miabbott / fcos-image-builder

Fedora CoreOS with Image Builder layered


Fedora CoreOS with Image Builder layer


This builds a version of Fedora CoreOS using the ostree native container features.

The GitHub workflow generates a new container image weekly. (See https://github.com/jlebon/pet for inspiration)

The customizations in the Containerfile enable installation of the osbuild-composer service and CLI. In addition, systemd services enable automatic upgrade and reboot of the running system.

WARNING: This example is not safe for production, as the system could automatically reboot while a critical workload is running.

Initialization

This assumes you have booted a vanilla Fedora CoreOS image using the provided Butane -> Ignition config to disable zincati and rebase to the layered image.

I used yq as a cheap YAML editor to insert SSH keys into the Butane config.

$ KEY=$(cat ~/.ssh/id_rsa.pub) yq e '.passwd.users[0].ssh_authorized_keys[0] = strenv(KEY)' ignition.bu | butane --pretty --strict > ignition.json

Automatic Upgrades & Reboots

Once the system has been rebased to the container image (quay.io/miabbott/fcos-image-builder:latest), the rpm-ostreed-automatic.timer will fire regularly and trigger rpm-ostree upgrade to run.

If an updated container image is available, the deployment will be staged via ostree-finalize-staged.service. On completion of that service, the post-upgrade-reboot.service will fire and check if there is an unbooted deployment (which should be the case after an upgrade). If there is an unbooted deployment, the system reboots.
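
The reboot decision described above, sketched as an added Python example (not the repository's post-upgrade-reboot.service code): it reads rpm-ostree status --json output and treats only a deployment listed ahead of the booted one as pending, so a leftover rollback deployment, which is also unbooted, does not trigger a reboot. The sample status is constructed, and the function names and the expected-image comparison are assumptions of this example.

```python
import json
import sys

# Image the host is expected to track (taken from this README).
EXPECTED_IMAGE = "quay.io/miabbott/fcos-image-builder:latest"
_REF = "ostree-unverified-registry:" + EXPECTED_IMAGE

# Constructed sample shaped like `rpm-ostree status --json` after an upgrade
# has been staged: pending deployment first, then booted, then rollback.
SAMPLE_STATUS = {"deployments": [
    {"checksum": "aaa1", "booted": False, "staged": True,
     "container-image-reference": _REF},
    {"checksum": "bbb2", "booted": True, "staged": False,
     "container-image-reference": _REF},
    {"checksum": "ccc3", "booted": False, "staged": False,
     "container-image-reference": _REF},
]}


def pending_deployment(status):
    """Return the deployment queued for the next boot, or None.

    Deployments are listed in boot order, so only an entry ahead of the
    booted one is pending; entries after it are rollback targets.
    """
    deps = status.get("deployments", [])
    booted_idx = next((i for i, d in enumerate(deps) if d.get("booted")), None)
    if booted_idx in (None, 0):  # malformed status, or already on newest
        return None
    return deps[0]


def should_reboot(status, expected_image=EXPECTED_IMAGE):
    """Reboot only into a pending deployment that comes from the expected image."""
    dep = pending_deployment(status)
    if dep is None:
        return False
    ref = dep.get("container-image-reference", "")
    # Reference is "<transport>:<image>"; compare the image part only and
    # fail closed on any other reference form.
    return ref.split(":", 1)[-1] == expected_image


if __name__ == "__main__":
    # Pipe `rpm-ostree status --json` in, or run bare to use the sample.
    status = SAMPLE_STATUS if sys.stdin.isatty() else json.load(sys.stdin)
    print("reboot" if should_reboot(status) else "stay up")
```

A check that only asks whether any unbooted deployment exists would return true on every run once a rollback deployment is present; the ordering test above avoids that.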

TODO

  • Ultimately, I hope to have a complete deployment/workflow showing how to build a RHEL for Edge image using Image Builder, along with an e2e story for generating and managing the ostree updates.
  • Work on a more sane image promotion process + old tag pruning


License: Apache License 2.0

