "--transient"].as_slice(),
-
-        FilesystemOverlayAccessMode::ReadWrite => ["admin", "unlock"].as_slice(),
-    };
+    let args: &[&str] = if access_mode == FilesystemOverlayAccessMode::ReadOnly {
+        // In this context, "--transient" means "read-only overlay"
+        &["admin", "unlock", "--transient"]
+    } else {
+        &["admin", "unlock"]
+    };
-    let args = match access_mode {
-        // In this context, "--transient" means "read-only overlay"
-        FilesystemOverlayAccessMode::ReadOnly => ["admin", "unlock", "--transient"].as_slice(),
-
-        FilesystemOverlayAccessMode::ReadWrite => ["admin", "unlock"].as_slice(),
-    };
+    let args: &[&str] = if access_mode == FilesystemOverlayAccessMode::ReadOnly {
+        // In this context, "--transient" means "read-only overlay"
+        &["admin", "unlock", "--transient"]
+    } else {
+        &["admin", "unlock"]
+    };
+    Err(Command::new("ostree").args(args).exec().into())
 }
 
 /// Perform process global initialization. This should be called as early as possible
@@ -1519,12 +1533,17 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
             Ok(())
         }
         Opt::Edit(opts) => edit(opts).await,
-        Opt::UsrOverlay => {
+        Opt::UsrOverlay(opts) => {
             use crate::store::Environment;
             let env = Environment::detect()?;
+            let access_mode = if opts.read_only {
+                FilesystemOverlayAccessMode::ReadOnly
+            } else {
+                FilesystemOverlayAccessMode::ReadWrite
+            };
             match env {
-                Environment::OstreeBooted => usroverlay().await,
-                Environment::ComposefsBooted(_) => composefs_usr_overlay(),
+                Environment::OstreeBooted => usroverlay(access_mode).await,
+                Environment::ComposefsBooted(_) => composefs_usr_overlay(access_mode),
                 _ => anyhow::bail!("usroverlay only applies on booted hosts"),
             }
         }

diff --git a/docs/src/host-v1.schema.json b/docs/src/host-v1.schema.json
@@ -30,7 +30,8 @@
         "rollback": null,
         "rollbackQueued": false,
         "staged": null,
-        "type": null
+        "type": null,
+        "usrOverlay": null
       }
     }
   },
@@ -220,6 +221,54 @@
         }
       ]
     },
+    "FilesystemOverlay": {
+      "description": "Details of an overlay filesystem: read-only or read/write, persistent or transient.",
+      "type": "object",
+      "properties": {
+        "accessMode": {
+          "description": "Whether the overlay is read-only or read/write",
+          "$ref": "#/$defs/FilesystemOverlayAccessMode"
+        },
+        "persistence": {
+          "description": "Whether the overlay will persist across reboots",
+          "$ref": "#/$defs/FilesystemOverlayPersistence"
+        }
+      },
+      "required": [
+        "accessMode",
+        "persistence"
+      ]
+    },
+    "FilesystemOverlayAccessMode": {
+      "description": "The permissions mode of a /usr overlay",
+      "oneOf": [
+        {
+          "description": "The overlay is mounted read-only",
+          "type": "string",
+          "const": "readOnly"
+        },
+        {
+          "description": "The overlay is mounted read/write",
+          "type": "string",
+          "const": "readWrite"
+        }
+      ]
+    },
+    "FilesystemOverlayPersistence": {
+      "description": "The persistence mode of a /usr overlay",
+      "oneOf": [
+        {
+          "description": "Changes are temporary and will be lost on reboot",
+          "type": "string",
+          "const": "transient"
+        },
+        {
+          "description": "Changes persist across reboots",
+          "type": "string",
+          "const": "persistent"
+        }
+      ]
+    },
     "HostSpec": {
       "description": "The host specification",
       "type": "object",
@@ -301,6 +350,17 @@
               "type": "null"
             }
           ]
+        },
+        "usrOverlay": {
+          "description": "The state of the overlay mounted on /usr",
+          "anyOf": [
+            {
+              "$ref": "#/$defs/FilesystemOverlay"
+            },
+            {
+              "type": "null"
+            }
+          ]
         }
       }
     },

diff --git a/docs/src/man/bootc-container-ukify.8.md b/docs/src/man/bootc-container-ukify.8.md
@@ -27,6 +27,10 @@ Any additional arguments after `--` are passed through to ukify unchanged.
 
     Default: /
 
+**--allow-missing-verity**
+
+    Make fs-verity validation optional in case the filesystem doesn't support it
+
 <!-- END GENERATED OPTIONS -->
 
 # EXAMPLES

diff --git a/docs/src/man/bootc-install-to-disk.8.md b/docs/src/man/bootc-install-to-disk.8.md
@@ -165,7 +165,7 @@ its DPS type GUID, without requiring an explicit `root=` kernel argument.
 
     Default: false
 
-**--insecure**
+**--allow-missing-verity**
 
     Make fs-verity validation optional in case the filesystem doesn't support it
 

diff --git a/docs/src/man/bootc-install-to-existing-root.8.md b/docs/src/man/bootc-install-to-existing-root.8.md
@@ -225,7 +225,7 @@ of migrating the fstab entries. See the "Injecting kernel arguments" section abo
 
     Default: false
 
-**--insecure**
+**--allow-missing-verity**
 
     Make fs-verity validation optional in case the filesystem doesn't support it
 

diff --git a/docs/src/man/bootc-install-to-filesystem.8.md b/docs/src/man/bootc-install-to-filesystem.8.md
@@ -125,7 +125,7 @@ is currently expected to be empty by default.
 
     Default: false
 
-**--insecure**
+**--allow-missing-verity**
 
     Make fs-verity validation optional in case the filesystem doesn't support it
 

diff --git a/docs/src/man/bootc-usr-overlay.8.md b/docs/src/man/bootc-usr-overlay.8.md
@@ -1,16 +1,16 @@
 # NAME
 
-bootc-usr-overlay - Adds a transient writable overlayfs on `/usr` that
-will be discarded on reboot
+bootc-usr-overlay - Adds a transient overlayfs on `/usr` that will be discarded
+on reboot
 
 # SYNOPSIS
 
 **bootc usr-overlay** \[*OPTIONS...*\]
 
 # DESCRIPTION
 
-Adds a transient writable overlayfs on `/usr` that will be discarded
-on reboot.
+Adds a transient overlayfs on `/usr` that will be discarded on reboot. The
+overlayfs is read/write by default.
 
 ## USE CASES
 
@@ -31,7 +31,13 @@ Almost always, a system process will hold a reference to the open mount
 point. You can however invoke `umount -l /usr` to perform a "lazy
 unmount".
 
+# OPTIONS
+
 <!-- BEGIN GENERATED OPTIONS -->
+**--read-only**
+
+    Mount the overlayfs as read-only. A read-only overlayfs is useful since it may be remounted as read/write in a private mount namespace and written to while the mount point remains read-only to the rest of the system
+
 <!-- END GENERATED OPTIONS -->
 
 # VERSION

diff --git a/docs/src/man/bootc.8.md b/docs/src/man/bootc.8.md
@@ -30,7 +30,7 @@ pulled and `bootc upgrade`.
 | **bootc rollback** | Change the bootloader entry ordering; the deployment under `rollback` will be queued for the next boot, and the current will become rollback.  If there is a `staged` entry (an unapplied, queued upgrade) then it will be discarded |
 | **bootc edit** | Apply full changes to the host specification |
 | **bootc status** | Display status |
-| **bootc usr-overlay** | Add a transient writable overlayfs on `/usr` |
+| **bootc usr-overlay** | Add a transient overlayfs on `/usr` |
 | **bootc install** | Install the running container to a target |
 | **bootc container** | Operations which can be executed as part of a container build |
 | **bootc composefs-finalize-staged** |  |

diff --git a/tmt/plans/integration.fmf b/tmt/plans/integration.fmf
@@ -182,8 +182,15 @@ execute:
     test:
       - /tmt/tests/tests/test-34-user-agent
 
+/plan-35-upgrade-preflight-disk-check:
+  summary: Verify pre-flight disk space check rejects images with inflated layer sizes
+  discover:
+    how: fmf
+    test:
+      - /tmt/tests/tests/test-35-upgrade-preflight-disk-check
+
 /plan-36-rollback:
-  summary: Test bootc rollback functionality through image switch and rollback cycle
+  summary: Test bootc rollback functionality
   discover:
     how: fmf
     test: