Benjamin Sherman c1fbb428b8 refactor: pattern Containerfile scripts after uBlue (#5)
Pattern the uCore build after ublue-os/main to provide consistency between
different image builds in the organization.

uCore

build-ucore

What is this?

You should be familiar with Fedora CoreOS, as this is an OCI image of CoreOS with "batteries included". More specifically, it's an opinionated, custom CoreOS image, built daily with some commonly used tools added in. The idea is to make a lightweight server image including most used services or the building blocks to host them.

WARNING: This image has not been heavily tested, though the underlying components have. Please take a look at the included modifications and help test if this project interests you.

Features

  • Starts with a Fedora CoreOS image
  • Removes these stock packages:
    • toolbox
    • zincati
  • Adds the following:
  • Sets automatic staging of updates for system
  • Sets 60 second service stop timeout for reasonably fast shutdowns
  • Enables password based SSH auth (required for locally running cockpit web interface)

One can layer packages directly on a machine running uCore or use this image as a base for further customized OCI builds.

This image should be suitable for use on bare metal or on virtual machines where you wish to run containerized workloads.

Note: per cockpit instructions the cockpit-ws RPM is not installed, rather it is available as a podman container.

Tips and Tricks

These images are immutable: you can't, and really shouldn't, install packages the way you would in a mutable "normal" distribution.

CoreOS expects the user to run services using podman. moby-engine, the free Docker implementation, is installed for those who desire docker instead of podman.

To maintain this image's suitability as a minimal container host, most add-on services are not auto-enabled.

To activate any of the pre-installed cockpit, docker, or tailscaled services:

sudo systemctl enable --now SERVICENAME.service

NOTE: CoreOS cautions against running podman and docker containers at the same time. Thus, docker.socket is disabled by default to prevent accidental activation of the docker daemon, given that podman is the default.

Users may use distrobox to run images of mutable distributions where applications can be installed with traditional package managers. This may be useful for installing interactive utilities such as htop, nmap, etc. As stated above, however, services should run as containers.

It's a good idea to become familiar with the Fedora CoreOS Documentation as well as the CoreOS rpm-ostree docs. Note especially that this image is only possible due to ostree native containers.

How to Install

Prerequisites

This image is not currently available for direct install. The user must follow the CoreOS installation guide. There are varying methods of installation for bare metal, cloud providers, and virtualization platforms.

All CoreOS installation methods require the user to produce an Ignition file. This Ignition file should, at minimum, set a password and SSH key for the default user (default username is core).

Install and Rebase

To rebase a Fedora CoreOS machine to the latest uCore (stable):

  1. Install CoreOS via desired installation method
  2. After you reboot, pin the working deployment so you can roll back if required.
  3. SSH to the freshly installed CoreOS system and rebase the OS, then reboot:
sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/ucore:stable

Verification

These images are signed with sigstore's cosign. You can verify the signature by downloading the cosign.pub key from this repo and running the following command:

cosign verify --key cosign.pub ghcr.io/ublue-os/ucore
Readme Apache-2.0 432 KiB