How does OSTree help manage Edge devices?<\/h2>\n
If you need to deploy hundreds of operating systems to edge devices, safe in the knowledge that you can easily manage future updates and maintenance, an OSTree\u2019s immutable and image-based operating system is ready for the task.<\/p>\n
OSTree<\/a> functions like git, but for operating system binaries. It has git-like content-addressed repositories. The ability to commit and branch entire root filesystem trees resembles the way you submit changes in git. With OSTree, you build an operating system with pre-installed packages, known as an operating system image. After you build the operating system image, it is possible to track it, sign it, test it, and deploy it. These images function as immutable file system trees. When the time comes to change or update, you simply build a new image and deploy it. By atomically switching between different versions of images, you are completely replacing filesystem trees.<\/p>\n OSTree also has a simple CLI that you can use for managing simple workflows, for example, for switching between different versions of images\/filesystem trees.<\/p>\n As a standalone tool, the base OSTree CLI is not the most feature-rich utility for managing repository content. To make life easier, in the following demo, we will use rpm-ostree<\/a><\/em>. rpm-ostree<\/em> is a hybrid image\/package system that combines the standard OSTree technology as a base image format and accepts RPM on both the client and server-side.<\/p>\n rpm-ostree<\/em> integrates with Fedora IoT. In comparison to other ecosystems, instead of installing packages via DNF, you install packages with rpm-ostree<\/em>. After rebooting all changes are applied to a new version of the image.<\/p>\n You can also upgrade or install a new Fedora IoT image with the rpm-ostree<\/em> utility.<\/p>\n Pulp<\/a> is a platform that handles content management workflows. Using Pulp, you can sync packages from remote repositories such as an RPM server, PyPI, Docker Hub, Ansible Galaxy, and many more. You can host and modify synced packages in repositories inside the Pulp server. You can publish repositories that contain packages available for deployment to production environments.<\/p>\n In our scenario, Pulp provides a platform for storing particular versions of OSTree content, promoting approved content through the content management lifecycle, for example from dev<\/em> to test<\/em>, and from test<\/em> to prod<\/em>. Pulp also provides a method for publishing content that is consumed by edge devices. Using Pulp, you can pull the latest packages, test, and publish only when safe to do so. Pulp ensures the safety, security, and repeatability of your content supply chain.<\/p>\n The following diagram provides a simplified overview of Pulp. On the left are shown different content types that are mirrored into Pulp from remote sources. These repositories are then served, for instance, to different CI\/CD or production environments.<\/p>\n Pulp creates a new repository version automatically when updating or removing packages in a repository. You can distribute each repository version independently.<\/p>\n Pulp has a plugin-based architecture, which means that you must add a plugin for each content type you want to use. For managing OSTree content, you need the OSTree plugin<\/a>. You can then mirror content from a remote repository, import content from a local tarball, and modify content within a Pulp repository while preserving the integrity of the original content. You can move commits and refs from one repository to another or delete them. Pulp ensures that you are safe to experiment while your production environment remains pinned to a particular version.<\/p>\n In this section, let\u2019s look at how to build an image with an OSTree commit.<\/p>\n We start by booting a new virtual machine (VM) that will have an installed Fedora-IoT OS. For the purposes of this example, it is best to have the same version of the OS installed as the running edge devices have.<\/p>\n All commands in this section are executed on the main admin VM (Fedora IoT 35 OS). On this admin VM, we will build the images that we will then distribute to the edge devices.<\/p>\n In this example a nano editor package is installed on all edge devices.\u00a0We need to build an image containing a commit with the package.<\/p>\n Create a blueprint file that describes what changes you want to make to the image as shown here:<\/p>\n Push this blueprint to the os build composer utility, which is a tool for composing operating system images. composer-cli<\/em> communicates with osbuild composer<\/em> through the CLI:<\/p>\n Build a new image:<\/p>\n The composer will use resources available in your current OS (such as a default operating system version).<\/p>\n Regularly check the status of the build:<\/p>\n When the build finishes, download the image:<\/p>\n The downloaded image is basically an OSTree repository packed into a tarball. When you extract the archived content, you will notice that one ref is referencing the checksum of a commit. You can find it inside the refs\/heads\/<\/em> directory.<\/p>\n All commands shown in this section are executed on the main admin VM (Fedora IoT 35 OS).<\/p>\n Now configure a proxy server or SSH port forwarding to enable network communication between the VM and Pulp. Ensure that you can ping the Pulp server from the VM.<\/p>\n First, create a new OSTree repository:<\/p>\n The following command will import the tarball created in the previous section into Pulp:<\/p>\n Publish the parsed commit as a remote OSTree repository hosted by Pulp:<\/p>\n Try to fetch the commit checksum from the ref:<\/p>\n The Edge device can be another VM or a real device running Fedora IoT.<\/p>\n All commands shown in this section are executed on an Edge device (Fedora IoT 35 OS).<\/p>\n The nano package should NOT come pre-installed with the official bare Fedora IoT 35 image. Verify that by attempting to run nano<\/em> inside your terminal.<\/p>\n In Fedora IoT, updates are retrieved from the URL defined in \/etc\/ostree\/remotes.d\/fedora-iot.conf<\/strong>. This file can be modified manually or by adding a new remote repository. Learn more at Adding and Removing Remote Repositories<\/a>.<\/p>\n You can automate the upgrade procedure with an upgrade policy that will be configured at the beginning of deployment. This is done by writing a kickstart file that will boot up an edge device into a headless state. However, for demonstrative purposes, let\u2019s act like a villain and update the aforementioned configuration file manually to have the following content:<\/p>\n Do not forget to replace the variable ${PULP_BASE_ADDR}<\/em> with a valid base path to the pulp server.<\/p>\n The following command shows you that some packages are going to be installed:<\/p>\n Reboot the edge device:<\/p>\n \u2026rebooting\u2026<\/em><\/p>\n Log in to the edge VM via ssh, and check the presence of the nano package that comes from Pulp:<\/p>\nWhere do Fedora-IoT Images feature?<\/h2>\n
Where and how does Pulp come into this?<\/h2>\n
![\"\"](\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2022\/04\/updating-edge-devices-with-ostree-and-pulp.png\")
<\/a>Putting it all together<\/h2>\n
Building a Customized Fedora-IoT Image<\/h3>\n
Before you begin:<\/h4>\n
\n
$ systemctl is-active sshd<\/pre>\n
\n
$ sudo rpm-ostree install osbuild-composer composer-cli\n$ sudo systemctl enable --now osbuild-composer.socket<\/pre>\n
\n
\n$ cat install-nano.toml name = \"nano-commit\"\ndescription = \"Installing nano\"\nversion = \"0.0.1\" [[packages]]\nname = \"nano\"\nversion = \"*\"<\/pre>\n
$ composer-cli blueprints push install-nano.toml<\/pre>\n
$ composer-cli compose start-ostree nano-commit fedora-iot-commit --ref fedora\/stable\/x86_64\/iot<\/pre>\n
$ composer-cli compose status<\/pre>\n
$ composer-cli compose image ${IMAGE_UUID}<\/pre>\nPublishing the Customized Image with Pulp<\/h3>\n
Before you begin:<\/h4>\n
\n
$ python3 -m venv venv && source venv\/bin\/activate\n$ pip install pulp-cli-ostree<\/pre>\n
\n
$ pulp config create && pulp status<\/pre>\n
\n$ pulp ostree repository create --name fedora-iot<\/pre>\n
$ pulp ostree repository import-commits --name fedora-iot --file ${IMAGE_TARBALL_C1} --repository_name repo<\/pre>\n$ pulp ostree distribution create --name fedora-iot --base-path fedora-iot --repository fedora-iot<\/pre>\n
$ curl http:\/\/${PULP_BASE_ADDR}\/pulp\/content\/pulp-fedora-iot\/refs\/heads\/fedora\/stable\/x86_64\/iot<\/pre>\nDistributing the Customized Image to an Edge Device<\/strong><\/h3>\n
Before you begin:<\/h4>\n
\n
$ systemctl is-active sshd<\/pre>\n
\n[remote \"fedora-iot\"]\nurl=http:\/\/${PULP_BASE_ADDR}\/pulp\/content\/pulp-fedora-iot\/refs\/heads\/fedora\/stable\/x86_64\/iot\ngpg-verify=false\nref=fedora\/stable\/x86_64\/iot<\/pre>\n$ rpm-ostree upgrade<\/pre>\n
$ systemctl reboot<\/pre>\n
$ nano<\/pre>\n