Fedora CoreOS (FCOS) is a minimal operating system designed for running containerized workloads securely, at scale. Its building blocks are CoreOS and Fedora Atomic. It is immutable and updates automatically, which keeps the OS stable and reliable. The OS updates itself with the latest OS improvements, bug fixes, and security updates using rpm-ostree.


Unlike other Linux operating systems, Fedora CoreOS (FCOS) has no install-time configuration. Every FCOS system begins with a generic disk image. For each deployment mechanism (cloud VM, local VM, bare metal), configuration can be supplied at first boot. FCOS reads and applies the configuration file with Ignition.

When Fedora CoreOS is installed on bare metal, or as a virtual machine from an ISO file, Ignition injects the configuration at install time. For deployments in a cloud environment, Ignition gathers the configuration through the cloud’s user-data mechanism.

Run/Install Fedora CoreOS (FCOS) on KVM / OpenStack

In this guide we’ll see how to run Fedora CoreOS (FCOS) in OpenStack and KVM virtualization environments. Below is the standard process for provisioning immutable Fedora CoreOS infrastructure on OpenStack / KVM.

  1. You start by writing a Fedora CoreOS Config (FCC) – This is a YAML file that specifies the desired configuration of a machine.
  2. You’ll then use the Fedora CoreOS Config Transpiler to validate your FCC and convert it to an Ignition config.
  3. The final step is launching a Fedora CoreOS machine and passing it the generated Ignition config, so that provisioning starts when the machine boots.

Step 1: Download the latest QCOW2 image

Head over to the FCOS download page to retrieve the latest image suitable for QEMU.

OpenStack:

wget https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/31.20200113.3.1/x86_64/fedora-coreos-31.20200113.3.1-openstack.x86_64.qcow2.xz -O fedora-coreos-openstack.qcow2.xz
unxz fedora-coreos-openstack.qcow2.xz

QEMU / KVM:

wget https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/31.20200113.3.1/x86_64/fedora-coreos-31.20200113.3.1-qemu.x86_64.qcow2.xz -O fedora-coreos-qemu.qcow2.xz
unxz fedora-coreos-qemu.qcow2.xz

For OpenStack, you need to upload the Fedora CoreOS image to the OpenStack Glance service:

openstack image create "fcos" \
    --file fedora-coreos-openstack.qcow2 \
    --disk-format qcow2 --container-format bare \
    --public

Confirm that the image is uploaded:

$ openstack image list
+--------------------------------------+-----------------+--------+
| ID                                   | Name            | Status |
+--------------------------------------+-----------------+--------+
| 6576c788-19e1-4de4-bf63-a769763cd00d | fcos            | active |
+--------------------------------------+-----------------+--------+

Step 2: Create Fedora CoreOS Config (FCC)

FCC is a YAML file that has the desired configuration of a machine. The FCCs support all Ignition functionality, and also provide additional syntax (“sugar”) that makes it easier to specify typical configuration changes.

This is my basic YAML configuration file to add SSH key to the default core user.

$ vim fcos.fcc 
variant: fcos
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa xx...

Where:

  • core is the name of FCOS user
  • xx… is the contents of your public key

Full details of FCC and its specifications are covered on the FCOS Provisioning and Configuration page.

Step 3: Convert FCC to Ignition config

We’ll now use the Fedora CoreOS Config Transpiler to validate our FCC and convert it to an Ignition config.

--- Podman ---
$ podman pull quay.io/coreos/fcct:v0.2.0
$ podman run -i --rm quay.io/coreos/fcct:v0.2.0 -pretty -strict < fcos.fcc > fcos.ign

--- Docker ---
$ docker pull quay.io/coreos/fcct:v0.2.0
$ docker run -i --rm quay.io/coreos/fcct:v0.2.0 -pretty -strict < fcos.fcc > fcos.ign

Replace fcos.fcc with the name of your FCC file and fcos.ign with the name of the Ignition file to be created.

You can manually validate the Ignition configuration file with:

--- Podman ---
$ podman run --rm -i quay.io/coreos/ignition-validate - < fcos.ign

--- Docker ---
$ docker run --rm -i quay.io/coreos/ignition-validate - < fcos.ign
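
A config that passes ignition-validate can still carry settings worth reviewing before it is handed to `--user-data`, because user-data remains readable from inside the instance through the metadata service. The audit below is an added example, not part of the original guide; the sample config, its hostnames and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample (not from the guide): an Ignition 3.0.0 config like the one
# generated from fcos.fcc, with hypothetical risky entries added for the audit.
SAMPLE_IGN = json.dumps({
    "ignition": {"version": "3.0.0", "config": {"merge": [
        {"source": "https://config.example.invalid/base.ign",
         "verification": {"hash": "sha512-constructed"}}]}},
    "passwd": {"users": [{"name": "core",
                          "sshAuthorizedKeys": ["ssh-rsa AAAA-constructed"],
                          "passwordHash": "$6$constructed"}]},
    "storage": {"files": [
        {"path": "/etc/example.conf", "mode": 0o666,  # serialized as decimal 438
         "contents": {"source": "http://config.example.invalid/example.conf"}},
        {"path": "/etc/hostname", "mode": 0o644, "contents": {"source": "data:,fcos"}}]},
})

CLEARTEXT = {"http", "tftp"}
REMOTE = CLEARTEXT | {"https", "s3"}


def check_source(where, res, findings):
    """Flag a remote resource fetched in cleartext or without a pinned hash."""
    scheme = urlsplit(res.get("source") or "").scheme
    if scheme not in REMOTE:
        return  # inline data: URLs travel inside the config itself
    if scheme in CLEARTEXT:
        findings.append((where, "fetched over cleartext " + scheme))
    if not res.get("verification", {}).get("hash"):
        findings.append((where, "remote content has no verification.hash"))


def audit_ignition(text):
    """Return (location, finding) tuples for a rendered Ignition config."""
    cfg = json.loads(text)
    findings = []
    ign_cfg = cfg.get("ignition", {}).get("config", {})
    for i, res in enumerate(ign_cfg.get("merge", [])):
        check_source("ignition.config.merge[%d]" % i, res, findings)
    if ign_cfg.get("replace"):
        check_source("ignition.config.replace", ign_cfg["replace"], findings)
    for user in cfg.get("passwd", {}).get("users", []):
        if user.get("passwordHash"):
            findings.append(("passwd.users:" + user["name"], "password hash embedded in user-data"))
    for f in cfg.get("storage", {}).get("files", []):
        if f.get("mode", 0) & 0o002:  # Ignition stores the mode as a decimal integer
            findings.append((f["path"], "world-writable mode"))
        check_source(f["path"], f.get("contents", {}), findings)
    return findings
```

To review a real file, pass its contents to the function, for example `audit_ignition(open("fcos.ign").read())`; an empty list means none of these checks fired.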

Step 4: Launch a Fedora CoreOS machine

Once you have the Ignition file ready, you can create a Fedora CoreOS machine by passing it the Ignition config you created.

On OpenStack

OpenStack CLI: Configure and Use OpenStack CLI

$ openstack server create \
 --image fcos \
 --key-name <key-name> \
 --flavor m1.small \
 --security-group <security-group-id> \
 --network private \
 --user-data fcos.ign \
 fcos

Replace:

  • <key-name> with the name of your SSH key uploaded to OpenStack.
  • <security-group-id> with the ID of your security group in OpenStack.

Immediate output as build starts

+-------------------------------------+---------------------------------------------+
| Field                               | Value                                       |
+-------------------------------------+---------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                      |
| OS-EXT-AZ:availability_zone         |                                             |
| OS-EXT-SRV-ATTR:host                | None                                        |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                        |
| OS-EXT-SRV-ATTR:instance_name       |                                             |
| OS-EXT-STS:power_state              | NOSTATE                                     |
| OS-EXT-STS:task_state               | scheduling                                  |
| OS-EXT-STS:vm_state                 | building                                    |
| OS-SRV-USG:launched_at              | None                                        |
| OS-SRV-USG:terminated_at            | None                                        |
| accessIPv4                          |                                             |
| accessIPv6                          |                                             |
| addresses                           |                                             |
| adminPass                           | ru6YiFeRLWn5                                |
| config_drive                        |                                             |
| created                             | 2020-01-24T19:27:11Z                        |
| flavor                              | m1.small (1)                                |
| hostId                              |                                             |
| id                                  | 6402494f-a2b1-4b6d-b462-7bc54d38d53b        |
| image                               | fcos (6576c788-19e1-4de4-bf63-a769763cd00d) |
| key_name                            | jmutai                                      |
| name                                | fcos                                        |
| progress                            | 0                                           |
| project_id                          | 06bcc3c56ab1489282b65681e782d7f6            |
| properties                          |                                             |
| security_groups                     | name='7fffea2a-b756-473a-a13a-219dd0f1913a' |
| status                              | BUILD                                       |
| updated                             | 2020-01-24T19:27:11Z                        |
| user_id                             | 336acbb7421f47f8be4891eabf0c9cc8            |
| volumes_attached                    |                                             |
+-------------------------------------+---------------------------------------------+

Check VM status:

$ openstack server list  --name fcos
+--------------------------------------+------+--------+---------------------+-------+----------+
| ID                                   | Name | Status | Networks            | Image | Flavor   |
+--------------------------------------+------+--------+---------------------+-------+----------+
| 6402494f-a2b1-4b6d-b462-7bc54d38d53b | fcos | ACTIVE | private=10.10.1.126 | fcos  | m1.small |
+--------------------------------------+------+--------+---------------------+-------+----------+

Let’s see if we can ping the VM:

$ ping -c 3 10.10.1.126
PING 10.10.1.126 (10.10.1.126) 56(84) bytes of data.
64 bytes from 10.10.1.126: icmp_seq=1 ttl=64 time=0.320 ms
64 bytes from 10.10.1.126: icmp_seq=2 ttl=64 time=0.297 ms
64 bytes from 10.10.1.126: icmp_seq=3 ttl=64 time=0.373 ms

--- 10.10.1.126 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.297/0.330/0.373/0.031 ms

Can we ssh to the instance?

$ ssh core@10.10.1.126
Warning: Permanently added '10.10.1.126' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/centos/.ssh/id_rsa': 
Fedora CoreOS 31.20200113.3.1
Tracker: https://github.com/coreos/fedora-coreos-tracker

Check OS release:

$ cat /etc/os-release 
NAME=Fedora
VERSION="31.20200113.3.1 (CoreOS)"
ID=fedora
VERSION_ID=31
VERSION_CODENAME=""
PLATFORM_ID="platform:f31"
PRETTY_NAME="Fedora CoreOS 31.20200113.3.1"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:31"
HOME_URL="https://getfedora.org/coreos/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-coreos/"
SUPPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
BUG_REPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=31
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=31
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="CoreOS"
VARIANT_ID=coreos
OSTREE_VERSION='31.20200113.3.1'

$ uname -a
Linux host-10-10-1-126 5.4.8-200.fc31.x86_64 #1 SMP Mon Jan 6 16:44:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

On KVM / QEMU

Copy the downloaded image to the virtual machine images directory, e.g.:

sudo cp fedora-coreos-qemu.qcow2 /var/lib/libvirt/images/fedora-coreos-qemu.qcow2

With virt-install:

$ virt-install -n fcos --vcpus 2 -r 2048 \
  --os-variant=fedora31 --import \
  --network bridge=virbr0 \
  --disk=/var/lib/libvirt/images/fedora-coreos-qemu.qcow2,format=qcow2,bus=virtio \
  --noautoconsole \
  --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/path/to/fcos.ign"

Installing Software packages on Fedora CoreOS

There is a restriction on the number of packages you can install on Fedora CoreOS. The primary way of updating Fedora CoreOS and installing applications is rpm-ostree.

rpm-ostree works by modifying your FCOS installation to extend the packages from which Silverblue is composed. Package layering creates a new “deployment”, or bootable filesystem root, and the system must be rebooted after a package has been layered. This preserves rollback and the transactional model.

  • First, generate rpm repo metadata:
$ sudo rpm-ostree refresh-md 
Enabled rpm-md repositories: updates fedora
Updating metadata for 'updates'... done
rpm-md repo 'updates'; generated: 2020-01-24T14:56:09Z
Updating metadata for 'fedora'... done
rpm-md repo 'fedora'; generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
  • A package can be installed on Silverblue using:
$ sudo rpm-ostree install <package>
Example:
$ sudo rpm-ostree install vim
Checking out tree f480038... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2020-01-24T14:56:09Z
rpm-md repo 'fedora' (cached); generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 13 packages (20.0 MB)
Downloading from 'fedora'... done
Downloading from 'updates'... done
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
......

A reboot is required after package installation:

$ sudo systemctl reboot

If you’re interested in installing FCOS on bare metal with ISO or PXE boot, follow the Bare Metal Installation Instructions to write Fedora CoreOS to disk. Ignition is injected at install time.
