diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 713f596..147522a 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -212,6 +212,7 @@ jobs:
 fail-fast: false
 matrix:
 image_suffix:
+ - "-minimal"
 - ""
 - "-hci"
 nvidia_tag:
@@ -224,10 +225,12 @@ jobs:
 - image_base: ucore
 - image_version: ${{ needs.stream_info.outputs.version }}
 - pr_prefix: ${{ needs.workflow_info.outputs.pr_prefix }}
+ - image_suffix: "-minimal"
+ description: An OCI image of Fedora CoreOS with a few extra tools and suitable for running in a VM
 - image_suffix: ""
- extra_desc: "n"
+ description: An OCI image of Fedora CoreOS with a few extra tools, hardware support, and storage utilities
 - image_suffix: "-hci"
- extra_desc: " hyper-converged infrastructure"
+ description: A hyper-converged infrastructure OCI image of Fedora CoreOS (storage + hypervisor)
 steps:
 # Checkout push-to-registry action GitHub repository
@@ -284,7 +287,7 @@ jobs:
 labels: |
 io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
 io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/ucore/main/README.md
- org.opencontainers.image.description=A${{ matrix.extra_desc }} OCI image of Fedora CoreOS with batteries included
+ org.opencontainers.image.description=${{ matrix.description }}
 org.opencontainers.image.title=${{ matrix.image_base }}${{ matrix.image_suffix }}
 org.opencontainers.image.version=${{ matrix.image_version }}
diff --git a/README.md b/README.md
index ea6eead..90f3c99 100644
--- a/README.md
+++ b/README.md
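Review bot: The `-minimal` entry added to the matrix include, `description: An OCI image of Fedora CoreOS with a few extra tools and suitable for running in a VM`, disagrees with the README in this same commit, which describes `ucore-minimal` as suitable for bare metal or virtual machines; this label is what registries and Artifact Hub display, so the two should say the same thing, e.g. `description: An OCI image of Fedora CoreOS with a few extra tools, suitable for bare metal or virtual machines`. All three `description` values are long plain scalars; they are later interpolated into the `labels: |` block scalar in the third hunk, where each label must stay on one physical line, so if they are ever folded to satisfy a line-length lint, use `>-` rather than `|` so no newline is introduced.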
@@ -7,13 +7,30 @@ You should be familiar with [Fedora CoreOS](https://getfedora.org/coreos/), as this is an OCI image of CoreOS with "batteries included". More specifically, it's an opinionated, custom CoreOS image, built daily with some commonly used tools added in. The idea is to make a lightweight server image including most used services or the building blocks to host them. -WARNING: This image has **not** been heavily tested, though the underlying components have. Please take a look at the included modifications and help test if this project interests you. +Please take a look at the included modifications and help us test uCore if the project interests you. ## Images & Features +The uCore project builds four images, each with different tags for different features. + +The image names are: + +- [`fedora-coreos`](#fedora-coreos) +- [`ucore-minimal`](#ucore-minimal) +- [`ucore`](#ucore) +- [`ucore-hci`](#ucore-hci) + +The [tag matrix](#tag-matrix) includes combinations of the following: + +- `stable` - for an image based on the Fedora CoreOS stable stream +- `testing` - for an image based on the Fedora CoreOS testing stream +- `nvidia` - for an image which includes nvidia driver and container runtime +- `zfs` - for an image which includes zfs driver and tools + + ### `fedora-coreos` -**NOTE: formerly named `fedora-coreos-zfs`, that version of the image did not offer the nvidia option. Please update with `rpm-ostree rebase`.** +*NOTE: formerly named `fedora-coreos-zfs`, the previous version of the image did not offer the nvidia option. If on the previous image name, please update with `rpm-ostree rebase`.* A generic [Fedora CoreOS image](https://quay.io/repository/fedora/fedora-coreos?tab=tags) image with choice of add-on kernel modules: 
@@ -26,20 +43,16 @@ A generic [Fedora CoreOS image](https://quay.io/repository/fedora/fedora-coreos? *NOTE: currently, zincati fails to start on systems with OCI based deployments (like uCore). Upstream efforts are active to correct this.* -### `ucore` +### `ucore-minimal` -Suitable for running containerized workloads on either baremetal or virtual machines, this image tries to stay lightweight but functional for multiple use cases, including that of a storage server (NAS). +Suitable for running containerized workloads on either bare metal or virtual machines, this image tries to stay lightweight but functional. - Starts with a [Fedora CoreOS image](https://quay.io/repository/fedora/fedora-coreos?tab=tags) - Adds the following: - - [cockpit](https://cockpit-project.org) - - [distrobox](https://github.com/89luca89/distrobox) - - [duperemove](https://github.com/markfasheh/duperemove) - - guest VM agents (`qemu-guest-agent` and `open-vm-tools`) - - intel wifi firmware - CoreOS omits this despite including atheros wifi firmware... hardware enablement FTW - - [mergerfs](https://github.com/trapexit/mergerfs) - - moby-engine(docker), docker-compose and podman-compose - - [snapraid](https://www.snapraid.it/) + - [cockpit](https://cockpit-project.org) (podman container and system management) + - [firewalld](https://firewalld.org/) + - guest VM agents (`qemu-guest-agent` and `open-vm-tools`)) + - [docker-compose](https://github.com/docker/compose) and [podman-compose](https://github.com/containers/podman-compose) *docker(moby-engine) and podman are pre-installed in CoreOS* - [tailscale](https://tailscale.com) and [wireguard-tools](https://www.wireguard.com) - [tmux](https://github.com/tmux/tmux/wiki/Getting-Started) - udev rules enabling full functionality on some [Realtek 2.5Gbit USB Ethernet](https://github.com/wget/realtek-r8152-linux/) devices 
@@ -50,18 +63,31 @@ Suitable for running containerized workloads on either baremetal or virtual mach - Optional [ZFS versions](#tag-matrix) add: - [sanoid/syncoid dependencies](https://github.com/jimsalterjrs/sanoid) - [see below](#zfs) for details - [ZFS driver](https://github.com/ublue-os/ucore-kmods) - latest driver (currently pinned to 2.2.x series) +- Disables Zincati auto upgrade/reboot service - Enables staging of automatic system updates via rpm-ostreed - Enables password based SSH auth (required for locally running cockpit web interface) -- Disables Zincati auto upgrade/reboot service +- Provides public key allowing [SecureBoot](#secureboot) (for ucore signed `nvidia` or `zfs` drivers) Note: per [cockpit instructions](https://cockpit-project.org/running.html#coreos) the cockpit-ws RPM is **not** installed, rather it is provided as a pre-defined systemd service which runs a podman container. -### `ucore-hci` +### `ucore` + +This image builds on `ucore-minimal` but adds drivers, storage tools and utilities making it more useful on bare metal or as a storage server (NAS). + +- Starts with a [`ucore-minimal`](#ucore-minimal) image providing everything above, plus: +- Adds the following: + - [cockpit-storaged](https://cockpit-project.org) (udisks2 based storage management) + - [distrobox](https://github.com/89luca89/distrobox) - a [toolbox](https://containertoolbx.org/) alternative + - [duperemove](https://github.com/markfasheh/duperemove) + - intel wifi firmware - CoreOS omits this despite including atheros wifi firmware... hardware enablement FTW + - [mergerfs](https://github.com/trapexit/mergerfs) + - [snapraid](https://www.snapraid.it/) -Hyper-Coverged Infrastructure(HCI) refers to storage and virtualization in one place... So this image primarily adds the virtualization stack. +### `ucore-hci` +Hyper-Coverged Infrastructure(HCI) refers to storage and hypervisor in one place... This image primarily adds libvirt tools for virtualization. 
-- Starts with `ucore` to give you everything above, plus: +- Starts with a [`ucore`](#ucore) image providing everything above, plus: - Adds the following: - [cockpit-machines](https://github.com/cockpit-project/cockpit-machines): Cockpit GUI for managing virtual machines - [libvirt-client](https://libvirt.org/): `virsh` command-line utility for managing virtual machines @@ -180,7 +206,7 @@ The utility will prompt for a password. The password will be used to verify this ## How to Install -### Prerequsites +### Prerequisites This image is not currently available for direct install. The user must follow the [CoreOS installation guide](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/). There are varying methods of installation for bare metal, cloud providers, and virtualization platforms. 
@@ -205,16 +231,26 @@ sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/IMAGE:TAG |-|-| | [`fedora-coreos`](#fedora-coreos) - *stable* | `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` | | [`fedora-coreos`](#fedora-coreos) - *testing* | `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` | +| [`ucore-minimal`](#ucore-minimal) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` | +| [`ucore-mimimal`](#ucore-minimal) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` | | [`ucore`](#ucore) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` | | [`ucore`](#ucore) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` | | [`ucore-hci`](#ucore-hci) - *stable* | `stable`, `stable-nvidia`, `stable-zfs`,`stable-nvidia-zfs` | | [`ucore-hci`](#ucore-hci) - *testing* | `testing`, `testing-nvidia`, `testing-zfs`, `testing-nvidia-zfs` | +#### Verified Image Updates + +This image now includes container policies to support image verification for improved trust of upgrades. Once running one of the `ucore*` images (not included in `fedora-coreos`), the following command will rebase to the verified image reference: + +```bash +sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/IMAGE:TAG +``` + ### Install with Auto-Rebase -Your path to a running uCore can be shortend by using [examples/ucore-autorebase.butane](examples/ucore-autorebase.butane) as the starting point for your CoreOS ignition file. +Your path to a running uCore can be shortened by using [examples/ucore-autorebase.butane](examples/ucore-autorebase.butane) as the starting point for your CoreOS ignition file. 1. As usual, you'll need to [follow the docs to setup a password](https://coreos.github.io/butane/examples/#using-password-authentication). 
Substitute your password hash for `YOUR_GOOD_PASSWORD_HASH_HERE` in the `ucore-autorebase.butane` file, and add your ssh pub key while you are at it. 1. Generate an ignition file from your new `ucore-autorebase.butane` [using the butane utility](https://coreos.github.io/butane/getting-started/).
diff --git a/ucore/Containerfile b/ucore/Containerfile
index b9aaa26..b3a422e 100644
--- a/ucore/Containerfile
+++ b/ucore/Containerfile
@@ -1,8 +1,8 @@
 ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
-# ucore-hci image section
-FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION} AS ucore
+# ucore-minimal image section
+FROM quay.io/fedora/fedora-coreos:${COREOS_VERSION} AS ucore-minimal
 ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
 # build with --build-arg NVIDA_TAG="-nvidia" to install nvidia
@@ -20,10 +20,9 @@ COPY packages.json /tmp/packages.json
 COPY usr /usr
-RUN export IMAGE_NAME=ucore \
- && mkdir -p /var/lib/alternatives \
- && /tmp/install.sh \
- && /tmp/post-install.sh \
+RUN mkdir -p /var/lib/alternatives \
+ && /tmp/install-ucore-minimal.sh \
+ && /tmp/post-install-ucore-minimal.sh \
 && mv /var/lib/alternatives /staged-alternatives \
 && rm -fr /tmp/* /var/* \
 && ostree container commit \
@@ -34,6 +33,26 @@ RUN export IMAGE_NAME=ucore \
 COPY --from=docker.io/docker/compose-bin:latest /docker-compose /usr/bin/docker-compose
+# ucore image section
+FROM ucore-minimal AS ucore
+
+ARG COREOS_VERSION="${COREOS_VERSION:-stable}"
+
+COPY *.sh /tmp/
+COPY packages.json /tmp/packages.json
+
+COPY usr /usr
+
+RUN mkdir -p /var/lib/alternatives \
+ && /tmp/install-ucore.sh \
+ && mv /var/lib/alternatives /staged-alternatives \
+ && rm -fr /tmp/* /var/* \
+ && ostree container commit \
+ && mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives \
+ && mkdir -p /tmp /var/tmp \
+ && chmod -R 1777 /tmp /var/tmp
+
+
 # ucore-hci image section
 FROM ucore AS ucore-hci
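Review bot: In the new `ucore` stage, `COPY usr /usr` re-copies the same tree that the `ucore-minimal` stage it builds `FROM` already copied, so it adds a layer without changing the image unless the minimal stage's post-install removes something from that tree, which this diff does not show; the `ucore-hci` stage in the following hunk does not repeat the copy, so dropping the line here would make the three stages consistent. The stage also runs only `/tmp/install-ucore.sh`, with no post-install step unlike the minimal stage; if that is intentional, a comment such as `# post-install already ran in the ucore-minimal stage; only packages are added here` above the `RUN` would spare the next reader the question.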
@@ -44,9 +63,8 @@ ARG ZFS_TAG="${ZFS_TAG}"
 COPY *.sh /tmp/
 COPY packages.json /tmp/packages.json
-RUN export IMAGE_NAME=ucore-hci \
- && mkdir -p /var/lib/alternatives \
- && /tmp/install-hci.sh \
+RUN mkdir -p /var/lib/alternatives \
+ && /tmp/install-ucore-hci.sh \
 && mv /var/lib/alternatives /staged-alternatives \
 && rm -fr /tmp/* /var/* \
 && ostree container commit \
diff --git a/ucore/install-hci.sh b/ucore/install-hci.sh
deleted file mode 100755
index 24020a8..0000000
--- a/ucore/install-hci.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-set -ouex pipefail
-
-RELEASE="$(rpm -E %fedora)"
-
-# ucore copr needed for some packages
-curl -L https://copr.fedorainfracloud.org/coprs/ublue-os/ucore/repo/fedora-${RELEASE}/ublue-os-ucore-fedora-${RELEASE}.repo \
- -o /etc/yum.repos.d/_copr_ublue-os-ucore.repo
-
-# install packages.json stuffs
-/tmp/packages.sh
diff --git a/ucore/install-ucore-hci.sh b/ucore/install-ucore-hci.sh
new file mode 100755
index 0000000..c642e73
--- /dev/null
+++ b/ucore/install-ucore-hci.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -ouex pipefail
+
+# install packages.json stuffs
+export IMAGE_NAME=ucore-hci
+/tmp/packages.sh
diff --git a/ucore/install.sh b/ucore/install-ucore-minimal.sh
similarity index 94%
rename from ucore/install.sh
rename to ucore/install-ucore-minimal.sh
index a607b6f..6596b44 100755
--- a/ucore/install.sh
+++ b/ucore/install-ucore-minimal.sh
@@ -59,7 +59,5 @@ fi
 curl -L https://pkgs.tailscale.com/stable/fedora/tailscale.repo -o /etc/yum.repos.d/tailscale.repo
 # install packages.json stuffs
+export IMAGE_NAME=ucore-minimal
 /tmp/packages.sh
-
-# install packages direct from github
-/tmp/github-release-install.sh trapexit/mergerfs fc.x86_64
diff --git a/ucore/install-ucore.sh b/ucore/install-ucore.sh
new file mode 100755
index 0000000..df4ff0c
--- /dev/null
+++ b/ucore/install-ucore.sh
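Review bot: The new `install-ucore-hci.sh` only exports `IMAGE_NAME=ucore-hci` and calls `/tmp/packages.sh`, whereas the deleted `install-hci.sh` first wrote the `ublue-os/ucore` copr repo file to `/etc/yum.repos.d/_copr_ublue-os-ucore.repo` with the comment that it was needed for some packages; the hci stage now depends on that repo file still being present from the `ucore-minimal`/`ucore` stages. Whether `install-ucore-minimal.sh` or its post-install leaves that file in place is not visible in this diff; if it is cleaned up, any hci package that comes from the copr would fail to resolve, so please confirm and, if needed, restore the copr lines. The same question applies to the new `install-ucore.sh`.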
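Review bot: `export IMAGE_NAME=ucore-minimal` hard-codes a value that must agree by convention with the stage name in `ucore/Containerfile` and with the key in `packages.json`, and nothing checks the three against each other; the new `install-ucore.sh` and `install-ucore-hci.sh` repeat the pattern. The only consumer in this script is the `/tmp/packages.sh` call on the next line, so the assignment could be scoped to it, `IMAGE_NAME=ucore-minimal /tmp/packages.sh`, with a comment such as `# IMAGE_NAME presumably selects this image's list in packages.json` making the coupling visible; alternatively set it once per stage in the Containerfile (as the removed `RUN export IMAGE_NAME=…` lines did, or via a build `ARG`) so the scripts stay free of the image name.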
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -ouex pipefail
+
+# install packages.json stuffs
+export IMAGE_NAME=ucore
+/tmp/packages.sh
+
+# install packages direct from github
+/tmp/github-release-install.sh trapexit/mergerfs fc.x86_64
diff --git a/ucore/packages.json b/ucore/packages.json
index 336771b..6324fbe 100644
--- a/ucore/packages.json
+++ b/ucore/packages.json
@@ -1,27 +1,30 @@ { "all": { "include": { - "all": [ + "all": [], + "ucore-minimal": [ "cockpit-networkmanager", "cockpit-podman", "cockpit-selinux", - "cockpit-storaged", "cockpit-system", - "distrobox", - "duperemove", "firewalld", - "iwlegacy-firmware", - "iwlwifi-dvm-firmware", - "iwlwifi-mvm-firmware", "open-vm-tools", "podman", "podman-compose", "qemu-guest-agent", - "snapraid", "tailscale", "tmux", "wget", - "wireguard-tools", + "wireguard-tools" ], "ucore": [ + "cockpit-storaged", + "distrobox", + "duperemove", + "iwlegacy-firmware", + "iwlwifi-dvm-firmware", + "iwlwifi-mvm-firmware", + "snapraid", "xdg-dbus-proxy", "xdg-user-dirs" ],
@@ -35,6 +38,8 @@
 },
 "exclude": {
 "all": [],
+ "ucore-minimal": [],
+ "ucore": [],
 "ucore-hci": [
 "nfs-utils-coreos"
 ]
diff --git a/ucore/post-install.sh b/ucore/post-install-ucore-minimal.sh
similarity index 100%
rename from ucore/post-install.sh
rename to ucore/post-install-ucore-minimal.sh
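Review bot: `/tmp/github-release-install.sh trapexit/mergerfs fc.x86_64` (moved here from `install.sh`) hard-codes the `x86_64` suffix, and from this hunk it is not visible whether a release version is pinned or whether the downloaded RPM's checksum or signature is verified before it is installed; as written, every daily build pulls whatever that third-party release currently serves. Pinning the release and verifying the artifact belong in `github-release-install.sh`, which is outside this diff, so at minimum a comment here stating what is checked would help, e.g. `# mergerfs is not in the Fedora repos; release pinning/verification is handled in github-release-install.sh`, and the architecture part could be derived from `uname -m` rather than fixed.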
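Review bot: The former shared `all` list is emptied (`"all": []`) and split into per-image lists, where the new `ucore` list holds only the packages added on top of `ucore-minimal`; that delta semantics mirrors the `FROM` chain in `ucore/Containerfile` but is recorded nowhere, and JSON cannot carry a comment. A sentence in the README or in `packages.sh` (both outside this hunk), e.g. `each image key lists only the packages added on top of the image it builds FROM`, would stop someone from later re-adding a `ucore-minimal` package to the `ucore` list. Whether `packages.sh` tolerates an empty `all` array and the empty exclude lists added in the second hunk is not visible here; confirm before merging.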