-
Notifications
You must be signed in to change notification settings - Fork 8
CoreOS
Status: installed under Proxmox, but needs useful workload for example
WARNING!
Apr 1 2024: regarding XZ backdoor (see https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users) my CoreOS installation (
stable
- slowest stream!) SEEMS to be NOT vulnerable by latest XZ. Please note that it is unclear if there are any yet unknown backdoors in older XZ versions.Here are details:
$ rpm-ostree status fedora:fedora/x86_64/coreos/stable Version: 39.20240309.3.0 (2024-03-23T00:39:35Z) Commit: 0d3740b2c05724aa74d57a27fca2f257d7d691daa2b6bb370cd45655190e0f64 GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C $ rpm -qi xz Name : xz Version : 5.4.4 Release : 1.fc39 Architecture: x86_64 Install Date: Sat Mar 23 00:37:05 2024 Size : 2066126 Signature : RSA/SHA256, Wed Aug 2 16:06:17 2023, Key ID 75cf5ac418b8e74c Source RPM : xz-5.4.4-1.fc39.src.rpm Build Date : Wed Aug 2 16:04:18 2023 Build Host : buildvm-x86-26.iad2.fedoraproject.org ...However if you are using faster streams (
testing
or evennext
) you may have problem...
Important note:
- CoreOS is often used for original product before it was acquired by RedHat. Its distribution is referenced as
Container Linux
.- current CoreOS is based on Fedora and is often referenced as FCOS Explaining article is there: https://medium.com/omi-uulm/journey-from-coreos-to-fedora-coreos-8af46cc9d8ae
Similar to MicroOS - minimal distribution for containers.
WARNING!
Both SUSE MicroOS and FCOS has issues with proper firewall supports
- there are issues to making firewall work properly with containers so both teams simply say that firewall is not needed (which is rubbish excuse) For MicroOS see:
- https://forums.opensuse.org/t/no-firewall-in-aeon-microos/168791/5
- https://bugzilla.opensuse.org/show_bug.cgi?id=1213627). For FCOS see:
- https://github.com/coreos/fedora-coreos-tracker/issues/467
- https://www.portainer.io/blog/from-zero-to-production-with-fedora-coreos-portainer-and-wordpress-in-7-easy-steps
Visited:
Trying under Proxmox:
curl -fLOJ https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/39.20240309.3.0/x86_64/fedora-coreos-39.20240309.3.0-qemu.x86_64.qcow2.xz
xz -d fedora-coreos-39.20240309.3.0-qemu.x86_64.qcow2.xz
qemu-img info fedora-coreos-39.20240309.3.0-qemu.x86_64.qcow2
image: fedora-coreos-39.20240309.3.0-qemu.x86_64.qcow2
file format: qcow2
virtual size: 10 GiB (10737418240 bytes)
disk size: 1.58 GiB
...
Important is virtual size 10 GiB
Now I created VM in Proxmox:
- OS:
- DVD: Do not use any media
- System:
- GPU: SPICE
- Firmware: BIOS, Q35
- enable Qemu Agent
- 1 CPU (I have only 2 cores on hose, otherwise you should use more cores)
-
host
CPU passthrough
-
- Disks:
- SCSI (Virtio SCSI single)
- Storage
local
(needed for QCOW2) - Size: 10GB (to match image size)
- Format: qcow2
- Cache:
writeback (unsafe)
- Discard
- CPU
- 1 core (I use Host cores - 1)
- Type:
host
- Memory: 4GB
- Network
- VirtIO
- disabled firewall
When empty VM is created we will
VMID=125 # replace with your VMID!
ls -lh /var/lib/vz/images/$VMID/vm-$VMID-disk-0.qcow2
cp fedora-coreos-39.20240309.3.0-qemu.x86_64.qcow2 /var/lib/vz/images/$VMID/vm-$VMID-disk-0.qcow2
qm rescan
VM 125 (scsi0): size of disk 'local:125/vm-125-disk-0.qcow2' updated from 32G to 10G
# you can see that I create 32GB image instead of 10GB, but dont' mind
Now before first boot we have to expand Fedora disk (it will resize FS automatically - but ONLY on first boot)
qm disk resize $VMID scsi0 30G
Now very important:
- create snapshot until it is too late!
- CoreOS allows configuration only on first boot - including setting up Users...
- If ignition fails for any reason you have to start from beginning - now you will find snapshot handy
# create snapshot called 'before-boot'
qm snapshot $VMID before-boot
snapshotting 'drive-scsi0' (local:125/vm-125-disk-0.qcow2)
qm listsnapshot $VMID
`-> before-boot 2024-03-30 09:14:06 no-description
`-> current You are here!
But we are NOT done:
- there is no SSH account available until you provide credentials using so called Ignition
- https://docs.fedoraproject.org/en-US/fedora-coreos/producing-ign/
- https://coreos.github.io/ignition/examples/#add-users
To create "Ignition" configuration we have to:
- generate SSH key-pair on your Client machine, for example:
ssh-keygen -t ed25519 # answered destination file as: /home/USERNAME/.ssh/id_ed25519_coreos
- next note public ssh key (in .pub) file, in my case:
cat ~/.ssh/id_ed25519_coreos.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBZD2p///I6TSpWPz5GZd+RFSqC6T5+81cdo5S7LhA4 hpaluch@zotac
- I used
ed25519
to avoid copying long public SSH keys... - now we have to install 1 tool, in case of openSUSE LEAP 15.5 using:
sudo zypper in python3-yamllint butane
- NOTE: openSUSE has
butane
RPM package but it is too old... It will just throw errorError translating config: No translator exists for variant fcos with version 1.5.0
- now we have to create input YAML file, following https://docs.fedoraproject.org/en-US/fedora-coreos/producing-ign/
- be sure to replace SSH public key with content of your
~/.ssh/id_ed25519_coreos.pub
- my example file called
example.yaml
:
variant: fcos
version: 1.5.0
passwd:
users:
- name: core
ssh_authorized_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBZD2p///I6TSpWPz5GZd+RFSqC6T5+81cdo5S7LhA4 hpaluch@zotac'
Validate it with:
yamllint example.yaml
``
You can safely ignore "error" "line too long".
Now we have to install latest `butane` tool, in my case:
```shell
curl -fLOJ https://github.com/coreos/butane/releases/download/v0.20.0/butane-x86_64-unknown-linux-gnu
chmod +x butane-x86_64-unknown-linux-gnu
./butane-x86_64-unknown-linux-gnu --version
Butane 0.20.0
Now we can transform input YAML file to required JSON output:
./butane-x86_64-unknown-linux-gnu --pretty --strict example.yaml > example.ign
One simple way to "validate" output JSON is to pass it through jq
tool:
jq < example.ign
There should be no error reported...
Here is full content of my example.ign
- if you want to just replace
SSH key you can skip Butane step:
{
"ignition": {
"version": "3.4.0"
},
"passwd": {
"users": [
{
"name": "core",
"sshAuthorizedKeys": [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBZD2p///I6TSpWPz5GZd+RFSqC6T5+81cdo5S7LhA4 login@dom"
]
}
]
}
}
Now we have to follow: https://docs.fedoraproject.org/en-US/fedora-coreos/provisioning-qemu/ to pass this configuration file to Proxmox VE (QEMU):
- I copied my
example.ign
to Proxmox:/etc/local/example.ign
- now we have to append custom arguments to our VM with:
# ensure that you will modify right VM! qm config $VMID qm set $VMID --args '-fw_cfg name=opt/com.coreos/config,file=/etc/local/example.ign'
Tip: to be able to watch and log boot messages we can add serial port to VM and use
qm terminal
to watch it.
qm set $VMID --serial0 socket
Now we will start logging, start VM and watch messages on its virtual serial port:
script ~/coreos-install.log
echo $VMID
# will be likely empty, because command "script" invokes new shell, define it again:
VMID=125
qm start $VMID
qm terminal $VMID
If everything works properly, you should see messages like this:
Fedora CoreOS 39.20240309.3.0
Kernel 6.7.7-200.fc39.x86_64 on an x86_64 (ttyS0)
.. ssh host keys omitted ...
enp6s18: 192.168.0.100 ...
Ignition: ran on 2024/03/30 14:49:23 UTC (this boot)
Ignition: user-provided config was applied
Ignition: wrote ssh authorized keys file for user: core
Now you can try to login to target IP (192.168.0.100 in my example) with
username core
and SSH key. Here is excerpt from my ~/.ssh/config
:
Host coreos
HostName 192.168.0.100
HostKeyAlias coreos
User core
IdentityFile ~/.ssh/id_ed25519_coreos
IdentitiesOnly yes
And simply try ssh coreos
Tip: you can use sudo Command
to run Command
as root
Basic overview of filesystem:
$ lsblk -f -o name,fstype,label,fsavail,fsuse%,mountpoints
NAME FSTYPE LABEL FSAVAIL FSUSE% MOUNTPOINTS
sda
├─sda1
├─sda2 vfat EFI-SYSTEM
├─sda3 ext4 boot 218.6M 31% /boot
└─sda4 xfs root 27.2G 8% /var
/sysroot/ostree/deploy/fedora-coreos/var
/usr
/etc
/
/sysroot
$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda4 30G 2.3G 28G 8% /sysroot
devtmpfs 4.0M 0 4.0M 0% /dev
tmpfs 982M 168K 982M 1% /dev/shm
tmpfs 393M 844K 392M 1% /run
tmpfs 982M 0 982M 0% /tmp
/dev/sda3 350M 109M 219M 34% /boot
tmpfs 197M 12K 197M 1% /run/user/1000
# there are many invisible sub-volumes (???)
mount | fgrep sda4
/dev/sda4 on /sysroot type xfs (ro,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/sda4 on / type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/sda4 on /etc type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/sda4 on /usr type xfs (ro,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/sda4 on /sysroot/ostree/deploy/fedora-coreos/var type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/sda4 on /var type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
Trivial container play:
$ podman pull busybox
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/busybox latest ba5dc23f65d4 10 months ago 4.5 MB
$ podman run --name bb1 busybox /bin/sh -c "date;sleep 3;date"
Sat Mar 30 15:58:23 UTC 2024
Sat Mar 30 15:58:26 UTC 2024
# container exits after 3 seconds:
$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
419e9ae11a0a docker.io/library/busybox:latest /bin/sh -c date;s... 26 seconds ago Exited (0) 23 seconds ago bb1
TODO: Something more useful - with networking...
Installing additional packages:
- use
rpm-ostree
instead ofyum
ordnf
-
rpm-ostree
basically provides 'snapshot like' experience... - use rpm-ostree search PACKAGE` to search for PACKAGE
- to install Midnight Commander, try:
rpm-ostree search mc sudo rpmostree install mc vim-enhanced Changes queued for next boot. Run "systemctl reboot" to start a reboot
Now notice that there is Layered packages
layer:
$ rpm-ostree status
State: idle
AutomaticUpdatesDriver: Zincati
DriverState: active; periodically polling for updates (last checked Sat 2024-03-30 15:16:40 UTC)
Deployments:
fedora:fedora/x86_64/coreos/stable
Version: 39.20240309.3.0 (2024-03-23T00:39:35Z)
BaseCommit: 0d3740b2c05724aa74d57a27fca2f257d7d691daa2b6bb370cd45655190e0f64
GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
Diff: 66 added
LayeredPackages: mc vim-enhanced
● fedora:fedora/x86_64/coreos/stable
Version: 39.20240309.3.0 (2024-03-23T00:39:35Z)
Commit: 0d3740b2c05724aa74d57a27fca2f257d7d691daa2b6bb370cd45655190e0f64
GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
To apply changes you have to run sudo systemctl reboot
(same as in MicroOS).
TODO:
- Study
- There are very short examples
- official docs are here: https://docs.fedoraproject.org/en-US/fedora-coreos/
- github source (asciidoc): https://github.com/coreos/fedora-coreos-docs/
- interesting problem and solution: https://github.com/coreos/bugs/issues/2068
- again firewall
Copyright © Henryk Paluch. All rights reserved.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License