Merge branch 'main' into pcp

This commit is contained in:
Benjamin Sherman
2024-03-13 20:12:00 -05:00
36 changed files with 855 additions and 483 deletions

14
.github/workflows/build-stable.yml vendored Normal file

@@ -0,0 +1,14 @@
name: stable
on:
pull_request:
merge_group:
schedule:
- cron: '40 23 * * *' # 11:45PM UTC everyday (approx 1.5 hours after coreos images publish)
workflow_dispatch:
jobs:
build-stable:
uses: ./.github/workflows/reusable-build.yml
secrets: inherit
with:
coreos_version: stable
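Review bot: The inline comment on the `schedule` entry says 11:45PM UTC, but the cron expression `40 23 * * *` fires at 23:40 UTC; the same drift is in `.github/workflows/build-testing.yml`, whose `55 23 * * *` is 23:55 UTC under a comment that also says 11:45PM. Either correct the comments, e.g. `- cron: '40 23 * * *' # 11:40PM UTC daily (approx 1.5 hours after coreos images publish)`, or, if the two streams are deliberately staggered so they do not compete for runners, say that in the comment so the next edit keeps them apart. The reusable workflow's own schedule comment (`45 23 * * *`) was the only one that matched its expression.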

14
.github/workflows/build-testing.yml vendored Normal file

@@ -0,0 +1,14 @@
name: testing
on:
pull_request:
merge_group:
schedule:
- cron: '55 23 * * *' # 11:45PM UTC everyday (approx 1.75 hours after coreos images publish)
workflow_dispatch:
jobs:
build-testing:
uses: ./.github/workflows/reusable-build.yml
secrets: inherit
with:
coreos_version: testing
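Review bot: Neither this caller nor `build-stable.yml` carries a `push: branches: [main]` trigger, while the reusable workflow in the same commit appears to drop its own `push`/`pull_request`/`schedule` triggers in favour of `workflow_call`, so a direct push to `main` outside the merge queue no longer rebuilds or republishes the images; only `schedule`, `merge_group`, `pull_request` and manual dispatch remain. If every change is expected to land through the merge queue that is fine, but it deserves a comment above `on:`, e.g. `# main is rebuilt only via merge_group, schedule and workflow_dispatch; direct pushes to main are not built`. Otherwise add `push:` with `branches: [main]` here and in `build-stable.yml`.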


@@ -1,25 +1,17 @@
name: build-ucore
on:
pull_request:
branches:
- main
paths-ignore:
- '**.md'
- '**.txt'
schedule:
- cron: '45 23 * * *' # 11:45PM UTC everyday (approx 1.5 hours after coreos images publish)
push:
branches:
- main
paths-ignore:
- '**.md'
- '**.txt'
workflow_call:
inputs:
coreos_version:
description: 'The CoreOS stream: stable or testing'
required: true
type: string
env:
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
jobs:
build_info:
name: Get Build Info
workflow_info:
name: Get Workflow Info
runs-on: ubuntu-latest
outputs:
pr_prefix: ${{ steps.pr_prefix.outputs.pr_prefix }}
@@ -38,41 +30,30 @@ jobs:
run: |
echo "${{ toJSON(steps.pr_prefix.outputs) }}"
coreos_versions:
name: Get CoreOS versions
stream_info:
name: Get Stream Info
runs-on: ubuntu-latest
outputs:
stable_linux: ${{ steps.stable.outputs.linux }}
stable_version: ${{ steps.stable.outputs.version }}
testing_linux: ${{ steps.testing.outputs.linux }}
testing_version: ${{ steps.testing.outputs.version }}
linux: ${{ steps.fetch.outputs.linux }}
version: ${{ steps.fetch.outputs.version }}
steps:
- name: Fetch CoreOS stable versions
id: stable
- name: Fetch CoreOS stream versions
id: fetch
run: |
skopeo inspect docker://quay.io/fedora/fedora-coreos:stable > inspect.json
linux=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
echo "linux=$linux" >> $GITHUB_OUTPUT
version=$(jq -r '.["Labels"]["version"]' inspect.json)
echo "version=$version" >> $GITHUB_OUTPUT
- name: Fetch CoreOS testing versions
id: testing
run: |
skopeo inspect docker://quay.io/fedora/fedora-coreos:testing > inspect.json
skopeo inspect docker://quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json
linux=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json)
echo "linux=$linux" >> $GITHUB_OUTPUT
version=$(jq -r '.["Labels"]["version"]' inspect.json)
echo "version=$version" >> $GITHUB_OUTPUT
- name: Echo outputs
run: |
echo "${{ toJSON(steps.stable.outputs) }}"
echo "${{ toJSON(steps.testing.outputs) }}"
echo "${{ toJSON(steps.fetch.outputs) }}"
build_fcos_zfs:
name: Build CoreOS ZFS
build_fcos:
name: fedora-coreos
runs-on: ubuntu-22.04
if: always() && !cancelled()
needs: [ build_info, coreos_versions]
needs: [workflow_info, stream_info]
permissions:
contents: read
packages: write
@@ -80,18 +61,19 @@ jobs:
strategy:
fail-fast: false
matrix:
image_name:
- fedora-coreos-zfs
coreos_version:
- stable
- testing
pr_prefix:
- ${{ needs.build_info.outputs.pr_prefix }}
nvidia_tag:
- "-nvidia"
- ""
zfs_tag:
- "-zfs"
- ""
include:
- coreos_version: stable
image_version: ${{ needs.coreos_versions.outputs.stable_version }}
- coreos_version: testing
image_version: ${{ needs.coreos_versions.outputs.testing_version }}
- image_name: fedora-coreos
- image_version: ${{ needs.stream_info.outputs.version }}
- pr_prefix: ${{ needs.workflow_info.outputs.pr_prefix }}
exclude:
- nvidia_tag: ""
zfs_tag: ""
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
@@ -103,7 +85,7 @@ jobs:
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
COREOS_VERSION="${{ matrix.coreos_version }}"
COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}${{ matrix.zfs_tag }}"
COMMIT_TAGS=()
BUILD_TAGS=()
@@ -143,7 +125,7 @@ jobs:
labels: |
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md
org.opencontainers.image.description=An OCI image of Fedora CoreOS with ZFS pre-installed
org.opencontainers.image.description=An OCI image of Fedora CoreOS with NVIDIA and/or ZFS pre-installed
org.opencontainers.image.title=${{ matrix.image_name }}
org.opencontainers.image.version=${{ matrix.image_version }}
@@ -153,14 +135,16 @@ jobs:
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./fedora-coreos-zfs/Containerfile
context: ./fedora-coreos-zfs
./fedora-coreos/Containerfile
context: ./fedora-coreos
image: ${{ matrix.image_name }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
build-args: |
COREOS_VERSION=${{ matrix.coreos_version }}
COREOS_VERSION=${{ inputs.coreos_version }}
PR_PREFIX=${{ matrix.pr_prefix }}
NVIDIA_TAG=${{ matrix.nvidia_tag }}
ZFS_TAG=${{ matrix.zfs_tag }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
@@ -168,7 +152,7 @@ jobs:
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v5
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
@@ -176,7 +160,7 @@ jobs:
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
#if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
@@ -198,7 +182,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}
# Sign container
- uses: sigstore/cosign-installer@v3.1.2
- uses: sigstore/cosign-installer@v3.4.0
if: github.event_name != 'pull_request'
- name: Sign container image
@@ -211,15 +195,15 @@ jobs:
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- name: Echo outputs
#if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
build_main:
name: Build uCore
build_ucore:
name: ucore
runs-on: ubuntu-22.04
if: always() && !cancelled()
needs: [ build_info, coreos_versions]
needs: [workflow_info, stream_info]
permissions:
contents: read
packages: write
@@ -227,21 +211,27 @@ jobs:
strategy:
fail-fast: false
matrix:
image_name:
- ucore
coreos_version:
- stable
- testing
image_suffix:
- "-minimal"
- ""
- "-hci"
nvidia_tag:
- "-nvidia"
- ""
zfs_tag:
- "-zfs"
- ""
pr_prefix:
- ${{ needs.build_info.outputs.pr_prefix }}
include:
- coreos_version: stable
image_version: ${{ needs.coreos_versions.outputs.stable_version }}
- coreos_version: testing
image_version: ${{ needs.coreos_versions.outputs.testing_version }}
- image_base: ucore
- image_version: ${{ needs.stream_info.outputs.version }}
- pr_prefix: ${{ needs.workflow_info.outputs.pr_prefix }}
- image_suffix: "-minimal"
description: An OCI image of Fedora CoreOS with a few extra tools and suitable for running in a VM
- image_suffix: ""
description: An OCI image of Fedora CoreOS with a few extra tools, hardware support, and storage utilities
- image_suffix: "-hci"
description: A hyper-converged infrastructure OCI image of Fedora CoreOS (storage + hypervisor)
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
@@ -253,7 +243,7 @@ jobs:
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
COREOS_VERSION="${{ matrix.coreos_version }}${{ matrix.zfs_tag }}"
COREOS_VERSION="${{ inputs.coreos_version }}${{ matrix.nvidia_tag }}${{ matrix.zfs_tag }}"
COMMIT_TAGS=()
BUILD_TAGS=()
@@ -273,6 +263,10 @@ jobs:
alias_tags=("${COMMIT_TAGS[@]}")
else
if [[ "${COREOS_VERSION}" == "stable" ]]; then
BUILD_TAGS+=("latest")
fi
alias_tags=("${BUILD_TAGS[@]}")
fi
@@ -289,12 +283,12 @@ jobs:
id: meta
with:
images: |
${{ matrix.image_name }}
${{ matrix.image_base }}${{ matrix.image_suffix }}
labels: |
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md
org.opencontainers.image.description=An OCI image of Fedora CoreOS with batteries included
org.opencontainers.image.title=${{ matrix.image_name }}
org.opencontainers.image.description=${{ matrix.description }}
org.opencontainers.image.title=${{ matrix.image_base }}${{ matrix.image_suffix }}
org.opencontainers.image.version=${{ matrix.image_version }}
# Build image using Buildah action
@@ -303,23 +297,26 @@ jobs:
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./main/Containerfile
context: ./main
image: ${{ matrix.image_name }}
./ucore/Containerfile
context: ./ucore
image: ${{ matrix.image_base }}${{ matrix.image_suffix }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
build-args: |
COREOS_VERSION=${{ matrix.coreos_version }}
COREOS_VERSION=${{ inputs.coreos_version }}
PR_PREFIX=${{ matrix.pr_prefix }}
NVIDIA_TAG=${{ matrix.nvidia_tag }}
ZFS_TAG=${{ matrix.zfs_tag }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
extra-args: |
--target=${{ matrix.image_base }}${{ matrix.image_suffix }}
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v5
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
@@ -327,7 +324,7 @@ jobs:
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
#if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
@@ -349,7 +346,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}
# Sign container
- uses: sigstore/cosign-installer@v3.1.2
- uses: sigstore/cosign-installer@v3.4.0
if: github.event_name != 'pull_request'
- name: Sign container image
@@ -362,158 +359,15 @@ jobs:
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- name: Echo outputs
#if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
build_hci:
name: Build HCI
runs-on: ubuntu-22.04
if: always() && !cancelled()
needs: [ build_info, build_main, coreos_versions]
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
image_name:
- ucore
coreos_version:
- stable
- testing
zfs_tag:
- "-zfs"
- ""
pr_prefix:
- ${{ needs.build_info.outputs.pr_prefix }}
include:
- coreos_version: stable
image_version: ${{ needs.coreos_versions.outputs.stable_version }}
- coreos_version: testing
image_version: ${{ needs.coreos_versions.outputs.testing_version }}
check:
name: Check all successful
runs-on: ubuntu-latest
needs: [build_fcos, build_ucore]
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v4
- name: Generate tags
id: generate-tags
- name: Exit
shell: bash
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
COREOS_VERSION="${{ matrix.coreos_version }}${{ matrix.zfs_tag }}"
COMMIT_TAGS=()
BUILD_TAGS=()
# Have tags for tracking builds during pull request
SHA_SHORT="${GITHUB_SHA::7}"
COMMIT_TAGS+=("pr-${{ github.event.number }}-${COREOS_VERSION}")
COMMIT_TAGS+=("${SHA_SHORT}-${COREOS_VERSION}")
BUILD_TAGS=("${COREOS_VERSION}" "${COREOS_VERSION}-${TIMESTAMP}")
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Generated the following commit tags: "
for TAG in "${COMMIT_TAGS[@]}"; do
echo "${TAG}"
done
alias_tags=("${COMMIT_TAGS[@]}")
else
alias_tags=("${BUILD_TAGS[@]}")
fi
echo "Generated the following build tags: "
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ format('{0}-hci', matrix.image_name) }}
labels: |
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md
org.opencontainers.image.description=A hyper-converged infrastructure Fedora CoreOS OCI with batteries included
org.opencontainers.image.title=${{ format('{0}-hci', matrix.image_name) }}
org.opencontainers.image.version=${{ matrix.image_version }}
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./hci/Containerfile
context: ./hci
image: ${{ format('{0}-hci', matrix.image_name) }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
build-args: |
COREOS_VERSION=${{ matrix.coreos_version }}
PR_PREFIX=${{ matrix.pr_prefix }}
ZFS_TAG=${{ matrix.zfs_tag }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v5
with:
string: ${{ env.IMAGE_REGISTRY }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
#if: github.event_name != 'pull_request'
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Sign container
- uses: sigstore/cosign-installer@v3.1.2
if: github.event_name != 'pull_request'
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
- name: Echo outputs
#if: github.event_name != 'pull_request'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
run: exit 0
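Review bot: The new `check` job gates only on `build_fcos` and `build_ucore`, not on `workflow_info` or `stream_info`, and because both build jobs keep `if: always() && !cancelled()` (earlier hunks of this section) a failed `stream_info` still lets them build, push and sign an image whose `org.opencontainers.image.version` label expands to an empty string while `check` reports success. The minimal fix is `needs: [workflow_info, stream_info, build_fcos, build_ucore]`; note that a job skipped because a dependency failed reports `skipped` rather than `failure`, which branch protection may accept, so the stronger form is `if: always()` on `check` plus a step that exits non-zero when `contains(needs.*.result, 'failure')` is true. Separately, the guards uncommented to `if: github.event_name != 'pull_request'` also admit the `merge_group` event that the new caller workflows subscribe to, so merge-queue runs apparently select the release tags (`stable`, `stable-<date>`, `latest`) and push and sign them for a commit that has not yet landed on `main`; if that is intended, a comment on the push step saying so would help, otherwise the guard should name the publishing events explicitly. The build jobs' `if`/`needs` lines and the tag-selection branch lie in earlier hunks of this section.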

324
README.md

@@ -1,63 +1,106 @@
# uCore
[![build-ucore](https://github.com/ublue-os/ucore/actions/workflows/build.yml/badge.svg)](https://github.com/ublue-os/ucore/actions/workflows/build.yml)
[![stable](https://github.com/ublue-os/ucore/actions/workflows/build-stable.yml/badge.svg)](https://github.com/ublue-os/ucore/actions/workflows/build-stable.yml)
[![testing](https://github.com/ublue-os/ucore/actions/workflows/build-testing.yml/badge.svg)](https://github.com/ublue-os/ucore/actions/workflows/build-testing.yml)
## What is this?
You should be familiar with [Fedora CoreOS](https://getfedora.org/coreos/), as this is an OCI image of CoreOS with "batteries included". More specifically, it's an opinionated, custom CoreOS image, built daily with some commonly used tools added in. The idea is to make a lightweight server image including most used services or the building blocks to host them.
WARNING: This image has **not** been heavily tested, though the underlying components have. Please take a look at the included modifications and help test if this project interests you.
Please take a look at the included modifications and help us test uCore if the project interests you.
## Images & Features
### `ucore`
The uCore project builds four images, each with different tags for different features.
Suitable for running containerized workloads on either baremetal or virtual machines, this image tries to stay lightweight with not too many additions.
The image names are:
- [`fedora-coreos`](#fedora-coreos)
- [`ucore-minimal`](#ucore-minimal)
- [`ucore`](#ucore)
- [`ucore-hci`](#ucore-hci)
The [tag matrix](#tag-matrix) includes combinations of the following:
- `stable` - for an image based on the Fedora CoreOS stable stream
- `testing` - for an image based on the Fedora CoreOS testing stream
- `nvidia` - for an image which includes nvidia driver and container runtime
- `zfs` - for an image which includes zfs driver and tools
### `fedora-coreos`
*NOTE: formerly named `fedora-coreos-zfs`, the previous version of the image did not offer the nvidia option. If on the previous image name, please update with `rpm-ostree rebase`.*
A generic [Fedora CoreOS image](https://quay.io/repository/fedora/fedora-coreos?tab=tags) image with choice of add-on kernel modules:
- [nvidia versions](#tag-matrix) add:
- [nvidia driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently version 535) built from negativo17's akmod package
- [nvidia-container-toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/sample-workload.html) - latest toolkit which supports both root and rootless podman containers and CDI
- [nvidia container selinux policy](https://github.com/NVIDIA/dgx-selinux/tree/master/src/nvidia-container-selinux) - allows using `--security-opt label=type:nvidia_container_t` for some jobs (some will still need `--security-opt label=disable` as suggested by nvidia)
- [ZFS versions](#tag-matrix) add:
- [ZFS driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently pinned to 2.2.x series)
*NOTE: currently, zincati fails to start on systems with OCI based deployments (like uCore). Upstream efforts are active to correct this.*
### `ucore-minimal`
Suitable for running containerized workloads on either bare metal or virtual machines, this image tries to stay lightweight but functional.
- Starts with a [Fedora CoreOS image](https://quay.io/repository/fedora/fedora-coreos?tab=tags)
- Adds the following:
- [cockpit](https://cockpit-project.org)
- [distrobox](https://github.com/89luca89/distrobox)
- guest VM agents (`qemu-guest-agent` and `open-vm-tools`)
- moby-engine(docker), docker-compose and podman-compose
- [cockpit](https://cockpit-project.org) (podman container and system management)
- [firewalld](https://firewalld.org/)
- guest VM agents (`qemu-guest-agent` and `open-vm-tools`))
- [docker-compose](https://github.com/docker/compose) and [podman-compose](https://github.com/containers/podman-compose) *docker(moby-engine) and podman are pre-installed in CoreOS*
- [pcp](https://pcp.io) Performance Co-pilot monitoring
- [tailscale](https://tailscale.com) and [wireguard-tools](https://www.wireguard.com)
- [tmux](https://github.com/tmux/tmux/wiki/Getting-Started)
- Optional ZFS versions also add:
- sanoid/syncoid dependencies - see below for details
- [ZFS](https://openzfs.github.io/openzfs-docs/Getting%20Started/Fedora/index.html)
- udev rules enabling full functionality on some [Realtek 2.5Gbit USB Ethernet](https://github.com/wget/realtek-r8152-linux/) devices
- Optional [nvidia versions](#tag-matrix) add:
- [nvidia driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently version 535) built from negativo17's akmod package
- [nvidia-container-toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/sample-workload.html) - latest toolkit which supports both root and rootless podman containers and CDI
- [nvidia container selinux policy](https://github.com/NVIDIA/dgx-selinux/tree/master/src/nvidia-container-selinux) - allows using `--security-opt label=type:nvidia_container_t` for some jobs (some will still need `--security-opt label=disable` as suggested by nvidia)
- Optional [ZFS versions](#tag-matrix) add:
- [ZFS driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently pinned to 2.2.x series)
- [sanoid/syncoid dependencies](https://github.com/jimsalterjrs/sanoid) - [see below](#zfs) for details
- note: on `ucore-minimal` images, only `pv` is installed
- Disables Zincati auto upgrade/reboot service
- Enables staging of automatic system updates via rpm-ostreed
- Enables password based SSH auth (required for locally running cockpit web interface)
- Disables Zincati auto upgrade/reboot service
- *NOTE: currently, zincati fails to start on systems with OCI based deployments (like uCore). Upstream efforts are active to correct this.*
- Provides public key allowing [SecureBoot](#secureboot) (for ucore signed `nvidia` or `zfs` drivers)
Note: per [cockpit instructions](https://cockpit-project.org/running.html#coreos) the cockpit-ws RPM is **not** installed, rather it is provided as a pre-defined systemd service which runs a podman container.
### `ucore-hci`
### `ucore`
Hyper-Coverged Infrastructure(HCI) refers to storage and virtualization in one place... So this image is suitable for use as a hypervisor, storage server(NAS), as well as running containerized workloads). Accordingingly, it will be a bit larger due to extra hardware support, storage and virtualization packages.
This image builds on `ucore-minimal` but adds drivers, storage tools and utilities making it more useful on bare metal or as a storage server (NAS).
- Starts with `ucore` to give you everything above, plus:
- Starts with a [`ucore-minimal`](#ucore-minimal) image providing everything above, plus:
- Adds the following:
- [cockpit-machines](https://github.com/cockpit-project/cockpit-machines): Cockpit GUI for managing virtual machines
- [cockpit-storaged](https://cockpit-project.org) (udisks2 based storage management)
- [distrobox](https://github.com/89luca89/distrobox) - a [toolbox](https://containertoolbx.org/) alternative
- [duperemove](https://github.com/markfasheh/duperemove)
- intel wifi firmware - CoreOS omits this despite including atheros wifi firmware... hardware enablement FTW
- [mergerfs](https://github.com/trapexit/mergerfs)
- nfs-utils - nfs utils including daemon for kernel NFS server
- [samba](https://www.samba.org/) and samba-usershares to provide SMB sevices
- [snapraid](https://www.snapraid.it/)
- usbutils(and pciutils) - technically pciutils is pulled in by open-vm-tools in ucore-minimal
### `ucore-hci`
Hyper-Coverged Infrastructure(HCI) refers to storage and hypervisor in one place... This image primarily adds libvirt tools for virtualization.
- Starts with a [`ucore`](#ucore) image providing everything above, plus:
- Adds the following:
- [cockpit-machines](https://github.com/cockpit-project/cockpit-machines): Cockpit GUI for managing virtual machines
- [libvirt-client](https://libvirt.org/): `virsh` command-line utility for managing virtual machines
- [libvirt-daemon-kvm](https://libvirt.org/): libvirt KVM hypervisor management
- [mergerfs](https://github.com/trapexit/mergerfs)
- [snapraid](https://www.snapraid.it/)
- udev rules enabling full functionality on some [Realtek 2.5Gbit USB Ethernet](https://github.com/wget/realtek-r8152-linux/) devices
- virt-install: command-line utility for installing virtual machines
Note: Fedora now uses `DefaultTimeoutStop=45s` for systemd services which could cause `libvirtd` to quit before shutting down slow VMs. Consider adding `TimeoutStopSec=120s` as an override for `libvirtd.service` if needed.
### `fedora-coreos-zfs`
- A generic [Fedora CoreOS image](https://quay.io/repository/fedora/fedora-coreos?tab=tags) image
- Adds [ZFS](https://openzfs.github.io/openzfs-docs/Getting%20Started/Fedora/index.html) from the [ucore-kmods image](https://github.com/ublue-os/ucore-kmods)
- Does NOT add sanoid/syncoid dependencies as mentioned above in `ucore` features list
## Tips and Tricks
### Immutability and Podman
@@ -78,10 +121,41 @@ sudo systemctl enable --now SERVICENAME.service
Note: `libvirtd` is enabled by default, but only starts when triggerd by it's socket (eg, using `virsh` or other clients).
### SELinux Troubleshooting
SELinux is an integral part of the Fedora Atomic system design. Due to a few interelated issues, if SELinux is disabled, it's difficult to re-enable.
**We STRONGLY recommend: DO NOT DISABLE SELinux!**
Should you suspect that SELinux is causing a problem, it is easy to enable permissive mode at runtime, which will keep SELinux functioning, provide reporting of problems, but not enforce restrictions.
```bash
# setenforce 0
$ getenforce
Permissive
```
After the problem is resolved, don't forget to re-enable:
```bash
# setenforce 1
$ getenforce
Enforcing
```
Fedora provides useful docs on [SELinux troubleshooting](https://docs.fedoraproject.org/en-US/quick-docs/selinux-troubleshooting/).
### Docker/Moby and Podman
NOTE: CoreOS [cautions against](https://docs.fedoraproject.org/en-US/fedora-coreos/faq/#_can_i_run_containers_via_docker_and_podman_at_the_same_time) running podman and docker containers at the same time. Thus, `docker.socket` is disabled by default to prevent accidental activation of the docker daemon, given podman is the default.
### Podman and FirewallD
Podman and firewalld [can sometimes conflict](https://github.com/ublue-os/ucore/issues/90) such that a `firewall-cmd --reload` removes firewall rules generated by podman.
As of [netavark v1.9.0](https://blog.podman.io/2023/11/new-netavark-firewalld-reload-service/) a service is provided to handle re-adding netavark (Podman) firewall rules after a firewalld reload occurs. If needed, enable like so: `systemctl enable netavark-firewalld-reload.service`
### Distrobox
Users may use [distrobox](https://github.com/89luca89/distrobox) to run images of mutable distributions where applications can be installed with traditional package managers. This may be useful for installing interactive utilities such has `htop`, `nmap`, etc. As stated above, however, *services* should run as containers.
@@ -90,15 +164,149 @@ Users may use [distrobox](https://github.com/89luca89/distrobox) to run images o
It's a good idea to become familar with the [Fedora CoreOS Documentation](https://docs.fedoraproject.org/en-US/fedora-coreos/) as well as the [CoreOS rpm-ostree docs](https://coreos.github.io/rpm-ostree/). Note especially, this image is only possible due to [ostree native containers](https://coreos.github.io/rpm-ostree/container/).
### Sanoid/Syncoid
### NAS - Storage
sanoid/syncoid is a great tool for manual and automated snapshot/transfer of ZFS datasets. However, there is not a current stable RPM, rather they provide [instructions on installing via git](https://github.com/jimsalterjrs/sanoid/blob/master/INSTALL.md#centos).
`ucore` includes a few packages geared towards a storage server which will require individual research for configuration:
- [duperemove](https://github.com/markfasheh/duperemove)
- [mergerfs](https://github.com/trapexit/mergerfs)
- [snapraid](https://www.snapraid.it/)
`ucore` has pre-install all the (lightweight) required dependencies (perl-Config-IniFiles perl-Data-Dumper perl-Capture-Tiny perl-Getopt-Long lzop mbuffer mhash pv), such that a user wishing to use sanoid/syncoid only need install the "sbin" files and create configuration/systemd units for it.
But two others are included, which though common, warrant some explanation:
- nfs-utils - replaces a "light" version typically in CoreOS to provide kernel NFS server
- samba and samba-usershares - to provide SMB sevices
#### NFS
It's suggested to read Fedora's [NFS Server docs](https://docs.fedoraproject.org/en-US/fedora-server/services/filesharing-nfs-installation/) plus other documentation to understand how to setup this service. But here's a few quick tips...
##### Firewall
Unless you've disabled `firewalld`, you'll need to do this:
```bash
sudo firewall-cmd --permanent --zone=FedoraServer --add-service=nfs
sudo firewall-cmd --reload
```
##### SELinux
By default, nfs-server is blocked from sharing directories unless the context is set. So, generically to enable NFS sharing in SELinux run:
For read-only NFS shares:
```bash
sudo semanage fcontext --add --type "public_content_t" "/path/to/share/ro(/.*)?
sudo restorecon -R /path/to/share/ro
```
For read-write NFS shares:
```bash
sudo semanage fcontext --add --type "public_content_rw_t" "/path/to/share/rw(/.*)?
sudo restorecon -R /path/to/share/rw
```
Say you wanted to share all home directories:
```bash
sudo semanage fcontext --add --type "public_content_rw_t" "/var/home(/.*)?
sudo restorecon -R /var/home
```
The least secure but simplest way to let NFS share anything configured, is...
For read-only:
```bash
sudo setsebool -P nfs_export_all_ro 1
```
For read-write:
```bash
sudo setsebool -P nfs_export_all_rw 1
```
There is [more to read](https://linux.die.net/man/8/nfs_selinux) on this topic.
##### Shares
NFS shares are configured in `/etc/exports` or `/etc/exports.d/*` (see docs).
##### Run It
Like all services, NFS needs to be enabled and started:
```bash
sudo systemctl enable --now nfs-server.service
sudo systemctl status nfs-server.service
```
#### Samba
It's suggested to read Fedora's [Samba docs](https://docs.fedoraproject.org/en-US/quick-docs/samba/) plus other documentation to understand how to setup this service. But here's a few quick tips...
##### Firewall
Unless you've disabled `firewalld`, you'll need to do this:
```bash
sudo firewall-cmd --permanent --zone=FedoraServer --add-service=samba
sudo firewall-cmd --reload
```
##### SELinux
By default, samba is blocked from sharing directories unless the context is set. So, generically to enable samba sharing in SELinux run:
```bash
sudo semanage fcontext --add --type "samba_share_t" "/path/to/share(/.*)?
sudo restorecon -R /path/to/share
```
Say you wanted to share all home directories:
```bash
sudo semanage fcontext --add --type "samba_share_t" "/var/home(/.*)?
sudo restorecon -R /var/home
```
The least secure but simplest way to let samba share anything configured, is this:
```bash
sudo setsebool -P samba_export_all_rw 1
```
There is [much to read](https://linux.die.net/man/8/samba_selinux) on this topic.
##### Shares
Samba shares can be manually configured in `/etc/samba/smb.conf` (see docs), but user shares are also a good option.
An example follows, but you'll probably want to read some docs on this, too:
```bash
net usershare add sharename /path/to/share [comment] [user:{R|D|F}] [guest_ok={y|n}]
```
##### Run It
Like all services, Samba needs to be enabled and started:
```bash
sudo systemctl enable --now smb.service
sudo systemctl status smb.service
```
### NVIDIA
If you installed an image with `-nvidia` in the tag, the nvidia kernel module, basic CUDA libraries, and the nvidia-container-toolkit are all are pre-installed.
Note, this does NOT add desktop graphics services to your images, but it DOES enable your compatible nvidia GPU to be used for nvdec, nvenc, CUDA, etc. Since this is CoreOS and it's primarily intended for container workloads the [nvidia container toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html) should be well understood.
Note the included driver is the [latest nvidia driver](https://github.com/negativo17/nvidia-driver/blob/master/nvidia-driver.spec) as bundled by [negativo17](https://negativo17.org/nvidia-driver/). This package was chosen over rpmfusion's due to it's granular packages which allow us to install just the minimal `nvidia-driver-cuda` packages.
#### Other NVIDIA Drivers
If you need an older (or different) driver, consider looking at the [container-toolkit-fcos driver](https://hub.docker.com/r/fifofonix/driver/). It provides pre-bundled container images with nvidia drivers for FCOS, allowing auto-build/loading of the nvidia driver IN podman, at boot, via a systemd service.
If going this path, you likely won't want to use the `ucore` `-nvidia` image, but would use the suggested systemd service. The nvidia container toolkit will still be required but can by layered easily.
### ZFS
The ZFS kernel module and tools are pre-installed, but like other services, ZFS is not pre-configured to load on default.
If you installed an image with `-zfs` in the tag (or `fedora-coreos-zfs`), the ZFS kernel module and tools are pre-installed, but like other services, ZFS is not pre-configured to load on default.
Load it with the command `modprobe zfs` and use `zfs` and `zpool` commands as desired.
@@ -106,7 +314,7 @@ Per the [OpenZFS Fedora documentation](https://openzfs.github.io/openzfs-docs/Ge
> By default ZFS kernel modules are loaded upon detecting a pool. To always load the modules at boot:
```
```bash
echo zfs > /etc/modules-load.d/zfs.conf
```
@@ -114,26 +322,44 @@ echo zfs > /etc/modules-load.d/zfs.conf
The default mountpoint for any newly created zpool `tank` is `/tank`. This is a problem in CoreOS as the root filesystem (`/`) is immutable, which means a directory cannot be created as a mountpoint for the zpool. An example of the problem looks like this:
```
```bash
# zpool create tank /dev/sdb
cannot mount '/tank': failed to create mountpoint: Operation not permitted
```
To avoid this problem, always create new zpools with a specified mountpoint:
```
```bash
# zpool create -m /var/tank tank /dev/sdb
```
If you do forget to specify the mountpoint, or you need to change the mountpoint on an existing zpool:
```
```bash
# zfs set mountpoint=/var/tank tank
```
### Sanoid/Syncoid
sanoid/syncoid is a great tool for manual and automated snapshot/transfer of ZFS datasets. However, there is not a current stable RPM, rather they provide [instructions on installing via git](https://github.com/jimsalterjrs/sanoid/blob/master/INSTALL.md#centos).
`ucore` has pre-install all the (lightweight) required dependencies (perl-Config-IniFiles perl-Data-Dumper perl-Capture-Tiny perl-Getopt-Long lzop mbuffer mhash pv), such that a user wishing to use sanoid/syncoid only need install the "sbin" files and create configuration/systemd units for it.
### SecureBoot
For those wishing to use `nvidia` or `zfs` images with pre-built kmods AND run SecureBoot, the kernel will not load those kmods until the public signing key has been imported as a MOK (Machine-Owner Key).
Do so like this:
```bash
sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
```
The utility will prompt for a password. The password will be used to verify this key is the one you meant to import, after rebooting and entering the UEFI MOK import utility.
## How to Install
### Prerequsites
### Prerequisites
This image is not currently available for direct install. The user must follow the [CoreOS installation guide](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/). There are varying methods of installation for bare metal, cloud providers, and virtualization platforms.
@@ -153,17 +379,31 @@ To rebase an Fedora CoreOS machine to the latest uCore (stable):
sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/IMAGE:TAG
```
#### Tag Matrix
| IMAGE | TAG |
|-|-|
| [`ucore`](#ucore) | `stable`, `testing`, `stable-zfs`, `testing-zfs` |
| [`ucore-hci`](#ucore-hci) | `stable`, `testing`, `stable-zfs`, `testing-zfs` |
| [`fedora-coreos-zfs`](#fedora-coreos-zfs) | `stable`, `testing` |
| [`fedora-coreos`](#fedora-coreos) - *stable* | `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` |
| [`fedora-coreos`](#fedora-coreos) - *testing* | `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` |
| [`ucore-minimal`](#ucore-minimal) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` |
| [`ucore-mimimal`](#ucore-minimal) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` |
| [`ucore`](#ucore) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` |
| [`ucore`](#ucore) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` |
| [`ucore-hci`](#ucore-hci) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` |
| [`ucore-hci`](#ucore-hci) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` |
#### Verified Image Updates
This image now includes container policies to support image verification for improved trust of upgrades. Once running one of the `ucore*` images (not included in `fedora-coreos`), the following command will rebase to the verified image reference:
```bash
sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/IMAGE:TAG
```
### Install with Auto-Rebase
Your path to a running uCore can be shortend by using [examples/ucore-autorebase.butane](examples/ucore-autorebase.butane) as the starting point for your CoreOS ignition file.
Your path to a running uCore can be shortened by using [examples/ucore-autorebase.butane](examples/ucore-autorebase.butane) as the starting point for your CoreOS ignition file.
1. As usual, you'll need to [follow the docs to setup a password](https://coreos.github.io/butane/examples/#using-password-authentication). Substitute your password hash for `YOUR_GOOD_PASSWORD_HASH_HERE` in the `ucore-autorebase.butane` file, and add your ssh pub key while you are at it.
1. Generate an ignition file from your new `ucore-autorebase.butane` [using the butane utility](https://coreos.github.io/butane/getting-started/).
@@ -176,3 +416,7 @@ These images are signed with sigstore's [cosign](https://docs.sigstore.dev/cosig
```bash
cosign verify --key cosign.pub ghcr.io/ublue-os/ucore
```
## Metrics
![Alt](https://repobeats.axiom.co/api/embed/07d1ed133f5ed1a1048ea6a76bfe3a23227eedd5.svg "Repobeats analytics image")


@@ -1,25 +0,0 @@
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION}
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
COPY --from=ghcr.io/ublue-os/ucore-kmods:${COREOS_VERSION} /rpms/ /tmp/rpms
# enable testing repos if not enabled on testing stream
RUN if [[ "testing" == "${COREOS_VERSION}" ]]; then \
for REPO in $(ls /etc/yum.repos.d/fedora-updates-testing{,-modular}.repo); do \
if [[ "$(grep enabled=1 ${REPO} > /dev/null; echo $?)" == "1" ]]; then \
echo "enabling $REPO" &&\
sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' ${REPO}; \
fi; \
done; \
fi
# install locally prepared RPMs (ZFS, etc)
RUN rpm-ostree install /tmp/rpms/kmods/zfs/*.rpm && \
rpm-ostree cleanup -m && \
rm -rf /tmp/* /var/* && \
ostree container commit && \
mkdir -p /var/tmp && \
chmod -R 1777 /var/tmp


@@ -0,0 +1,26 @@
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION}
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
# build with --build-arg NVIDA_TAG="-nvidia" to install nvidia
ARG NVIDIA_TAG="${NVIDIA_TAG}"
# build with --build-arg ZFS_TAG="-zfs" to install zfs
ARG ZFS_TAG="${ZFS_TAG}"
ARG KMOD_SRC="${KMOD_SRC:-ghcr.io/ublue-os/ucore-kmods:${COREOS_VERSION}}"
COPY --from=${KMOD_SRC} /rpms/kmods/*.rpm /tmp/rpms/
COPY --from=${KMOD_SRC} /rpms/kmods/nvidia/*.rpm /tmp/rpms/nvidia/
COPY --from=${KMOD_SRC} /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/
COPY *.sh /tmp/
RUN mkdir -p /var/lib/alternatives \
&& /tmp/install.sh \
&& /tmp/post-install.sh \
&& mv /var/lib/alternatives /staged-alternatives \
&& rm -fr /tmp/* /var/* \
&& ostree container commit \
&& mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
&& mkdir -p /tmp /var/tmp \
&& chmod -R 1777 /tmp /var/tmp
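Review bot: `COPY --from=${KMOD_SRC}` pulls the kmods image by a mutable tag (`ucore-kmods:${COREOS_VERSION}`) with no digest pin or signature check, so whatever is published under that tag at build time lands in `/tmp/rpms/` and is installed by rpm-ostree; ucore/Containerfile does the same and additionally copies from `docker.io/docker/compose-bin:latest`. If the build pipeline verifies those images before this step that is fine, but nothing in the Containerfile says so; a comment above `ARG KMOD_SRC` stating how that source is trusted, and a `@sha256:<digest-placeholder>` pin for the compose binary, would make the provenance explicit. This section presumably is fedora-coreos/Containerfile, given the `/tmp/install.sh` and `/tmp/post-install.sh` calls. Separately, the comment `# build with --build-arg NVIDA_TAG="-nvidia" to install nvidia` misspells `NVIDIA_TAG` in both Containerfiles.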

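--- a/fedora-coreos/install.sh
+++ b/fedora-coreos/install.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+set -ouex pipefail
+RELEASE="$(rpm -E %fedora)"
+KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+#### PREPARE
+# enable testing repos if not enabled on testing stream
+if [[ "testing" == "${COREOS_VERSION}" ]]; then
+for REPO in $(ls /etc/yum.repos.d/fedora-updates-testing{,-modular}.repo); do
+if [[ "$(grep enabled=1 ${REPO} > /dev/null; echo $?)" == "1" ]]; then
+echo "enabling $REPO" &&
+sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' ${REPO}
+fi
+done
+fi
+# always disable cisco-open264 repo
+sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
+#### INSTALL
+# inspect to see what RPMS we copied in
+find /tmp/rpms/
+rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm
+## CONDITIONAL: install ZFS
+if [[ "-zfs" == "${ZFS_TAG}" ]]; then
+rpm-ostree install pv /tmp/rpms/zfs/*.rpm
+# for some reason depmod ran automatically with zfs 2.1 but not with 2.2
+depmod -A ${KERNEL}
+fi
+## CONDITIONAL: install NVIDIA
+if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then
+# repo for nvidia rpms
+curl -L https://negativo17.org/repos/fedora-nvidia.repo -o /etc/yum.repos.d/fedora-nvidia.repo
+rpm-ostree install /tmp/rpms/nvidia/ublue-os-ucore-nvidia-*.rpm
+sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
+rpm-ostree install \
+/tmp/rpms/nvidia/kmod-nvidia-*.rpm \
+nvidia-driver-cuda \
+nvidia-container-toolkit
+fi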
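Review bot: The `curl -L ... -o /etc/yum.repos.d/fedora-nvidia.repo` fetch has no `--fail`, so an HTTP error page is written into the repo directory with exit status 0 and `set -e` never trips; the same applies to the nvidia and tailscale repo fetches in ucore/install-ucore-minimal.sh, while github-release-install.sh in this same commit already uses `curl --fail --retry 5`. A consistent form would be `curl --fail --retry 3 -sL https://negativo17.org/repos/fedora-nvidia.repo -o /etc/yum.repos.d/fedora-nvidia.repo`. The `#!/bin/sh` shebang combined with `[[ ]]`, `set -o pipefail` and brace expansion relies on `/bin/sh` being bash on the build image; `#!/usr/bin/bash` would state that dependency outright. `RELEASE` is assigned on line 3 but never read in this file.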

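--- a/fedora-coreos/post-install.sh
+++ b/fedora-coreos/post-install.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -ouex pipefail
+## CONDITIONAL: post-install ZFS
+if [[ "-zfs" == "${ZFS_TAG}" ]]; then
+echo "no post-install tasks for ZFS"
+fi
+## CONDITIONAL: post-install NVIDIA
+if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then
+sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/nvidia-container-toolkit.repo
+semodule --verbose --install /usr/share/selinux/packages/nvidia-container.pp
+fi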
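Review bot: The script's contract is not stated anywhere in it: `ZFS_TAG` and `NVIDIA_TAG` are read under `set -u`, so the script aborts if run outside the Containerfile that declares them as ARGs. A header line such as `# Runs inside the image build after install.sh; ZFS_TAG and NVIDIA_TAG come from the Containerfile ARGs (empty unless the variant is requested).` would make that explicit. The nvidia branch here disables the toolkit repo and loads the SELinux module but, unlike the ucore post-install hunk in this commit, does not `systemctl enable ublue-nvctk-cdi.service`; if that is deliberate for the plain fedora-coreos image, a one-line comment saying so would stop the two scripts from drifting by accident.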


@@ -1,26 +0,0 @@
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
ARG IMAGE_NAME="${IMAGE_NAME:-ucore}"
ARG PR_PREFIX="${PR_PREFIX}"
ARG ZFS_TAG="${ZFS_TAG}"
FROM ghcr.io/ublue-os/${IMAGE_NAME}:${PR_PREFIX}${COREOS_VERSION}${ZFS_TAG}
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
ARG IMAGE_NAME="${IMAGE_NAME:-ucore}"
ADD github-release-install.sh /tmp/github-release-install.sh
ADD build.sh /tmp/build.sh
ADD packages.json /tmp/packages.json
ADD files/usr /usr
RUN mkdir -p /var/lib/alternatives \
&& wget https://copr.fedorainfracloud.org/coprs/ublue-os/ucore/repo/fedora-$(rpm -E %fedora)/ublue-os-ucore-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/_copr_ublue-os-ucore.repo \
&& /tmp/build.sh \
&& mv /var/lib/alternatives /staged-alternatives \
&& rm -fr /tmp/* /var/* \
&& rpm-ostree cleanup -m \
&& ostree container commit \
&& mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
&& mkdir -p /tmp /var/tmp \
&& chmod -R 1777 /tmp /var/tmp


@@ -1,23 +0,0 @@
{
"all": {
"include": {
"all": [
"cockpit-machines",
"duperemove",
"iwlegacy-firmware",
"iwlwifi-dvm-firmware",
"iwlwifi-mvm-firmware",
"libvirt-client",
"libvirt-daemon-kvm",
"snapraid",
"nfs-utils",
"virt-install"
]
},
"exclude": {
"all": [
"nfs-utils-coreos"
]
}
}
}


@@ -1,24 +0,0 @@
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION}
ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
ARG IMAGE_NAME="${IMAGE_NAME:-ucore}"
ARG ZFS_TAG="${ZFS_TAG}"
ADD build.sh /tmp/build.sh
ADD post-install.sh /tmp/post-install.sh
ADD packages.json /tmp/packages.json
COPY --from=ghcr.io/ublue-os/ucore-kmods:${COREOS_VERSION} /rpms/ /tmp/rpms
COPY etc /etc
COPY usr /usr
RUN /tmp/build.sh && \
/tmp/post-install.sh && \
rm -rf /tmp/* /var/* && \
ostree container commit && \
mkdir -p /var/tmp && \
chmod -R 1777 /var/tmp
COPY --from=docker.io/docker/compose-bin:latest /docker-compose /usr/bin/docker-compose


@@ -1,72 +0,0 @@
#!/bin/sh
set -ouex pipefail
RELEASE="$(rpm -E %fedora)"
#### PREPARE
# enable testing repos if not enabled on testing stream
if [[ "testing" == "${COREOS_VERSION}" ]]; then
for REPO in $(ls /etc/yum.repos.d/fedora-updates-testing{,-modular}.repo); do
if [[ "$(grep enabled=1 ${REPO} > /dev/null; echo $?)" == "1" ]]; then
echo "enabling $REPO" &&
sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' ${REPO}
fi
done
fi
# always disable cisco-open264 repo
sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
# add tailscale repo
curl -L https://pkgs.tailscale.com/stable/fedora/tailscale.repo -o /etc/yum.repos.d/tailscale.repo
## add rpmfusion (needed for nvidia akmods, etc)
#rpm-ostree install \
# https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-${RELEASE}.noarch.rpm \
# https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-${RELEASE}.noarch.rpm
#### INSTALL
## install ZFS (and sanoid deps) if tagged
if [[ "-zfs" == "${ZFS_TAG}" ]]; then
rpm-ostree install /tmp/rpms/kmods/zfs/*.rpm \
lzop \
mbuffer \
mhash \
perl-Capture-Tiny \
perl-Config-IniFiles \
perl-Getopt-Long \
pv
fi
## install packages.json stuffs
INCLUDED_PACKAGES=($(jq -r "[(.all.include | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
(select(.\"$COREOS_VERSION\" != null).\"$COREOS_VERSION\".include | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
| sort | unique[]" /tmp/packages.json))
EXCLUDED_PACKAGES=($(jq -r "[(.all.exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
(select(.\"$COREOS_VERSION\" != null).\"$COREOS_VERSION\".exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
| sort | unique[]" /tmp/packages.json))
if [[ "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
EXCLUDED_PACKAGES=($(rpm -qa --queryformat='%{NAME} ' ${EXCLUDED_PACKAGES[@]}))
fi
if [[ "${#INCLUDED_PACKAGES[@]}" -gt 0 && "${#EXCLUDED_PACKAGES[@]}" -eq 0 ]]; then
rpm-ostree install \
${INCLUDED_PACKAGES[@]}
elif [[ "${#INCLUDED_PACKAGES[@]}" -eq 0 && "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
rpm-ostree override remove \
${EXCLUDED_PACKAGES[@]}
elif [[ "${#INCLUDED_PACKAGES[@]}" -gt 0 && "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
rpm-ostree override remove \
${EXCLUDED_PACKAGES[@]} \
$(printf -- "--install=%s " ${INCLUDED_PACKAGES[@]})
else
echo "No packages to install."
fi


@@ -1,31 +0,0 @@
{
"all": {
"include": {
"all": [
"cockpit-networkmanager",
"cockpit-pcp",
"cockpit-podman",
"cockpit-selinux",
"cockpit-storaged",
"cockpit-system",
"distrobox",
"firewalld",
"open-vm-tools",
"pcp-zeroconf",
"podman",
"podman-compose",
"qemu-guest-agent",
"tailscale",
"tmux",
"vim",
"wget",
"wireguard-tools",
"xdg-dbus-proxy",
"xdg-user-dirs"
]
},
"exclude": {
"all": []
}
}
}

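--- a/ucore/Containerfile
+++ b/ucore/Containerfile
@@ -0,0 +1,73 @@
+ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
+# ucore-minimal image section
+FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION} AS ucore-minimal
+ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
+# build with --build-arg NVIDA_TAG="-nvidia" to install nvidia
+ARG NVIDIA_TAG="${NVIDIA_TAG}"
+# build with --build-arg ZFS_TAG="-zfs" to install zfs
+ARG ZFS_TAG="${ZFS_TAG}"
+ARG KMOD_SRC="${KMOD_SRC:-ghcr.io/ublue-os/ucore-kmods:${COREOS_VERSION}}"
+COPY --from=${KMOD_SRC} /rpms/kmods/*.rpm /tmp/rpms/
+COPY --from=${KMOD_SRC} /rpms/kmods/nvidia/*.rpm /tmp/rpms/nvidia/
+COPY --from=${KMOD_SRC} /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/
+COPY *.sh /tmp/
+COPY packages.json /tmp/packages.json
+COPY usr /usr
+RUN mkdir -p /var/lib/alternatives \
+&& /tmp/install-ucore-minimal.sh \
+&& /tmp/post-install-ucore-minimal.sh \
+&& mv /var/lib/alternatives /staged-alternatives \
+&& rm -fr /tmp/* /var/* \
+&& ostree container commit \
+&& mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
+&& mkdir -p /tmp /var/tmp \
+&& chmod -R 1777 /tmp /var/tmp
+COPY --from=docker.io/docker/compose-bin:latest /docker-compose /usr/bin/docker-compose
+# ucore image section
+FROM ucore-minimal AS ucore
+ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
+COPY *.sh /tmp/
+COPY packages.json /tmp/packages.json
+COPY usr /usr
+RUN mkdir -p /var/lib/alternatives \
+&& /tmp/install-ucore.sh \
+&& mv /var/lib/alternatives /staged-alternatives \
+&& rm -fr /tmp/* /var/* \
+&& ostree container commit \
+&& mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
+&& mkdir -p /tmp /var/tmp \
+&& chmod -R 1777 /tmp /var/tmp
+# ucore-hci image section
+FROM ucore AS ucore-hci
+ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
+ARG NVIDIA_TAG="${NVIDIA_TAG}"
+ARG ZFS_TAG="${ZFS_TAG}"
+COPY *.sh /tmp/
+COPY packages.json /tmp/packages.json
+RUN mkdir -p /var/lib/alternatives \
+&& /tmp/install-ucore-hci.sh \
+&& mv /var/lib/alternatives /staged-alternatives \
+&& rm -fr /tmp/* /var/* \
+&& ostree container commit \
+&& mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
+&& mkdir -p /tmp /var/tmp \
+&& chmod -R 1777 /tmp /var/tmp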
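Review bot: The `ucore-hci` stage redeclares `ARG NVIDIA_TAG` and `ARG ZFS_TAG` although the only script it runs, `/tmp/install-ucore-hci.sh`, reads neither (it exports `IMAGE_NAME` and calls `packages.sh`), while the `ucore` stage, whose `install-ucore.sh` reads neither too, declares none; the two stages should agree, and dropping the two unused ARGs from `ucore-hci` is the smaller change. If the redeclared `ARG COREOS_VERSION` at the top of each stage exists so that `packages.sh` can read `COREOS_VERSION` from the environment, a comment saying so, e.g. `# re-declare so COREOS_VERSION is visible to packages.sh in this stage`, would keep a later cleanup from removing it. The `COPY *.sh /tmp/` plus `rm -fr /tmp/*` pattern is repeated per stage, which is inherent to the multi-stage layout and fine as is.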


@@ -14,11 +14,13 @@
ORG_PROJ=${1}
ARCH_FILTER=${2}
LATEST=${3}
usage() {
echo "$0 ORG_PROJ ARCH_FILTER"
echo " ORG_PROJ - organization/projectname"
echo " ARCH_FILTER - optional extra filter to further limit rpm selection"
echo " LATEST - optional tag override for latest release (eg, nightly-dev)"
}
@@ -32,10 +34,20 @@ if [ -z ${ARCH_FILTER} ]; then
exit 2
fi
if [ -z ${LATEST} ]; then
RELTAG="latest"
else
RELTAG="tags/${LATEST}"
fi
set -ouex pipefail
API="https://api.github.com/repos/${ORG_PROJ}/releases/latest"
RPM_URLS=$(curl --retry 3 --retry-delay 0 --retry-all-errors -sL ${API} \
API_JSON=$(mktemp /tmp/api-XXXXXXXX.json)
API="https://api.github.com/repos/${ORG_PROJ}/releases/${RELTAG}"
# retry up to 5 times with 5 second delays for any error included HTTP 404 etc
curl --fail --retry 5 --retry-delay 5 --retry-all-errors -sL ${API} -o ${API_JSON}
RPM_URLS=$(cat ${API_JSON} \
| jq \
-r \
--arg arch_filter "${ARCH_FILTER}" \
@@ -43,6 +55,6 @@ RPM_URLS=$(curl --retry 3 --retry-delay 0 --retry-all-errors -sL ${API} \
for URL in ${RPM_URLS}; do
# WARNING: in case of multiple matches, this only installs the first matched release
echo "execute: rpm-ostree install \"${URL}\""
#rpm-ostree install "${URL}"
rpm-ostree install "${URL}"
break
done
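Review bot: With `rpm-ostree install "${URL}"` now live on the new side, the build installs whatever asset the GitHub releases API returns for `releases/latest`, with no checksum or signature check in the script, and the sole caller (`/tmp/github-release-install.sh trapexit/mergerfs fc.x86_64` in ucore/install-ucore.sh) passes no `LATEST`, so the image content changes whenever that upstream publishes a release. Whether rpm-ostree itself enforces a package signature on a URL install is not something this script establishes, so at minimum the caller should pin the tag through the new third argument, and a checksum comparison against a value the upstream publishes would close the gap if one is available. The `API_JSON` temp file created by `mktemp` is never removed; `trap 'rm -f "${API_JSON}"' EXIT` right after the `mktemp` line would cover every exit path. The script's argument checks and the tail of the `jq` pipeline lie outside these hunks.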

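--- a/ucore/install-ucore-hci.sh
+++ b/ucore/install-ucore-hci.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -ouex pipefail
+# install packages.json stuffs
+export IMAGE_NAME=ucore-hci
+/tmp/packages.sh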

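--- a/ucore/install-ucore-minimal.sh
+++ b/ucore/install-ucore-minimal.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+set -ouex pipefail
+KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+RELEASE="$(rpm -E %fedora)"
+#### PREPARE
+# enable testing repos if not enabled on testing stream
+if [[ "testing" == "${COREOS_VERSION}" ]]; then
+for REPO in $(ls /etc/yum.repos.d/fedora-updates-testing{,-modular}.repo); do
+if [[ "$(grep enabled=1 ${REPO} > /dev/null; echo $?)" == "1" ]]; then
+echo "enabling $REPO" &&
+sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' ${REPO}
+fi
+done
+fi
+# always disable cisco-open264 repo
+sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
+#### INSTALL
+# inspect to see what RPMS we copied in
+find /tmp/rpms/
+rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm
+## CONDITIONAL: install ZFS (and sanoid deps)
+if [[ "-zfs" == "${ZFS_TAG}" ]]; then
+rpm-ostree install /tmp/rpms/zfs/*.rpm \
+lzop \
+mbuffer \
+mhash \
+perl-Capture-Tiny \
+perl-Config-IniFiles \
+perl-Data-Dumper \
+perl-Getopt-Long \
+perl-Sys-Hostname \
+pv
+# for some reason depmod ran automatically with zfs 2.1 but not with 2.2
+depmod -A ${KERNEL}
+fi
+## CONDITIONAL: install NVIDIA
+if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then
+# repo for nvidia rpms
+curl -L https://negativo17.org/repos/fedora-nvidia.repo -o /etc/yum.repos.d/fedora-nvidia.repo
+rpm-ostree install /tmp/rpms/nvidia/ublue-os-ucore-nvidia-*.rpm
+sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
+rpm-ostree install \
+/tmp/rpms/nvidia/kmod-nvidia-*.rpm \
+nvidia-driver-cuda \
+nvidia-container-toolkit
+fi
+## ALWAYS: install regular packages
+# add tailscale repo
+curl -L https://pkgs.tailscale.com/stable/fedora/tailscale.repo -o /etc/yum.repos.d/tailscale.repo
+# install packages.json stuffs
+export IMAGE_NAME=ucore-minimal
+/tmp/packages.sh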
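Review bot: `RELEASE="$(rpm -E %fedora)"` is assigned on line 4 and never read anywhere in this script; it appears to be carried over from the deleted build.sh, where only the commented-out rpmfusion lines used it, so it can be dropped (fedora-coreos/install.sh has the same dead assignment). The ZFS branch installs `perl-Sys-Hostname` in addition to the sanoid dependencies the README lists in this commit (`perl-Config-IniFiles perl-Data-Dumper perl-Capture-Tiny perl-Getopt-Long lzop mbuffer mhash pv`); one of the two should be updated so the documented list matches what the image ships. The nvidia and tailscale `curl` calls share the missing `--fail` already raised on fedora-coreos/install.sh.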

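--- a/ucore/install-ucore.sh
+++ b/ucore/install-ucore.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -ouex pipefail
+# install packages.json stuffs
+export IMAGE_NAME=ucore
+/tmp/packages.sh
+# install packages direct from github
+/tmp/github-release-install.sh trapexit/mergerfs fc.x86_64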

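--- a/ucore/packages.json
+++ b/ucore/packages.json
@@ -0,0 +1,54 @@
+{
+"all": {
+"include": {
+"all": [],
+"ucore-minimal": [
+"cockpit-networkmanager",
+"cockpit-pcp",
+"cockpit-podman",
+"cockpit-selinux",
+"cockpit-system",
+"firewalld",
+"open-vm-tools",
+"pcp-zeroconf",
+"podman",
+"podman-compose",
+"qemu-guest-agent",
+"tailscale",
+"tmux",
+"wget",
+"wireguard-tools"
+],
+"ucore": [
+"cockpit-storaged",
+"distrobox",
+"duperemove",
+"iwlegacy-firmware",
+"iwlwifi-dvm-firmware",
+"iwlwifi-mvm-firmware",
+"nfs-utils",
+"pciutils",
+"samba",
+"samba-usershares",
+"snapraid",
+"usbutils",
+"xdg-dbus-proxy",
+"xdg-user-dirs"
+],
+"ucore-hci": [
+"cockpit-machines",
+"libvirt-client",
+"libvirt-daemon-kvm",
+"virt-install"
+]
+},
+"exclude": {
+"all": [],
+"ucore-minimal": [],
+"ucore": [
+"nfs-utils-coreos"
+],
+"ucore-hci": []
+}
+}
+}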
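Review bot: `vim` was in the deleted ucore packages.json (`all.include.all`) and does not appear in any of the three new per-image lists, so it silently leaves every ucore variant with this commit; if that is intended it deserves a mention in the commit message or README, otherwise it belongs in the `ucore-minimal` list next to `tmux` and `wget`. The new layout also keys the per-image sections by `IMAGE_NAME`, which `packages.sh` selects with `.\"$IMAGE_NAME\"`; an unknown name silently yields an empty list rather than an error, so a typo in an install script would produce a bare image with no build failure.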


@@ -4,25 +4,33 @@ set -ouex pipefail
RELEASE="$(rpm -E %fedora)"
# build list of all packages requested for inclusion
INCLUDED_PACKAGES=($(jq -r "[(.all.include | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
(select(.\"$COREOS_VERSION\" != null).\"$COREOS_VERSION\".include | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
| sort | unique[]" /tmp/packages.json))
# build list of all packages requested for exclusion
EXCLUDED_PACKAGES=($(jq -r "[(.all.exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
(select(.\"$COREOS_VERSION\" != null).\"$COREOS_VERSION\".exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
| sort | unique[]" /tmp/packages.json))
# ensure exclusion list only contains packages already present on image
if [[ "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
EXCLUDED_PACKAGES=($(rpm -qa --queryformat='%{NAME} ' ${EXCLUDED_PACKAGES[@]}))
fi
# ensure exclusion list only contains packages already present on image
if [[ "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
EXCLUDED_PACKAGES=($(rpm -qa --queryformat='%{NAME} ' ${EXCLUDED_PACKAGES[@]}))
fi
# simple case to install where no packages need excluding
if [[ "${#INCLUDED_PACKAGES[@]}" -gt 0 && "${#EXCLUDED_PACKAGES[@]}" -eq 0 ]]; then
rpm-ostree install \
${INCLUDED_PACKAGES[@]}
elif [[ "${#INCLUDED_PACKAGES[@]}" -eq 0 && "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
rpm-ostree override remove \
${EXCLUDED_PACKAGES[@]}
# install/excluded packages both at same time
elif [[ "${#INCLUDED_PACKAGES[@]}" -gt 0 && "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
rpm-ostree override remove \
${EXCLUDED_PACKAGES[@]} \
@@ -33,6 +41,18 @@ else
fi
# check if any excluded packages are still present
# (this can happen if an included package pulls in a dependency)
EXCLUDED_PACKAGES=($(jq -r "[(.all.exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
(select(.\"$COREOS_VERSION\" != null).\"$COREOS_VERSION\".exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
| sort | unique[]" /tmp/packages.json))
## install packages direct from github
/tmp/github-release-install.sh trapexit/mergerfs fc.x86_64
if [[ "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
EXCLUDED_PACKAGES=($(rpm -qa --queryformat='%{NAME} ' ${EXCLUDED_PACKAGES[@]}))
fi
# remove any excluded packages which are still present on image
if [[ "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
rpm-ostree override remove \
${EXCLUDED_PACKAGES[@]}
fi
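Review bot: The same 3-line `jq` expression is now written out three times (include list, exclude list, and the post-install re-check of the exclude list added in the second hunk), differing only in `include`/`exclude`; a small helper taking that word as `$1` removes the duplication and keeps the three copies from drifting. If both back-to-back "ensure exclusion list only contains packages already present on image" stanzas survive in the file rather than only one of them, the second is a no-op repeat and should go. The script's header and the `else` branch between the two hunks are outside this view.
```bash
# merged package list from packages.json for $1 = include | exclude
# (the "all" section plus the per-image and per-stream sections)
packages_for() {
  jq -r "[(.all.$1 | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
    (select(.\"$COREOS_VERSION\" != null).\"$COREOS_VERSION\".$1 | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
    | sort | unique[]" /tmp/packages.json
}
INCLUDED_PACKAGES=($(packages_for include))
EXCLUDED_PACKAGES=($(packages_for exclude))
# … unchanged: present-on-image filter, install/remove cases …
EXCLUDED_PACKAGES=($(packages_for exclude))
# … unchanged: second present-on-image filter and override remove …
```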


@@ -2,6 +2,22 @@
set -ouex pipefail
## CONDITIONAL: post-install ZFS
if [[ "-zfs" == "${ZFS_TAG}" ]]; then
echo "no post-install tasks for ZFS"
fi
## CONDITIONAL: post-install NVIDIA
if [[ "-nvidia" == "${NVIDIA_TAG}" ]]; then
sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/nvidia-container-toolkit.repo
semodule --verbose --install /usr/share/selinux/packages/nvidia-container.pp
systemctl enable ublue-nvctk-cdi.service
fi
## ALWAYS: regular post-install
systemctl disable docker.socket
systemctl disable zincati.service
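Review bot: `systemctl disable zincati.service` turns off the agent that drives automatic Fedora CoreOS updates, which has a direct patch-latency consequence for anyone running the image, yet the new `## ALWAYS: regular post-install` section gives no reason and names no replacement. A comment above the line along the lines of `# zincati is disabled because <reason-placeholder>; updates are delivered by <mechanism-placeholder> instead` would let a reader judge the trade-off, and the README could state the same in one sentence. `systemctl disable docker.socket` is self-explanatory given the podman-centric package list, but a short note that docker stays installed and is opt-in would not hurt. The file's shebang and first line are outside this hunk.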


@@ -0,0 +1,95 @@
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"registry.access.redhat.com": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"registry.redhat.io": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"ghcr.io/ublue-os": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/ublue-os.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
],
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"atomic": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"containers-storage": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"dir": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"tarball": {
"": [
{
"type": "insecureAcceptAnything"
}
]
}
}
}
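Review bot: The `docker` transport's `""` entry set to `insecureAcceptAnything` means the top-level `default: reject` is never reached for a registry pull; only `ghcr.io/ublue-os` (sigstore) and the two Red Hat registries (GPG) are actually verified, and any other registry is accepted unsigned. That matches the stock Fedora policy, but the README in this commit describes the image as shipping "container policies to support image verification", so a sentence there stating the scope — signatures are enforced for `ghcr.io/ublue-os` only — would set expectations correctly, since JSON leaves no room for a comment here. The `ghcr.io/ublue-os` entry only works together with the `use-sigstore-attachments: true` registries.d stanza added later in this commit and with the key the policy points to at `/usr/etc/pki/containers/ublue-os.pub`, presumably the EC public key also added here; those three pieces need to land together. `signedIdentity: matchRepository` accepts a signature made for any tag in the repository, which looks intended so tag-to-tag rebases keep verifying.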


@@ -0,0 +1,3 @@
docker:
ghcr.io/ublue-os:
use-sigstore-attachments: true


@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
-----END PUBLIC KEY-----