{"id":121243,"date":"2020-11-27T08:00:00","date_gmt":"2020-11-27T08:00:00","guid":{"rendered":"https:\/\/fedoramagazine.org\/?p=32281"},"modified":"2020-11-27T08:00:00","modified_gmt":"2020-11-27T08:00:00","slug":"getting-started-with-fedora-coreos","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2020\/11\/27\/getting-started-with-fedora-coreos\/","title":{"rendered":"Getting started with Fedora CoreOS"},"content":{"rendered":"<p>This has been called the age of DevOps, and operating systems seem to be getting a little bit less attention than tools are. However, this doesn&#8217;t mean that there has been no innovation in operating systems. [Edit: The diversity of offerings from the plethora of distributions based on the Linux kernel is a fine example of this.] <a href=\"https:\/\/getfedora.org\/coreos\/\">Fedora CoreOS<\/a> has a specific philosophy of what an operating system should be in this age of DevOps. <\/p>\n<p> <span id=\"more-32281\"><\/span> <\/p>\n<h3>Fedora CoreOS&#8217; philosophy<\/h3>\n<p>Fedora CoreOS (FCOS) came from the merging of CoreOS Container Linux and Fedora Atomic Host. It is a minimal and monolithic OS focused on running containerized applications. Security being a first class citizen, FCOS provides automatic updates and comes with SELinux hardening.<\/p>\n<p>For automatic updates to work well they need to be very robust. The goal is that servers running FCOS won&#8217;t break after an update. This is achieved by using different release streams (stable, testing and next). Each stream is released every 2 weeks and content is promoted from one stream to the other (next -&gt; testing -&gt; stable). That way updates landing in the stable stream have had the opportunity to be tested over a long period of time.<\/p>\n<h3>Getting Started<\/h3>\n<p>For this example let&#8217;s use the stable stream and a QEMU base image that we can run as a virtual machine. 
You can use <a href=\"https:\/\/github.com\/coreos\/coreos-installer\/releases\">coreos-installer<\/a> to download that image.<\/p>\n<p>From your (Workstation) terminal, run the following commands after updating the link to the image. [Edit: On Silverblue the container based coreos tools are the simplest method to try. Instructions can be found at <a href=\"https:\/\/docs.fedoraproject.org\/en-US\/fedora-coreos\/tutorial-setup\/\">https:\/\/docs.fedoraproject.org\/en-US\/fedora-coreos\/tutorial-setup\/<\/a> , in particular &#8220;Setup with Podman or Docker&#8221;.]<\/p>\n<pre class=\"wp-block-preformatted\">$ sudo dnf install coreos-installer\n$ coreos-installer download --image-url https:\/\/builds.coreos.fedoraproject.org\/prod\/streams\/stable\/builds\/32.20200907.3.0\/x86_64\/fedora-coreos-32.20200907.3.0-qemu.x86_64.qcow2.xz\n$ xz -d fedora-coreos-32.20200907.3.0-qemu.x86_64.qcow2.xz\n$ ls\nfedora-coreos-32.20200907.3.0-qemu.x86_64.qcow2<\/pre>\n<h4>Create a configuration<\/h4>\n<p>To customize a FCOS system, you need to provide a configuration file that will be used by <a href=\"https:\/\/github.com\/coreos\/ignition\">Ignition<\/a> to provision the system. You may use this file to configure things like creating a user, adding a trusted SSH key, enabling systemd services, and more.<\/p>\n<p>The following configuration creates a <em>&#8216;core&#8217;<\/em> user and adds an SSH key to the authorized_keys file. 
It also creates a systemd service that uses <a href=\"https:\/\/podman.io\/\">podman<\/a> to run a simple hello world container.<\/p>\n<pre class=\"wp-block-preformatted\">version: \"1.0.0\"\nvariant: fcos\npasswd:\n  users:\n    - name: core\n      ssh_authorized_keys:\n        - ssh-ed25519 my_public_ssh_key_hash fcos_key\nsystemd:\n  units:\n    - contents: |\n        [Unit]\n        Description=Run a hello world web service\n        After=network-online.target\n        Wants=network-online.target\n        [Service]\n        ExecStart=\/bin\/podman run --pull=always --name=hello --net=host -p 8080:8080 quay.io\/cverna\/hello\n        ExecStop=\/bin\/podman rm -f hello\n        [Install]\n        WantedBy=multi-user.target\n      enabled: true\n      name: hello.service<\/pre>\n<p>After adding your SSH key to the configuration, save it as <em>config.yaml<\/em>. Next use the Fedora CoreOS Config Transpiler (fcct) tool to convert this YAML configuration into a valid Ignition configuration (JSON format).<\/p>\n<p>Install <em>fcct<\/em> directly from Fedora&#8217;s repositories or get the binary from <a href=\"https:\/\/github.com\/coreos\/fcct\/releases\">GitHub<\/a>.<\/p>\n<pre class=\"wp-block-preformatted\">$ sudo dnf install fcct\n$ fcct -output config.ign config.yaml<\/pre>\n<h4>Install and run Fedora CoreOS<\/h4>\n<p>To run the image, you can use the libvirt stack. 
To install it on a Fedora system using the dnf package manager, run:<\/p>\n<pre class=\"wp-block-preformatted\">$ sudo dnf install @virtualization<\/pre>\n<p>Now let&#8217;s create and run a Fedora CoreOS virtual machine:<\/p>\n<pre class=\"wp-block-preformatted\">$ chcon --verbose unconfined_u:object_r:svirt_home_t:s0 config.ign\n$ virt-install --name=fcos \\\n--vcpus=2 \\\n--ram=2048 \\\n--import \\\n--network=bridge=virbr0 \\\n--graphics=none \\\n--qemu-commandline=\"-fw_cfg name=opt\/com.coreos\/config,file=${PWD}\/config.ign\" \\\n--disk=size=20,backing_store=${PWD}\/fedora-coreos-32.20200907.3.0-qemu.x86_64.qcow2<\/pre>\n<p>Once the installation is successful, some information is displayed and a login prompt is provided.<\/p>\n<pre class=\"wp-block-preformatted\">Fedora CoreOS 32.20200907.3.0\nKernel 5.8.10-200.fc32.x86_64 on an x86_64 (ttyS0)\nSSH host key: SHA256:BJYN7AQZrwKZ7ZF8fWSI9YRhI++KMyeJeDVOE6rQ27U (ED25519)\nSSH host key: SHA256:W3wfZp7EGkLuM3z4cy1ZJSMFLntYyW1kqAqKkxyuZrE (ECDSA)\nSSH host key: SHA256:gb7\/4Qo5aYhEjgoDZbrm8t1D0msgGYsQ0xhW5BAuZz0 (RSA)\nens2: 192.168.122.237 fe80::5054:ff:fef7:1a73\nIgnition: user provided config was applied\nIgnition: wrote ssh authorized keys file for user: core<\/pre>\n<p>The Ignition configuration file did not provide any password for the <em>core<\/em> user, therefore it is not possible to log in directly via the console. (Though, it is possible to configure a password for users via Ignition configuration.)<\/p>\n<p>Use the Ctrl + ] key combination to exit the virtual machine&#8217;s console. 
Then check if the hello.service is running.<\/p>\n<pre class=\"wp-block-preformatted\">$ curl http:\/\/192.168.122.237:8080\nHello from Fedora CoreOS!<\/pre>\n<p>Using the preconfigured SSH key, you can also access the VM and inspect the services running on it.<\/p>\n<pre class=\"wp-block-preformatted\">$ ssh core@192.168.122.237\n$ systemctl status hello\n\u25cf hello.service - Run a hello world web service\nLoaded: loaded (\/etc\/systemd\/system\/hello.service; enabled; vendor preset: enabled)\nActive: active (running) since Wed 2020-10-28 10:10:26 UTC; 42s ago<\/pre>\n<h4>zincati, rpm-ostree and automatic updates<\/h4>\n<p>The zincati service drives rpm-ostreed with automatic updates.<br \/>Check which version of Fedora CoreOS is currently running on the VM, and check if Zincati has found an update.<\/p>\n<pre class=\"wp-block-preformatted\">$ ssh core@192.168.122.237\n$ rpm-ostree status\nState: idle\nDeployments:\n\u25cf ostree:\/\/fedora:fedora\/x86_64\/coreos\/stable\nVersion: 32.20200907.3.0 (2020-09-23T08:16:31Z)\nCommit: b53de8b03134c5e6b683b5ea471888e9e1b193781794f01b9ed5865b57f35d57\nGPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0\n$ systemctl status zincati\n\u25cf zincati.service - Zincati Update Agent\nLoaded: loaded (\/usr\/lib\/systemd\/system\/zincati.service; enabled; vendor preset: enabled)\nActive: active (running) since Wed 2020-10-28 13:36:23 UTC; 7s ago\n\u2026\nOct 28 13:36:24 cosa-devsh zincati[1013]: [INFO ] initialization complete, auto-updates logic enabled\nOct 28 13:36:25 cosa-devsh zincati[1013]: [INFO ] target release '32.20201004.3.0' selected, proceeding to stage it ... 
zincati reboot ...<\/pre>\n<p>After the restart, let&#8217;s log in remotely once more to check the new version of Fedora CoreOS.<\/p>\n<pre class=\"wp-block-preformatted\">$ ssh core@192.168.122.237\n$ rpm-ostree status\nState: idle\nDeployments:\n\u25cf ostree:\/\/fedora:fedora\/x86_64\/coreos\/stable\nVersion: 32.20201004.3.0 (2020-10-19T17:12:33Z)\nCommit: 64bb377ae7e6949c26cfe819f3f0bd517596d461e437f2f6e9f1f3c24376fd30\nGPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0\nostree:\/\/fedora:fedora\/x86_64\/coreos\/stable\nVersion: 32.20200907.3.0 (2020-09-23T08:16:31Z)\nCommit: b53de8b03134c5e6b683b5ea471888e9e1b193781794f01b9ed5865b57f35d57\nGPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0<\/pre>\n<p><em>rpm-ostree status<\/em> now shows 2 versions of Fedora CoreOS, the one that came in the QEMU image, and the latest one received from the update. By having these 2 versions available, it is possible to roll back to the previous version using the <em>rpm-ostree rollback<\/em> command.<\/p>\n<p>Finally, you can make sure that the hello service is still running and serving content.<\/p>\n<pre class=\"wp-block-preformatted\">$ curl http:\/\/192.168.122.237:8080\nHello from Fedora CoreOS!\n<\/pre>\n<p>More information: <a href=\"https:\/\/docs.fedoraproject.org\/en-US\/fedora-coreos\/auto-updates\/\">Fedora CoreOS updates<\/a><\/p>\n<h4>Deleting the Virtual Machine<\/h4>\n<p>To clean up afterwards, the following commands will delete the VM and associated storage.<\/p>\n<pre class=\"wp-block-preformatted\">$ virsh destroy fcos\n$ virsh undefine --remove-all-storage fcos<\/pre>\n<h3>Conclusion<\/h3>\n<p>Fedora CoreOS provides a solid and secure operating system tailored to run applications in containers. It excels in a DevOps environment which encourages the hosts to be provisioned using declarative configuration files. 
Automatic updates and the ability to roll back to a previous version of the OS bring peace of mind during the operation of a service.<\/p>\n<p>Learn more about Fedora CoreOS by following the tutorials available in the project&#8217;s <a href=\"https:\/\/docs.fedoraproject.org\/en-US\/fedora-coreos\/tutorials\/\">documentation<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This has been called the age of DevOps, and operating systems seem to be getting a little bit less attention than tools are. However, this doesn&#8217;t mean that there has been no innovation in operating systems. [Edit: The diversity of offerings from the plethora of distributions based on the Linux kernel is a fine example [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[161,444,45,622,42,43,46,47,1243],"class_list":["post-121243","post","type-post","status-publish","format-standard","hentry","category-fedora-os","tag-coreos","tag-devops","tag-fedora","tag-fedora-coreos","tag-for-developers","tag-for-system-administrators","tag-magazine","tag-news","tag-os"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/121243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=121243"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/121243\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=121243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\
/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=121243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=121243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}