cphipps/coreos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update README.md

Browse Source 
Clean up site info and remove un needed parts
This commit is contained in:
cphipps
2025-05-16 12:06:14 -04:00
parent 42dc5031d6
commit 74e64a20f2
1 changed files with 32 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
README.md
View File

@@ -1,44 +1,41 @@
Site https://discussion.fedoraproject.org/t/beginners-guide-to-fedora-coreos/143037
Beginners Guide to Fedora CoreOS
# Beginners Guide to Fedora CoreOS
In this guide, youll learn how to:
Generate RSA SSH keys
Generate YAML Butane file
Convert YAML Butane file into Ignition File needed for CoreOS installation
Locally share your Ignition File with the CoreOS Install
Install Fedora CoreOS
Layer in Firewalld via rpm-ostree
Setup Firewall rules and DNS
Setup Pi-hole for network level ad-blocking
* Generate RSA SSH keys
* Generate YAML Butane file
* Convert YAML Butane file into Ignition File needed for CoreOS installation
* Locally share your Ignition File with the CoreOS Install
* Install Fedora CoreOS
* Layer in Firewalld via rpm-ostree
* Setup Firewall rules and DNS
* Setup Pi-hole for network level ad-blocking
Video for the written guide: https://youtu.be/2xhFC9pzqLQ
Fedora CoreOS is great for turning a VM or an old laptop in my case into an appliance that you want a single task to run on. In this example we will take a VM and make it our Pi-hole DNS server running on top of CoreOS, but you could easily swap out Pi-hole for whatever use-case you may have.
Pre-reqs:
# Pre-reqs:
Host PC (Im running Fedora Silverblue)
VM (or old laptop)
Fedora CoreOS Bare Metal ISO: Fedora CoreOS | The Fedora Project
Generate RSA SSH key
Fedora CoreOS Bare Metal ISO: [Fedora CoreOS | The Fedora Project](https://fedoraproject.org/coreos/download?stream=stable)
# Generate RSA SSH key
SSH keys are the more secure future of passwords. Once you get your SSH key generated, you simply add it into your YAML file which will will setup in the next step. During the generation process, you will be prompted to enter a passphrase for even another layer of security. In this example, I will leave the passphrase empty.
To generate the key, open a Terminal and type:
UPDATE: thanks 0xrl over on reddit (Pick one)
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa (More Secure RSA, but larger keys)
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 (The new standard Ed25519)
```
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
```
Theres no need to memorize anything at this point, just remember you SSH key lives under ~/.ssh, and youll want the contents inside the id_rsa.pub file for the next step.
Create the Butane YAML Config File
Now that we have our SSH key, we can keep going with our CoreOS setup. The next step is to create our Butane YAML file. In this example, I only include the code that allows SSH to work once we install CoreOS. If you are a CoreOS pro, feel free to add more to your file here. Im keeping this one super simple for those who are just getting their feet wet with CoreOS. Under my Downloads folder, I created a coreos folder. So the path will be ~/Downloads/coreos. I named the config file config.bu, but you can name it whatever you like, just make sure the file extension is .bu. Remember the id_rsa.pub file we created earlier? Now you can go open it (I use KWrite or VS Code), copy its contents, and paste them into your config.bu file.
Heres what it should look like (replace XXX with your id_rsa.pub SSH key):
```
variant: fcos
version: 1.3.0
passwd:
@@ -46,47 +43,25 @@ passwd:
- name: core
ssh_authorized_keys:
- ssh-rsa XXX
```
Save that bad boy out, and we are ready for the next step.
Convert Butane YAML File into CoreOS Ignition File
Now that weve created our YAML file, which we can easily read, we need to convert that into an ignition file which CoreOS can read which is formated in json. To do that, well be running Butane in a container. To keep everything together, go ahead and change directory into our ~/Downloads/coreos folder again.
Then run the following command in the Terminal exactly how you see it:
```
podman run -i --rm quay.io/coreos/butane:release --strict < config.bu > coreos.ign
```
Please note: The arrow space filename space arrow is required. Id recommend copying/pasting this as long as youve named your config.bu file the same as the tutorial.
Congrats! Youve officially created your ignition file which is required when installing Fedora CoreOS. 90% of the heavy lifting is over. :slightly_smiling_face:
Locally share your Ignition File
During the CoreOS install, youll notice the install requires a URL pointing to your ignition file. Lets tackle that next. Change directory back into our ~/Downloads/coreos folder if you arent already. We are going to setup temporary web hosting to share our coreos.ign file out to our VM/old laptop without sharing it with the world. The only devices that can see your web host will be internal devices, as long as you arent forwarding out port 8000 in your router. Please dont do that :slightly_smiling_face: Youll need to know the IP address of your Host PC so you can reference it correctly when typing in the URL of the ignition file.
To find your IP Address on the Host PC, open a Terminal and type:
ip addr
Make note of your Host IP. For this example we can use 192.168.1.8. Now, we will disable our firewall temporarily so we do not receive any 404 access denied errors when trying to access the file for the install.
To disable the firewall, open a Terminal and type:
sudo systemctl stop firewalld
We are now ready to fire up the web host to share the ignition file from the Host machine. To start the web host, open a Terminal and type:
python3 -m http.server
We are using Fedora 41 Silverblue in this tutorial, if your distro doesnt include python, please download python before running the command above.
Everything we have done so far has been on the Host PC. Now it is time to move over to our VM or old laptop to install Fedora CoreOS.
Install Fedora CoreOS
Boot to your Bare Metal ISO you downloaded earlier. You should be presented with a black screen and a Terminal prompt. First, we want to check what our drive names are. To do this, run lsblk. Replace /dev/sdX with the correct drive you wish to target. For VMs, this is normally /dev/vda.
To install CoreOS, run:
# To install CoreOS, run:
```
sudo coreos-installer install /dev/sdX --ignition-url http://192.168.1.8:8000/coreos.ign --insecure-ignition
```
Remember to replace X with your drive. This is normally sda, but its better to run lsblk and be 100% sure.
Once the install completes, you can type shutdown now. Head back to your Host PC and lets stop the web host and re-enable the firewall. On the Host PC, the terminal that has the web host running can be stopped by pressing CTRL + C.
@@ -97,7 +72,7 @@ To ensure the firewall is indeed running again on your Host PC, please check in
Congrats, now we can SSH into our VM or old laptop to finish setting it up. :slightly_smiling_face:
Layer in Firewalld with rpm-ostree
# Layer in Firewalld with rpm-ostree
By default, CoreOS doesnt come with firewalld. Lets change that, but first we need to SSH for the first time into our fresh CoreOS install. To do that, we need to open a Terminal and type: ssh core@192.168.1.8
Youll be prompted to accept the key pair by typing yes. Also, if you created a passphrase during your SSH key setup, youll be presented to enter that as well. We didnt do that in this example, so well just type yes. Once youve done that, youll be presented with text similar to this:
@@ -115,11 +90,11 @@ To install firewalld, open a Terminal and type: sudo rpm-ostree install firewall
Once that completes, go ahead and reboot, re-SSH back in and well setup the Firewall rules.
Setup Firewall Rules and DNS
# Setup Firewall Rules and DNS
Setting up the firewall rules with firewalld is very simple. Re-SSH into our CoreOS machine, then copy and paste these rules.
From a Terminal, type:
```
sudo firewall-cmd --zone=FedoraServer --add-port=80/tcp
sudo firewall-cmd --zone=FedoraServer --add-port=443/tcp
@@ -139,70 +114,15 @@ sudo firewall-cmd --permanent --zone=FedoraServer --add-port=443/tcp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=67/udp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=80/tcp
```
Next, we want to setup DNS. In my example, my network is named enp1s0, but yours may be different. To find the network you want to target, type ip addr and it will show to the right of 1, 2, 3… depending on how many network devices you have. Once you have your target network device, open a Terminal and type (Id recommend copy/pasting this. Please edit in KWrite/VS Code if you need to modify the network device name to fit yours):
```
sudo nmcli device modify enp1s0 ipv4.addresses 192.168.1.8/24
sudo nmcli device modify enp1s0 ipv4.gateway 192.168.1.1
```
```
sudo nmcli device modify enp1s0 ipv4.dns "8.8.8.8 8.8.4.4"
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo unlink /etc/resolv.confsudo systemctl restart NetworkManager
Setup Pi-hole
Now our CoreOS is ready for its intended use. Lets get Pi-hole setup and running. To start, we need to create two volumes required by Pi-hole to operate. Open a Terminal and type:
sudo podman volume create pihole_pihole
sudo podman volume create pihole_dnsmasq
Next, lets pull the image down. Open a Terminal and type:
sudo podman pull docker.io/pihole/pihole
Now lets run it, and make sure it works. Notice my timezone is America/Denver. Youll need to change this to your appropriate timezone. Also, please change the WEBPASSWORD. Open a Terminal and type:
sudo podman run --name=pihole \
--hostname=pi-hole \
--cap-add=NET_ADMIN \
--dns=127.0.0.1 \
--dns=1.1.1.1 \
-e TZ=America/Denver \
-e SERVERIP=192.168.1.8 \
-e WEBPASSWORD=CHANGETHIS \
-e DNS1=1.1.1.1 \
-e DNS2=1.0.0.1 \
-e DNSSEC=true \
-e CONDITIONAL_FORWARDING=true \
-e CONDITIONAL_FORWARDING_IP=192.168.1.1 \
-e CONDITIONAL_FORWARDING_DOMAIN=lan \
-e TEMPERATUREUNIT=c \
-v pihole_pihole:/etc/pihole:Z \
-v pihole_dnsmasq:/etc/dnsmasq.d:Z \
-p 80:80/tcp \
-p 443:443/tcp \
-p 67:67/udp \
-p 53:53/tcp \
-p 53:53/udp \
docker.io/pihole/pihole
Congrats! Youve just setup Pi-hole on CoreOS!
BONUS If using a laptop
If you are using an old laptop like me, you dont want to keep the lid open all the time. To fix that, open a Terminal and type:
sudo mkdir -p /etc/systemd/logind.conf.d
sudo nano /etc/systemd/logind.conf.d/ignore-lid-switch.conf
Heres the contents of the ignore-lid-switch.conf (I would copy/paste this):
[Login]
HandleLidSwitch=ignore
HandleLidSwitchExternalPower=ignore
HandleLidSwitchDocked=ignore
Press CTRL + O to write your changes OUT. CTRL + X to EXIT.
Now, we need to restart the login service.
Open a Terminal and type: sudo systemctl restart systemd-logind
```