├── .github └── workflows │ ├── ansible-firewalld.yml │ ├── build-zfs-module.yml │ ├── butane.yml │ ├── convert-ubuntu-package.yml │ ├── dracut-module.yml │ ├── generate-rhcos-versions.yml │ ├── initramfs-module.yml │ ├── inject-go-binary.yml │ ├── podman-next.yml │ ├── replace-kernel.yml │ ├── replace-systemd.yml │ ├── rsyslog.yml │ ├── selinux.yml │ ├── tailscale.yml │ └── wifi.yml ├── LICENSE ├── README.md ├── ansible-firewalld ├── Containerfile ├── README.md └── configure-firewall-playbook.yml ├── autoupdate-unit ├── Containerfile └── usr │ └── lib │ └── systemd │ └── system │ ├── autoupdate-host.service │ ├── autoupdate-host.timer │ └── timers.target.wants │ └── autoupdate-host.timer ├── build-zfs-module └── Containerfile ├── butane ├── Containerfile └── demo.bu ├── ci └── generate-rhcos-versions.py ├── convert-ubuntu-package ├── Containerfile └── README.md ├── dracut-module ├── Containerfile ├── README.md └── files │ ├── echo-here.service │ └── module-setup.sh ├── initramfs-module └── Containerfile ├── inject-go-binary ├── Containerfile ├── README.md ├── hello-world.go └── hello-world.service ├── kernel-rt └── Containerfile ├── loading-kernel-module ├── Containerfile ├── README.md └── fcos-config.fcc ├── nexodus ├── Containerfile ├── copr-nexodus-fedora.repo └── copr-nexodus-pubkey.gpg ├── podman-next ├── Containerfile ├── rhcontainerbot-podman-next-fedora.gpg └── rhcontainerbot-podman-next-fedora.repo ├── replace-kernel └── Containerfile ├── replace-systemd └── Containerfile ├── rsyslog ├── Containerfile ├── README.md └── remote.conf ├── selinux └── Containerfile ├── tailscale └── Containerfile └── wifi ├── Containerfile └── etc └── NetworkManager └── system-connections └── ExampleCorpWifi.ini /.github/workflows/ansible-firewalld.yml: -------------------------------------------------------------------------------- 1 | name: "Build image: ansible-firewalld" 2 | 3 | env: 4 | IMAGE_NAME: "ansible-firewalld" 5 | 6 | on: 7 | pull_request: 8 | branches: 9 | - main 
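# ansible-firewalld.yml, continued from above (on.pull_request)
    paths:
      # "**" rather than "*": in GitHub path filters "*" does not match "/", so
      # "*" would miss changes in nested directories of the example.
      - ansible-firewalld/**
      - .github/workflows/ansible-firewalld.yml
  push:
    branches:
      - main
    paths:
      - ansible-firewalld/**
      - .github/workflows/ansible-firewalld.yml

# Least privilege for GITHUB_TOKEN: this job only checks out the repository and
# builds the image on the runner; nothing is pushed, so read access is enough.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are referenced by mutable tags; pin them to a full
      # commit SHA for a stronger supply-chain guarantee.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/build-zfs-module.yml: --------------------------------------------------------------------------------
name: "Build image: build-zfs-module"

env:
  IMAGE_NAME: "build-zfs-module"

on:
  pull_request:
    branches:
      - main
    paths:
      - build-zfs-module/**
      - .github/workflows/build-zfs-module.yml
  push:
    branches:
      - main
    paths:
      - build-zfs-module/**
      - .github/workflows/build-zfs-module.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/butane.yml: --------------------------------------------------------------------------------
# Display name made consistent with the other build workflows ("Build image: <name>").
name: "Build image: butane"

env:
  IMAGE_NAME: "butane"

on:
  pull_request:
    branches:
      - main
    paths:
      - butane/**
      - .github/workflows/butane.yml
  push:
    branches:
      - main
    paths:
      - butane/**
      - .github/workflows/butane.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/convert-ubuntu-package.yml: --------------------------------------------------------------------------------
name: "Build image: convert-ubuntu-package"

env:
  IMAGE_NAME: "convert-ubuntu-package"

on:
  pull_request:
    branches:
      - main
    paths:
      - convert-ubuntu-package/**
      - .github/workflows/convert-ubuntu-package.yml
  push:
    branches:
      - main
    paths:
      - convert-ubuntu-package/**
      - .github/workflows/convert-ubuntu-package.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/dracut-module.yml: --------------------------------------------------------------------------------
name: "Build image: dracut-module"

env:
  IMAGE_NAME: "dracut-module"

on:
  pull_request:
    branches:
      - main
    paths:
      # "**" so that edits under dracut-module/files/ also trigger a build;
      # "*" does not match "/" in GitHub path filters.
      - dracut-module/**
      - .github/workflows/dracut-module.yml
  push:
    branches:
      - main
    paths:
      - dracut-module/**
      - .github/workflows/dracut-module.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/generate-rhcos-versions.yml: --------------------------------------------------------------------------------
name: Generate RHCOS versions

on:
  schedule:
    - cron: '0 */6 * * *'
  workflow_dispatch:

# NOTE(review): the pull request is pushed to a fork with the PAT passed as
# `token` below, and the "Create commit" step only commits locally, so
# GITHUB_TOKEN itself may only need `contents: read`. Verify, then tighten.
permissions:
  contents: write

jobs:
  generate-rhcos-versions:
    name: generate rhcos versions
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # @v2 (end-of-life Node 12 runtime) bumped to @v3 to match the other
        # workflows in this repository.
        uses: actions/checkout@v3
      - name: generate rhcos versions
        run: ci/generate-rhcos-versions.py
      - name: Create commit
        run: |
          git config user.name 'CoreOS Bot'
          git config user.email coreosbot@fedoraproject.org
          if ! git diff --quiet --exit-code; then
            git commit -am "examples: generate rhcos versions ✨" \
              -m "Triggered by generate-rhcos-versions GitHub Action."
          fi
      - name: Open pull request
        # NOTE(review): this third-party action receives a PAT. Pin it to a full
        # commit SHA instead of the mutable @v6 tag so that a later re-tag cannot
        # silently change the code that handles the secret.
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.COREOSBOT_RELENG_TOKEN }}
          branch: generate-rhcos-versions
          push-to-fork: coreosbot-releng/coreos-layering-examples
          base: rhcos
          commit-message: "examples: generate rhcos versions"
          title: "examples: generate rhcos versions"
          body: "Created by generate-rhcos-versions [GitHub workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/generate-rhcos-versions.yml) ([source](${{ github.server_url }}/${{ github.repository }}/blob/main/.github/workflows/generate-rhcos-versions.yml))."
          # The angle-bracketed address was stripped when the page was rendered;
          # restored from the `git config user.email` line above.
          committer: "CoreOS Bot <coreosbot@fedoraproject.org>"
          author: "CoreOS Bot <coreosbot@fedoraproject.org>"
-------------------------------------------------------------------------------- /.github/workflows/initramfs-module.yml: --------------------------------------------------------------------------------
name: "Build image: initramfs-module"

env:
  IMAGE_NAME: "initramfs-module"

on:
  pull_request:
    branches:
      - main
    paths:
      - initramfs-module/**
      - .github/workflows/initramfs-module.yml
  push:
    branches:
      - main
    paths:
      - initramfs-module/**
      - .github/workflows/initramfs-module.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/inject-go-binary.yml: --------------------------------------------------------------------------------
name: "Build image: inject-go-binary"

env:
  IMAGE_NAME: "inject-go-binary"

on:
  pull_request:
    branches:
      - main
    paths:
      - inject-go-binary/**
      - .github/workflows/inject-go-binary.yml
  push:
    branches:
      - main
    paths:
      - inject-go-binary/**
      - .github/workflows/inject-go-binary.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true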
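-------------------------------------------------------------------------------- /.github/workflows/podman-next.yml: --------------------------------------------------------------------------------
name: "Build image: podman-next"

env:
  IMAGE_NAME: "podman-next"

on:
  pull_request:
    branches:
      - main
    paths:
      # "**" rather than "*": in GitHub path filters "*" does not match "/", so
      # "*" would miss changes in nested directories of the example.
      - podman-next/**
      - .github/workflows/podman-next.yml
  push:
    branches:
      - main
    paths:
      - podman-next/**
      - .github/workflows/podman-next.yml

# Least privilege for GITHUB_TOKEN: this job only checks out the repository and
# builds the image on the runner; nothing is pushed, so read access is enough.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are referenced by mutable tags; pin them to a full
      # commit SHA for a stronger supply-chain guarantee.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/replace-kernel.yml: --------------------------------------------------------------------------------
name: "Build image: replace-kernel"

env:
  IMAGE_NAME: "replace-kernel"

on:
  pull_request:
    branches:
      - main
    paths:
      - replace-kernel/**
      - .github/workflows/replace-kernel.yml
  push:
    branches:
      - main
    paths:
      - replace-kernel/**
      - .github/workflows/replace-kernel.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/replace-systemd.yml: --------------------------------------------------------------------------------
name: "Build image: replace-systemd"

env:
  IMAGE_NAME: "replace-systemd"

on:
  pull_request:
    branches:
      - main
    paths:
      - replace-systemd/**
      - .github/workflows/replace-systemd.yml
  push:
    branches:
      - main
    paths:
      - replace-systemd/**
      - .github/workflows/replace-systemd.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/rsyslog.yml: --------------------------------------------------------------------------------
name: "Build image: rsyslog"

env:
  IMAGE_NAME: "rsyslog"

on:
  pull_request:
    branches:
      - main
    paths:
      - rsyslog/**
      - .github/workflows/rsyslog.yml
  push:
    branches:
      - main
    paths:
      - rsyslog/**
      - .github/workflows/rsyslog.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/selinux.yml: --------------------------------------------------------------------------------
name: "Build image: selinux"

env:
  IMAGE_NAME: "selinux"

on:
  pull_request:
    branches:
      - main
    paths:
      - selinux/**
      - .github/workflows/selinux.yml
  push:
    branches:
      - main
    paths:
      - selinux/**
      - .github/workflows/selinux.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/tailscale.yml: --------------------------------------------------------------------------------
name: "Build image: tailscale"

env:
  IMAGE_NAME: "tailscale"

on:
  pull_request:
    branches:
      - main
    paths:
      - tailscale/**
      - .github/workflows/tailscale.yml
  push:
    branches:
      - main
    paths:
      - tailscale/**
      - .github/workflows/tailscale.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin these actions to commit SHAs rather than mutable tags.
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Build container image
        uses: redhat-actions/buildah-build@v2
        with:
          context: ${{ env.IMAGE_NAME }}
          containerfiles: ${{ env.IMAGE_NAME }}/Containerfile
          image: ${{ env.IMAGE_NAME }}
          layers: false
          oci: true
-------------------------------------------------------------------------------- /.github/workflows/wifi.yml: --------------------------------------------------------------------------------
name: "Build image: wifi"

env:
  IMAGE_NAME: "wifi"

on:
  pull_request:
    branches:
      - main
    paths:
      # "**" so that edits under wifi/etc/NetworkManager/... also trigger a
      # build; "*" does not match "/" in GitHub path filters.
      - wifi/**
      - .github/workflows/wifi.yml
  push:
    branches:
      - main
    paths:
      - wifi/**
      - .github/workflows/wifi.yml

# Least privilege: build-only job, nothing is pushed.
permissions:
  contents: read

jobs:
  build-image:
    # (continues on the next line of the listing)
    runs-on: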
ubuntu-latest 23 | steps: 24 | - name: Checkout repo 25 | uses: actions/checkout@v3 26 | 27 | - name: Build container image 28 | uses: redhat-actions/buildah-build@v2 29 | with: 30 | context: ${{ env.IMAGE_NAME }} 31 | containerfiles: ${{ env.IMAGE_NAME }}/Containerfile 32 | image: ${{ env.IMAGE_NAME }} 33 | layers: false 34 | oci: true 35 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 
29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 
61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Example containers that derive from (Fedora) CoreOS 2 | 3 | Fedora CoreOS is now also an OCI container image that can be used as a base 4 | image to create *bootable* derivative containers. 5 | 6 | See https://github.com/coreos/fedora-coreos-docs/pull/540 for more information about how to use this. 7 | 8 | Additional background links are: 9 | 10 | - https://fedoraproject.org/wiki/Changes/OstreeNativeContainer 11 | - https://github.com/coreos/enhancements/blob/main/os/coreos-layering.md 12 | 13 | This repository contains example containers to demonstrate 14 | functionality. 
## Examples

- [ansible-firewalld](ansible-firewalld/): Demos using [Ansible](https://github.com/ansible/ansible) to configure [firewalld](https://github.com/firewalld/firewalld)
- [build-zfs-module](build-zfs-module/): Build the ZFS third party module as rpm and install it
- [butane](butane/): Demos using https://github.com/coreos/butane
- [convert-ubuntu-package](convert-ubuntu-package/): Convert an Ubuntu package to rpm using [alien](https://wiki.debian.org/Alien) and install it.
- [dracut-module](dracut-module): Install and run a dracut module
- [initramfs-module](initramfs-module/): Demos generating an initramfs with specific modules added and omitted.
- [inject-go-binary](inject-go-binary/): Demos building a Go binary and injecting it into the image together with a systemd unit
- [podman-next](podman-next): Use COPR to install the podman-next package
- [rsyslog](rsyslog/): Install and configure rsyslog to forward to a remote host
- [replace-kernel](replace-kernel): Replace the kernel using packages from Koji
- [replace-systemd](replace-systemd/): Replacing a base package, in this case systemd
- [selinux](selinux/): Demos changing a SELinux boolean
- [tailscale](tailscale/): Demos https://tailscale.com/download/linux/fedora
- [wifi](wifi/): Install support for wireless networks along with pre-baked configuration to join a network. Note that any network credentials baked into the image are readable by anyone who can pull it, so do not push such an image to a public registry.
- [loading-kernel-module](loading-kernel-module/): Demo loading a kernel module on the worker nodes

## Running an example

- Build an image using an example from this repo and push it to an image registry (the snippet uses fish shell syntax; in bash use `IMAGE=$(podman build $EXAMPLE -q)`):
```
set IMAGE (podman build $EXAMPLE -q)
podman push $IMAGE quay.io/$USER/$EXAMPLE
```

- Set up a system that has `rpm-ostree` installed. One possibility is [using `virt-install`](https://docs.fedoraproject.org/en-US/fedora-coreos/getting-started/#_booting_on_a_local_hypervisor_libvirt_example).
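- [Rebase the system](https://coreos.github.io/rpm-ostree/container/#rebasing-a-client-system) with `rpm-ostree` to the image

-------------------------------------------------------------------------------- /ansible-firewalld/Containerfile: --------------------------------------------------------------------------------
# This example uses Ansible to configure firewalld to set up a node-local firewall suitable as recommended for use as an OpenShift 4 worker.
# However, this is intended to generalize to using Ansible as well as firewalld for generic tasks.
#
# NOTE(review): `stable` is a moving tag. For a reproducible, auditable build,
# pin the base image to a digest (FROM quay.io/fedora/fedora-coreos@sha256:<digest>).
FROM quay.io/fedora/fedora-coreos:stable

# COPY rather than ADD: ADD also fetches remote URLs and auto-extracts archives,
# neither of which is wanted for a plain local file.
COPY configure-firewall-playbook.yml .

# Install firewalld; also install ansible, use it to run a playbook, then remove it
# so it doesn't take up space persistently.
# TODO: Need to also remove ansible-installed dependencies
# Note: the playbook itself stays in the image root after the build; delete it in
# the same RUN step if that matters for your image.
RUN rpm-ostree install firewalld ansible && \
    ansible-playbook configure-firewall-playbook.yml && \
    rpm -e ansible && \
    ostree container commit
-------------------------------------------------------------------------------- /ansible-firewalld/README.md: --------------------------------------------------------------------------------
# Running ansible in a container build for firewalling

In this example, we:

- Derive from the base image
- Install `ansible`
- Inject [a playbook](configure-firewall-playbook.yml) into the image
- Run ansible as part of the build, using the upstream `firewalld` module
- Remove `ansible` (we don't need it at runtime)

There's nothing really specific to firewalling here; this example can
be used as a reference for executing any arbitrary ansible playbook
as part of a container image build.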
-------------------------------------------------------------------------------- /ansible-firewalld/configure-firewall-playbook.yml: -------------------------------------------------------------------------------- 1 | #This list of ports was taken from: 2 | #https://github.com/openshift/enhancements/blob/master/dev-guide/host-port-registry.md 3 | #These tasks are intended as an example. 4 | - hosts: localhost 5 | tasks: 6 | - name: Enable service firewalld 7 | systemd: 8 | name: firewalld 9 | enabled: yes 10 | #The next two tasks can be veried by: `sudo firewall-cmd --list-all` 11 | - name: Open tcp ports 12 | firewalld: 13 | offline: yes 14 | port: "{{ item }}/tcp" 15 | permanent: yes 16 | state: enabled 17 | loop: 18 | - 80 19 | - 443 20 | - 1936 21 | - 2041 22 | - 2379 23 | - 2380 24 | - 3306 25 | - 5050 26 | - 6080 27 | - 6180-6181 28 | - 6183 29 | - 6385 30 | - 6443 31 | - 8089 32 | - 9001 33 | - 9100-9103 34 | - 9105-9106 35 | - 9120-9122 36 | - 9200-9219 37 | - 9258 38 | - 9444-9447 39 | - 9537 40 | - 9641-9644 41 | - 9978-9979 42 | - 10010 43 | - 10250-10251 44 | - 10255-10259 45 | - 10263 46 | - 10357 47 | - 10443-10444 48 | - 17697 49 | - 22623-22624 50 | - 60000 51 | 52 | - name: Open udp ports 53 | firewalld: 54 | #Offline needed as these tasks will be running in 55 | #a container build which does not have the service running. 
56 | offline: yes 57 | port: "{{ item }}/udp" 58 | permanent: yes 59 | state: enabled 60 | loop: 61 | - 500 62 | - 4500 63 | - 4789 64 | - 6081 65 | - 9122 66 | 67 | #These next two tasks can be verified by: `sudo firewall-cmd --list-all --zone trusted` 68 | - name: Add localhost to trusted zone 69 | command: "firewall-offline-cmd --zone=trusted --add-interface=lo" 70 | 71 | - name: Open tcp ports for localhost 72 | firewalld: 73 | zone: trusted 74 | offline: yes 75 | port: "{{ item }}/tcp" 76 | permanent: yes 77 | state: enabled 78 | loop: 79 | - 4180 80 | - 8797 81 | - 9259 82 | - 9260 83 | - 9443 84 | - 9977 85 | - 10248 86 | - 10300-10303 87 | - 11443 88 | - 20000 89 | - 29100-29103 90 | - 29105 91 | - 29150-29151 92 | - 29445 93 | -------------------------------------------------------------------------------- /autoupdate-unit/Containerfile: -------------------------------------------------------------------------------- 1 | # This example injects a systemd unit to perform automatic daily OS updates. 2 | FROM quay.io/fedora/fedora-coreos:stable 3 | # The key content is in [usr/lib/systemd/system](usr/lib/systemd/system) 4 | ADD usr usr 5 | # At the current time, zincati cannot be used for container updates. More in https://github.com/coreos/fedora-coreos-tracker/issues/1263 6 | RUN systemctl mask zincati 7 | -------------------------------------------------------------------------------- /autoupdate-unit/usr/lib/systemd/system/autoupdate-host.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Automatic host upgrades 3 | [Service] 4 | Type=simple 5 | # Note that this will be a no-op if there are no changes. 
6 | ExecStart=rpm-ostree upgrade --reboot 7 | # We'll use https://github.com/coreos/rpm-ostree/pull/4384 in the future 8 | StandardOutput=null -------------------------------------------------------------------------------- /autoupdate-unit/usr/lib/systemd/system/autoupdate-host.timer: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Automatic daily host upgrades 3 | [Timer] 4 | OnBootSec=1h 5 | OnUnitInactiveSec=1d 6 | [Install] 7 | WantedBy=timers.target 8 | -------------------------------------------------------------------------------- /autoupdate-unit/usr/lib/systemd/system/timers.target.wants/autoupdate-host.timer: -------------------------------------------------------------------------------- 1 | ../autoupdate-host.timer -------------------------------------------------------------------------------- /build-zfs-module/Containerfile: -------------------------------------------------------------------------------- 1 | # Needs to be set to the Fedora version on CoreOS stable stream, as it is our base image. 2 | # In a script, you can set this using: 3 | # BUILDER_VERSION=$(curl -s "https://builds.coreos.fedoraproject.org/streams/stable.json" | jq -r '.architectures.x86_64.artifacts.metal.release' | cut -d '.' 
-f 1) 4 | ARG BUILDER_VERSION=39 5 | 6 | FROM quay.io/fedora/fedora-coreos:stable as kernel-query 7 | #We can't use the `uname -r` as it will pick up the host kernel version 8 | RUN rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}' > /kernel-version.txt 9 | 10 | # Using https://openzfs.github.io/openzfs-docs/Developer%20Resources/Custom%20Packages.html 11 | FROM registry.fedoraproject.org/fedora:${BUILDER_VERSION} as builder 12 | ARG BUILDER_VERSION 13 | COPY --from=kernel-query /kernel-version.txt /kernel-version.txt 14 | WORKDIR /etc/yum.repos.d 15 | RUN curl -L -O https://src.fedoraproject.org/rpms/fedora-repos/raw/f${BUILDER_VERSION}/f/fedora-updates-archive.repo && \ 16 | sed -i 's/enabled=AUTO_VALUE/enabled=true/' fedora-updates-archive.repo 17 | RUN dnf install -y jq dkms gcc make autoconf automake libtool rpm-build libtirpc-devel libblkid-devel \ 18 | libuuid-devel libudev-devel openssl-devel zlib-devel libaio-devel libattr-devel elfutils-libelf-devel \ 19 | kernel-$(cat /kernel-version.txt) kernel-modules-$(cat /kernel-version.txt) kernel-devel-$(cat /kernel-version.txt) \ 20 | python3 python3-devel python3-setuptools python3-cffi libffi-devel git ncompress libcurl-devel 21 | WORKDIR / 22 | # Uses project_id from: https://release-monitoring.org/project/11706/ 23 | RUN curl "https://release-monitoring.org/api/v2/versions/?project_id=11706" | jq --raw-output '.stable_versions[0]' >> /zfs_version.txt 24 | RUN curl -L -O https://github.com/openzfs/zfs/releases/download/zfs-$(cat /zfs_version.txt)/zfs-$(cat /zfs_version.txt).tar.gz && \ 25 | tar xzf zfs-$(cat /zfs_version.txt).tar.gz && mv zfs-$(cat /zfs_version.txt) zfs 26 | WORKDIR /zfs 27 | RUN ./configure -with-linux=/usr/src/kernels/$(cat /kernel-version.txt)/ -with-linux-obj=/usr/src/kernels/$(cat /kernel-version.txt)/ \ 28 | && make -j1 rpm-utils rpm-kmod 29 | 30 | FROM quay.io/fedora/fedora-coreos:stable 31 | COPY --from=builder /zfs/*.rpm /zfs/ 32 | RUN rm /zfs/*devel*.rpm /zfs/zfs-test*.rpm 
&& \ 33 | rpm-ostree install \ 34 | /zfs/*.$(rpm -qa kernel --queryformat '%{ARCH}').rpm && \ 35 | # Auto-load ZFS module 36 | depmod -a "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" && \ 37 | echo "zfs" > /etc/modules-load.d/zfs.conf && \ 38 | # we don't want any files on /var 39 | rm -rf /var/lib/pcp && \ 40 | ostree container commit 41 | -------------------------------------------------------------------------------- /butane/Containerfile: -------------------------------------------------------------------------------- 1 | # TODO https://github.com/coreos/butane/pull/338 2 | FROM quay.io/coreos/butane as butane 3 | # See the butane file for configuration changes 4 | ADD demo.bu /demo.bu 5 | # Compile to ignition 6 | RUN butane --pretty --strict demo.bu > /demo.ign 7 | 8 | FROM quay.io/fedora/fedora-coreos:stable 9 | # Copy our generated Ignition 10 | COPY --from=butane /demo.ign demo.ign 11 | # Now apply it to the live filesystem, and clean it up 12 | RUN /usr/libexec/ignition-apply demo.ign && rm -f demo.ign && ostree container commit 13 | -------------------------------------------------------------------------------- /butane/demo.bu: -------------------------------------------------------------------------------- 1 | variant: fcos 2 | version: 1.1.0 3 | storage: 4 | files: 5 | # Configure chrony to use custom servers 6 | - path: /etc/chrony.conf 7 | overwrite: true 8 | contents: 9 | inline: | 10 | server foo.example.net maxdelay 0.4 offline 11 | server bar.example.net maxdelay 0.4 offline 12 | server baz.example.net maxdelay 0.4 offline 13 | driftfile /var/lib/chrony/drift 14 | makestep 1.0 3 15 | rtcsync 16 | logdir /var/log/chrony 17 | mode: 0644 18 | systemd: 19 | units: 20 | - name: serial-getty@ttyS0.service 21 | dropins: 22 | - name: autologin.conf 23 | contents: | 24 | [Service] 25 | TTYVTDisallocate=no 26 | ExecStart= 27 | ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM 28 | 
-------------------------------------------------------------------------------- /ci/generate-rhcos-versions.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # Update Dockerfiles to use rhcos images. 3 | 4 | import os 5 | import requests 6 | import sys 7 | import yaml 8 | 9 | RHCOS_IMAGE = 'registry.ci.openshift.org/rhcos-devel/rhel-coreos:4.11' 10 | RHEL_REPOS = '#You will need the RHEL repos in a file.\nADD rhel.repo /etc/yum.repos.d' 11 | FCOS_IMAGE = 'quay.io/fedora/fedora-coreos:stable' 12 | 13 | basedir = os.path.normpath(os.path.join(os.path.dirname(sys.argv[0]), '..')) 14 | for root, dirs, files in os.walk(basedir): 15 | for name in files: 16 | if not name.endswith("Dockerfile"): 17 | continue 18 | path = os.path.join(basedir, os.path.join(root, name)) 19 | with open(path, "rt") as f: 20 | contents = f.read() 21 | replacement = RHCOS_IMAGE 22 | if 'rpm-ostree install' in contents: 23 | replacement = f"{replacement}\n{RHEL_REPOS}" 24 | print("Generating RHCOS version of: " + os.path.join(root, name)) 25 | new_contents = contents.replace(FCOS_IMAGE, replacement) 26 | if contents == new_contents: 27 | print(f"No changes to {path}") 28 | else: 29 | with open(path, "wt") as f: 30 | f.write(new_contents) 31 | -------------------------------------------------------------------------------- /convert-ubuntu-package/Containerfile: -------------------------------------------------------------------------------- 1 | # Convert an Ubuntu package to rpm using alien and install it 2 | FROM ubuntu:latest as converter 3 | RUN apt update && \ 4 | apt install -y alien && \ 5 | cd /tmp && \ 6 | apt download gocryptfs && \ 7 | alien --to-rpm --scripts --fixperms gocryptfs*.deb 8 | 9 | FROM quay.io/fedora/fedora-coreos:stable 10 | COPY --from=converter /tmp/gocryptfs*.rpm /tmp 11 | RUN rpm-ostree install /tmp/gocryptfs*.rpm && \ 12 | rm /tmp/gocryptfs*.rpm && \ 13 | ostree container commit 14 | 
-------------------------------------------------------------------------------- /convert-ubuntu-package/README.md: -------------------------------------------------------------------------------- 1 | # Convert an Ubuntu Package and Install It 2 | 3 | This example converts an Ubuntu package into an rpm using [alien](https://wiki.debian.org/Alien) and then installs it using `rpm-ostree`. 4 | 5 | This is useful for packages that are present in Ubuntu, but not in Fedora. This example installs Ubuntu's latest packaged version of gocryptfs, which is [no longer maintained in Fedora](https://discussion.fedoraproject.org/t/gocryptfs-not-available-on-fedora-36). 6 | -------------------------------------------------------------------------------- /dracut-module/Containerfile: -------------------------------------------------------------------------------- 1 | # Install and run a dracut module 2 | FROM quay.io/fedora/fedora-coreos:stable 3 | 4 | # Install dracut module requirements 5 | RUN rpm-ostree install busybox rng-tools pcsc-tools bluez && \ 6 | ostree container commit 7 | 8 | # Add dracut module files 9 | COPY files/ /usr/lib/dracut/modules.d/10systemd-echo-here/ 10 | 11 | # Run dracut to build a new initrd 12 | RUN export KERNEL_VERSION="$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" && \ 13 | stock_arguments=$(lsinitrd "/lib/modules/${KERNEL_VERSION}/initramfs.img" | grep '^Arguments: ' | sed 's/^Arguments: //') && \ 14 | mkdir -p /tmp/dracut /var/roothome && \ 15 | bash <(/usr/bin/echo "dracut $stock_arguments") && \ 16 | rm -rf /var/* /tmp/* && \ 17 | ostree container commit 18 | 19 | # Move the new initrd into place while keeping the stock initrd in the image for reference. 
20 | RUN export KERNEL_VERSION="$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" && \ 21 | mv -v "/lib/modules/${KERNEL_VERSION}/initramfs.img" "/lib/modules/${KERNEL_VERSION}/initramfs.stock.img" && \ 22 | mv -v /boot/initramfs*.img "/lib/modules/${KERNEL_VERSION}/initramfs.img" && \ 23 | ostree container commit 24 | 25 | # Show that the initrd includes the echo-here service: 26 | RUN lsinitrd /lib/modules/*/initramfs.img | grep echo-here 27 | -------------------------------------------------------------------------------- /dracut-module/README.md: -------------------------------------------------------------------------------- 1 | # Install and run a dracut module 2 | 3 | This example adds a dracut module to the container and calls dracut to build a new initrd using this module. 4 | 5 | This is useful when something needs to run inside of the initrd, which is very early in the boot process. 6 | 7 | This specific example registers a systemd service that prints out when it was executed. 
8 | -------------------------------------------------------------------------------- /dracut-module/files/echo-here.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Service to Echo Here During initrd Startup 3 | DefaultDependencies=no 4 | ConditionVirtualization=!container 5 | 6 | Requires=systemd-udev-settle.service 7 | After=systemd-udev-settle.service 8 | Before=cryptsetup.target 9 | 10 | [Service] 11 | Type=oneshot 12 | ExecStart=/usr/bin/echo --------------------HERE-------------------- 13 | 14 | -------------------------------------------------------------------------------- /dracut-module/files/module-setup.sh: -------------------------------------------------------------------------------- 1 | depends() { 2 | echo systemd 3 | return 0 4 | } 5 | 6 | install() { 7 | inst_simple "${moddir}/echo-here.service" "${systemdsystemunitdir}/echo-here.service" 8 | $SYSTEMCTL -q --root "$initdir" add-wants cryptsetup.target echo-here.service 9 | } 10 | -------------------------------------------------------------------------------- /initramfs-module/Containerfile: -------------------------------------------------------------------------------- 1 | # This examples rebuilds the initramfs adding ostree, iscsi, ifcfg modules 2 | # omiting the network-legacy and nouveau modules. After the initramfs is built it is moved to 3 | # /lib/modules/$KERNEL_VERSION/initramfs.img where it will be used on ostree systems. 4 | FROM quay.io/fedora/fedora-coreos:stable 5 | USER root 6 | RUN KERNEL_VERSION=$(rpm -q kernel | cut -c 8-); \ 7 | # In FCOS we add configuration files for dracut to ensure that the "base image" has its 8 | # initramfs arguments embedded. They can be seen on: 9 | # https://github.com/coreos/fedora-coreos-config/tree/testing-devel/overlay.d/05core/usr/lib/dracut 10 | # This makes sure that required arguments are reused when running dracut in a container build like this one. 
# Other distributions like RHCOS might not provide/require the same arguments, which will then need to be added to the 12 | # dracut invocation. 13 | # The RHCOS arguments needed can be seen on:
8 | -------------------------------------------------------------------------------- /inject-go-binary/hello-world.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | ) 6 | 7 | func main() { 8 | fmt.Println("Hello, world!") 9 | } 10 | -------------------------------------------------------------------------------- /inject-go-binary/hello-world.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=A hello world unit! 3 | [Service] 4 | Type=oneshot 5 | RemainAfterExit=yes 6 | ExecStart=/usr/bin/hello-world 7 | [Install] 8 | WantedBy=multi-user.target 9 | -------------------------------------------------------------------------------- /kernel-rt/Containerfile: -------------------------------------------------------------------------------- 1 | # This replaces the (throughput) kernel with kernel-rt for latency-sensitive workloads. 2 | FROM quay.io/okd/centos-stream-coreos-9:4.12-x86_64 3 | # First, at the current time for replacing the kernel this invocation is required. 4 | # This need will be lifted in the future. 5 | RUN rpm-ostree cliwrap install-to-root / 6 | # Note a few things here. 7 | # - The image does not have RT and NFV repositories enabled. Right now rpm-ostree 8 | # doesn't expose `dnf config-manager`, so we manually enable the yum repos with sed. 9 | # - The default image has the meta-package "kernel" installed for the throughput kernel, 10 | # but we don't install `kernel-rt` because that has dependencies on a lot of other 11 | # things. 12 | # - We need to do the swap as a single "transaction" to avoid broken dependencies. 
13 | RUN sed -i "/\[rt\]/,/\[/ s/enabled=0/enabled=1/" /etc/yum.repos.d/centos-addons.repo && \ 14 | sed -i "/\[nfv\]/,/\[/ s/enabled=0/enabled=1/" /etc/yum.repos.d/centos-addons.repo && \ 15 | rpm-ostree override remove kernel kernel-{core,modules,modules-extra} \ 16 | --install kernel-rt-core --install kernel-rt-modules \ 17 | --install kernel-rt-modules-extra --install kernel-rt-kvm && \ 18 | ostree container commit 19 | -------------------------------------------------------------------------------- /loading-kernel-module/Containerfile: -------------------------------------------------------------------------------- 1 | FROM fedora:38 as builder 2 | ARG KERNEL_VERSION 3 | 4 | RUN dnf install -y \ 5 | git \ 6 | make 7 | 8 | WORKDIR /home 9 | 10 | # Get the kernel-headers 11 | RUN KERNEL_XYZ=$(echo ${KERNEL_VERSION} | cut -d"-" -f1) && \ 12 | KERNEL_DISTRO=$(echo ${KERNEL_VERSION} | cut -d"-" -f2 | cut -d"." -f-2) && \ 13 | KERNEL_ARCH=$(echo ${KERNEL_VERSION} | cut -d"-" -f2 | cut -d"." 
-f3) && \ 14 | dnf install -y \ 15 | https://kojipkgs.fedoraproject.org//packages/kernel/${KERNEL_XYZ}/${KERNEL_DISTRO}/${KERNEL_ARCH}/kernel-${KERNEL_VERSION}.rpm \ 16 | https://kojipkgs.fedoraproject.org//packages/kernel/${KERNEL_XYZ}/${KERNEL_DISTRO}/${KERNEL_ARCH}/kernel-core-${KERNEL_VERSION}.rpm \ 17 | https://kojipkgs.fedoraproject.org//packages/kernel/${KERNEL_XYZ}/${KERNEL_DISTRO}/${KERNEL_ARCH}/kernel-modules-${KERNEL_VERSION}.rpm \ 18 | https://kojipkgs.fedoraproject.org//packages/kernel/${KERNEL_XYZ}/${KERNEL_DISTRO}/${KERNEL_ARCH}/kernel-modules-core-${KERNEL_VERSION}.rpm \ 19 | https://kojipkgs.fedoraproject.org//packages/kernel/${KERNEL_XYZ}/${KERNEL_DISTRO}/x86_64/kernel-devel-${KERNEL_VERSION}.rpm 20 | 21 | RUN git clone https://github.com/kubernetes-sigs/kernel-module-management 22 | 23 | WORKDIR /home/kernel-module-management/ci/kmm-kmod 24 | 25 | RUN KERNEL_SRC_DIR=/lib/modules/${KERNEL_VERSION}/build make all 26 | 27 | FROM quay.io/fedora/fedora-coreos:stable 28 | ARG KERNEL_VERSION 29 | 30 | COPY --from=builder /home/kernel-module-management/ci/kmm-kmod/kmm_ci_a.ko /usr/lib/modules/${KERNEL_VERSION}/ 31 | 32 | # This is needed in order to autoload the module at boot time. 33 | RUN depmod -a "${KERNEL_VERSION}" && echo kmm_ci_a > /etc/modules-load.d/kmm_ci_a.conf 34 | 35 | RUN rpm-ostree install strace && rm -rf /var/cache && \ 36 | ostree container commit 37 | -------------------------------------------------------------------------------- /loading-kernel-module/README.md: -------------------------------------------------------------------------------- 1 | # Loading Kernel Module 2 | 3 | ### Get the correct kernel-version 4 | 5 | We need the correct kernel version in order to build the kernel-module for the 6 | right kernel. 
7 | 8 | Since after reboot, the kernel of the host will be the kernel RPM installed on 9 | the new image, aka, the `fedora-coreos:stable` image that we are using as 10 | the last layer, then the correct way to get the kernel version is by getting it 11 | from the image itself. 12 | ``` 13 | $ podman run -it fedora-coreos:stable rpm -qa | grep kernel 14 | kernel-modules-core-6.3.8-200.fc38.x86_64 15 | kernel-core-6.3.8-200.fc38.x86_64 16 | kernel-modules-6.3.8-200.fc38.x86_64 17 | kernel-6.3.8-200.fc38.x86_64 18 | ``` 19 | 20 | Let's export the kernel version. 21 | ``` 22 | export KERNEL_VERSION=6.3.8-200.fc38.x86_64 23 | ``` 24 | 25 | ### Build the container image 26 | 27 | Now, we will build a simple container image that will contains a basic 28 | kernel-module in it. 29 | 30 | Since the kernel we want to build is a `fc38` kernel we will use `fedora:38` as 31 | a base image to build the kernel-module. 32 | 33 | ``` 34 | podman build --build-arg KERNEL_VERSION=${KERNEL_VERSION} -t quay.io/ybettan/fedora-coreos:kmm-kmod -f Containerfile 35 | podman push quay.io/ybettan/fedora-coreos:kmm-kmod 36 | ``` 37 | 38 | ### Create an ignition file 39 | 40 | Ignition files are a way to configure a CoreOS machine at boot time. 41 | 42 | We are going to create a simple ignition file that add your public SSH key to 43 | the machine so you can SSH to it after the installation. 44 | 45 | Edit `fcos-config.fcc` and put your public SSH key in it. Then we are going to 46 | generate the ignition file from that yaml. 47 | 48 | ``` 49 | podman run -i --rm quay.io/coreos/fcct -p -s fcos-config.ign 50 | ``` 51 | 52 | And make sure it was created correctly by inspecting `fcos-config.ign`. 53 | 54 | ### Configuring SELinux 55 | 56 | We are goign to use `virt` in order to install the VM, therefore, we need to 57 | add a SELinux rule to allow `virt` to read the ignition file. 58 | 59 | If you don't want to add any SELInux rule you can temporarly disable it. 
60 | 61 | * Check SELinux status: `getenforce` 62 | * Disable SELinux: `setenforce 0` (status should become `permissive`) 63 | * Enable SELinux: `setenforce 1` (status should become `enforcing`) 64 | 65 | ### Provision a Fedora-CoreOS VM 66 | 67 | Now, we are going to download the Fedora-CoreOS disk image for Qemu. We 68 | are going to use that disk in order to boot a VM from it later on this 69 | tutorial. 70 | 71 | The version of Fedora we are using for this VM doesn't really matter to much as we 72 | are going to reboot from the contianer we built anyway. 73 | 74 | For instuctions on how to create the VM visit 75 | [provisioning-libvirt](https://docs.fedoraproject.org/en-US/fedora-coreos/provisioning-libvirt/) 76 | 77 | We can run `virsh console fcos` to get a boot console. 78 | 79 | ### SSH to the machine 80 | 81 | Use `virsh net-dhcp-leases default` in order to get the VM IP and then we can SSH to it. 82 | 83 | ``` 84 | ssh core@ 85 | ``` 86 | 87 | ### Rebooting from the container 88 | 89 | From inside the VM we will use the `rpm-ostree rebase` command in order to 90 | reboot from a spacific container image. 91 | 92 | ``` 93 | sudo su 94 | rpm-ostree rebase --experimental ostree-unverified-registry:quay.io/ybettan/fedora-coreos:kmm-kmod --bypass-driver 95 | systemctl reboot 96 | ``` 97 | 98 | ### SSH to the new FedoraCoreOS image 99 | 100 | Once the VM has booted, we can SSH to it again and validate that we indeed have 101 | the "new layer" of the image. 
102 | 103 | ``` 104 | [core@localhost ~]$ rpm-ostree status 105 | State: idle 106 | Deployments: 107 | ● ostree-unverified-registry:quay.io/ybettan/fedora-coreos:kmm-kmod 108 | Digest: sha256:5d1f14548bc202c7051d8f67ab524c5745ad3c9b16149685de25b791abee066a 109 | Version: 38.20230625.3.0 (2023-07-16T09:14:56Z) 110 | 111 | fedora:fedora/x86_64/coreos/stable 112 | Version: 38.20230625.3.0 (2023-07-11T11:57:53Z) 113 | Commit: e841d77aadb875bb801ac845a0d9b8a70b4224bdeb15e7d6c5bff1da932c0301 114 | GPGSignature: Valid signature by 6A51BBABBA3D5467B6171221809A8D7CEB10B464 115 | ``` 116 | 117 | We can also validate that the kernel-module is present 118 | ``` 119 | [core@localhost ~]$ lsmod | grep kmm_ci_a 120 | kmm_ci_a 16384 0 121 | ``` 122 | -------------------------------------------------------------------------------- /loading-kernel-module/fcos-config.fcc: -------------------------------------------------------------------------------- 1 | 2 | variant: fcos 3 | version: 1.0.0 4 | passwd: 5 | users: 6 | - name: core 7 | ssh_authorized_keys: 8 | - ssh-rsa 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 root@ybettan-testing.edgeinfra.cloud 9 | 10 | 11 | -------------------------------------------------------------------------------- /nexodus/Containerfile: -------------------------------------------------------------------------------- 1 | # As per https://docs.nexodus.io/quickstart/ 2 | # You will need to `sudo nexctl nexd status` and follow 3 | # the instructions to register the device. 
4 | FROM quay.io/fedora/fedora-coreos:stable 5 | COPY copr-nexodus-fedora.repo /etc/yum.repos.d/ 6 | COPY copr-nexodus-pubkey.gpg /etc/pki/rpm-gpg/ 7 | RUN rpm-ostree install nexodus && \ 8 | systemctl enable nexodus && \ 9 | ostree container commit 10 | -------------------------------------------------------------------------------- /nexodus/copr-nexodus-fedora.repo: -------------------------------------------------------------------------------- 1 | [copr:copr.fedorainfracloud.org:nexodus:nexodus] 2 | name=Copr repo for nexodus owned by nexodus 3 | baseurl=https://download.copr.fedorainfracloud.org/results/nexodus/nexodus/fedora-$releasever-$basearch/ 4 | type=rpm-md 5 | skip_if_unavailable=True 6 | gpgcheck=1 7 | gpgkey=file:///etc/pki/rpm-gpg/copr-nexodus-pubkey.gpg 8 | repo_gpgcheck=0 9 | enabled=1 10 | enabled_metadata=1 11 | -------------------------------------------------------------------------------- /nexodus/copr-nexodus-pubkey.gpg: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mQENBGVVPF8BCADKB/W4Z2CkRB0gHovHe9V4dAaDpGy4WdDJJKaaiKaZeWdPcp5q 4 | dldBB3fNm/nlirmyuzOT0/JSvIPh8YKF56xYCKhBEBN3t+xib/xI1i2AI8Dz5yEJ 5 | IcWcLBfxyyLfYnOyb5WnURNMKojj0aotmjK6DOokKIEEJRrIY62X3KC2HKMLe4RK 6 | tQ6m3ExmBdDehOoiZyCsIi3av9CiNHUA8HTvXj3FccZbgKA47w0od/ZOH2REpxX6 7 | pao4kpOGgEFzY2C4CVOOYyE+JpTbtESw2Lc4T1JhPNCNqgXFlOYTzwXn9laaxbpy 8 | u3jgitu/SIhgTvpADBBJjPL2k1boAJPtql5/ABEBAAG0Pm5leG9kdXNfbmV4b2R1 9 | cyAoTm9uZSkgPG5leG9kdXMjbmV4b2R1c0Bjb3ByLmZlZG9yYWhvc3RlZC5vcmc+ 10 | iQFXBBMBCABBFiEEV2vm36NT+OIy4ReX0oY6VpdiJ6cFAmVVPF8CGy8FCQlmAYAF 11 | CwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQ0oY6VpdiJ6dRFwgAwMq3HRd3 12 | fj8zh5Zbz3aSKqPkvUU/RhOJj4oj2FYhN3sT4n6JHGICu0PS4N0E0CNrFGdTVUjB 13 | 2LoOA7cZlJv/Fr1mgCN5C0l7bcgSgyGVVpLUe4t4pZNVInE/qATFlXO3UVJh+hjZ 14 | JwYrslKnLqPMiXAyA/NZjDOexBiS54kGz2lnFuIHPbC51wMyFPtpGhlHihLTtAPF 15 | v5IFh/mix4L0KYoLsRgMLrz03f1vtZYOxTDVjN9Q050tK+LtJOL/eSnNXpICo/3/ 16 | 
wSAjhicZr082hmdbuLcJLGRtxBD4gRT7LikLuj0igdkhJ4/r9+yf34ngis4MSGao 17 | uH2Gi/oluPQGQg== 18 | =n397 19 | -----END PGP PUBLIC KEY BLOCK----- 20 | -------------------------------------------------------------------------------- /podman-next/Containerfile: -------------------------------------------------------------------------------- 1 | FROM quay.io/fedora/fedora-coreos:stable 2 | 3 | # Setup the podman-next copr repo 4 | # Note: This might need to be updated from time to time to the latest GPG key. 5 | # The repo config itself is release agnotic but the GPG key might change. 6 | COPY rhcontainerbot-podman-next-fedora.repo /etc/yum.repos.d/ 7 | COPY rhcontainerbot-podman-next-fedora.gpg /etc/pki/rpm-gpg/ 8 | 9 | # Replace aardvark-dns, conmon, crun, netavark, podman, containers-common 10 | # Remove moby-engine, containerd, runc 11 | # Note: Currently does not result in a size reduction for the container image 12 | RUN rpm-ostree override replace --experimental --freeze \ 13 | --from repo="copr:copr.fedorainfracloud.org:rhcontainerbot:podman-next" \ 14 | aardvark-dns conmon crun netavark podman containers-common containers-common-extra && \ 15 | rpm-ostree override remove moby-engine containerd runc && \ 16 | ostree container commit 17 | -------------------------------------------------------------------------------- /podman-next/rhcontainerbot-podman-next-fedora.gpg: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mQENBGGpQ8EBCAC3a5QD6FsFzFPVsNDrIXNXz/yDOdh0PdUat6Fma26pB2ivar1K 4 | H03VrB8/zEmiM7qjgnR/Z3h0b6jkiOiqR39/+hQVKm2Hs222cnC8Tcj36FASpHDq 5 | GxVVceqs/9zMc1oJTcCkgfrLtOxsQxsLcln43z9e5TF/oSkFFoyhCtCyl8SBWrzb 6 | qk7ihoZVA/zn+CjyauniUwN+ezTSJj821AfeymF9mNzkqkh9HcPr2aze+0Mct/FV 7 | eUXfGJ2LQufvhgNHu/eg958Oz2mBJS2JUxDjoQSAYYXzWSmTTQ4ft2+aA9rlg16E 8 | 88G1HnRsYXqail7UQM9Bspqnq5cd+JehEgodABEBAAG0VHJoY29udGFpbmVyYm90 9 | X3BvZG1hbi1uZXh0IChOb25lKSA8cmhjb250YWluZXJib3QjcG9kbWFuLW5leHRA 10 
| Y29wci5mZWRvcmFob3N0ZWQub3JnPokBWAQTAQgAQhYhBEk3txShalNb9LOwGI5U 11 | Q5nYfes5BQJhqUPBAhsvBQkJZgGABQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIX 12 | gAAKCRCOVEOZ2H3rOfdcB/4irNK45SoOjhMZpub+UjxqB6t7SSj1LucJVNJhLG7c 13 | 80nTapczhoghk8zN5txdnPGKbwOzfYReB9NEb7w231yVu+JhIU/5kY2UTS3QA/uN 14 | UG0BBPZ+0yRuOYK4A/mX5BCceTzBkwRkPG7AM0tT7G5tJBt1Z6sQJMfj2drUKutn 15 | +x1wJDsK4Ga0rDlpXsn81aQ7gZAUKiUiKXbujGDLyjPYwvKkjNA74CgAqz60RlXJ 16 | /LtcbS2pQV1ZuIpaHXyO+82IOmVJmXNL1YNfni5M60f+3/A9pyiiw3c1C+iho77N 17 | SfsgYLo0HKX7m1i4Q181F+RhSRgKmWP9PVRJ1H0xhDNO 18 | =P6WX 19 | -----END PGP PUBLIC KEY BLOCK----- 20 | -------------------------------------------------------------------------------- /podman-next/rhcontainerbot-podman-next-fedora.repo: -------------------------------------------------------------------------------- 1 | [copr:copr.fedorainfracloud.org:rhcontainerbot:podman-next] 2 | name=Copr repo for podman-next owned by rhcontainerbot 3 | baseurl=https://download.copr.fedorainfracloud.org/results/rhcontainerbot/podman-next/fedora-$releasever-$basearch/ 4 | type=rpm-md 5 | skip_if_unavailable=True 6 | gpgcheck=1 7 | gpgkey=file:///etc/pki/rpm-gpg/rhcontainerbot-podman-next-fedora.gpg 8 | repo_gpgcheck=0 9 | enabled=1 10 | enabled_metadata=1 11 | -------------------------------------------------------------------------------- /replace-kernel/Containerfile: -------------------------------------------------------------------------------- 1 | # This example uses rpm-ostree's cliwrap to allow dracut to run on the container and generate an initramfs. 2 | FROM quay.io/fedora/fedora-coreos:stable 3 | # Enable cliwrap. 4 | RUN rpm-ostree cliwrap install-to-root / 5 | # Replace the kernel, kernel-core, kernel-modules-core and kernel-modules packages. 
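# The RPMs are pulled by URL from koji at build time. TLS protects the transfer,
# but nothing in this file pins the content. NOTE(review): rpm-ostree does not
# appear to apply repo-style GPG verification to packages given as URLs/local
# files - confirm for the rpm-ostree in the base image. For a production image,
# verify the signatures (rpm -K) or record each RPM's SHA-256 and check it
# before the replace, so an unexpected artifact at the URL fails the build.
# On UEFI Secure Boot hosts only a kernel signed with a key trusted by shim
# will boot, so this needs to be a signed Fedora build, not a scratch build.
RUN rpm-ostree override replace https://kojipkgs.fedoraproject.org//packages/kernel/6.8.10/300.fc40/x86_64/kernel-6.8.10-300.fc40.x86_64.rpm \
        https://kojipkgs.fedoraproject.org//packages/kernel/6.8.10/300.fc40/x86_64/kernel-core-6.8.10-300.fc40.x86_64.rpm \
        https://kojipkgs.fedoraproject.org//packages/kernel/6.8.10/300.fc40/x86_64/kernel-modules-6.8.10-300.fc40.x86_64.rpm \
        https://kojipkgs.fedoraproject.org//packages/kernel/6.8.10/300.fc40/x86_64/kernel-modules-core-6.8.10-300.fc40.x86_64.rpm && \
    ostree container commit

--------------------------------------------------------------------------------
/replace-systemd/Containerfile:
--------------------------------------------------------------------------------
# Replace systemd with the builds from a specific Bodhi update.
FROM quay.io/fedora/fedora-coreos:stable
# The Bodhi update ID resolves to a fixed set of builds, so the version being
# installed is pinned by this file even though it is fetched remotely.
RUN rpm-ostree override replace https://bodhi.fedoraproject.org/updates/FEDORA-2024-d5e5296648 && \
#workaround for: https://github.com/coreos/layering-examples/issues/49
# NOTE(review): rpm only *warns* (NOKEY) rather than fails when the signing key
# is not in the rpmdb - confirm the Fedora key is imported, or pin the SHA-256.
    rpm --reinstall https://kojipkgs.fedoraproject.org//packages/systemd/255.4/1.fc40/x86_64/systemd-255.4-1.fc40.x86_64.rpm && \
#https://coreos.github.io/rpm-ostree/architecture-core/#content-in-var
# /var is machine-local state populated at boot, not image content; drop
# whatever the reinstall left there so it is not baked into the layer.
    rm -rf /var/lock /var/mail /var/lib/ /var/log /var/run && \
    ostree container commit

--------------------------------------------------------------------------------
/rsyslog/Containerfile:
--------------------------------------------------------------------------------
# Install and configure rsyslog
FROM quay.io/fedora/fedora-coreos:stable
RUN rpm-ostree install rsyslog && \
    ostree container commit
# COPY rather than ADD: ADD would also fetch URLs and auto-extract archives,
# neither of which is wanted for a plain config file.
COPY remote.conf /etc/rsyslog.d/remote.conf

--------------------------------------------------------------------------------
/rsyslog/README.md:
--------------------------------------------------------------------------------
# Installing and configuring rsyslog

This example installs `rsyslog` *and* a [configuration file](remote.conf) for it.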
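
This is a simple example, but it's worth elaborating here that we are *transactionally binding*
the configuration and code. For example, if you want to update the `rsyslog` version *and*
change the config file at the same time, that is applied transactionally: a host ends up with
either the old pair or the new pair, never a new binary with an old config or vice versa.

--------------------------------------------------------------------------------
/rsyslog/remote.conf:
--------------------------------------------------------------------------------
# Example from `man rsyslog` to forward all logs via TCP to a remote server
# ("@@" selects TCP; a single "@" would be UDP).
#
# Security caveat: this is plain TCP. Every log line - auth and kernel messages
# included - crosses the network unencrypted, and the collector is not
# authenticated, so anyone on the path can read or tamper with the stream.
# For a real deployment use the omfwd action with TLS
# (StreamDriver="gtls", StreamDriverMode="1", StreamDriverAuthMode="x509/name")
# and an action queue so an unreachable collector does not stall local logging.
*.* @@server.example.net

--------------------------------------------------------------------------------
/selinux/Containerfile:
--------------------------------------------------------------------------------
# Change a SELinux boolean. A conflict between overlayfs semantics
# and libselinux existed before fedora 37. This example shows that
# selinux booleans can now be changed correctly as part of the build.
# https://github.com/SELinuxProject/selinux/pull/342
FROM quay.io/fedora/fedora-coreos:stable

# -P persists the boolean in the policy store (so it holds on the derived host);
# -N skips reloading the policy into the kernel, which is neither possible nor
# needed inside the build container.
# container_manage_cgroup=1 lets confined containers manage cgroup configuration
# (per the policy's boolean description). That widens what a container can do
# to the host, so enable it only for workloads that need it (e.g. running
# systemd inside a container).
# Finish with `ostree container commit` like the other examples so the layer is
# validated and stray state is cleaned up.
RUN setsebool -P -N container_manage_cgroup 1 && \
    ostree container commit

--------------------------------------------------------------------------------
/tailscale/Containerfile:
--------------------------------------------------------------------------------
# This is like https://tailscale.com/download/linux/fedora
# except it happens as part of a container build! You then need to do
# `tailscale up` via some other mechanism.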
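#
# Trust note: the .repo file (and the gpgkey URL it points at) is fetched from
# pkgs.tailscale.com at build time, so the trust root is whatever that site
# serves over TLS on the day of the build. To fix the trust root in git, vendor
# the .repo and the signing key the way the podman-next example does.
FROM quay.io/fedora/fedora-coreos:stable
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as tailscale.repo; -sS keeps it quiet but still reports failures.
RUN cd /etc/yum.repos.d/ && curl -fsSLO https://pkgs.tailscale.com/stable/fedora/tailscale.repo && \
    rpm-ostree install tailscale && \
    systemctl enable tailscaled && \
    ostree container commit

--------------------------------------------------------------------------------
/wifi/Containerfile:
--------------------------------------------------------------------------------
# Install wireless support along with a static configuration file.
FROM quay.io/fedora/fedora-coreos:stable
RUN rpm-ostree install NetworkManager-wifi NetworkManager-wwan wpa_supplicant wireless-regdb && \
    ostree container commit
# And also inject a config file. This pattern of using the COPY command
# to inject an "overlay" for /etc can easily be extended to add multiple
# config files.
COPY etc /etc
# The keyfile carries the Wi-Fi PSK. COPY keeps the mode from the build context
# (normally 0644), which would leave the secret readable by every user on every
# host - and NetworkManager treats group/other-readable keyfiles as insecure and
# ignores them, so the connection would not even load. Tighten it explicitly.
RUN chmod 0600 /etc/NetworkManager/system-connections/ExampleCorpWifi.ini

--------------------------------------------------------------------------------
/wifi/etc/NetworkManager/system-connections/ExampleCorpWifi.ini:
--------------------------------------------------------------------------------
# NetworkManager keyfile for a WPA-PSK network, shipped as part of the image.
# The file must be root-owned and mode 0600 or NetworkManager will ignore it.
[connection]
id=ExampleCorpWiFi
uuid=6ad20506-0f78-4060-980b-820b7508efba
type=wifi
interface-name=wlp4s0
# Empty permissions = any user on the host may activate this connection.
permissions=

[wifi]
mac-address-blacklist=
mode=infrastructure
ssid=ExampleCorpWiFi

[wifi-security]
auth-alg=open
key-mgmt=wpa-psk
# TODO: see https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/106
# We should also have an opinionated story for managing secrets in Ignition + derivation.
# SECURITY: a real PSK written here is baked into an image layer - readable by
# anyone who can pull the image from the registry and recoverable from every
# host that ever booted it. Keep the placeholder here and inject the real
# secret at provisioning time (e.g. via Ignition) instead.
psk=examplekeyhere

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

[proxy]

--------------------------------------------------------------------------------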