What is Fedora libostree (Silverblue/Kinoite/Sericea)?
Fedora Linux’s libostree variants such as Fedora Silverblue (GNOME desktop environment) and Fedora Kinoite (KDE desktop environment) as well as Fedora Sericea (Sway window manager) are new variants of Fedora Linux that use the rpm-ostree command to perform atomic upgrades.
Consider a normal Fedora Linux installation. During an upgrade, a package manager such as DNF grabs the packages, combines them then installs them on your system. A libostree or “image-based” OS, on the other hand, is an immutable system. It fetches the image and “layers” it on top of the current one during an upgrade, providing more robust and reliable system upgrades.
“It is immutable, so you can’t change it?” Not quite: there are parts of the system you can change, and workarounds for the rest, although it is not as customizable as Fedora Workstation. This article describes modifications and setup steps that you can apply to Fedora Silverblue to optimize and customize it.
Notes
I highly suggest avoiding layering as much as possible to the system image. Furthermore, I encourage you to read the information above the command first before execution. Moreover, I also suggest not rebooting unless said so, since this will make the process lengthy as opposed to how long it should be.
It is also noted that not every step is necessary, although it can be beneficial or may be some use later. I also highly recommend the cheatsheet that Fedora’s Team Silverblue provided, which you can get here:
You can also obtain the files and scripts in my GitHub repo here.
First libostree Post-Installation Tasks
There are some basic tasks that you should do after the first boot.
System Update
After installation, you may have an outdated system, depending on how far you were from the current release, so the first thing to do is to upgrade the system:
flatpak upgrade
Flatpaks are updated first since GNOME Software automatically calls rpm-ostree upgrade after booting up. Although you can check the upgrades with:
rpm-ostree upgrade --check
or
rpm-ostree upgrade --preview
Mount External Drives
If you have an external drive, you can mount it with:
sudo mount /dev/sdX <dir>
You can find the drive using lsblk or fdisk -l.
If you want to automatically mount the drives on boot, you can modify /etc/fstab. You will need the UUID of the device, which you can find with lsblk -f, and its mount point (<dir>). Then you can add the new entry to fstab in this format:
UUID=<uuid> [TAB] <dir> [TAB] <filesystem_format> [SPACE] <options> [SPACE] <dump> [SPACE] <fsck>
Here, I suggest using defaults for options, 0 for dump and fsck to disable the checking during boot to avoid increasing the boot time and potential errors upon failure of the drive. For further information, ArchWiki provides comprehensive fstab documentation. Be sure to input the correct UUID or your system might not boot.
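Because a wrong UUID in fstab can stop the system from booting, it helps to build the line from a UUID the system actually reports. The following is an added example, not part of the original article; make_fstab_line and the sample UUIDs are hypothetical, and the UUID list stands in for the output of lsblk -rno UUID:

```shell
#!/bin/sh
# Added example (not from the original article): refuse to emit an fstab
# line unless the UUID is one the system actually reports.

# CONSTRUCTED stand-in for the output of `lsblk -rno UUID` (one UUID per line).
SAMPLE_UUIDS='1b2c3d4e-0000-4000-8000-aabbccddeeff
6A1F-09C2'

# make_fstab_line UUID DIR FSTYPE [KNOWN_UUIDS]
make_fstab_line() {
    uuid=$1; dir=$2; fstype=$3; known=${4:-$SAMPLE_UUIDS}
    if [ -z "$uuid" ]; then
        echo "empty UUID" >&2
        return 1
    fi
    case $dir in
        *" "*) echo "mount point contains a space: $dir" >&2; return 1 ;;
        /*) ;;
        *) echo "mount point must be an absolute path: $dir" >&2; return 1 ;;
    esac
    # -x: whole-line match, -F: literal string, so a truncated UUID fails
    if ! printf '%s\n' "$known" | grep -qxF -e "$uuid"; then
        echo "UUID not reported by lsblk: $uuid" >&2
        return 1
    fi
    # Field layout from the article: TAB, TAB, then single spaces
    printf 'UUID=%s\t%s\t%s defaults 0 0\n' "$uuid" "$dir" "$fstype"
}

# Demo with the constructed sample list
make_fstab_line 6A1F-09C2 /mnt/backup vfat
```

On a real system, pass "$(lsblk -rno UUID)" as the fourth argument, and run sudo findmnt --verify after editing /etc/fstab to have the whole file checked before you reboot.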
Third-Party Repositories
Flatpak Setup
Fedora has its own Flatpak repository where it filters some of the applications, hence, I suggest installing Flathub which comes with more applications including the proprietary ones:
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
After this, do the first reboot.
Reinstalling Versioned Third-Party Repositories
Versioned third-party repository packages that rely on a given Fedora release can cause problems during a major version upgrade, hence I recommend replacing them with non-versioned ones.
rpm-ostree update --uninstall <versioned-third-party-repo> --uninstall <versioned-third-party-repo> --install <unversioned-third-party-repo> --install <unversioned-third-party-repo>
You can include as many --uninstall <versioned-third-party-repo> and --install <unversioned-third-party-repo> as needed. Then do the second reboot.
Codecs and Drivers
OpenH264 or ffmpeg-libs
Fedora disables the automatic install of openh264 by default, for this reason:
Upstream Firefox versions download and install the OpenH264 plugin by default automatically. Due to its binary nature, Fedora disables this automatic download.
https://fedoraproject.org/wiki/OpenH264
But you can still install it manually with:
rpm-ostree install mozilla-openh264 gstreamer1-plugin-openh264
Upon reboot, open Firefox and press Ctrl + Shift + A then enable the OpenH264 Plugins.
Flatpak Modifications
Flatpaks are sandboxed and they may not work as expected. These are some solutions to the errors that might arise.
Theming on libostree systems
Since Flatpaks are sandboxed, they cannot access the GTK theme you’ve installed in your system. One solution is to install the Flatpak version of the GTK theme you are using, which you can find with:
flatpak search gtk3
Or override the themes directory which depends on how the theme was installed:
# choose one, you can do all of them but I don't recommend doing it
# if installed in home dir
sudo flatpak override --system --filesystem=$HOME/.themes
# if layered in your system
sudo flatpak override --system --filesystem=/usr/share/themes
# or whatever
sudo flatpak override --system --filesystem=xdg-data/themes
Permissions on libostree systems
As another Reddit user (u/IceOleg) suggested, you can disable the access to home and host dir with:
flatpak override --user --nofilesystem=home
flatpak override --user --nofilesystem=host
The home and host directories can be given back to some applications that might need it later on. Managing Flatpak permissions in the command line can be tedious. Hence, I and u/GunnarRoxen recommend installing Flatseal, which is a good utility for managing permissions:
flatpak install flathub com.github.tchx84.Flatseal
If you do not want all of the modifications made, you can reset the changes with:
sudo flatpak override --system --reset
You can also remove the --system flag and use --user instead for user-wide changes, but in this case do not use sudo. It is also possible to reset changes for a specific app with:
flatpak override --reset <app>
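After handing home or host back to a few applications, it is easy to lose track of which ones have it. The following is an added example, not part of the original article, that scans Flatpak override files for grants that are not negated. The function names and the org.example.* app IDs are hypothetical, and the sample files are constructed:

```shell
#!/bin/sh
# Added example (not from the original article): list Flatpak override files
# that still grant access to the home or host filesystem.

# Build a throwaway directory of CONSTRUCTED override files for the demo.
# The app IDs org.example.* are made up.
make_sample_overrides() {
    d=$(mktemp -d)
    # What the two --nofilesystem commands above store ("!" means denied)
    printf '[Context]\nfilesystems=!home;!host;\n' > "$d/global"
    # An app that was later handed read-only access to home again
    printf '[Context]\nfilesystems=home:ro;xdg-data/themes;\n' \
        > "$d/org.example.Editor"
    # An app with only a narrow grant and an environment override
    printf '[Context]\nfilesystems=!host;xdg-download;\n\n[Environment]\nGTK_THEME=Adwaita\n' \
        > "$d/org.example.Viewer"
    echo "$d"
}

# Print "<file>: <entry>" for each non-negated home/host grant in DIR.
audit_overrides() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v name="$(basename "$f")" '
            /^\[/ { in_ctx = ($0 == "[Context]"); next }
            in_ctx && /^filesystems=/ {
                sub(/^filesystems=/, "")
                n = split($0, items, ";")
                for (i = 1; i <= n; i++) {
                    entry = items[i]
                    if (entry == "" || substr(entry, 1, 1) == "!") continue
                    base = entry
                    sub(/:(ro|rw|create)$/, "", base)   # strip access suffix
                    if (base == "home" || base == "host") print name ": " entry
                }
            }' "$f"
    done
}

# With no argument, run against the constructed sample directory.
audit_overrides "${1:-$(make_sample_overrides)}"
```

Flatpak keeps user overrides in $HOME/.local/share/flatpak/overrides and system overrides in /var/lib/flatpak/overrides; pass either directory as the argument. This only covers overrides, so permissions requested by an application's own manifest still need to be reviewed in Flatseal.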
Theming Extended
In some cases where themes do not apply (especially GTK4), you can force it by including it in $HOME/.profile and in the settings (settings.ini):
Do not copy and execute the below command. Replace <theme_name> with the name of the theme. One of the things I’ve learned is to not mindlessly copy and paste commands from the internet, especially long and suspicious commands.
echo "export GTK_THEME=<theme_name>" >> $HOME/.profile; if [ ! -d $HOME/.config/environment.d/ ]; then mkdir -p $HOME/.config/environment.d/; fi; echo "GTK_THEME=<theme_name>" >> $HOME/.config/environment.d/gtk_theme.conf; echo "GTK_THEME=<theme_name>" >> $HOME/.config/gtk-4.0/settings.ini
Explanation
The very long command above is a one-liner version of a script that will write “export GTK_THEME=theme_name” to $HOME/.profile:
echo "export GTK_THEME=<theme_name>" >> $HOME/.profile
Then create $HOME/.config/environment.d/gtk_theme.conf file:
# create the directory only if it does not exist yet
if [ ! -d $HOME/.config/environment.d/ ]; then
    mkdir -p $HOME/.config/environment.d/
fi
echo "GTK_THEME=<theme_name>" >> $HOME/.config/environment.d/gtk_theme.conf
This creates the directory if it is missing and appends “GTK_THEME=<theme_name>” to the end of gtk_theme.conf. Finally, the last command in the one-liner appends GTK_THEME=<theme_name> to the settings.ini config.
Extreme Method
If all of the other methods failed, you can do this as a last resort:
sudo flatpak override --system --env=GTK_THEME='<theme_name>'
libostree System Optimizations
Disabling NetworkManager-wait-online.service
One of the main contributors to long boot times, especially if you do not always have an internet connection, is NetworkManager-wait-online.service. It can take from 10 seconds to a minute or two, but you can also disable it since:
[The NetworkManager-wait-online] service simply waits, doing absolutely nothing, until the network is connected, and when this happens, it changes its state so that other services that depend on the network can be launched to start doing their thing.
https://askubuntu.com/questions/1018576/what-does-networkmanager-wait-online-service-do/1133545#1133545
In some multi-user environments, part of the boot-up process can come from the network. For this case, systemd defaults to waiting for the network to come online before taking certain steps. Disabling the service can decrease the boot time by at least 15 to 20 seconds or a minute:
sudo systemctl disable NetworkManager-wait-online.service
Masking it is not recommended, since, as explained by u/chrisawi:
… wait-online services are WantedBy=network-online.target, so they do nothing unless another service explicitly pulls that target in because it can’t handle starting before the network is up. The nfs services are a typical example, see: systemctl list-dependencies --reverse network-online.target. It might be better to disable such services than to leave them potentially broken.
https://www.reddit.com/r/Fedora/comments/zkp5y4/comment/j00xfdh/?utm_source=share&utm_medium=web2x&context=3
Removing Unnecessary GNOME Flatpaks from libostree systems
Not all of the pre-installed applications are necessary thus you can safely remove some of them. You can completely remove a Flatpak with:
flatpak uninstall --system --delete-data <app>
Here are some of the pre-installed Flatpaks that you can remove:
- Calculator: org.gnome.Calculator
- Calendar: org.gnome.Calendar
- Connections: org.gnome.Connections
- Contacts: org.gnome.Contacts
- PDF reader: org.gnome.Evince
- Logs: org.gnome.Logs
- Maps: org.gnome.Maps
- Weather: org.gnome.Weather
- Disk usage analyzer: org.gnome.baobab
Disable Gnome Software on libostree systems
By default, GNOME Software autostarts to invoke rpm-ostree upgrade --check, which takes from 100MB up to 900MB of RAM. You can remove it from the autostart in /etc/xdg/autostart/org.gnome.Software.desktop with:
sudo rm /etc/xdg/autostart/org.gnome.Software.desktop
Disable dm-crypt workqueues for SSD users to improve performance on libostree systems
Quoting the Arch Wiki:
Solid state drive users should be aware that, by default, discarding internal read and write workqueue commands are not enabled by the device-mapper, i.e. block-devices are mounted without the no_read_workqueue and no_write_workqueue option unless you override the default.
https://wiki.archlinux.org/title/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance
The no_read_workqueue and no_write_workqueue flags were introduced by internal Cloudflare research Speeding up Linux disk encryption made while investigating overall encryption performance. One of the conclusions is that internal dm-crypt read and write queues decrease performance for SSD drives. While queuing disk operations makes sense for spinning drives, bypassing the queue and writing data synchronously doubled the throughput and cut the SSD drives’ IO await operations latency in half. The patches were upstreamed and are available since linux 5.9 and up [5].
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/md/dm-crypt.c?id=39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877
The same changes were proposed to be the default for Fedora Silverblue (fedora-silverblue/issue-tracker#338). Although that proposal is still open as tracked in Red Hat’s Bugzilla, it has also been the default in Linux zen-kernel since this commit.
There are two ways to disable this in Fedora Silverblue:
Option A: /etc/crypttab
I do not recommend this method, but if you want to use it, you can replace the “discard” option in /etc/crypttab with no-read-workqueue,no-write-workqueue. The output of sudo cat /etc/crypttab should look like this:
luks-UUID UUID=<uuid> none no-read-workqueue,no-write-workqueue
Then do the fourth reboot.
Option B: Cryptsetup
Fedora Linux uses LUKS2, hence I recommend using cryptsetup. To begin, find the device with lsblk -p. The encrypted partition is the one that contains an entry named /dev/mapper/luks-<uuid>, for example:
❯ lsblk -p
NAME                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
/dev/zram0                    252:0    0   7.5G  0 disk  [SWAP]
/dev/nvme0n1                  259:0    0 476.9G  0 disk
├─/dev/nvme0n1p1              259:1    0   600M  0 part  /boot/efi
├─/dev/nvme0n1p2              259:2    0     1G  0 part  /boot
└─/dev/nvme0n1p3              259:3    0 475.4G  0 part
  └─/dev/mapper/luks-<uuid>   253:0    0 475.3G  0 crypt /var/home
...
In my case it is the /dev/nvme0n1p3. Then verify it with:
sudo cryptsetup isLuks /dev/<device> && echo SUCCESS
Where <device> is the device name, e.g. nvme0n1p3. If it echoes SUCCESS, the device is encrypted. Then get the name of the encrypted device with:
sudo dmsetup info luks-<uuid>
Which should output something like this:
❯ sudo dmsetup info luks-e88105e1-690f-423e-a168-a9f9a2e613e9
Name:              luks-e88105e1-690f-423e-a168-a9f9a2e613e9
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        1
Event number:      0
Major, minor:      253, 0
Number of targets: 1
UUID: CRYPT-LUKS2-e88105e1690f423ea168a9f9a2e613e9-luks-e88105e1-690f-423e-a168-a9f9a2e613e9
Note that my UUID will be different from your UUID. Take the name, in this case, luks-e88105e1-690f-423e-a168-a9f9a2e613e9, and execute the command:
sudo cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --persistent refresh <name>
Then do the fourth reboot.
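After the reboot, you can confirm that the flags are really active on the mapping. The following is an added example, not part of the original article, that reads the optional parameters from a dm-crypt table line as printed by sudo dmsetup table <name>. The function names are hypothetical and the sample line is constructed:

```shell
#!/bin/sh
# Added example (not from the original article): check a dm-crypt table
# line for the two workqueue flags set by Option A or Option B.

# CONSTRUCTED sample line; sizes, key reference and device numbers are made up.
SAMPLE_TABLE='0 996806656 crypt aes-xts-plain64 :64:logon:cryptsetup:<uuid>-d0 0 259:3 32768 2 no_read_workqueue no_write_workqueue'

# Print the optional parameters, one per line.
# Field layout of a crypt target:
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
#   [<number of optional params> <optional params...>]
crypt_opts() {
    printf '%s\n' "$1" | awk '$3 == "crypt" && NF >= 9 {
        for (i = 10; i <= 9 + $9 && i <= NF; i++) print $i
    }'
}

# Succeed only when both workqueue bypass flags are present.
workqueues_bypassed() {
    opts=$(crypt_opts "$1")
    printf '%s\n' "$opts" | grep -qx 'no_read_workqueue' &&
        printf '%s\n' "$opts" | grep -qx 'no_write_workqueue'
}

# With no argument, run against the constructed sample line.
if workqueues_bypassed "${1:-$SAMPLE_TABLE}"; then
    echo "both dm-crypt workqueues are bypassed"
else
    echo "workqueue flags missing; active options:"
    crypt_opts "${1:-$SAMPLE_TABLE}"
fi
```

Pass "$(sudo dmsetup table luks-<uuid>)" as the argument on a real system. If Option A replaced discard in /etc/crypttab, the listing also shows that allow_discards is no longer set.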
Removing base image packages on libostree systems
I do not recommend this, but you can do this if you want to. Note that if you proceed with this step, you need to reset your system before you can rebase to another version. Refer here.
u/VVine6 recommended some packages that can be removed from the base image, which includes VM host support and GNOME classic shell which can be removed with:
rpm-ostree override remove open-vm-tools-desktop open-vm-tools qemu-guest-agent spice-vdagent spice-webdavd virtualbox-guest-additions gnome-shell-extension-apps-menu gnome-classic-session gnome-shell-extension-window-list gnome-shell-extension-background-logo gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu
Later on, before rebasing, all of the removed packages need to be included back. In that case, you can reset the overrides with:
rpm-ostree override reset
This ends the general setup and modifications. You can do the final reboot here and use your system. However, laptop users can continue with the sections below, which also cover installation of Fish and VSCode, as well as some neat tips.
Laptop Users
Set battery threshold for laptop users
I recommend setting the battery threshold to at least 80% to decrease wear on the battery. You can do this by echoing the threshold to /sys/class/power_supply/BAT0/charge_control_end_threshold. However, this resets every reboot, so it is a good idea to make a systemd service for it or download the service here:
[Unit]
Description=Set the battery charge threshold
After=multi-user.target
StartLimitBurst=0

[Service]
Type=oneshot
Restart=on-failure
# bash needs -c to run the quoted string as a command
ExecStart=/usr/bin/env bash -c 'echo 80 > /sys/class/power_supply/BAT0/charge_control_end_threshold'

[Install]
WantedBy=multi-user.target
Save this as battery-threshold.service in /etc/systemd/system/ and enable it with:
sudo systemctl enable battery-threshold.service
Keyboard backlight
In some laptops, the keyboard backlight may not work out of the box, but you can control it with brightnessctl, which is already installed. First, find the keyboard backlight by listing the directories in /sys/class/leds. It usually has a name ending in ::kbd_backlight and can appear in one or more directories; for example, on Asus laptops it is usually /sys/class/leds/asus::kbd_backlight/brightness.
To find the current brightness:
brightnessctl --device='<device>::kbd_backlight' info
If it is set to 0, the backlight is disabled; 1 is the lowest level, and the brightness increases as the number increases. You can set the brightness with brightnessctl --device='<device>::kbd_backlight' set 3; for example, on Asus laptops it is:
brightnessctl --device='asus::kbd_backlight' set 3
You can bind the command to a key using GNOME’s default keyboard shortcut or other applications, but most of the time, keyboard backlights work out of the box.
Set suspend to deep sleep
On some laptops, particularly those with Alder Lake CPUs, the battery drains rapidly when suspended under s2idle. If this is the case, you can suspend using deep sleep instead, although it may increase the wake time. To do this, set the kernel parameter mem_sleep_default=deep:
sudo grubby --update-kernel=ALL --args="mem_sleep_default=deep"
Do a reboot, then check it with cat /sys/power/mem_sleep and should output something like this:
s2idle [deep]
Customizations
Use Fish as default shell
What is Fish?
Fish (friendly interactive shell) is a smart and user-friendly command line shell that works on Linux, macOS, and other operating systems. Use it for everyday work in your terminal and for scripting. Scripts written in Fish are less cryptic than their equivalent Bash versions.
https://github.com/fish-shell/fish-shell
Fish comes with out-of-the-box useful features such as:
- Syntax highlighting
- Web based configuration
- Inline searchable history
- Inline autosuggestion
- Tab completion using manpage data
Install Fish
To install Fish:
rpm-ostree install fish
Then to allow toolbox to use it:
toolbox run sudo dnf install fish
Set Fish as default shell
Since Fedora Linux does not include chsh in the base image of Silverblue due to its setuid root, after reboot use:
sudo usermod --shell /usr/bin/fish $USER
Customize Fish (basics)
Fish comes with a web-based configuration tool, which can be accessed with:
fish_config
This will give a GUI where you can set your prompt, color of syntax highlighting, aliases, and functions. You can also disable the welcome message:
set -U fish_greeting
Tips and Tricks
Contrast current modifications of configs with the default
This can be helpful in debugging, as suggested by u/VVine6:
sudo ostree admin config-diff | sort | grep -v system.control
The output will list files as Removed, Added or Modified. The defaults are available in /usr/etc under the very same path, so to revert a modification or a removal, simply copy the file over.
Miscellaneous
VSCode
There are three ways to install it: via Flatpak (not covered here), toolbx or layering.
Toolbx Installation
Create a toolbx with:
toolbox create
You can specify the version or distro you want to use with -r and -d, respectively. Then go inside the toolbx and update the system:
sudo dnf update
Then import the GPG keys and create the repository for VSCode:
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo sh -c 'echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com/yumrepos/vscode\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/vscode.repo'
Finally, update the metadata and install it with:
# check-update exits with status 100 when updates are pending, so it is not chained with &&
sudo dnf check-update
sudo dnf install code
Installation in toolbx will not provide a desktop icon, to create one:
touch $HOME/.local/share/applications/code.desktop
And append the following lines of code:
[Desktop Entry]
Type=Application
# you can replace the version
Version=1.0
Name=Visual Studio Code
Exec=toolbox run code
Icon=com.visualstudio.code
Terminal=false
If you used a toolbx with different name, change Exec to:
toolbox run --container <name-of-toolbox> code
Layering
Since the filesystem is immutable, you cannot import the GPG key unless you make specific changes, which are not covered here. Thus, you can only create a repository for VSCode with:
sudo sh -c 'echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com/yumrepos/vscode\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/vscode.repo'
Then refresh the metadata and install code with:
rpm-ostree refresh-md && rpm-ostree install code
Block telemetry
VSCode contains telemetry. To block some of it, point some of its domains to loopback (127.0.0.1) by appending the following to /etc/hosts:
127.0.0.1 dc.services.visualstudio.com
127.0.0.1 dc.trafficmanager.net
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 weu-breeziest-in.cloudapp.net
127.0.0.1 mobile.events.data.microsoft.com
Then in $HOME/.config/Code/User/settings.json, include:
"telemetry.telemetryLevel": "off"
Conclusion and Acknowledgements
These are some modifications that can be done for Fedora Silverblue. I greatly appreciate the Fedora community, where the other tips and tricks came from. Most of my knowledge came from the large knowledge base of the community, and this article was written in debt to their knowledge. You can get the scripts and the files from my repo here.