Install / Run Fedora CoreOS (FCOS) on KVM / OpenStack

Fedora CoreOS (FCOS) is a minimal operating system designed for running containerized workloads securely and at scale. Its building blocks are CoreOS and Fedora Atomic. It is immutable and updates itself automatically, which keeps the OS stable and reliable. Updates are delivered with rpm-ostree and bring the latest OS improvements, bug fixes, and security updates.

Unlike other Linux operating systems, Fedora CoreOS (FCOS) has no install-time configuration. Every FCOS system begins with a generic disk image. For each deployment mechanism (cloud VM, local VM, bare metal), configuration can be supplied at first boot. FCOS reads and applies the configuration file with Ignition.

When Fedora CoreOS is installed on bare metal, or as a virtual machine from an ISO file, Ignition injects the configuration at install time. For deployments in a cloud environment, Ignition gathers the configuration via the cloud’s user-data mechanism.

Run/Install Fedora CoreOS (FCOS) on KVM / OpenStack

In this guide we’ll see how to run Fedora CoreOS (FCOS) in OpenStack and KVM virtualization environments. Below is the standard process of provisioning immutable Fedora CoreOS infrastructure on OpenStack / KVM.

  1. You start by writing a Fedora CoreOS Config (FCC) – This is a YAML file that specifies the desired configuration of a machine.
  2. You’ll then use the Fedora CoreOS Config Transpiler to validate your FCC and convert it to an Ignition config.
  3. The final step is launching a Fedora CoreOS machine and passing it the generated Ignition config, so that provisioning starts when the machine boots.

Step 1: Download the latest QCOW2 image

There are two ways of downloading FCOS images for both OpenStack and KVM.

Option 1) Using coreos-installer

coreos-installer is a program to assist with installing Fedora CoreOS (FCOS) and Red Hat Enterprise Linux CoreOS (RHCOS). This tool can be used to download the latest images for FCOS.

Install coreos-installer on Fedora:

### Fedora Workstation / Server ###
sudo dnf -y install coreos-installer

### Fedora CoreOS ###
rpm-ostree install coreos-installer

Check command download options:

$ coreos-installer download --help
coreos-installer-download 0.11.0
Download a CoreOS image

USAGE:
    coreos-installer download [OPTIONS]

OPTIONS:
    -s, --stream             Fedora CoreOS stream [default: stable]
    -a, --architecture       Target CPU architecture [default: x86_64]
    -p, --platform           Fedora CoreOS platform name [default: metal]
    -f, --format             Image format [default: raw.xz]
    -u, --image-url           Manually specify the image URL
    -C, --directory          Destination directory [default: .]
    -d, --decompress               Decompress image and don't save signature
        --insecure                 Skip signature verification
        --stream-base-url     Base URL for Fedora CoreOS stream metadata
        --fetch-retries         Fetch retries, or "infinite" [default: 0]
    -h, --help                     Prints help information

List Fedora CoreOS images available for download:

$ coreos-installer list-stream
Architecture  Platform      Format
aarch64       aws           vmdk.xz
aarch64       metal         4k.raw.xz
aarch64       metal         iso
aarch64       metal         pxe
aarch64       metal         raw.xz
aarch64       openstack     qcow2.xz
aarch64       qemu          qcow2.xz
x86_64        aliyun        qcow2.xz
x86_64        aws           vmdk.xz
x86_64        azure         vhd.xz
x86_64        azurestack    vhd.xz
x86_64        digitalocean  qcow2.gz
x86_64        exoscale      qcow2.xz
x86_64        gcp           tar.gz
x86_64        ibmcloud      qcow2.xz
x86_64        metal         4k.raw.xz
x86_64        metal         iso
x86_64        metal         pxe
x86_64        metal         raw.xz
x86_64        nutanix       qcow2.xz
x86_64        openstack     qcow2.xz
x86_64        qemu          qcow2.xz
x86_64        virtualbox    ova
x86_64        vmware        ova
x86_64        vultr         raw.xz

Download image for OpenStack:

coreos-installer download --stream stable --platform openstack --decompress  --format qcow2.xz

Command execution output:

Downloading Fedora CoreOS stable x86_64 openstack image (qcow2.xz) and signature
> Read disk 662.0 MiB/662.0 MiB (100%)
gpg: Signature made Wed 27 Apr 2022 02:29:28 AM EAT
gpg:                using RSA key 787EA6AE1147EEE56C40B30CDB4639719867C58F
gpg: Good signature from "Fedora (35) " [ultimate]
./fedora-coreos-35.20220410.3.1-openstack.x86_64.qcow2

Confirm the file was created in your current working directory:

$ ls fedora-coreos-*-openstack.x86_64.qcow2
fedora-coreos-35.20220410.3.1-openstack.x86_64.qcow2

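For OpenStack, you need to upload the Fedora CoreOS image to the OpenStack Glance service. Note that --public makes the image visible to every project and normally requires admin rights; use --private instead to keep it within your own project: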

openstack image create "fcos" \
    --file fedora-coreos-35.20220410.3.1-openstack.x86_64.qcow2 \
    --disk-format qcow2 --container-format bare \
    --public

Confirm that the image is uploaded:

$ openstack image list
+--------------------------------------+-----------------+--------+
| ID                                   | Name            | Status |
+--------------------------------------+-----------------+--------+
| 6576c788-19e1-4de4-bf63-a769763cd00d | fcos            | active |
+--------------------------------------+-----------------+--------+

QEMU / KVM:

coreos-installer download --stream stable --platform qemu --decompress  --format qcow2.xz

Command output example:

Downloading Fedora CoreOS stable x86_64 qemu image (qcow2.xz) and signature
> Read disk 657.6 MiB/657.6 MiB (100%)
gpg: Signature made Wed 27 Apr 2022 02:23:48 AM EAT
gpg:                using RSA key 787EA6AE1147EEE56C40B30CDB4639719867C58F
gpg: Good signature from "Fedora (35) " [ultimate]
./fedora-coreos-35.20220410.3.1-qemu.x86_64.qcow2

Option 2) Downloading FCOS images manually

Copy the latest image URL from the FCOS download page for your platform.

OpenStack:

wget <IMAGE_URL> -O fedora-coreos-openstack.qcow2.xz
unxz fedora-coreos-openstack.qcow2.xz

QEMU / KVM:

wget <IMAGE_URL> -O fedora-coreos-qemu.qcow2.xz
unxz fedora-coreos-qemu.qcow2.xz

Here <IMAGE_URL> is the image URL you copied from the download page.
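
The coreos-installer download in Option 1 verifies the image signature (the gpg lines in its output), while a plain wget verifies nothing. The added example below (not from the original guide) checks a manually downloaded file against the SHA-256 digest published in FCOS stream metadata; the metadata and the tiny stand-in "image" are constructed, and the JSON layout is an assumption based on the stream metadata format.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large image never sits in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def expected_digests(stream_meta, arch, platform, fmt):
    """Published digests for one artifact; raises KeyError if it is not listed."""
    disk = stream_meta["architectures"][arch]["artifacts"][platform]["formats"][fmt]["disk"]
    return {"compressed": disk["sha256"],
            "uncompressed": disk.get("uncompressed-sha256")}

def verify_image(path, stream_meta, arch="x86_64", platform="openstack",
                 fmt="qcow2.xz", compressed=True):
    """True only if the file's SHA-256 equals the digest in the metadata."""
    want = expected_digests(stream_meta, arch, platform, fmt)[
        "compressed" if compressed else "uncompressed"]
    if not want:
        return False  # no digest published for this form: fail closed
    return hmac.compare_digest(sha256_file(path), want.lower())

def demo():
    """Constructed sample: matching metadata, one intact and one altered file."""
    payload = b"constructed stand-in for fedora-coreos-openstack.qcow2.xz"
    meta = {"architectures": {"x86_64": {"artifacts": {"openstack": {"formats": {
        "qcow2.xz": {"disk": {"sha256": hashlib.sha256(payload).hexdigest()}}}}}}}}
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.xz"), os.path.join(d, "bad.xz")
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload + b"\x00")  # one extra byte simulates tampering
        return verify_image(good, meta), verify_image(bad, meta)

if __name__ == "__main__":
    print(demo())
```

Run the check on the .xz file before unxz, or pass compressed=False to check the decompressed image. A digest is only as trustworthy as the channel the metadata came from, so fetch it over HTTPS; the GPG signature check done by coreos-installer remains the stronger control.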

For OpenStack, you need to upload the Fedora CoreOS image to the OpenStack Glance service:

openstack image create "fcos" \
    --file fedora-coreos-openstack.qcow2 \
    --disk-format qcow2 --container-format bare \
    --public

Confirm that the image is uploaded:

$ openstack image list
+--------------------------------------+-----------------+--------+
| ID                                   | Name            | Status |
+--------------------------------------+-----------------+--------+
| 6576c788-19e1-4de4-bf63-a769763cd00d | fcos            | active |
+--------------------------------------+-----------------+--------+

Step 2: Create Fedora CoreOS Config (FCC)

FCC is a YAML file that has the desired configuration of a machine. The FCCs support all Ignition functionality, and also provide additional syntax (“sugar”) that makes it easier to specify typical configuration changes.

This is my basic YAML configuration file to add an SSH key to the default core user.

$ vim fcos.fcc 
variant: fcos
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa <public-key>

Where:

  • core is the name of the FCOS user
  • <public-key> is the contents of your public key

Full details of FCC and its specifications are covered on the FCOS Provisioning and Configuration page.

Step 3: Convert FCC to Ignition config

We’ll now use the Fedora CoreOS Config Transpiler to validate our FCC and convert it to an Ignition config.

### Podman ###
podman pull quay.io/coreos/fcct
podman run -i --rm quay.io/coreos/fcct --pretty --strict < fcos.fcc > fcos.ign

### Docker ###
docker pull quay.io/coreos/fcct
docker run -i --rm quay.io/coreos/fcct --pretty --strict < fcos.fcc > fcos.ign

Replace fcos.fcc with the name of your FCC file and fcos.ign with the name of the Ignition file to be created.

You can manually validate the Ignition configuration file with:

### Podman ###
podman run --rm -i quay.io/coreos/ignition-validate - < fcos.ign

### Docker ###
docker run --rm -i quay.io/coreos/ignition-validate - < fcos.ign
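
ignition-validate confirms that the file is well-formed, not that what it grants is what you intended. The added example below (not part of the original guide) reviews a generated Ignition config before it is passed to a machine, flagging an SSH key entry with no key material, password hashes, world-writable files and plain-HTTP sources without a verification hash; the sample configs are constructed and the set of checks is an illustrative assumption, not an official policy.

```python
import json

def _remote_unverified(res):
    """True when a resource is fetched over plain HTTP with no verification hash."""
    res = res or {}
    src = res.get("source") or ""
    return src.startswith("http://") and not (res.get("verification") or {}).get("hash")

def audit_ignition(cfg):
    """Return review findings for a parsed Ignition v3 config (illustrative checks)."""
    findings = []
    ign = cfg.get("ignition", {})
    if not str(ign.get("version", "")).startswith("3."):
        findings.append("unexpected ignition.version: %r" % ign.get("version"))
    conf = ign.get("config") or {}
    for res in (conf.get("merge") or []) + [conf.get("replace")]:
        if _remote_unverified(res):
            findings.append("remote config without hash: " + res["source"])
    for user in (cfg.get("passwd") or {}).get("users") or []:
        name = user.get("name", "?")
        if user.get("passwordHash"):
            findings.append("user %s has a password hash set" % name)
        for key in user.get("sshAuthorizedKeys") or []:
            if len(key.split()) < 2:  # key type present, key material missing
                findings.append("user %s has an empty or truncated SSH key" % name)
    for f in (cfg.get("storage") or {}).get("files") or []:
        if _remote_unverified(f.get("contents")):
            findings.append("%s fetched over HTTP without hash" % f.get("path"))
        mode = f.get("mode")  # Ignition JSON stores file modes as decimal integers
        if isinstance(mode, int) and mode & 0o002:
            findings.append("%s is world-writable (mode %o)" % (f.get("path"), mode))
    return findings

# Constructed sample configs (not the output of the guide's fcos.fcc).
RISKY = json.loads("""
{"ignition": {"version": "3.0.0",
   "config": {"merge": [{"source": "http://config.example.test/base.ign"}]}},
 "passwd": {"users": [{"name": "core", "passwordHash": "$6$constructed$hash",
    "sshAuthorizedKeys": ["ssh-rsa"]}]},
 "storage": {"files": [{"path": "/etc/motd", "mode": 438,
    "contents": {"source": "data:,hello"}}]}}
""")
CLEAN = json.loads("""
{"ignition": {"version": "3.0.0"},
 "passwd": {"users": [{"name": "core",
    "sshAuthorizedKeys": ["ssh-rsa AAAAconstructedkeymaterial core@example"]}]}}
""")

if __name__ == "__main__":
    for finding in audit_ignition(RISKY):
        print("REVIEW:", finding)
```

To review your own file, load it with json.load(open("fcos.ign")) and pass the result to audit_ignition.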

Step 4: Launch a Fedora CoreOS machine

Once you have the Ignition file ready, you can create a Fedora CoreOS machine by passing it the Ignition config you created.

On OpenStack

OpenStack CLI: Configure and Use OpenStack CLI

openstack server create \
 --image fcos \
 --key-name <keypair-name> \
 --flavor m1.small \
 --security-group <security-group-id> \
 --network private \
 --user-data fcos.ign \
 fcos

Replace:

  • <keypair-name> with the name of your SSH key uploaded to OpenStack.
  • <security-group-id> with the ID of your security group uploaded to OpenStack

Immediate output as the build starts:

+-------------------------------------+---------------------------------------------+
| Field                               | Value                                       |
+-------------------------------------+---------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                      |
| OS-EXT-AZ:availability_zone         |                                             |
| OS-EXT-SRV-ATTR:host                | None                                        |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                        |
| OS-EXT-SRV-ATTR:instance_name       |                                             |
| OS-EXT-STS:power_state              | NOSTATE                                     |
| OS-EXT-STS:task_state               | scheduling                                  |
| OS-EXT-STS:vm_state                 | building                                    |
| OS-SRV-USG:launched_at              | None                                        |
| OS-SRV-USG:terminated_at            | None                                        |
| accessIPv4                          |                                             |
| accessIPv6                          |                                             |
| addresses                           |                                             |
| adminPass                           | ru6YiFeRLWn5                                |
| config_drive                        |                                             |
| created                             | 2020-01-24T19:27:11Z                        |
| flavor                              | m1.small (1)                                |
| hostId                              |                                             |
| id                                  | 6402494f-a2b1-4b6d-b462-7bc54d38d53b        |
| image                               | fcos (6576c788-19e1-4de4-bf63-a769763cd00d) |
| key_name                            | jmutai                                      |
| name                                | fcos                                        |
| progress                            | 0                                           |
| project_id                          | 06bcc3c56ab1489282b65681e782d7f6            |
| properties                          |                                             |
| security_groups                     | name='7fffea2a-b756-473a-a13a-219dd0f1913a' |
| status                              | BUILD                                       |
| updated                             | 2020-01-24T19:27:11Z                        |
| user_id                             | 336acbb7421f47f8be4891eabf0c9cc8            |
| volumes_attached                    |                                             |
+-------------------------------------+---------------------------------------------+

Check VM status:

$ openstack server list  --name fcos
+--------------------------------------+------+--------+---------------------+-------+----------+
| ID                                   | Name | Status | Networks            | Image | Flavor   |
+--------------------------------------+------+--------+---------------------+-------+----------+
| 6402494f-a2b1-4b6d-b462-7bc54d38d53b | fcos | ACTIVE | private=10.10.1.126 | fcos  | m1.small |
+--------------------------------------+------+--------+---------------------+-------+----------+

Let’s see if we can ping the VM:

$ ping -c 3 10.10.1.126
PING 10.10.1.126 (10.10.1.126) 56(84) bytes of data.
64 bytes from 10.10.1.126: icmp_seq=1 ttl=64 time=0.320 ms
64 bytes from 10.10.1.126: icmp_seq=2 ttl=64 time=0.297 ms
64 bytes from 10.10.1.126: icmp_seq=3 ttl=64 time=0.373 ms

--- 10.10.1.126 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.297/0.330/0.373/0.031 ms

Can we ssh to the instance?

$ ssh core@10.10.1.126
Warning: Permanently added '10.10.1.126' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/centos/.ssh/id_rsa': 
Fedora CoreOS 31.20200113.3.1
Tracker: https://github.com/coreos/fedora-coreos-tracker

Check OS release:

$ cat /etc/os-release 
NAME=Fedora
VERSION="35.20220410.3.1 (CoreOS)"
ID=fedora
VERSION_ID=35
VERSION_CODENAME=""
....

$ uname -a

On KVM / QEMU

Copy the downloaded image to the virtual machine images directory, e.g.:

sudo cp fedora-coreos-qemu.qcow2 /var/lib/libvirt/images/fedora-coreos-qemu.qcow2

With virt-install:

sudo virt-install -n fcos --vcpus 2 -r 2048 \
  --os-variant=fedora31 --import \
  --network bridge=virbr0 \
  --disk=/var/lib/libvirt/images/fedora-coreos-qemu.qcow2,format=qcow2,bus=virtio \
  --noautoconsole \
  --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/path/to/fcos.ign"

Or using variables:

IGNITION_CONFIG="/path/to/example.ign"
IMAGE="/path/to/image.qcow2"
VM_NAME="fcos"
VCPUS="2"
RAM_MB="2048"
# Stream name used to build the --os-variant value below
STREAM="stable"
DISK_GB="10"

sudo virt-install --connect="qemu:///system" \
  --name="$VM_NAME" \
  --vcpus="$VCPUS" \
  --memory="$RAM_MB" \
  --os-variant="fedora-coreos-$STREAM" \
  --import \
  --graphics=none \
  --disk="size=$DISK_GB,backing_store=$IMAGE" \
  --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=$IGNITION_CONFIG"

Installing Software packages on Fedora CoreOS

There is a restriction on the number of packages you can install on Fedora CoreOS. The primary way of updating Fedora CoreOS and installing applications is rpm-ostree.

rpm-ostree works by modifying your FCOS installation to extend the packages from which Silverblue is composed. Package layering creates a new “deployment”, or bootable filesystem root, and the system must be rebooted after a package has been layered. This preserves rollback and the transactional model.

  • First, generate rpm repo metadata:
$ sudo rpm-ostree refresh-md 
Enabled rpm-md repositories: updates fedora
Updating metadata for 'updates'... done
rpm-md repo 'updates'; generated: 2020-01-24T14:56:09Z
Updating metadata for 'fedora'... done
rpm-md repo 'fedora'; generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
  • A package can be installed on Silverblue using:
$ sudo rpm-ostree install <package>
Example:
$ sudo rpm-ostree install vim
Checking out tree f480038... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2020-01-24T14:56:09Z
rpm-md repo 'fedora' (cached); generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 13 packages (20.0 MB)
Downloading from 'fedora'... done
Downloading from 'updates'... done
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
......

A reboot is required after package installation:

sudo systemctl reboot

Installing on bare metal

If you’re interested in installing FCOS on bare metal with ISO or PXE boot, follow the Bare Metal Installation Instructions to write Fedora CoreOS to disk. Ignition is injected at install time.
