What is Fedora libostree (Silverblue/Kinoite/Sericea)?

Fedora Linux’s libostree variants such as Fedora Silverblue (GNOME desktop environment) and Fedora Kinoite (KDE desktop environment) as well as Fedora Sericea (Sway window manager) are new variants of Fedora Linux that use the rpm-ostree command to perform atomic upgrades.

Consider a normal Fedora Linux installation. During an upgrade, a package manager such as DNF grabs the packages, combines them, then installs them on your system. A libostree or “image-based” OS, on the other hand, is an immutable system. It fetches the image and “layers” it on top of the current one during an upgrade, providing more robust and reliable system upgrades.

“It is immutable, so you can’t change it?” Not quite: there are parts you can change and workarounds you can use to shape the system the way you want, although it is not as customizable as Fedora Workstation. This article therefore describes the modifications and setup steps you can apply to Fedora Silverblue, including some optimizations.

Notes

I highly suggest avoiding layering packages onto the system image as much as possible. I also encourage you to read the explanation above each command before executing it, and not to reboot unless told to, since extra reboots make the process longer than it needs to be.

Not every step is necessary, although each can be beneficial or of some use later. I also highly recommend the cheatsheet that Fedora’s Team Silverblue provided, which you can get here:

You can also obtain the files and scripts in my GitHub repo here.


First libostree Post-Installation Tasks

There are some basic tasks that you should do after the first boot.

System Update

After installation, you may have an outdated system, depending on how far you were from the current release, so the first thing to do is to upgrade the system:

flatpak upgrade

Flatpaks are updated first since GNOME Software automatically calls rpm-ostree upgrade after booting up. You can still check for upgrades with:

rpm-ostree upgrade --check 

or

rpm-ostree upgrade --preview

Mount External Drives

If you have an external drive, you can mount it with:

sudo mount /dev/sdX <dir>

You can find the drive using lsblk or fdisk -l.

If you want to mount the drives automatically on boot, you can modify /etc/fstab. You will need the UUID of the device, which you can find with lsblk -f, and its mount point (<dir>). Then add the new entry to fstab in this format:

UUID=<uuid> [TAB] <dir> [TAB] <filesystem_format> [SPACE] <options> [SPACE] <dump> [SPACE] <fsck>

Here, I suggest using defaults for options, 0 for dump and fsck to disable the checking during boot to avoid increasing the boot time and potential errors upon failure of the drive. For further information, ArchWiki provides comprehensive fstab documentation. Be sure to input the correct UUID or your system might not boot.
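
Because a wrong UUID in fstab can stop the system from booting, a candidate line can be checked before it is appended. The following is an added example, not part of the original article: the function name, the sample UUIDs and the mount point are constructed for illustration.

```bash
# Added example: validate a proposed /etc/fstab line before appending it.
# check_fstab_line LINE KNOWN_UUIDS
#   LINE         candidate entry (six whitespace-separated fields)
#   KNOWN_UUIDS  newline-separated UUIDs, e.g. the output of: lsblk -no UUID
# Prints each problem found; returns 0 only when nothing was found.
check_fstab_line() {
    line=$1 known=$2 rc=0
    set -f                      # keep "*" in the line from globbing
    set -- $line                # split on whitespace (tabs or spaces)
    set +f
    if [ $# -ne 6 ]; then
        echo "expected 6 fields, got $#"
        return 1
    fi
    spec=$1 dir=$2 dump=$5 pass=$6
    case $spec in
        UUID=?*)
            uuid=${spec#UUID=}
            printf '%s\n' "$known" | grep -qxF -- "$uuid" || {
                echo "UUID $uuid does not match any known device"
                rc=1
            } ;;
        *)  echo "first field should be UUID=<uuid>"; rc=1 ;;
    esac
    case $dir in
        /*) ;;
        *)  echo "mount point '$dir' is not an absolute path"; rc=1 ;;
    esac
    case $dump in 0|1) ;; *) echo "dump must be 0 or 1, got '$dump'"; rc=1 ;; esac
    case $pass in 0|1|2) ;; *) echo "fsck must be 0, 1 or 2, got '$pass'"; rc=1 ;; esac
    return $rc
}

# Constructed sample data: these UUIDs and the mount point are made up.
SAMPLE_UUIDS='3f2a9c1e-5b7d-4e21-9a10-6c8d2f4b7e55
A1B2-C3D4'
GOOD_LINE='UUID=3f2a9c1e-5b7d-4e21-9a10-6c8d2f4b7e55 /mnt/data ext4 defaults 0 0'
TYPO_LINE='UUID=3f2a9c1e-5b7d-4e21-9a10-6c8d2f4b7e5 mnt/data ext4 defaults 0 3'

check_fstab_line "$GOOD_LINE" "$SAMPLE_UUIDS" && echo "good line: ok to append"
check_fstab_line "$TYPO_LINE" "$SAMPLE_UUIDS" || echo "typo line: rejected"
```

After appending a line that passes, sudo findmnt --verify re-checks the whole file and sudo mount -a mounts the new entry without a reboot.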

Third-Party Repositories

Flatpak Setup

Fedora has its own Flatpak repository, in which it filters some of the applications. Hence, I suggest adding Flathub, which comes with more applications, including proprietary ones:

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

After this, do the first reboot.

Reinstalling Versioned Third-Party Repositories

Versioned third-party repository packages that rely on a given Fedora release can cause problems during a major version upgrade, hence I recommend replacing them with non-versioned ones.

rpm-ostree update --uninstall <versioned-third-party-repo> --uninstall <versioned-third-party-repo> --install <unversioned-third-party-repo> --install <unversioned-third-party-repo>

You can include as many --uninstall <versioned-third-party-repo> and --install <unversioned-third-party-repo> as needed. Then do the second reboot.

Codecs and Drivers

OpenH264 or ffmpeg-libs

Fedora disables the automatic install of openh264 by default, for this reason:

Upstream Firefox versions download and install the OpenH264 plugin by default automatically. Due to its binary nature, Fedora disables this automatic download.

https://fedoraproject.org/wiki/OpenH264

But you can still install it manually with:

rpm-ostree install mozilla-openh264 gstreamer1-plugin-openh264

Upon reboot, open Firefox and press Ctrl + Shift + A then enable the OpenH264 Plugins.

Flatpak Modifications

Flatpaks are sandboxed and they may not work as expected. These are some solutions to the errors that might arise.

Theming on libostree systems

Since Flatpaks are sandboxed, they cannot access the GTK theme you’ve installed in your system. One solution is to install the Flatpak version of the GTK theme you are using, which you can find with:

flatpak search gtk3

Or override the themes directory which depends on how the theme was installed:

# choose one, you can do all of them but I don't recommend doing it
# if installed in home dir
sudo flatpak override --system --filesystem=$HOME/.themes
# if layered in your system
sudo flatpak override --system --filesystem=/usr/share/themes
# or whatever
sudo flatpak override --system --filesystem=xdg-data/themes

Permissions on libostree systems

As another Reddit user (u/IceOleg) suggested, you can disable the access to home and host dir with:

flatpak override --user --nofilesystem=home
flatpak override --user --nofilesystem=host

The home and host directories can be given back to some applications that might need it later on. Managing Flatpak permissions in the command line can be tedious. Hence, I and u/GunnarRoxen recommend installing Flatseal, which is a good utility for managing permissions:

flatpak install flathub com.github.tchx84.Flatseal

If you do not want all of the modifications made, you can reset the changes with:

sudo flatpak override --system --reset

You can also remove the --system flag and use --user instead for user-wide changes, but in this case do not use sudo. It is also possible to reset changes for a specific app with:

flatpak override --reset <app>
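
To see which apps still hold home or host access after these overrides, the filesystems= line in the [Context] section of Flatpak's permission text (for example, what flatpak info --show-permissions <app> prints) can be checked. This is an added example, not part of the original article: the function names, app IDs and sample permission text are constructed.

```bash
# Added example (not from the article): find broad filesystem grants in
# Flatpak permission keyfile text, the format used by app metadata and overrides.

# broad_fs_grants: stdin = keyfile text; prints each [Context] filesystems=
# entry that grants home or host access. Entries starting with "!" are
# denials (what --nofilesystem= records) and are skipped.
broad_fs_grants() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && /^filesystems=/ {
            sub(/^filesystems=/, "")
            n = split($0, items, ";")
            for (i = 1; i <= n; i++) {
                entry = items[i]
                if (entry == "" || substr(entry, 1, 1) == "!") continue
                name = entry
                sub(/:(ro|rw|create)$/, "", name)     # drop access-mode suffix
                if (name == "home" || name == "host") print entry
            }
        }
    '
}

# report APP_ID: stdin = keyfile text; returns 1 when broad access remains.
report() {
    grants=$(broad_fs_grants | tr '\n' ' ')
    if [ -n "$grants" ]; then
        echo "$1: still has $grants"
        return 1
    fi
    echo "$1: no home/host access"
}

# Constructed samples; app IDs and contents are hypothetical.
SAMPLE_OPEN='[Application]
name=org.example.Editor

[Context]
shared=network;ipc;
filesystems=home;xdg-download;host:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk'

SAMPLE_LOCKED='[Context]
filesystems=!home;!host;xdg-documents;'

printf '%s\n' "$SAMPLE_OPEN"   | report org.example.Editor || true
printf '%s\n' "$SAMPLE_LOCKED" | report org.example.Viewer || true
```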

Theming Extended

In some cases where themes do not apply (especially GTK4), you can force it by including it in $HOME/.profile and in the settings (settings.ini):

Do not copy and execute the below command. Replace <theme_name> with the name of the theme. One of the things I’ve learned is to not mindlessly copy and paste commands from the internet, especially long and suspicious commands.

echo "export GTK_THEME=<theme_name>" >> $HOME/.profile; if [ ! -d $HOME/.config/environment.d/ ]; then mkdir -p $HOME/.config/environment.d/; fi; echo "GTK_THEME=<theme_name>" >> $HOME/.config/environment.d/gtk_theme.conf; echo "GTK_THEME=<theme_name>" >> $HOME/.config/gtk-4.0/settings.ini

Explanation

The very long command above is a one-liner version of a script that will write “export GTK_THEME=<theme_name>” to $HOME/.profile:

echo "export GTK_THEME=<theme_name>" >> $HOME/.profile

Then create the $HOME/.config/environment.d/gtk_theme.conf file:

if [ ! -d $HOME/.config/environment.d/ ]; then
    mkdir -p $HOME/.config/environment.d/
fi
echo "GTK_THEME=<theme_name>" >> $HOME/.config/environment.d/gtk_theme.conf

And append “GTK_THEME=<theme_name>” at the end of gtk_theme.conf. And finally, append GTK_THEME=<theme_name> to the settings.ini config.

Extreme Method

If all of the other methods failed, you can do this as a last resort:

sudo flatpak override --system --env=GTK_THEME='<theme_name>'

libostree System Optimizations

Disabling NetworkManager-wait-online.service

One of the main contributors to long boot times, especially if you do not always have an internet connection, is NetworkManager-wait-online.service. It can take from 10 seconds to a minute or two, but you can also disable it since:

[The NetworkManager-wait-online] service simply waits, doing absolutely nothing, until the network is connected, and when this happens, it changes its state so that other services that depend on the network can be launched to start doing their thing.

https://askubuntu.com/questions/1018576/what-does-networkmanager-wait-online-service-do/1133545#1133545

In some multi-user environments, part of the boot-up process can come from the network. For this case, systemd defaults to waiting for the network to come online before taking certain steps. Disabling the service can decrease the boot time by at least 15 to 20 seconds, or even a minute:

sudo systemctl disable NetworkManager-wait-online.service

Masking it is not recommended, since, as explained by u/chrisawi:

… wait-online services are WantedBy=network-online.target, so they do nothing unless another service explicitly pulls that target in because it can’t handle starting before the network is up. The nfs services are a typical example, see: systemctl list-dependencies --reverse network-online.target. It might be better to disable such services than to leave them potentially broken.

https://www.reddit.com/r/Fedora/comments/zkp5y4/comment/j00xfdh/?utm_source=share&utm_medium=web2x&context=3

Removing Unnecessary GNOME Flatpaks from libostree systems

Not all of the pre-installed applications are necessary, so you can safely remove some of them. You can completely remove a Flatpak with:

flatpak uninstall --system --delete-data <app>

Here are some of the pre-installed Flatpaks that you can remove:

  1. Calculator: org.gnome.Calculator
  2. Calendar: org.gnome.Calendar
  3. Connections: org.gnome.Connections
  4. Contacts: org.gnome.Contacts
  5. PDF reader: org.gnome.Evince
  6. Logs: org.gnome.Logs
  7. Maps: org.gnome.Maps
  8. Weather: org.gnome.Weather
  9. Disk usage analyzer: org.gnome.baobab

Disable Gnome Software on libostree systems

By default, GNOME Software autostarts to invoke rpm-ostree upgrade --check, which takes from at least 100MB up to 900MB of RAM. You can remove it from the autostart in /etc/xdg/autostart/org.gnome.Software.desktop with:

sudo rm /etc/xdg/autostart/org.gnome.Software.desktop

Disable dm-crypt workqueues for SSD users to improve performance on libostree systems

Quoting the Arch Wiki:

Solid state drive users should be aware that, by default, discarding internal read and write workqueue commands are not enabled by the device-mapper, i.e. block-devices are mounted without the no_read_workqueue and no_write_workqueue option unless you override the default.

https://wiki.archlinux.org/title/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance

The no_read_workqueue and no_write_workqueue flags were introduced by internal Cloudflare research Speeding up Linux disk encryption made while investigating overall encryption performance. One of the conclusions is that internal dm-crypt read and write queues decrease performance for SSD drives. While queuing disk operations makes sense for spinning drives, bypassing the queue and writing data synchronously doubled the throughput and cut the SSD drives’ IO await operations latency in half. The patches were upstreamed and are available since linux 5.9 and up [5].

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/md/dm-crypt.c?id=39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877

The same changes were proposed to be the default for Fedora Silverblue (fedora-silverblue/issue-tracker#338). Although it is still open as tracked in Red Hat’s Bugzilla, it also has been the default in Linux zen-kernel since this commit.

There are two ways to disable this in Fedora Silverblue:

Option A: /etc/crypttab

I do not recommend this method, but if you want to use it, replace “discard” in /etc/crypttab with no-read-workqueue,no-write-workqueue. The output of sudo cat /etc/crypttab should then look like this:

luks-UUID UUID=<uuid> none no-read-workqueue,no-write-workqueue

Then do the fourth reboot.

Option B: Cryptsetup

Fedora Linux uses LUKS2, hence I recommend using cryptsetup. To begin, find the device with lsblk -p; the partition with /dev/mapper/luks-<uuid> listed under it is the encrypted one. For example:

❯ lsblk -p
NAME                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
/dev/zram0                    252:0    0   7.5G  0 disk  [SWAP]
/dev/nvme0n1                  259:0    0 476.9G  0 disk
├─/dev/nvme0n1p1              259:1    0   600M  0 part  /boot/efi
├─/dev/nvme0n1p2              259:2    0     1G  0 part  /boot
└─/dev/nvme0n1p3              259:3    0 475.4G  0 part
  └─/dev/mapper/luks-<uuid>   253:0    0 475.3G  0 crypt /var/home
...

In my case it is the /dev/nvme0n1p3. Then verify it with:

sudo cryptsetup isLuks /dev/<device> && echo SUCCESS 

Where <device> is the device name, e.g. nvme0n1p3. If it echoes SUCCESS, the device is encrypted. Then get the name of the encrypted device with:

sudo dmsetup info luks-<uuid>

Which should output something like this:

❯ sudo dmsetup info luks-e88105e1-690f-423e-a168-a9f9a2e613e9
Name: luks-e88105e1-690f-423e-a168-a9f9a2e613e9
State: ACTIVE
Read Ahead: 256
Tables present: LIVE
Open count: 1
Event number: 0
Major, minor: 253, 0
Number of targets: 1
UUID: CRYPT-LUKS2-e88105e1690f423ea168a9f9a2e613e9-luks-e88105e1-690f-423e-a168-a9f9a2e613e9

Note that my UUID will be different from your UUID. Take the name, in this case, luks-e88105e1-690f-423e-a168-a9f9a2e613e9, and execute the command:

sudo cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --persistent refresh <name>

Then do the fourth reboot.
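
After the reboot, either option can be verified by reading the optional flags at the end of the mapping's sudo dmsetup table luks-<uuid> line. This is an added example, not part of the original article: the function names are hypothetical, and the sample lines are constructed with a placeholder in the key field.

```bash
# Added example: read the optional flags of a dm-crypt mapping from one
# "dmsetup table" line and check for the two workqueue flags.

# crypt_flags: stdin = one table line; prints one flag per line.
# Layout after the word "crypt": cipher key iv_offset device offset [count flag...]
crypt_flags() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "crypt") break
        if (i > NF) exit 2                    # not a crypt target
        cnt = i + 6                           # field holding the flag count
        for (j = cnt + 1; j <= cnt + $cnt && j <= NF; j++) print $j
    }'
}

# workqueue_check: stdin = one table line.
# Returns 0 when both flags are active, 1 when one is missing, 2 on bad input.
workqueue_check() {
    flags=$(crypt_flags) || { echo "not a dm-crypt table line"; return 2; }
    missing=
    for want in no_read_workqueue no_write_workqueue; do
        printf '%s\n' "$flags" | grep -qx "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "workqueues bypassed"
}

# Constructed lines: KEY stands in for the key field, sizes are made up.
TABLE_TUNED='0 996941824 crypt aes-xts-plain64 KEY 0 259:3 32768 2 no_read_workqueue no_write_workqueue'
TABLE_DISCARD='0 996941824 crypt aes-xts-plain64 KEY 0 259:3 32768 1 allow_discards'
TABLE_PLAIN='0 996941824 crypt aes-xts-plain64 KEY 0 259:3 32768'

printf '%s\n' "$TABLE_TUNED"   | workqueue_check || true
printf '%s\n' "$TABLE_DISCARD" | workqueue_check || true
printf '%s\n' "$TABLE_PLAIN"   | workqueue_check || true
```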

Removing base image packages on libostree systems

I do not recommend this, but you can do this if you want to. Note that if you proceed with this step, you need to reset your system before you can rebase to another version. Refer here.

u/VVine6 recommended some packages that can be removed from the base image, which includes VM host support and GNOME classic shell which can be removed with:

rpm-ostree override remove open-vm-tools-desktop open-vm-tools qemu-guest-agent spice-vdagent spice-webdavd virtualbox-guest-additions gnome-shell-extension-apps-menu gnome-classic-session gnome-shell-extension-window-list gnome-shell-extension-background-logo gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu

Later on, before rebasing, all of the removed packages need to be included back. In that case, you can reset the overrides with:

rpm-ostree override reset

This ends the general setup and modifications. You can do the final reboot here and use your system. Laptop users, however, can continue with the sections below, which also cover the installation of Fish and VSCode, as well as some neat tips.

Laptop Users

Set battery threshold for laptop users

I recommend setting the battery threshold to at least 80% to decrease wear on the battery. You can do this by echoing the threshold to /sys/class/power_supply/BAT0/charge_control_end_threshold. However, this resets every reboot, so it is a good idea to make a systemd service for it or download the service here:

[Unit]
Description=Set the battery charge threshold
After=multi-user.target
StartLimitBurst=0

[Service]
Type=oneshot
Restart=on-failure
ExecStart=/usr/bin/env bash -c 'echo 80 > /sys/class/power_supply/BAT0/charge_control_end_threshold'

[Install]
WantedBy=multi-user.target

Save this as battery-threshold.service in /etc/systemd/system/ and enable it with:

sudo systemctl enable battery-threshold.service

Keyboard backlight

On some laptops, the keyboard backlight may not work out of the box, but you can control it with brightnessctl, which is already installed. First, find the keyboard backlight by listing the directories in /sys/class/leds. It usually has a name like ::kbd_backlight/brightness and can appear in one or more directories; on Asus laptops, for example, it is usually /sys/class/leds/asus::kbd_backlight/brightness.

To find the current brightness:

brightnessctl --device='<device>::kbd_backlight' info

If it is set to 0, the backlight is disabled; 1 is the lowest level, and the brightness increases as the number increases. You can set the brightness with brightnessctl --device='<device>::kbd_backlight' set 3. For example, on Asus laptops it is:

brightnessctl --device='asus::kbd_backlight' set 3

You can bind the command to a key using GNOME’s default keyboard shortcut or other applications, but most of the time, keyboard backlights work out of the box.

Set suspend to deep sleep

On some laptops, particularly those with Alder Lake CPUs, the battery drains rapidly when suspended under s2idle. If this is the case, you can suspend using deep sleep instead, although it may increase the wake time. To do so, set the kernel parameter mem_sleep_default=deep:

sudo grubby --update-kernel=ALL --args="mem_sleep_default=deep"

Do a reboot, then check it with cat /sys/power/mem_sleep, which should output something like this:

s2idle [deep]

Customizations

Use Fish as default shell

What is Fish?

Fish (friendly interactive shell) is a smart and user-friendly command line shell that works on Linux, macOS, and other operating systems. Use it for everyday work in your terminal and for scripting. Scripts written in Fish are less cryptic than their equivalent Bash versions.

https://github.com/fish-shell/fish-shell

Fish comes with out-of-the-box useful features such as:

  1. Syntax highlighting
  2. Web based configuration
  3. Inline searchable history
  4. Inline autosuggestion
  5. Tab completion using manpage data
Credits to Sid Mohanty for demonstration of Fish in their article.

Install Fish

To install Fish:

rpm-ostree install fish

Then to allow toolbox to use it:

toolbox run sudo dnf install fish

Set Fish as default shell

Fedora Linux does not include chsh in the base image of Silverblue because it is setuid root, so after the reboot use:

sudo usermod --shell /usr/bin/fish $USER

Customize Fish (basics)

Fish comes with a web-based configuration which can be accessed with:

fish_config

This will give a GUI where you can set your prompt, color of syntax highlighting, aliases, and functions. You can also disable the welcome message:

set -U fish_greeting

Tips and Tricks

Contrast current modifications of configs with the default

This can be helpful in debugging as suggested by u/VVine6

sudo ostree admin config-diff | sort | grep -v system.control

The output will list files as Removed, Added or Modified. The defaults are available in /usr/etc under the very same path, so to revert a modification or a removal, simply copy the file over.

Miscellaneous

VSCode

There are three ways to install it: via Flatpak (not covered here), toolbx, or layering.

Toolbx Installation

Create a toolbx with:

toolbox create

You can specify the version or distro you want to use with -r and -d, respectively. Then go inside the toolbx and update the system:

sudo dnf update

Then import the GPG keys and create the repository for VSCode:

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo sh -c 'echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com/yumrepos/vscode\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/vscode.repo'

Finally, update the metadata and install it with:

sudo dnf check-update && sudo dnf install code

Installation in toolbx will not provide a desktop icon. To create one:

touch $HOME/.local/share/applications/code.desktop

And append the following lines of code:

[Desktop Entry]
Type=Application
# you can replace the version
Version=1.0
Name=Visual Studio Code
Exec=toolbox run code
Icon=com.visualstudio.code
Terminal=false

If you used a toolbx with a different name, change Exec to:

toolbox --container <name-of-toolbox> run code

Layering

Since the filesystem is immutable, you cannot import the GPG key unless you make specific changes which are not covered here. Thus, you can only create a repository for VSCode with:

sudo sh -c 'echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com/yumrepos/vscode\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/vscode.repo'

Then refresh the metadata and install code with:

rpm-ostree refresh-md && rpm-ostree install code
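
Both install paths write the same repo file, and in the layering path it is the only place the signing key is referenced, so it is worth checking that the gpgcheck, gpgkey and baseurl lines came out as intended. The linter below is an added example, not part of the original article: the function name and the weak repo are constructed, and it requires gpgcheck to be set explicitly in each section.

```bash
# Added example (not from the article): lint dnf .repo text for the settings
# that control package signature checking.

# lint_repo: stdin = .repo file text. Prints one finding per line and
# returns 1 if any enabled section has a finding, 0 otherwise.
lint_repo() {
    awk '
        function finish() {
            if (sec == "" || enabled == "0") return
            if (tolower(gpgcheck) !~ /^(1|yes|true|on)$/) {
                print sec ": gpgcheck is not enabled"; bad = 1
            }
            if (gpgkey == "") {
                print sec ": no gpgkey"; bad = 1
            } else if (gpgkey !~ /^(https|file):\/\//) {
                print sec ": gpgkey is not https or file"; bad = 1
            }
            if (baseurl != "" && baseurl !~ /^https:\/\//) {
                print sec ": baseurl is not https"; bad = 1
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^\[.*\]/ {
            finish()                               # close the previous section
            sec = substr($0, 2, index($0, "]") - 2)
            enabled = "1"; gpgcheck = gpgkey = baseurl = ""
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
            else if (key == "baseurl") baseurl = val
        }
        END { finish(); exit bad + 0 }
    '
}

# The repo file from the article, and a constructed weak one for contrast.
PAGE_REPO='[code]
name=Visual Studio Code
baseurl=https://packages.microsoft.com/yumrepos/vscode
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc'

WEAK_REPO='[example-weak]
name=Constructed example
baseurl=http://repo.example.invalid/fedora
enabled=1
gpgcheck=0'

printf '%s\n' "$PAGE_REPO" | lint_repo && echo "page repo: ok"
printf '%s\n' "$WEAK_REPO" | lint_repo || echo "weak repo: fix before enabling"
```

Run it against the real file with lint_repo < /etc/yum.repos.d/vscode.repo; a file written with the backslashes missing from the echo string collapses onto one line and is reported.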

Block telemetry

VSCode contains telemetry. To block some of it, point the following domains to loopback (127.0.0.1) by appending these lines to /etc/hosts:

127.0.0.1	dc.services.visualstudio.com
127.0.0.1	dc.trafficmanager.net
127.0.0.1	vortex.data.microsoft.com
127.0.0.1	weu-breeziest-in.cloudapp.net
127.0.0.1	mobile.events.data.microsoft.com

Then in $HOME/.config/Code/User/settings.json, include:

"telemetry.telemetryLevel": "off"

Conclusion and Acknowledgements

These are some of the modifications that can be done for Fedora Silverblue. I greatly appreciate the Fedora community, where the other tips and tricks came from. Most of my knowledge came from the community’s large knowledge base, and this article was written in debt to it. You can get the scripts and the files from my repo here.