Fedora CoreOS (FCOS) is a minimal operating system designed for running containerized workloads securely and at scale. It builds on CoreOS and Fedora Atomic. The OS is immutable and updates itself automatically, which keeps it stable and reliable: the latest OS improvements, bug fixes, and security updates are applied with rpm-ostree.

Unlike other Linux operating systems, Fedora CoreOS (FCOS) has no install-time configuration. Every FCOS system begins with a generic disk image. For each deployment mechanism (cloud VM, local VM, bare metal), configuration can be supplied at first boot. FCOS reads and applies the configuration file with Ignition.

When Fedora CoreOS is installed on bare metal, or as a virtual machine from an ISO file, Ignition injects the configuration at install time. For deployments in a cloud environment, Ignition gathers the configuration via the cloud’s user-data mechanism.

Run/Install Fedora CoreOS (FCOS) on KVM / OpenStack

In this guide we’ll see how to run Fedora CoreOS (FCOS) in OpenStack and KVM virtualization environments. Below is the standard process for provisioning immutable Fedora CoreOS infrastructure on OpenStack / KVM.

  1. You start by writing a Fedora CoreOS Config (FCC) – This is a YAML file that specifies the desired configuration of a machine.
  2. You’ll then use the Fedora CoreOS Config Transpiler to validate your FCC and convert it to an Ignition config.
  3. The final step is launching a Fedora CoreOS machine and passing it the generated Ignition config, which is applied as the machine boots for the first time.

Step 1: Download the latest QCOW2 image

There are two ways of downloading FCOS images for both OpenStack and KVM.

Using coreos-installer

coreos-installer is a program to assist with installing Fedora CoreOS (FCOS) and Red Hat Enterprise Linux CoreOS (RHCOS). This tool can be used to download the latest images for FCOS.

Install coreos-installer on Fedora:

--- Fedora Workstation / Server ---
$ sudo dnf install coreos-installer

--- Fedora CoreOS ---
$ rpm-ostree install coreos-installer

Check command download options:

$ coreos-installer download --help
coreos-installer-download 
Download a CoreOS image

USAGE:
    coreos-installer download [OPTIONS]

OPTIONS:
    -s, --stream <name>            Fedora CoreOS stream [default: stable]
        --architecture <name>      Target CPU architecture [default: x86_64]
    -p, --platform <name>          Fedora CoreOS platform name [default: metal]
    -f, --format <name>            Image format [default: raw.xz]
    -u, --image-url <URL>          Manually specify the image URL
    -C, --directory <path>         Destination directory [default: .]
    -d, --decompress               Decompress image and don't save signature
        --insecure                 Skip signature verification
        --stream-base-url <URL>    Base URL for Fedora CoreOS stream metadata
    -h, --help                     Prints help information

List Fedora CoreOS images available for download:

$ coreos-installer list-stream
Architecture  Platform   Format
x86_64        aliyun     qcow2.xz
x86_64        aws        vmdk.xz
x86_64        azure      vhd.xz
x86_64        gcp        tar.gz
x86_64        metal      iso
x86_64        metal      pxe
x86_64        metal      raw.xz
x86_64        openstack  qcow2.xz
x86_64        qemu       qcow2.xz
x86_64        vmware     ova

Download image for OpenStack:

coreos-installer download --stream stable --platform openstack --decompress  --format qcow2.xz

Qemu / KVM:

coreos-installer download --stream stable --platform qemu --decompress  --format qcow2.xz

Command output example:

gpg: Signature made Tue 14 Jan 2020 01:28:28 AM UTC
gpg:                using RSA key 50CB390B3C3359C4
gpg: Good signature from "Fedora (31) <[email protected]>" [ultimate]
> Read disk 431.5 MiB/431.5 MiB (100%)   
./fedora-coreos-31.20200113.3.1-openstack.x86_64.qcow2

Downloading FCOS images manually

Copy the latest image URL from the FCOS download page for your platform.

OpenStack:

wget <image-url> -O fedora-coreos-openstack.qcow2.xz
unxz fedora-coreos-openstack.qcow2.xz

QEMU / KVM:

wget  <image-url> -O fedora-coreos-qemu.qcow2.xz
unxz fedora-coreos-qemu.qcow2.xz
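
The manual download above skips the signature check that coreos-installer performs. As an added example (not part of the original guide), the functions below refuse to decompress an image unless its SHA256 digest and detached GPG signature both verify. The digest, the .sig file and a keyring file holding the Fedora signing keys are assumed to have been obtained from Fedora over HTTPS.

```shell
#!/bin/sh
# Added example, not from the original guide.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_sha256() {
    file="$1"; expected="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    # published digests are sometimes upper case; normalise before comparing
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] && return 0
    echo "SHA256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_signature FILE SIGFILE KEYRING
# gpgv trusts only the keys in KEYRING, so an unrelated key in the
# operator's personal keyring cannot make the check pass.
verify_signature() {
    gpgv --keyring "$3" "$2" "$1"
}

# safe_unxz IMAGE.xz EXPECTED_HEX SIGFILE KEYRING
# Decompresses only after both checks succeed; keeps the .xz for re-checks.
safe_unxz() {
    img="$1"; sum="$2"; sig="$3"; keyring="$4"
    verify_sha256 "$img" "$sum" || return 1
    verify_signature "$img" "$sig" "$keyring" || return 1
    unxz --keep "$img"
}

# Usage (file names are placeholders for what you downloaded):
#   safe_unxz fedora-coreos-qemu.qcow2.xz <sha256> \
#       fedora-coreos-qemu.qcow2.xz.sig ./fedora.gpg
```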

For OpenStack, you need to upload the Fedora CoreOS image to the OpenStack Glance service:

openstack image create "fcos" \
    --file fedora-coreos-openstack.qcow2 \
    --disk-format qcow2 --container-format bare \
    --public

Confirm that the image is uploaded:

$ openstack image list
+--------------------------------------+-----------------+--------+
| ID                                   | Name            | Status |
+--------------------------------------+-----------------+--------+
| 6576c788-19e1-4de4-bf63-a769763cd00d | fcos            | active |
+--------------------------------------+-----------------+--------+

Step 2: Create Fedora CoreOS Config (FCC)

FCC is a YAML file that has the desired configuration of a machine. The FCCs support all Ignition functionality, and also provide additional syntax (“sugar”) that makes it easier to specify typical configuration changes.

This is my basic YAML configuration file, which adds an SSH key to the default core user.

$ vim fcos.fcc 
variant: fcos
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa <ssh-pub-key>

Where:

  • core is the name of the FCOS user
  • <ssh-pub-key> is the contents of your public key

Full details of FCC and its specifications are covered on the FCOS Provisioning and Configuration page.

Step 3: Convert FCC to Ignition config

We’ll now use the Fedora CoreOS Config Transpiler to validate our FCC and convert it to an Ignition config.

--- Podman ---
$ podman pull quay.io/coreos/fcct
$ podman run -i --rm quay.io/coreos/fcct -pretty -strict <fcos.fcc > fcos.ign

--- Docker ---
$ docker pull quay.io/coreos/fcct
$ docker run -i --rm quay.io/coreos/fcct -pretty -strict <fcos.fcc > fcos.ign

Replace fcos.fcc with the name of your FCC file and fcos.ign with the name of the Ignition file to be created.

You can manually validate the Ignition configuration file with:

--- Podman ---
$ podman run --rm -i quay.io/coreos/ignition-validate - < fcos.ign

--- Docker ---
$ docker run --rm -i quay.io/coreos/ignition-validate - < fcos.ign
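
ignition-validate checks that the config is well-formed, not whether its contents are safe to hand out as user-data. The added example below (not part of the original guide; it requires jq) goes beyond the single-user config shown here and flags password hashes and remote configs or files fetched over plain HTTP without a pinned hash in an Ignition spec 3.x file. The sample config, host names and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. Requires jq.

# audit_ignition FILE: prints one finding per line.
# Returns 0 when clean, 1 when there are findings, 2 on unparsable JSON.
audit_ignition() {
    findings=$(jq -r '
        # password hashes travel with the user-data; prefer SSH keys only
        (.passwd.users // [] | .[] | select(.passwordHash != null)
            | "password-hash user=\(.name)"),
        # remote configs merged over plain HTTP with no pinned hash
        (.ignition.config.merge // [] | .[]
            | select((.source // "") | startswith("http://"))
            | select(.verification.hash == null)
            | "unverified-http-config source=\(.source)"),
        # remote files pulled over plain HTTP with no pinned hash
        (.storage.files // [] | .[]
            | select((.contents.source // "") | startswith("http://"))
            | select(.contents.verification.hash == null)
            | "unverified-http-file path=\(.path)")
    ' "$1") || return 2
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_sample_ign FILE: constructed config with three deliberate problems.
write_sample_ign() {
    cat > "$1" <<'EOF'
{
  "ignition": {"version": "3.0.0",
    "config": {"merge": [{"source": "http://config.example/base.ign"}]}},
  "passwd": {"users": [
    {"name": "core", "sshAuthorizedKeys": ["ssh-rsa AAAAconstructed"]},
    {"name": "ops", "passwordHash": "$6$constructed$hash"}]},
  "storage": {"files": [
    {"path": "/etc/a.conf",
     "contents": {"source": "http://files.example/a.conf"}},
    {"path": "/etc/b.conf",
     "contents": {"source": "https://files.example/b.conf",
                  "verification": {"hash": "sha512-constructed"}}}]}
}
EOF
}
```

Run it as `audit_ignition fcos.ign` before passing the file to `--user-data` or `-fw_cfg`; a config like the one in Step 2, with only an SSH key for core, produces no findings.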

Step 4: Launch a Fedora CoreOS machine

Once you have the Ignition file ready, you can create a Fedora CoreOS machine by passing it the Ignition config you created.

On OpenStack

OpenStack CLI: Configure and Use OpenStack CLI

$ openstack server create \
 --image fcos \
 --key-name <your-openstack-key-name> \
 --flavor m1.small \
 --security-group  <your-security-group>  \
 --network private  \
 --user-data fcos.ign \
 fcos

Replace:

  • <your-openstack-key-name> with the name of your SSH key uploaded to OpenStack.
  • <your-security-group> with the ID of your OpenStack security group.

Immediate output as the build starts:

+-------------------------------------+---------------------------------------------+
| Field                               | Value                                       |
+-------------------------------------+---------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                      |
| OS-EXT-AZ:availability_zone         |                                             |
| OS-EXT-SRV-ATTR:host                | None                                        |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                        |
| OS-EXT-SRV-ATTR:instance_name       |                                             |
| OS-EXT-STS:power_state              | NOSTATE                                     |
| OS-EXT-STS:task_state               | scheduling                                  |
| OS-EXT-STS:vm_state                 | building                                    |
| OS-SRV-USG:launched_at              | None                                        |
| OS-SRV-USG:terminated_at            | None                                        |
| accessIPv4                          |                                             |
| accessIPv6                          |                                             |
| addresses                           |                                             |
| adminPass                           | ru6YiFeRLWn5                                |
| config_drive                        |                                             |
| created                             | 2020-01-24T19:27:11Z                        |
| flavor                              | m1.small (1)                                |
| hostId                              |                                             |
| id                                  | 6402494f-a2b1-4b6d-b462-7bc54d38d53b        |
| image                               | fcos (6576c788-19e1-4de4-bf63-a769763cd00d) |
| key_name                            | jmutai                                      |
| name                                | fcos                                        |
| progress                            | 0                                           |
| project_id                          | 06bcc3c56ab1489282b65681e782d7f6            |
| properties                          |                                             |
| security_groups                     | name='7fffea2a-b756-473a-a13a-219dd0f1913a' |
| status                              | BUILD                                       |
| updated                             | 2020-01-24T19:27:11Z                        |
| user_id                             | 336acbb7421f47f8be4891eabf0c9cc8            |
| volumes_attached                    |                                             |
+-------------------------------------+---------------------------------------------+

Check VM status:

$ openstack server list  --name fcos
+--------------------------------------+------+--------+---------------------+-------+----------+
| ID                                   | Name | Status | Networks            | Image | Flavor   |
+--------------------------------------+------+--------+---------------------+-------+----------+
| 6402494f-a2b1-4b6d-b462-7bc54d38d53b | fcos | ACTIVE | private=10.10.1.126 | fcos  | m1.small |
+--------------------------------------+------+--------+---------------------+-------+----------+

Let’s see if we can ping the VM:

$ ping -c 3 10.10.1.126
PING 10.10.1.126 (10.10.1.126) 56(84) bytes of data.
64 bytes from 10.10.1.126: icmp_seq=1 ttl=64 time=0.320 ms
64 bytes from 10.10.1.126: icmp_seq=2 ttl=64 time=0.297 ms
64 bytes from 10.10.1.126: icmp_seq=3 ttl=64 time=0.373 ms

--- 10.10.1.126 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.297/0.330/0.373/0.031 ms

Can we ssh to the instance?

$ ssh core@10.10.1.126
Warning: Permanently added '10.10.1.126' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/centos/.ssh/id_rsa': 
Fedora CoreOS 31.20200113.3.1
Tracker: https://github.com/coreos/fedora-coreos-tracker

Check OS release:

$ cat /etc/os-release 
NAME=Fedora
VERSION="31.20200113.3.1 (CoreOS)"
ID=fedora
VERSION_ID=31
VERSION_CODENAME=""
PLATFORM_ID="platform:f31"
PRETTY_NAME="Fedora CoreOS 31.20200113.3.1"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:31"
HOME_URL="https://getfedora.org/coreos/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-coreos/"
SUPPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
BUG_REPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=31
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=31
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="CoreOS"
VARIANT_ID=coreos
OSTREE_VERSION='31.20200113.3.1'

$ uname -a
Linux host-10-10-1-126 5.4.8-200.fc31.x86_64 #1 SMP Mon Jan 6 16:44:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

On KVM / QEMU

Copy the downloaded image to the virtual machine images directory, e.g.:

sudo cp fedora-coreos-qemu.qcow2 /var/lib/libvirt/images/fedora-coreos-qemu.qcow2

With virt-install:

$ virt-install -n fcos --vcpus 2 -r 2048 \
  --os-variant=fedora31 --import \
  --network bridge=virbr0 \
  --disk=/var/lib/libvirt/images/fedora-coreos-qemu.qcow2,format=qcow2,bus=virtio \
  --noautoconsole \
  --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/path/to/fcos.ign"

Installing Software packages on Fedora CoreOS

There is a restriction on the number of packages you can install on Fedora CoreOS. The primary way of updating Fedora CoreOS and installing applications is rpm-ostree.

rpm-ostree works by modifying your FCOS installation to extend the packages from which Silverblue is composed. Package layering creates a new “deployment”, or bootable filesystem root, and the system must be rebooted after a package has been layered. This preserves rollback and the transactional model.

  • First, generate rpm repo metadata:

$ sudo rpm-ostree refresh-md 
Enabled rpm-md repositories: updates fedora
Updating metadata for 'updates'... done
rpm-md repo 'updates'; generated: 2020-01-24T14:56:09Z
Updating metadata for 'fedora'... done
rpm-md repo 'fedora'; generated: 2019-10-23T22:52:47Z
Importing rpm-md... done

  • A package can be installed on Silverblue using:

$ sudo rpm-ostree install <package name>

Example:

$ sudo rpm-ostree install vim
Checking out tree f480038... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2020-01-24T14:56:09Z
rpm-md repo 'fedora' (cached); generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 13 packages (20.0 MB)
Downloading from 'fedora'... done
Downloading from 'updates'... done
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
......

A reboot is required after package installation:

$ sudo systemctl reboot

Installing on bare metal

If you’re interested in installing FCOS on bare metal with ISO or PXE boot, follow the Bare Metal Installation Instructions to write Fedora CoreOS to disk. Ignition is injected at install time.
