Site https://discussion.fedoraproject.org/t/beginners-guide-to-fedora-coreos/143037
Beginner’s Guide to Fedora CoreOS
In this guide, you’ll learn how to:
- Generate an ed25519 SSH key pair
- Write a Butane YAML config
- Convert the Butane YAML config into the Ignition file the CoreOS installer needs
- Serve your Ignition file locally so the CoreOS installer can fetch it
- Install Fedora CoreOS
- Layer in Firewalld via rpm-ostree
- Setup Firewall rules and DNS
- Setup Pi-hole for network level ad-blocking
Video for the written guide: https://youtu.be/2xhFC9pzqLQ
Fedora CoreOS is great for turning a VM (or, in my case, an old laptop) into an appliance that runs a single task. In this example we take a VM and make it our Pi-hole DNS server running on top of CoreOS, but you could easily swap out Pi-hole for whatever use-case you have.
Pre-reqs:
- Host PC (I’m running Fedora Silverblue)
- VM (or old laptop)
- Fedora CoreOS Bare Metal ISO: Fedora CoreOS | The Fedora Project
Generate an ed25519 SSH key
SSH keys are a more secure replacement for passwords. Once your key pair is generated, you add the public half to the Butane YAML file we will set up in the next step. During generation you will be prompted for a passphrase, which adds another layer of protection by encrypting the private key on disk. In this example, I will leave the passphrase empty.
To generate the key, open a Terminal and type:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
There’s no need to memorize anything at this point; just remember your SSH key lives under ~/.ssh, and you’ll want the contents of the id_ed25519.pub file (the public key, never the private id_ed25519 file) for the next step.
Create the Butane YAML Config File
Now that we have our SSH key, we can keep going with our CoreOS setup. The next step is to create our Butane YAML file. In this example, I only include the config that allows SSH to work once we install CoreOS. If you are a CoreOS pro, feel free to add more to your file here. I’m keeping this one super simple for those who are just getting their feet wet with CoreOS. Under my Downloads folder, I created a coreos folder, so the path will be ~/Downloads/coreos. I named the config file config.bu, but you can name it whatever you like; just make sure the file extension is .bu. Remember the id_ed25519.pub file we created earlier? Now open it (I use KWrite or VS Code), copy its contents, and paste them into your config.bu file.
Here’s what it should look like (replace XXX with the rest of the line from your id_ed25519.pub; the line starts with the key type, so it must begin with ssh-ed25519 for the key we generated, and the indentation matters in YAML):
variant: fcos
version: 1.3.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 XXX
Save that bad boy out, and we are ready for the next step.
Convert the Butane YAML File into a CoreOS Ignition File
Now that we’ve created our YAML file, which we can easily read, we need to convert it into an Ignition file, which is what CoreOS actually reads; it is formatted as JSON. To do that, we’ll run Butane in a container. To keep everything together, change directory into our ~/Downloads/coreos folder again.
Then run the following command in the Terminal exactly how you see it:
podman run -i --rm quay.io/coreos/butane:release --strict < config.bu > coreos.ign
Please note: the < and > are shell redirections, not part of the file names. Butane reads config.bu on standard input (<) and the --strict flag makes it fail on any unknown or misspelled field instead of silently ignoring it; the JSON it prints is written to coreos.ign (>). I’d recommend copying/pasting this as long as you’ve named your config.bu file the same as the tutorial.
Congrats! You’ve officially created your ignition file which is required when installing Fedora CoreOS. 90% of the heavy lifting is over. 🙂
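The two steps above, pasting the .pub line into config.bu and running Butane, as an added example that is not the guide’s own code: a small script that builds config.bu from the public key file rather than by hand, so the key type and blob in the config are exactly what ssh will offer later, and that refuses a private key file or a mangled line. The paths (~/.ssh/id_ed25519.pub, ~/Downloads/coreos) are the guide’s; the podman invocation is the guide’s command unchanged.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Builds config.bu from the .pub file
# and converts it with the guide's own podman/butane command.
set -eu

# Print the first line of an OpenSSH public key file after checking that it
# really is one ("<type> <base64-blob> [comment]") and not the private key.
public_key_line() {
  local f="$1" line type blob
  line=$(head -n1 "$f")
  case "$line" in
    *-----BEGIN*) echo "$f: this is a private key; use the .pub file" >&2; return 1 ;;
  esac
  set -- $line                 # split on whitespace: $1=type $2=blob $3..=comment
  [ $# -ge 2 ] || { echo "$f: not a '<type> <blob>' public key line" >&2; return 1; }
  type=$1; blob=$2
  case "$type" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "$f: unsupported key type '$type'" >&2; return 1 ;;
  esac
  case "$blob" in
    *[!A-Za-z0-9+/=]*) echo "$f: key blob is not base64" >&2; return 1 ;;
  esac
  printf '%s\n' "$line"
}

# Emit the Butane config the guide shows, with the key line filled in.
render_butane() {
  local key
  key=$(public_key_line "$1") || return 1
  cat <<EOF
variant: fcos
version: 1.3.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - $key
EOF
}

# Render config.bu and convert it to coreos.ign (same podman call as the guide).
build_ignition() {
  local pub="$1" dir="$2"
  render_butane "$pub" > "$dir/config.bu"
  podman run -i --rm quay.io/coreos/butane:release --strict \
    < "$dir/config.bu" > "$dir/coreos.ign"
  echo "wrote $dir/coreos.ign"
}

# Usage on the host PC:
#   build_ignition ~/.ssh/id_ed25519.pub ~/Downloads/coreos
```

If you generated an RSA key instead, the same script works: the type check accepts ssh-rsa, and the line it emits will start with ssh-rsa, which is the only thing that has to match between the key file and the config.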
To install CoreOS, boot the VM or laptop from the Fedora CoreOS bare metal ISO and, in its shell, run:
sudo coreos-installer install /dev/sdX --ignition-url http://192.168.1.8:8000/coreos.ign --insecure-ignition
Remember to replace X with your target drive. This is normally sda, but run lsblk and be 100% sure: the installer overwrites that disk. The URL must point at the machine that is serving coreos.ign on port 8000, and --insecure-ignition is what lets the installer accept a plain-HTTP URL with no content hash; the alternative is to pass --ignition-hash with the file’s digest, which makes the installer reject anything other than the file you rendered.
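The fetch-and-install step above with the hash pinned, as an added example that is not the guide’s own code. Assumptions: the guide never shows how coreos.ign was served, so python3’s built-in http.server (whose default port, 8000, matches the guide’s URL) stands in for it here; sha512sum comes from coreutils on the host PC; coreos-installer’s --ignition-hash flag takes a digest in the form sha512-<hex>. The address 192.168.1.8 and the paths are the guide’s.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. --ignition-hash replaces
# --insecure-ignition so a coreos.ign that differs from the one rendered on the
# host PC fails the digest check instead of provisioning the machine.
set -eu

# Digest in the "sha512-<hex>" form coreos-installer accepts for --ignition-hash.
ignition_hash_arg() {
  printf 'sha512-%s\n' "$(sha512sum "$1" | cut -d' ' -f1)"
}

# Last look before publishing the file: is it an Ignition config, does it carry
# only a public key, and is that the key whose private half sits on this host?
check_ignition() {
  local ign="$1" pub="$2" key
  grep -q '"ignition"' "$ign" || { echo "$ign: not an Ignition file" >&2; return 1; }
  if grep -q -- '-----BEGIN' "$ign"; then
    echo "$ign: contains a private key block" >&2; return 1
  fi
  key=$(cut -d' ' -f1,2 "$pub")          # type + blob; the comment may differ
  grep -Fq -- "$key" "$ign" || { echo "$ign: does not contain the key from $pub" >&2; return 1; }
}

# Serve the directory only while the install runs; Ctrl+C afterwards. The file
# holds nothing secret (a public key), the risk is substitution, not disclosure.
# Opening just 8000/tcp at runtime on the host is narrower than stopping firewalld:
#   sudo firewall-cmd --add-port=8000/tcp     (runtime only; gone after a reload)
serve_ignition() {
  (cd "$1" && python3 -m http.server "${2:-8000}")
}

# Run on the live ISO: the hash computed on the host replaces --insecure-ignition.
install_pinned() {
  sudo coreos-installer install "$1" --ignition-url "$2" --ignition-hash "$3"
}

# Host PC:
#   check_ignition ~/Downloads/coreos/coreos.ign ~/.ssh/id_ed25519.pub
#   ignition_hash_arg ~/Downloads/coreos/coreos.ign      # note the value
#   serve_ignition ~/Downloads/coreos
# Live ISO:
#   install_pinned /dev/sdX http://192.168.1.8:8000/coreos.ign sha512-<value>
```

Type or paste the digest on the live ISO side; it is long, but that is the whole point: the installer will only proceed if what it downloaded hashes to exactly that value.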
Once the install completes, run sudo shutdown now. Head back to your Host PC and let’s stop the web host that served coreos.ign and re-enable the firewall. On the Host PC, the terminal that has the web host running can be stopped by pressing CTRL + C.
To re-enable the firewall, type in a Terminal: sudo systemctl start firewalld
To ensure the firewall is indeed running again on your Host PC, check in a Terminal with: sudo systemctl status firewalld
Congrats, now we can SSH into our VM or old laptop to finish setting it up. 🙂
Layer in Firewalld with rpm-ostree
By default, CoreOS doesn’t come with firewalld. Let’s change that, but first we need to SSH into our fresh CoreOS install for the first time. To do that, open a Terminal on the Host PC and type: ssh core@192.168.1.8
You’ll be prompted to accept the server’s host key fingerprint by typing yes; check it against the fingerprint the machine prints on its own console login screen before accepting, since this first connection is the one a man-in-the-middle would target. Also, if you set a passphrase when creating your SSH key, you’ll be asked for it now. We didn’t do that in this example, so we’ll just type yes. Once you’ve done that, you’ll be presented with text similar to this:
chris@hostpc:/var/home/chris$ ssh core@192.168.1.8
Fedora CoreOS 41.20241215.3.0
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/tag/coreos

Last login: Sun Jan 19 22:21:47 2025 from HOSTPC_IP_ADDRESS_HERE
core@fedora:~$
Think of rpm-ostree a lot like dnf for Fedora. We’ll be using it to layer packages on top of the base image. Since CoreOS, like Silverblue, is an image-based (atomic) system, we can’t install packages the way a normal Fedora install would with dnf. We have to layer them in.
To install firewalld, open a Terminal and type: sudo rpm-ostree install firewalld
Once that completes, reboot (layered packages only become active in the new deployment), SSH back in, and we’ll set up the firewall rules.
Setup Firewall Rules and DNS
Setting up the firewall rules with firewalld is very simple. SSH back into our CoreOS machine, then copy and paste these rules. The first five open the ports in the running firewall; the --permanent copies write the same rules to disk so they survive a reboot or a firewall-cmd --reload. Ports 53/tcp and 53/udp are DNS, 80 and 443 are Pi-hole’s admin web interface, and 67/udp is DHCP, which you only need if Pi-hole will also be your DHCP server. Before pasting, confirm which zone your network interface is actually in (sudo firewall-cmd --get-active-zones); rules added to a zone the interface is not in never match.
From a Terminal, type:
sudo firewall-cmd --zone=FedoraServer --add-port=80/tcp
sudo firewall-cmd --zone=FedoraServer --add-port=443/tcp
sudo firewall-cmd --zone=FedoraServer --add-port=53/tcp
sudo firewall-cmd --zone=FedoraServer --add-port=53/udp
sudo firewall-cmd --zone=FedoraServer --add-port=67/udp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=53/udp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=53/tcp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=443/tcp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=67/udp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=80/tcp
Next, we want to set up the network address and DNS. In my example, my network interface is named enp1s0, but yours may be different. To find the interface you want to target, type ip addr; the names are listed to the right of 1, 2, 3… depending on how many network devices you have. Once you have your target interface, open a Terminal and type (I’d recommend copy/pasting this; edit it in KWrite/VS Code first if you need to change the interface name to match yours):
sudo nmcli device modify enp1s0 ipv4.addresses 192.168.1.8/24
sudo nmcli device modify enp1s0 ipv4.gateway 192.168.1.1
sudo nmcli device modify enp1s0 ipv4.dns "8.8.8.8 8.8.4.4"
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo unlink /etc/resolv.conf
sudo systemctl restart NetworkManager
Two things to know about these commands. nmcli device modify changes the running device only; the address, gateway and DNS are gone after a reboot unless you also write them to the device’s connection profile with nmcli connection modify. Stopping systemd-resolved is what frees port 53: its stub listener holds 127.0.0.53:53, and /etc/resolv.conf is a symlink to its stub file, which is why the link is removed and NetworkManager restarted so it writes a fresh resolv.conf.
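The firewall and network steps of this section as one script, an added example that is not the guide’s own code. The addresses (192.168.1.8/24, gateway 192.168.1.1, upstream DNS 8.8.8.8 and 8.8.4.4) and the interface name enp1s0 are the guide’s values and are assumptions for your network. It differs from the commands above in two places: it asks firewalld which zone the interface is really in instead of assuming FedoraServer, and it makes the static address persistent with nmcli connection modify rather than the runtime-only nmcli device modify. Set DRY_RUN=1 to print the privileged commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Run on the CoreOS box after
# firewalld has been layered in. DRY_RUN=1 prints commands instead of running them.
set -eu

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pi-hole's ports: DNS plus the admin web UI. 67/udp (DHCP) only matters if
# Pi-hole is also going to hand out leases, so it is opt-in.
pihole_ports() {
  printf '%s\n' 53/tcp 53/udp 80/tcp 443/tcp
  [ "${1:-}" = "dhcp" ] && printf '%s\n' 67/udp
  return 0
}

# Zone the interface is actually bound to. Rules added to a zone the NIC is not
# in never match, so do not assume FedoraServer.
zone_of() {
  sudo firewall-cmd --get-zone-of-interface "$1"
}

# NetworkManager's profile for the device (what `connection modify` edits).
connection_of() {
  nmcli -g GENERAL.CONNECTION device show "$1"
}

# One --permanent rule per port plus a single --reload gives the same end
# state as the guide's runtime + permanent pairs with half the commands.
open_pihole_ports() {
  local zone="$1" mode="${2:-}" port
  for port in $(pihole_ports "$mode"); do
    run sudo firewall-cmd --permanent --zone="$zone" --add-port="$port"
  done
  run sudo firewall-cmd --reload
}

# Static IPv4 written to the profile so it survives a reboot.
set_static_ip() {
  local con="$1" addr="$2" gw="$3" dns="$4"
  run sudo nmcli connection modify "$con" ipv4.method manual \
    ipv4.addresses "$addr" ipv4.gateway "$gw" ipv4.dns "$dns"
  run sudo nmcli connection up "$con"
}

# Free port 53 for Pi-hole: the guide's steps. systemd-resolved's stub listener
# owns 127.0.0.53:53 until it is stopped; /etc/resolv.conf is a symlink to its
# stub file, and NetworkManager writes a real one once the link is gone.
free_port_53() {
  run sudo systemctl disable --now systemd-resolved
  run sudo unlink /etc/resolv.conf
  run sudo systemctl restart NetworkManager
}

# Usage on the CoreOS box:
#   open_pihole_ports "$(zone_of enp1s0)"          # add dhcp as a 2nd arg if Pi-hole does DHCP
#   set_static_ip "$(connection_of enp1s0)" 192.168.1.8/24 192.168.1.1 "8.8.8.8 8.8.4.4"
#   free_port_53
```

After free_port_53 the box has no local resolver until Pi-hole is up, which is expected: the nmcli DNS setting is what the host itself uses in the meantime, and Pi-hole will be what everything else on the network uses.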