Fedora CoreOS (FCOS) is a minimal operating system designed for running containerized workloads securely and at scale. Its building blocks are CoreOS and Fedora Atomic. It is immutable and updates itself automatically, which keeps the OS stable and reliable: rpm-ostree delivers the latest OS improvements, bug fixes, and security updates.
Unlike other Linux operating systems, Fedora CoreOS (FCOS) has no install-time configuration. Every FCOS system begins with a generic disk image. For each deployment mechanism (cloud VM, local VM, bare metal), configuration can be supplied at first boot. FCOS reads and applies the configuration file with Ignition.
When you install Fedora CoreOS on bare metal, or as a virtual machine from an ISO file, Ignition injects the configuration at install time. For deployments in a cloud environment, Ignition gathers the configuration via the cloud’s user-data mechanism.
Run/Install Fedora CoreOS (FCOS) on KVM / OpenStack
In this guide we’ll see how to run Fedora CoreOS (FCOS) in OpenStack and KVM virtualization environments. Below is the standard process for provisioning immutable Fedora CoreOS infrastructure on OpenStack / KVM.
- You start by writing a Fedora CoreOS Config (FCC) – This is a YAML file that specifies the desired configuration of a machine.
- You’ll then use the Fedora CoreOS Config Transpiler to validate your FCC and convert it to an Ignition config.
- The final step is launching a Fedora CoreOS machine and passing it the generated Ignition config, which is applied at first boot to provision the machine.
Step 1: Download the latest QCOW2 image
There are two ways of downloading FCOS images for both OpenStack and KVM.
Option 1) Using coreos-installer
coreos-installer is a program to assist with installing Fedora CoreOS (FCOS) and Red Hat Enterprise Linux CoreOS (RHCOS). This tool can be used to download the latest images for FCOS.
Install coreos-installer on Fedora:
### Fedora Workstation / Server ###
sudo dnf -y install coreos-installer
### Fedora CoreOS ###
rpm-ostree install coreos-installer
Check the download command options:
$ coreos-installer download --help
coreos-installer-download 0.11.0
Download a CoreOS image
USAGE:
coreos-installer download [OPTIONS]
OPTIONS:
-s, --stream <name> Fedora CoreOS stream [default: stable]
-a, --architecture <name> Target CPU architecture [default: x86_64]
-p, --platform <name> Fedora CoreOS platform name [default: metal]
-f, --format <name> Image format [default: raw.xz]
-u, --image-url <URL> Manually specify the image URL
-C, --directory <path> Destination directory [default: .]
-d, --decompress Decompress image and don't save signature
--insecure Skip signature verification
--stream-base-url <URL> Base URL for Fedora CoreOS stream metadata
--fetch-retries <N> Fetch retries, or "infinite" [default: 0]
-h, --help Prints help information
List Fedora CoreOS images available for download:
$ coreos-installer list-stream
Architecture Platform Format
aarch64 aws vmdk.xz
aarch64 metal 4k.raw.xz
aarch64 metal iso
aarch64 metal pxe
aarch64 metal raw.xz
aarch64 openstack qcow2.xz
aarch64 qemu qcow2.xz
x86_64 aliyun qcow2.xz
x86_64 aws vmdk.xz
x86_64 azure vhd.xz
x86_64 azurestack vhd.xz
x86_64 digitalocean qcow2.gz
x86_64 exoscale qcow2.xz
x86_64 gcp tar.gz
x86_64 ibmcloud qcow2.xz
x86_64 metal 4k.raw.xz
x86_64 metal iso
x86_64 metal pxe
x86_64 metal raw.xz
x86_64 nutanix qcow2.xz
x86_64 openstack qcow2.xz
x86_64 qemu qcow2.xz
x86_64 virtualbox ova
x86_64 vmware ova
x86_64 vultr raw.xz
Download image for OpenStack:
coreos-installer download --stream stable --platform openstack --decompress --format qcow2.xz
Command execution output:
Downloading Fedora CoreOS stable x86_64 openstack image (qcow2.xz) and signature
> Read disk 662.0 MiB/662.0 MiB (100%)
gpg: Signature made Wed 27 Apr 2022 02:29:28 AM EAT
gpg: using RSA key 787EA6AE1147EEE56C40B30CDB4639719867C58F
gpg: Good signature from "Fedora (35) <[email protected]>" [ultimate]
./fedora-coreos-35.20220410.3.1-openstack.x86_64.qcow2
Confirm file created is in your current working directory:
$ ls fedora-coreos-*-openstack.x86_64.qcow2
fedora-coreos-35.20220410.3.1-openstack.x86_64.qcow2
For OpenStack, you need to upload the Fedora CoreOS image to the OpenStack Glance service:
openstack image create "fcos" \
--file fedora-coreos-35.20220410.3.1-openstack.x86_64.qcow2 \
--disk-format qcow2 --container-format bare \
--public
Confirm that the image is uploaded:
$ openstack image list
+--------------------------------------+-----------------+--------+
| ID | Name | Status |
+--------------------------------------+-----------------+--------+
| 6576c788-19e1-4de4-bf63-a769763cd00d | fcos | active |
+--------------------------------------+-----------------+--------+
QEMU / KVM:
coreos-installer download --stream stable --platform qemu --decompress --format qcow2.xz
Command output example:
Downloading Fedora CoreOS stable x86_64 qemu image (qcow2.xz) and signature
> Read disk 657.6 MiB/657.6 MiB (100%)
gpg: Signature made Wed 27 Apr 2022 02:23:48 AM EAT
gpg: using RSA key 787EA6AE1147EEE56C40B30CDB4639719867C58F
gpg: Good signature from "Fedora (35) <[email protected]>" [ultimate]
./fedora-coreos-35.20220410.3.1-qemu.x86_64.qcow2
Option 2) Downloading FCOS images manually
Copy the latest image URL from the FCOS download page for your platform.
OpenStack:
wget <image-url> -O fedora-coreos-openstack.qcow2.xz
unxz fedora-coreos-openstack.qcow2.xz
QEMU / KVM:
wget <image-url> -O fedora-coreos-qemu.qcow2.xz
unxz fedora-coreos-qemu.qcow2.xz
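The wget and unxz commands above do not perform the signature check that coreos-installer runs, so a manually downloaded image should be compared with the digest published in the FCOS stream metadata before it is uploaded or booted. The following is an added example, not part of the original guide: it assumes the stream metadata layout shown in the constructed sample (including the separate "uncompressed-sha256" field that applies after unxz), and all function names and sample values are this example's own.

```python
import hashlib
import hmac

# Constructed sample: a stand-in image and a metadata fragment in the assumed
# layout of the FCOS stream metadata. Digests are made up, not real release values.
SAMPLE_IMAGE = b"constructed qcow2 bytes"
SAMPLE_DISK = {
    "sha256": "0" * 64,  # digest of the compressed .xz file (placeholder)
    "uncompressed-sha256": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
}
SAMPLE_STREAM = {"architectures": {"x86_64": {"artifacts": {
    "openstack": {"formats": {"qcow2.xz": {"disk": SAMPLE_DISK}}}}}}}

def expected_sha256(meta, arch, platform, fmt, decompressed):
    """Return the published digest for one artifact; raise if it is not listed."""
    try:
        disk = meta["architectures"][arch]["artifacts"][platform]["formats"][fmt]["disk"]
    except KeyError as exc:
        raise LookupError(f"no {arch}/{platform}/{fmt} artifact in metadata") from exc
    # After unxz the file no longer matches the digest of the .xz download.
    key = "uncompressed-sha256" if decompressed else "sha256"
    if key not in disk:
        raise LookupError(f"metadata has no {key} for this artifact")
    return disk[key].lower()

def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so a multi-hundred-MiB image is not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_image(path, meta, arch="x86_64", platform="openstack",
                 fmt="qcow2.xz", decompressed=True):
    """True only if the file on disk matches the digest published for it."""
    want = expected_sha256(meta, arch, platform, fmt, decompressed)
    return hmac.compare_digest(sha256_of(path), want)

if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(suffix=".qcow2") as tmp:
        tmp.write(SAMPLE_IMAGE)
        tmp.flush()
        print("decompressed image matches:", verify_image(tmp.name, SAMPLE_STREAM))
        print("checked against .xz digest:",
              verify_image(tmp.name, SAMPLE_STREAM, decompressed=False))
```

A missing platform or format raises instead of returning a result, so an image with no published digest is never treated as verified.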
For OpenStack, you need to upload the Fedora CoreOS image to the OpenStack Glance service:
openstack image create "fcos" \
--file fedora-coreos-openstack.qcow2 \
--disk-format qcow2 --container-format bare \
--public
Confirm that the image is uploaded:
$ openstack image list
+--------------------------------------+-----------------+--------+
| ID | Name | Status |
+--------------------------------------+-----------------+--------+
| 6576c788-19e1-4de4-bf63-a769763cd00d | fcos | active |
+--------------------------------------+-----------------+--------+
Step 2: Create Fedora CoreOS Config (FCC)
FCC is a YAML file that has the desired configuration of a machine. The FCCs support all Ignition functionality, and also provide additional syntax (“sugar”) that makes it easier to specify typical configuration changes.
This is my basic YAML configuration file to add an SSH key to the default core user.
$ vim fcos.fcc
variant: fcos
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa <ssh-pub-key>
Where:
- core is the name of FCOS user
- <ssh-pub-key> is the contents of your public key
Full details of FCC and its specifications are covered on the FCOS Provisioning and Configuration page.
Step 3: Convert FCC to Ignition config
We’ll now use the Fedora CoreOS Config Transpiler to validate our FCC and convert it to an Ignition config.
### Podman ###
podman pull quay.io/coreos/fcct
podman run -i --rm quay.io/coreos/fcct --pretty --strict <fcos.fcc > fcos.ign
### Docker ###
docker pull quay.io/coreos/fcct
docker run -i --rm quay.io/coreos/fcct --pretty --strict <fcos.fcc > fcos.ign
Replace fcos.fcc with the name of your FCC file and fcos.ign with the name of the Ignition file to be created.
You can manually validate the Ignition configuration file with:
### Podman ###
podman run --rm -i quay.io/coreos/ignition-validate - < fcos.ign
### Docker ###
docker run --rm -i quay.io/coreos/ignition-validate - < fcos.ign
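ignition-validate confirms that fcos.ign is a valid Ignition config; reviewing what the config will provision is a separate step worth doing before it is handed over as user-data. The following is an added example, not part of the original guide or of the CoreOS tooling: it uses Ignition spec 3.x field names, and the sample config and the policy rules (no password hashes, no world-writable files, no unverified remote sources) are this example's own assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed Ignition 3.x config for the demo; not generated from the page's FCC.
SAMPLE_IGN = json.loads("""
{"ignition": {"version": "3.0.0"},
 "passwd": {"users": [
   {"name": "core", "sshAuthorizedKeys": ["ssh-rsa AAAA-constructed-key"]},
   {"name": "ops", "passwordHash": "$6$constructed$hash"}]},
 "storage": {"files": [
   {"path": "/etc/motd", "mode": 420, "contents": {"source": "data:,hello"}},
   {"path": "/usr/local/bin/agent", "mode": 511,
    "contents": {"source": "http://mirror.example/agent"}},
   {"path": "/etc/app.conf", "mode": 420,
    "contents": {"source": "https://mirror.example/app.conf",
                 "verification": {"hash": "sha512-constructed"}}}]}}
""")

def remote_findings(label, resource):
    """Flag remote sources fetched in clear text or without a pinned hash."""
    found = []
    scheme = urlparse(resource.get("source") or "").scheme
    if scheme in ("http", "tftp"):
        found.append(f"{label}: fetched over unauthenticated {scheme}")
    if scheme not in ("", "data") and not resource.get("verification", {}).get("hash"):
        found.append(f"{label}: remote source without verification.hash")
    return found

def audit_ignition(cfg):
    """Return policy findings for a parsed Ignition config (empty list if none)."""
    findings = []
    for user in cfg.get("passwd", {}).get("users", []):
        if user.get("passwordHash"):
            findings.append(f"user {user['name']}: passwordHash shipped in user-data")
    for entry in cfg.get("storage", {}).get("files", []):
        # Ignition JSON stores mode as a decimal integer (420 == 0o644).
        if entry.get("mode", 0) & 0o002:
            findings.append(f"{entry['path']}: world-writable mode {oct(entry['mode'])}")
        findings += remote_findings(entry["path"], entry.get("contents", {}))
    refs = cfg.get("ignition", {}).get("config", {})
    for ref in refs.get("merge", []) + [refs.get("replace") or {}]:
        findings += remote_findings("ignition.config", ref)
    return findings

if __name__ == "__main__":
    for line in audit_ignition(SAMPLE_IGN):
        print("FINDING", line)
```

A config equivalent to the FCC in Step 2 (one core user with an SSH key) produces no findings.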
Step 4: Launch a Fedora CoreOS machine
Once you have the Ignition file ready, you can create a Fedora CoreOS machine by passing it the Ignition config you created.
On OpenStack
OpenStack CLI: Configure and Use OpenStack CLI
openstack server create \
--image fcos \
--key-name <your-openstack-key-name> \
--flavor m1.small \
--security-group <your-security-group> \
--network private \
--user-data fcos.ign \
fcos
Replace:
- <your-openstack-key-name> with the name of your SSH key uploaded to OpenStack.
- <your-security-group> with the ID of your security group in OpenStack.
Immediate output as build starts
+-------------------------------------+---------------------------------------------+
| Field | Value |
+-------------------------------------+---------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | |
| OS-EXT-STS:power_state | NOSTATE |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | ru6YiFeRLWn5 |
| config_drive | |
| created | 2020-01-24T19:27:11Z |
| flavor | m1.small (1) |
| hostId | |
| id | 6402494f-a2b1-4b6d-b462-7bc54d38d53b |
| image | fcos (6576c788-19e1-4de4-bf63-a769763cd00d) |
| key_name | jmutai |
| name | fcos |
| progress | 0 |
| project_id | 06bcc3c56ab1489282b65681e782d7f6 |
| properties | |
| security_groups | name='7fffea2a-b756-473a-a13a-219dd0f1913a' |
| status | BUILD |
| updated | 2020-01-24T19:27:11Z |
| user_id | 336acbb7421f47f8be4891eabf0c9cc8 |
| volumes_attached | |
+-------------------------------------+---------------------------------------------+
Check VM status:
$ openstack server list --name fcos
+--------------------------------------+------+--------+---------------------+-------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------+--------+---------------------+-------+----------+
| 6402494f-a2b1-4b6d-b462-7bc54d38d53b | fcos | ACTIVE | private=10.10.1.126 | fcos | m1.small |
+--------------------------------------+------+--------+---------------------+-------+----------+
Let’s see if we can ping the VM:
$ ping -c 3 10.10.1.126
PING 10.10.1.126 (10.10.1.126) 56(84) bytes of data.
64 bytes from 10.10.1.126: icmp_seq=1 ttl=64 time=0.320 ms
64 bytes from 10.10.1.126: icmp_seq=2 ttl=64 time=0.297 ms
64 bytes from 10.10.1.126: icmp_seq=3 ttl=64 time=0.373 ms
--- 10.10.1.126 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.297/0.330/0.373/0.031 ms
Can we ssh to the instance?
$ ssh core@10.10.1.126
Warning: Permanently added '10.10.1.126' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/centos/.ssh/id_rsa':
Fedora CoreOS 31.20200113.3.1
Tracker: https://github.com/coreos/fedora-coreos-tracker
Check OS release:
$ cat /etc/os-release
NAME=Fedora
VERSION="35.20220410.3.1 (CoreOS)"
ID=fedora
VERSION_ID=35
VERSION_CODENAME=""
....
$ uname -a
On KVM / QEMU
Copy the downloaded image to the virtual machine images directory, e.g.:
sudo cp fedora-coreos-qemu.qcow2 /var/lib/libvirt/images/fedora-coreos-qemu.qcow2
With virt-install:
sudo virt-install -n fcos --vcpus 2 -r 2048 \
--os-variant=fedora31 --import \
--network bridge=virbr0 \
--disk=/var/lib/libvirt/images/fedora-coreos-qemu.qcow2,format=qcow2,bus=virtio \
--noautoconsole \
--qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/path/to/fcos.ign"
Or using variables:
IGNITION_CONFIG="/path/to/example.ign"
IMAGE="/path/to/image.qcow2"
VM_NAME="fcos"
VCPUS="2"
RAM_MB="2048"
DISK_GB="10"
STREAM="stable"  # stream name used by --os-variant below
sudo virt-install --connect="qemu:///system" \
--name="${VM_NAME}" \
--vcpus="${VCPUS}" \
--memory="${RAM_MB}" \
--os-variant="fedora-coreos-$STREAM" \
--import \
--graphics=none \
--disk="size=${DISK_GB},backing_store=${IMAGE}" \
--qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=${IGNITION_CONFIG}"
Installing Software packages on Fedora CoreOS
There is a restriction on the number of packages you can install on Fedora CoreOS. The primary way of updating Fedora CoreOS and installing applications is rpm-ostree.
rpm-ostree works by modifying your FCOS installation to extend the set of packages from which the base OS is composed. Package layering creates a new “deployment”, or bootable filesystem root, and the system must be rebooted after a package has been layered. This preserves rollback and the transactional model.
- First, generate rpm repo metadata:
$ sudo rpm-ostree refresh-md
Enabled rpm-md repositories: updates fedora
Updating metadata for 'updates'... done
rpm-md repo 'updates'; generated: 2020-01-24T14:56:09Z
Updating metadata for 'fedora'... done
rpm-md repo 'fedora'; generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
- A package can be installed on Fedora CoreOS using:
$ sudo rpm-ostree install <package name>
Example:
$ sudo rpm-ostree install vim
Checking out tree f480038... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2020-01-24T14:56:09Z
rpm-md repo 'fedora' (cached); generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 13 packages (20.0 MB)
Downloading from 'fedora'... done
Downloading from 'updates'... done
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
......
A reboot is required after package installation:
sudo systemctl reboot
Installing on bare metal
If you’re interested in installing FCOS on bare metal with ISO or PXE boot, follow the Bare Metal Installation Instructions to write Fedora CoreOS to disk. Ignition is injected at install time.