public
/
bootc-base-images
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #40 from cgwalters/doc-logins 

docs: Improve login/tryout docs
This commit is contained in:
Colin Walters 2023-11-08 20:04:06 -05:00 committed by GitHub
parent f390fdaad9 a172237629
commit a42f336f05
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 171 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
docs/example.ks Normal file
View File

@ -0,0 +1,110 @@
text
# Basic partitioning
clearpart --all --initlabel --disklabel=gpt
part prepboot --size=4 --fstype=prepboot
part biosboot --size=1 --fstype=biosboot
part /boot/efi --size=100 --fstype=efi
part /boot --size=1000 --fstype=ext4 --label=boot
part / --grow --fstype xfs
ostreecontainer --url quay.io/centos-boot/fedora-tier-1:eln --no-signature-verification
firewall --disabled
services --enabled=sshd
# Only inject a SSH key for root
rootpw --iscrypted locked
# Add your example SSH key here!
#sshkey --username root "ssh-ed25519 <key> demo@example.com"
reboot
# ONLY SCROLL PAST HERE TO SEE THE TEMPORARY UGLY HACKS
# Install via bootupd - TODO change anaconda to auto-detect this
bootloader --location=none --disabled
%post
# Work around anaconda wanting a root password
passwd -l root
/usr/bin/bootupctl backend install --device /dev/vda /
mkdir -p /boot/grub2
# Work around https://github.com/coreos/bootupd/pull/536 not being merged yet
base64 -d >/boot/grub2/grub.cfg << EOF
IyBUaGlzIGZpbGUgaXMgY29waWVkIGZyb20gaHR0cHM6Ly9naXRodWIuY29tL2NvcmVvcy9jb3Jl
b3MtYXNzZW1ibGVyL2Jsb2IvbWFpbi9zcmMvZ3J1Yi5jZmcKIyBDaGFuZ2VzOgojICAgLSBEcm9w
cGVkIElnbml0aW9uIGdsdWUsIHRoYXQgY2FuIGJlIGluamVjdGVkIGludG8gcGxhdGZvcm0uY2Zn
CiMgc2V0IHBhZ2VyPTEKIyBwZXRpdGJvb3QgZG9lc24ndCBzdXBwb3J0IC1lIGFuZCBkb2Vzbid0
IHN1cHBvcnQgYW4gZW1wdHkgcGF0aCBwYXJ0CmlmIFsgLWQgKG1kL21kLWJvb3QpL2dydWIyIF07
IHRoZW4KICAjIGZjY3QgY3VycmVudGx5IGNyZWF0ZXMgL2Jvb3QgUkFJRCB3aXRoIHN1cGVyYmxv
Y2sgMS4wLCB3aGljaCBhbGxvd3MKICAjIGNvbXBvbmVudCBwYXJ0aXRpb25zIHRvIGJlIHJlYWQg
ZGlyZWN0bHkgYXMgZmlsZXN5c3RlbXMuICBUaGlzIGlzCiAgIyBuZWNlc3NhcnkgYmVjYXVzZSB0
cmFuc3Bvc2VmcyBkb2Vzbid0IHlldCByZXJ1biBncnViMi1pbnN0YWxsIG9uIEJJT1MsCiAgIyBz
byBHUlVCIHN0aWxsIGV4cGVjdHMgL2Jvb3QgdG8gYmUgYSBwYXJ0aXRpb24gb24gdGhlIGZpcnN0
IGRpc2suCiAgIwogICMgVGhlcmUgYXJlIHR3byBjb25zZXF1ZW5jZXM6CiAgIyAxLiBPbiBCSU9T
IGFuZCBVRUZJLCB0aGUgc2VhcmNoIGNvbW1hbmQgbWlnaHQgcGljayBhbiBpbmRpdmlkdWFsIFJB
SUQKICAjICAgIGNvbXBvbmVudCwgYnV0IHdlIHdhbnQgaXQgdG8gdXNlIHRoZSBmdWxsIFJBSUQg
aW4gY2FzZSB0aGVyZSBhcmUgYmFkCiAgIyAgICBzZWN0b3JzIGV0Yy4gIFRoZSB1bmRvY3VtZW50
ZWQgLS1oaW50IG9wdGlvbiBpcyBzdXBwb3NlZCB0byBzdXBwb3J0CiAgIyAgICB0aGlzIHNvcnQg
b2Ygb3ZlcnJpZGUsIGJ1dCBpdCBkb2Vzbid0IHNlZW0gdG8gd29yaywgc28gd2Ugc2V0ICRib290
CiAgIyAgICBkaXJlY3RseS4KICAjIDIuIE9uIEJJT1MsIHRoZSAibm9ybWFsIiBtb2R1bGUgaGFz
IGFscmVhZHkgYmVlbiBsb2FkZWQgZnJvbSBhbgogICMgICAgaW5kaXZpZHVhbCBSQUlEIGNvbXBv
bmVudCwgYW5kICRwcmVmaXggc3RpbGwgcG9pbnRzIHRoZXJlLiAgV2Ugd2FudAogICMgICAgZnV0
dXJlIG1vZHVsZSBsb2FkcyB0byBjb21lIGZyb20gdGhlIFJBSUQsIHNvIHdlIHJlc2V0ICRwcmVm
aXguCiAgIyAgICAoT24gVUVGSSwgdGhlIHN0dWIgZ3J1Yi5jZmcgaGFzIGFscmVhZHkgc2V0ICRw
cmVmaXggcHJvcGVybHkuKQogIHNldCBib290PW1kL21kLWJvb3QKICBzZXQgcHJlZml4PSgkYm9v
dCkvZ3J1YjIKZWxzZQogIGlmIFsgLWYgJHtjb25maWdfZGlyZWN0b3J5fS9ib290dXVpZC5jZmcg
XTsgdGhlbgogICAgc291cmNlICR7Y29uZmlnX2RpcmVjdG9yeX0vYm9vdHV1aWQuY2ZnCiAgZmkK
ICBpZiBbIC1uICIke0JPT1RfVVVJRH0iIF07IHRoZW4KICAgIHNlYXJjaCAtLWZzLXV1aWQgIiR7
Qk9PVF9VVUlEfSIgLS1zZXQgYm9vdCAtLW5vLWZsb3BweQogIGVsc2UKICAgIHNlYXJjaCAtLWxh
YmVsIGJvb3QgLS1zZXQgYm9vdCAtLW5vLWZsb3BweQogIGZpCmZpCnNldCByb290PSRib290Cgpp
ZiBbIC1mICR7Y29uZmlnX2RpcmVjdG9yeX0vZ3J1YmVudiBdOyB0aGVuCiAgbG9hZF9lbnYgLWYg
JHtjb25maWdfZGlyZWN0b3J5fS9ncnViZW52CmVsaWYgWyAtcyAkcHJlZml4L2dydWJlbnYgXTsg
dGhlbgogIGxvYWRfZW52CmZpCgppZiBbIHgiJHtmZWF0dXJlX21lbnVlbnRyeV9pZH0iID0geHkg
XTsgdGhlbgogIG1lbnVlbnRyeV9pZF9vcHRpb249Ii0taWQiCmVsc2UKICBtZW51ZW50cnlfaWRf
b3B0aW9uPSIiCmZpCgpmdW5jdGlvbiBsb2FkX3ZpZGVvIHsKICBpZiBbIHgkZmVhdHVyZV9hbGxf
dmlkZW9fbW9kdWxlID0geHkgXTsgdGhlbgogICAgaW5zbW9kIGFsbF92aWRlbwogIGVsc2UKICAg
IGluc21vZCBlZmlfZ29wCiAgICBpbnNtb2QgZWZpX3VnYQogICAgaW5zbW9kIGllZWUxMjc1X2Zi
CiAgICBpbnNtb2QgdmJlCiAgICBpbnNtb2QgdmdhCiAgICBpbnNtb2QgdmlkZW9fYm9jaHMKICAg
IGluc21vZCB2aWRlb19jaXJydXMKICBmaQp9CgojIHRyYWNrZXI6IGh0dHBzOi8vZ2l0aHViLmNv
bS9jb3Jlb3MvZmVkb3JhLWNvcmVvcy10cmFja2VyL2lzc3Vlcy84MDUKaWYgWyAtZiAkcHJlZml4
L3BsYXRmb3JtLmNmZyBdOyB0aGVuCiAgc291cmNlICRwcmVmaXgvcGxhdGZvcm0uY2ZnCmZpCgpp
ZiBbIHgkZmVhdHVyZV90aW1lb3V0X3N0eWxlID0geHkgXSA7IHRoZW4KICBzZXQgdGltZW91dF9z
dHlsZT1tZW51CiAgc2V0IHRpbWVvdXQ9MQojIEZhbGxiYWNrIG5vcm1hbCB0aW1lb3V0IGNvZGUg
aW4gY2FzZSB0aGUgdGltZW91dF9zdHlsZSBmZWF0dXJlIGlzCiMgdW5hdmFpbGFibGUuCmVsc2UK
ICBzZXQgdGltZW91dD0xCmZpCgojIEltcG9ydCB1c2VyIGRlZmluZWQgY29uZmlndXJhdGlvbgoj
IHRyYWNrZXI6IGh0dHBzOi8vZ2l0aHViLmNvbS9jb3Jlb3MvZmVkb3JhLWNvcmVvcy10cmFja2Vy
L2lzc3Vlcy84MDUKaWYgWyAtZiAkcHJlZml4L3VzZXIuY2ZnIF07IHRoZW4KICBzb3VyY2UgJHBy
ZWZpeC91c2VyLmNmZwpmaQoKYmxzY2ZnCgo=
EOF
%end

96
docs/install.md
View File

@ -4,6 +4,67 @@
nav_order: 2 nav_order: 2
--- ---
## Operating system state (users, ssh keys)
It's absolutely crucial to understand that the container image *is* the
operating system content. Notably the default `tier-1` image
[does not include cloud-init](cloud-agents.md) or Ignition or any default
recommended mechanism for provisioning user accountson its own.
Commonly then you will want to build your own container image derived from e.g.
`quay.io/centos-boot/fedora-tier-1:eln` that adds a login mechanism. For
example, you could
[add cloud-init](https://gitlab.com/CentOS/cloud/sagano-examples/-/blob/main/cloud-init-base/Containerfile).
However, it's also possible to embed SSH login configuration in the image, or
configure any login mechanism you desire in general! For example, you could set
up a VPN configuration in your operating system and ensure logins are only
possible over the VPN, etc.
## Installation using Anaconda
Tools like
[Anaconda](https://anaconda-installer.readthedocs.io/en/latest/intro.html)
support injecting configuration at image installation time, such as SSH keys and
passwords. This means that in contrast to what was said just before, it's
possible to directly install (and update from) an "unconfigured base image"
provided by this project.
This hinges on the
[ostreecontainer](https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#ostreecontainer)
kickstart verb, which is new in Fedora 38; for example, there is a
[netinst.iso](https://dl.fedoraproject.org/pub/fedora/linux/releases/39/Everything/x86_64/iso/)
which can be scripted with kickstart. Because a current development target for
this project is [Fedora ELN](https://docs.fedoraproject.org/en-US/eln/), it's
also supported to use the ISO generated by that project.
See [example.ks](example.ks) for an example Kickstart file. The
[virt-install --initrd-inject](https://github.com/virt-manager/virt-manager/blob/main/man/virt-install.rst#--initrd-inject)
helps inject kickstart for installation to virtual machines.
## Using `bootc install-to-filesystem --replace=alongside` with a cloud image
A toplevel goal of this project is that the "source of truth" for Linux
operating system management is a container image registry - as opposed to e.g. a
set of qcow2 OpenStack images or AMIs, etc. You should not need to maintain
infrastructure to e.g. manage garbage collection or versioning of cloud (IaaS)
VM images.
The latest releases of `bootc` have support for
`bootc install-to-filesystem --replace=alongside`. More about this core mechanic
in the
[bootc install docs](https://github.com/containers/bootc/blob/main/docs/install.md).
Here's an example set of steps to execute; this could be done via e.g.
[cloud-init](https://cloudinit.readthedocs.io/en/latest/reference/index.html)
configuration.
```shell
dnf -y install podman skopeo
podman run --rm --privileged --pid=host -v /:/target --security-opt label=type:unconfined_t <yourimage> bootc install-to-filesystem --target-no-signature-verification --karg=console=ttyS0,115200n8 --replace=alongside /target
reboot
```
<!-- <!--
## Booting directly from KVM guest image ## Booting directly from KVM guest image
@ -31,41 +92,6 @@ rpm-ostree rebase ostree-unverified-registry:quay.io/centos-boot/fedora-tier-1:e
systemctl reboot systemctl reboot
``` ```
See also [this pull request][1] for more information.
## TODO: Use osbuild ## TODO: Use osbuild
Document the ongoing work to materialize a disk image from a container. Document the ongoing work to materialize a disk image from a container.
## Using `bootc install-to-filesystem --replace=alongside` with a cloud image
A toplevel goal of this project is that the "source of truth" for Linux
operating system management is a container image registry - as opposed to e.g. a
set of qcow2 OpenStack images or AMIs, etc.
The latest development builds of `bootc` have support for
`bootc install-to-filesystem --replace=alongside`. More about this core
mechanic in the [bootc install docs](https://github.com/containers/bootc/blob/main/docs/install.md).
Here's an example set of steps to execute; this could be done via e.g.
[cloud-init](https://cloudinit.readthedocs.io/en/latest/reference/index.html)
configuration.
```shell
dnf -y install podman skopeo
podman run --rm --privileged --pid=host -v /:/target --security-opt label=type:unconfined_t quay.io/centos-boot/fedora-tier-1:eln bootc install-to-filesystem --target-no-signature-verification --karg=console=ttyS0,115200n8 --replace=alongside /target
reboot
```
## Generating a derived container image
These examples just use a "stock" container image, and in the first case rely on
user state being preserved by the `rpm-ostree rebase`.
What's much more interesting is to generate a custom derived container image,
and target that instead. For more information, see
- <https://github.com/coreos/layering-examples>
- <https://github.com/openshift/rhcos-image-layering-examples>
[1]: https://github.com/coreos/fedora-coreos-docs/pull/540