├── .gitignore ├── .earthlyignore ├── live ├── zipl.prm ├── isolinux │ ├── boot.msg │ └── isolinux.cfg └── EFI │ └── fedora │ └── grub.cfg ├── platforms.yaml ├── overlay.d ├── 05core ├── 09misc ├── 15fcos ├── 40grub ├── 08nouveau ├── 08composefs ├── 30lvmdevices ├── 20platform-chrony ├── 25azure-udev-rules ├── 07fix-selinux-labels └── 99custom │ ├── usr │ ├── lib │ │ └── systemd │ │ │ ├── system-preset │ │ │ └── 99-custom.preset │ │ │ └── system │ │ │ ├── k3s.service │ │ │ └── k3s-agent.service │ └── bin │ │ └── k3s-killall.sh │ └── etc │ ├── ostree │ └── remotes.d │ │ └── k3s-coreos.conf │ └── NetworkManager │ └── dispatcher.d │ └── 50-tailscale ├── .gitmodules ├── rancher-k3s-common.repo ├── tailscale.repo ├── image.yaml ├── manifest.yaml ├── fedora.repo ├── Earthfile ├── fedora-coreos-minimal.yaml └── fedora-coreos-base-minimal.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | /artifacts 2 | -------------------------------------------------------------------------------- /.earthlyignore: -------------------------------------------------------------------------------- 1 | Earthfile 2 | /artifacts 3 | -------------------------------------------------------------------------------- /live/zipl.prm: -------------------------------------------------------------------------------- 1 | ../fedora-coreos-config/live/zipl.prm -------------------------------------------------------------------------------- /platforms.yaml: -------------------------------------------------------------------------------- 1 | fedora-coreos-config/platforms.yaml -------------------------------------------------------------------------------- /overlay.d/05core: -------------------------------------------------------------------------------- 1 | ../fedora-coreos-config/overlay.d/05core -------------------------------------------------------------------------------- /overlay.d/09misc: 
-------------------------------------------------------------------------------- 1 | ../fedora-coreos-config/overlay.d/09misc -------------------------------------------------------------------------------- /overlay.d/15fcos: -------------------------------------------------------------------------------- 1 | ../fedora-coreos-config/overlay.d/15fcos -------------------------------------------------------------------------------- /overlay.d/40grub: -------------------------------------------------------------------------------- 1 | ../fedora-coreos-config/overlay.d/40grub -------------------------------------------------------------------------------- /overlay.d/08nouveau: -------------------------------------------------------------------------------- 1 | ../fedora-coreos-config/overlay.d/08nouveau -------------------------------------------------------------------------------- /overlay.d/08composefs: -------------------------------------------------------------------------------- 1 | ../fedora-coreos-config/overlay.d/08composefs -------------------------------------------------------------------------------- /overlay.d/30lvmdevices: -------------------------------------------------------------------------------- 1 | ../fedora-coreos-config/overlay.d/30lvmdevices -------------------------------------------------------------------------------- /live/isolinux/boot.msg: -------------------------------------------------------------------------------- 1 | ../../fedora-coreos-config/live/isolinux/boot.msg -------------------------------------------------------------------------------- /overlay.d/20platform-chrony: -------------------------------------------------------------------------------- 1 | ../fedora-coreos-config/overlay.d/20platform-chrony -------------------------------------------------------------------------------- /overlay.d/25azure-udev-rules: -------------------------------------------------------------------------------- 1 | 
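../fedora-coreos-config/overlay.d/25azure-udev-rules
--------------------------------------------------------------------------------
/overlay.d/07fix-selinux-labels:
--------------------------------------------------------------------------------
../fedora-coreos-config/overlay.d/07fix-selinux-labels
--------------------------------------------------------------------------------
/overlay.d/99custom/usr/lib/systemd/system-preset/99-custom.preset:
--------------------------------------------------------------------------------
# Presets for the custom overlay: enable the Tailscale daemon by default.
enable tailscaled.service
--------------------------------------------------------------------------------
/overlay.d/99custom/etc/ostree/remotes.d/k3s-coreos.conf:
--------------------------------------------------------------------------------
[remote "k3s-coreos"]
url=https://k3s-coreos.makerforce.io/ostree/
# NOTE(review): gpg-verify=false means commits pulled from this remote are not
# signature-checked; the only integrity guarantee is the TLS connection to the
# host above, so whoever can serve content under that hostname can ship an
# arbitrary OS image to every node that rebases to it. Sign the commits in the
# build pipeline and switch to gpg-verify=true with a gpgkeypath= pointing at
# the signing public key once one exists.
gpg-verify=false
--------------------------------------------------------------------------------
/overlay.d/99custom/etc/NetworkManager/dispatcher.d/50-tailscale:
--------------------------------------------------------------------------------
#!/bin/sh
# NetworkManager dispatcher hook: enable UDP GRO forwarding (and disable
# rx-gro-list) on each device NetworkManager reports an event for, as
# recommended by Tailscale for subnet-router / exit-node throughput.
#
# DEVICE_IFACE is only set for device-related events. For events such as
# `hostname` and `connectivity-change` it is empty, and running ethtool with
# no interface name would make it misparse the remaining arguments, so bail
# out in that case.
[ -n "${DEVICE_IFACE}" ] || exit 0

ethtool -K "${DEVICE_IFACE}" rx-udp-gro-forwarding on rx-gro-list off
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
[submodule "fedora-coreos-config"]
	path = fedora-coreos-config
	url = https://github.com/coreos/fedora-coreos-config.git
	fetchRecurseSubmodules = true
	branch = stable
--------------------------------------------------------------------------------
/rancher-k3s-common.repo:
--------------------------------------------------------------------------------
[rancher-k3s-common-stable]
name=Rancher K3s Common (stable)
baseurl=https://rpm.rancher.io/k3s/stable/common/coreos/noarch
enabled=1
# Packages are signature-checked against gpgkey below; the repository metadata
# itself is not (repo_gpgcheck=0), so a replayed or frozen repomd would go
# unnoticed. Set repo_gpgcheck=1 if the repository publishes a signed repomd.
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://rpm.rancher.io/public.key
--------------------------------------------------------------------------------
/tailscale.repo:
--------------------------------------------------------------------------------
[tailscale-stable]
name=Tailscale stable
baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
enabled=1
type=rpm
repo_gpgcheck=1
gpgcheck=1
gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
--------------------------------------------------------------------------------
/image.yaml:
--------------------------------------------------------------------------------
# fedora-coreos-config/image.yaml
# This file can optionally contain configuration specific to the stream,
# similarly to manifest.yaml. Unlike image-base.yaml, which is shared by all
# streams.
include: fedora-coreos-config/image-base.yaml

# vim: set et ts=2 sw=2:
--------------------------------------------------------------------------------
/overlay.d/99custom/usr/lib/systemd/system/k3s.service:
--------------------------------------------------------------------------------
[Unit]
Description=Lightweight Kubernetes (server)
Documentation=https://k3s.io
Wants=network-online.target
After=network-online.target

[Install]
WantedBy=multi-user.target

[Service]
Type=notify
EnvironmentFile=-/etc/default/%N
EnvironmentFile=-/etc/sysconfig/%N
EnvironmentFile=-/etc/systemd/system/k3s.service.env
KillMode=process
Delegate=yes
User=root
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Restart=always
RestartSec=5s
# Refuse to start while nm-cloud-setup.service is enabled (the `!` inverts the
# is-enabled check); its routing changes are known to conflict with k3s.
ExecStartPre=/bin/sh -xc '!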
/usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service 2>/dev/null' 28 | ExecStartPre=-/sbin/modprobe br_netfilter 29 | ExecStartPre=-/sbin/modprobe overlay 30 | ExecStart=/usr/bin/k3s server 31 | -------------------------------------------------------------------------------- /overlay.d/99custom/usr/lib/systemd/system/k3s-agent.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Lightweight Kubernetes (agent) 3 | Documentation=https://k3s.io 4 | Wants=network-online.target 5 | After=network-online.target 6 | 7 | [Install] 8 | WantedBy=multi-user.target 9 | 10 | [Service] 11 | Type=notify 12 | EnvironmentFile=-/etc/default/%N 13 | EnvironmentFile=-/etc/sysconfig/%N 14 | EnvironmentFile=-/etc/systemd/system/k3s-agent.service.env 15 | KillMode=process 16 | Delegate=yes 17 | User=root 18 | # Having non-zero Limit*s causes performance problems due to accounting overhead 19 | # in the kernel. We recommend using cgroups to do container-local accounting. 20 | LimitNOFILE=1048576 21 | LimitNPROC=infinity 22 | LimitCORE=infinity 23 | TasksMax=infinity 24 | TimeoutStartSec=0 25 | Restart=always 26 | RestartSec=5s 27 | ExecStartPre=/bin/sh -xc '! 
/usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service 2>/dev/null' 28 | ExecStartPre=-/sbin/modprobe br_netfilter 29 | ExecStartPre=-/sbin/modprobe overlay 30 | ExecStart=/usr/bin/k3s agent 31 | -------------------------------------------------------------------------------- /manifest.yaml: -------------------------------------------------------------------------------- 1 | variables: 2 | stream: stable 3 | prod: true 4 | 5 | releasever: 41 6 | 7 | ostree-layers: 8 | - overlay/99custom 9 | 10 | packages: 11 | # 12 | # Add packages 13 | # 14 | # Management 15 | - htop 16 | # Networking 17 | - tailscale 18 | - ethtool 19 | # SELinux policy module for k3s 20 | - container-selinux k3s-selinux 21 | # 22 | # Restore packages 23 | # 24 | # We removed file-transfer.yaml, but curl is required for coreos-livepxe-rootfs.sh 25 | - curl 26 | # We removed user-experience.yaml, but bsdtar is required for 35coreos-live dracut module 27 | - bsdtar 28 | # We removed user-experience.yaml, but the improved MOTD experience might be useful 29 | - console-login-helper-messages-issuegen 30 | - console-login-helper-messages-profile 31 | # We removed shared-el9.yaml, but network teaming might be useful 32 | - NetworkManager-team teamd 33 | 34 | #exclude-packages: 35 | # # Ensure containerd is removed 36 | # - containerd 37 | 38 | # fedora-coreos-config/manifests/fedora-coreos.yaml 39 | ref: k3s-coreos/${basearch}/${stream} 40 | metadata: 41 | license: MIT 42 | name: k3s-coreos 43 | summary: K3s CoreOS ${stream} 44 | 45 | # fedora-coreos-config/manifests/fedora-coreos.yaml 46 | automatic-version-prefix: "${releasever}." 
47 | 48 | # fedora-coreos-config/manifests/fedora-coreos.yaml 49 | include: 50 | - fedora-coreos-minimal.yaml 51 | 52 | # vim: set et ts=2 sw=2: 53 | -------------------------------------------------------------------------------- /fedora.repo: -------------------------------------------------------------------------------- 1 | # Note we use baseurl= here because using auto-selected mirrors conflicts with 2 | # change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85. 3 | 4 | [fedora] 5 | name=Fedora $releasever - $basearch 6 | baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/ 7 | https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/ 8 | #metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch 9 | enabled=1 10 | #metadata_expire=7d 11 | repo_gpgcheck=0 12 | type=rpm 13 | gpgcheck=1 14 | gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary 15 | skip_if_unavailable=False 16 | 17 | [fedora-updates] 18 | name=Fedora $releasever - $basearch - Updates 19 | baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/ 20 | https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/ 21 | #metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch 22 | enabled=1 23 | repo_gpgcheck=0 24 | type=rpm 25 | gpgcheck=1 26 | metadata_expire=6h 27 | gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary 28 | skip_if_unavailable=False 29 | 30 | [fedora-updates-testing] 31 | name=Fedora $releasever - $basearch - Test Updates 32 | baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/ 33 | https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/ 34 | 
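#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
metadata_expire=6h
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
skip_if_unavailable=False
--------------------------------------------------------------------------------
/Earthfile:
--------------------------------------------------------------------------------
VERSION 0.8

ARG --global image_namespace=registry.makerforce.io/k3s-coreos
ARG --global image_tag=latest
# NOTE(review): version tags are mutable; pin to an @sha256 digest for a
# reproducible base image once the desired digest has been looked up.
ARG --global base_image=docker.io/library/alpine:3.21.3


# Source checkout of coreos-assembler, pinned to an exact commit so the build
# tool itself cannot change underneath us.
coreos-assembler-source:
    FROM $base_image

    RUN apk add --no-cache git

    GIT CLONE \
        --branch 4c2afc4b72954427a3d2f71fc73c1ea762ec19c1 \
        https://github.com/coreos/coreos-assembler.git \
        src

    SAVE ARTIFACT src/* /
    SAVE IMAGE --push $image_namespace/cache/coreos-assembler-source:$image_tag

coreos-assembler:
    BUILD +coreos-assembler-source
    FROM DOCKERFILE +coreos-assembler-source/

    SAVE IMAGE --push $image_namespace/cache/coreos-assembler:$image_tag


# Prepare the build tree: copy this repo in, place the downloaded k3s and dust
# binaries into the custom overlay, then initialise cosa and fetch packages.
setup:
    FROM $image_namespace/cache/coreos-assembler:$image_tag

    ARG source=/src
    ARG custom_overlay=overlay.d/99custom
    # k3s release to ship. The sha256sum-amd64.txt published with the release
    # is used to verify the binary before it is installed into the overlay.
    ARG k3s_release=https://github.com/k3s-io/k3s/releases/download/v1.32.2%2Bk3s1
    ARG dust_url=https://github.com/bootandy/dust/releases/download/v1.1.2/dust-v1.1.2-x86_64-unknown-linux-gnu.tar.gz
    # Optional expected SHA-256 of the dust tarball. Empty skips verification
    # (the previous behaviour); set it to the value published for the release.
    ARG dust_sha256=""

    COPY . $source

    # Create overlay binaries directory
    RUN mkdir -p $source/$custom_overlay/usr/bin

    # Download and install k3s.
    # curl -f fails on HTTP errors instead of saving an error page as the
    # binary; the checksum list is fetched from the same release and checked
    # (--ignore-missing skips the listed artifacts we did not download).
    RUN cd $source/$custom_overlay \
        && mkdir -p /tmp/k3s-dl \
        && curl -fLo /tmp/k3s-dl/k3s "$k3s_release/k3s" \
        && curl -fLo /tmp/k3s-dl/sha256sum-amd64.txt "$k3s_release/sha256sum-amd64.txt" \
        && (cd /tmp/k3s-dl && sha256sum --check --ignore-missing sha256sum-amd64.txt) \
        && install -m 0755 /tmp/k3s-dl/k3s usr/bin/k3s \
        && rm -rf /tmp/k3s-dl

    # Download and install dust. --wildcards makes the '*dust' member pattern
    # explicit for GNU tar.
    RUN cd $source/$custom_overlay \
        && curl -fLo dust.tar.gz "$dust_url" \
        && if [ -n "$dust_sha256" ]; then echo "$dust_sha256  dust.tar.gz" | sha256sum --check; fi \
        && tar -xzf dust.tar.gz --wildcards --strip-components 1 '*dust' --directory usr/bin \
        && rm dust.tar.gz

    ARG COSA_SKIP_OVERLAY=1
    RUN --privileged \
        cosa init --transient $source \
        && cosa fetch

    SAVE IMAGE --push $image_namespace/cache/setup:$image_tag


# Full build: container image, qemu/metal disk images, live ISO, compressed.
build:
    FROM +setup

    ARG COSA_SKIP_OVERLAY=1
    ARG XZ_DEFAULTS=--memlimit=4G
    RUN --privileged \
        cosa fetch \
        && cosa build container \
        && cosa osbuild qemu metal metal4k \
        && cosa buildextend-live \
        && cosa compress
    # Remove builds/latest so only the per-version build directories are exported.
    RUN rm \
        builds/latest

    SAVE ARTIFACT builds/* AS LOCAL artifacts/


# Interactive shell inside the finished build environment, for debugging.
shell:
    FROM +build

    RUN --interactive bash
--------------------------------------------------------------------------------
/live/EFI/fedora/grub.cfg:
--------------------------------------------------------------------------------
# Note this file mostly matches the grub.cfg file from within the
# efiboot.img on the Fedora Server DVD iso. Diff this file with that
# file in the future to pick up changes.
#
# One diff to note is we use linux and initrd instead of linuxefi and
# initrdefi. We do this because it works and allows us to use this same
# file on other architectures.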
https://github.com/coreos/fedora-coreos-config/issues/63 8 | # 9 | # This file is loaded directly when booting via El Torito, and indirectly 10 | # from a stub config in efiboot.img when booting via the hybrid ESP. 11 | 12 | set default="1" 13 | 14 | function load_video { 15 | insmod efi_gop 16 | insmod efi_uga 17 | insmod video_bochs 18 | insmod video_cirrus 19 | insmod all_video 20 | } 21 | 22 | load_video 23 | set gfxpayload=keep 24 | insmod gzio 25 | insmod part_gpt 26 | insmod ext2 27 | 28 | set timeout=5 29 | ### END /etc/grub.d/00_header ### 30 | 31 | ### BEGIN /etc/grub.d/10_linux ### 32 | menuentry 'K3s CoreOS (Live)' --class fedora --class gnu-linux --class gnu --class os { 33 | linux /images/pxeboot/vmlinuz @@KERNEL-ARGS@@ ignition.firstboot ignition.platform.id=metal coreos.liveiso.fromram 34 | ################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################ COREOS_KARG_EMBED_AREA 35 | initrd /images/pxeboot/initrd.img /images/ignition.img 36 | } 37 | 
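--------------------------------------------------------------------------------
/overlay.d/99custom/usr/bin/k3s-killall.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Tear down everything k3s left running on this host: stop the k3s units, kill
# the containerd shims and their process trees, unmount pod/CNI mounts, delete
# CNI network namespaces and interfaces, and strip KUBE-/CNI-/flannel rules
# from iptables. Re-executes itself under sudo when not already root; the
# script path and arguments are quoted so they survive the re-exec intact.
[ "$(id -u)" -eq 0 ] || exec sudo --preserve-env=K3S_DATA_DIR "$0" "$@"

K3S_DATA_DIR=${K3S_DATA_DIR:-/var/lib/rancher/k3s}

# Put every installed k3s data bundle's bin/ and bin/aux on PATH so the
# bundled tools are available below.
for bin in "${K3S_DATA_DIR}"/data/**/bin/; do
    [ -d "$bin" ] && export PATH=$PATH:$bin:$bin/aux
done

set -x

for service in /etc/systemd/system/k3s*.service; do
    [ -s "$service" ] && systemctl stop "$(basename "$service")"
done

for service in /etc/init.d/k3s*; do
    [ -x "$service" ] && "$service" stop
done

# Print the PIDs whose parent is $1, one per line.
pschildren() {
    ps -e -o ppid= -o pid= | \
    sed -e 's/^\s*//g; s/\s\s*/\t/g;' | \
    grep -w "^$1" | \
    cut -f2
}

# Print each given PID followed (recursively) by all of its descendants.
pstree() {
    for pid in "$@"; do
        echo "$pid"
        for child in $(pschildren "$pid"); do
            pstree "$child"
        done
    done
}

# SIGKILL the given PIDs and every descendant. Tracing is paused while the
# tree is collected so trace output does not end up in the PID list.
killtree() {
    kill -9 $(
        { set +x; } 2>/dev/null;
        pstree "$@";
        set -x;
    ) 2>/dev/null
}

remove_interfaces() {
    # Delete network interface(s) that match 'master cni0'
    ip link show 2>/dev/null | grep 'master cni0' | while read ignore iface ignore; do
        iface=${iface%%@*}
        [ -z "$iface" ] || ip link delete "$iface"
    done

    # Delete cni related interfaces
    ip link delete cni0
    ip link delete flannel.1
    ip link delete flannel-v6.1
    ip link delete kube-ipvs0
    ip link delete flannel-wg
    ip link delete flannel-wg-v6

    # Clear the routes this node advertises through tailscale (presumably the
    # cluster networks k3s advertised; nothing behind them exists any more).
    # Note this only resets --advertise-routes, it does not restart tailscaled.
    if [ -n "$(command -v tailscale)" ]; then
        tailscale set --advertise-routes=
    fi
}

# Print the PIDs of containerd-shim processes started from a k3s data bundle.
getshims() {
    ps -e -o pid= -o args= | sed -e 's/^ *//; s/\s\s*/\t/;' | grep -w "${K3S_DATA_DIR}"'/data/[^/]*/bin/containerd-shim' | cut -f1
}

killtree $({ set +x; } 2>/dev/null; getshims; set -x)

# Forcibly unmount and delete every mount point whose path starts with $1,
# deepest first (sort -r) so nested mounts go before their parents.
do_unmount_and_remove() {
    set +x
    while read -r _ path _; do
        case "$path" in $1*) echo "$path" ;; esac
    done < /proc/self/mounts | sort -r | xargs -r -t -n 1 sh -c 'umount -f "$0" && rm -rf "$0"'
    set -x
}

do_unmount_and_remove '/run/k3s'
do_unmount_and_remove '/var/lib/kubelet/pods'
do_unmount_and_remove '/var/lib/kubelet/plugins'
do_unmount_and_remove '/run/netns/cni-'

# Remove CNI namespaces
ip netns show 2>/dev/null | grep cni- | xargs -r -t -n 1 ip netns delete

remove_interfaces

rm -rf /var/lib/cni/
# Keep every firewall rule except those containing KUBE-, CNI- or flannel.
iptables-save | grep -v KUBE- | grep -v CNI- | grep -iv flannel | iptables-restore
ip6tables-save | grep -v KUBE- | grep -v CNI- | grep -iv flannel | ip6tables-restore

--------------------------------------------------------------------------------
/live/isolinux/isolinux.cfg:
--------------------------------------------------------------------------------
# Note this file mostly matches the isolinux.cfg file from the K3s
# Server DVD iso. Diff this file with that file in the future to pick up
# changes.
serial 0
default vesamenu.c32
# timeout in units of 1/10s. 50 == 5 seconds
timeout 50

display boot.msg

# Clear the screen when exiting the menu, instead of leaving the menu displayed.
# For vesamenu, this means the graphical background is still displayed without
# the menu itself for as long as the screen remains in graphics mode.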
14 | menu clear 15 | menu background splash.png 16 | menu title K3s CoreOS 17 | menu vshift 8 18 | menu rows 18 19 | menu margin 8 20 | #menu hidden 21 | menu helpmsgrow 15 22 | menu tabmsgrow 13 23 | 24 | # Border Area 25 | menu color border * #00000000 #00000000 none 26 | 27 | # Selected item 28 | menu color sel 0 #ffffffff #00000000 none 29 | 30 | # Title bar 31 | menu color title 0 #ff7ba3d0 #00000000 none 32 | 33 | # Press [Tab] message 34 | menu color tabmsg 0 #ff3a6496 #00000000 none 35 | 36 | # Unselected menu item 37 | menu color unsel 0 #84b8ffff #00000000 none 38 | 39 | # Selected hotkey 40 | menu color hotsel 0 #84b8ffff #00000000 none 41 | 42 | # Unselected hotkey 43 | menu color hotkey 0 #ffffffff #00000000 none 44 | 45 | # Help text 46 | menu color help 0 #ffffffff #00000000 none 47 | 48 | # A scrollbar of some type? Not sure. 49 | menu color scrollbar 0 #ffffffff #ff355594 none 50 | 51 | # Timeout msg 52 | menu color timeout 0 #ffffffff #00000000 none 53 | menu color timeout_msg 0 #ffffffff #00000000 none 54 | 55 | # Command prompt text 56 | menu color cmdmark 0 #84b8ffff #00000000 none 57 | menu color cmdline 0 #ffffffff #00000000 none 58 | 59 | # Do not display the actual menu unless the user presses a key. All that is displayed is a timeout message. 60 | 61 | menu tabmsg Press Tab for full configuration options on menu items. 
62 | 63 | menu separator # insert an empty line 64 | menu separator # insert an empty line 65 | 66 | label linux 67 | menu label ^K3s CoreOS (Live) 68 | menu default 69 | kernel /images/pxeboot/vmlinuz 70 | append initrd=/images/pxeboot/initrd.img,/images/ignition.img @@KERNEL-ARGS@@ ignition.firstboot ignition.platform.id=metal coreos.liveiso.fromram 71 | ################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################ COREOS_KARG_EMBED_AREA 72 | 73 | menu separator # insert an empty line 74 | 75 | menu end 76 | -------------------------------------------------------------------------------- /fedora-coreos-minimal.yaml: -------------------------------------------------------------------------------- 1 | # This manifest file defines things that should really only go 2 | # into "official" builds of Fedora CoreOS (such as including `fedora-release-coreos`) 3 | # or are very "opinionated" like disabling SSH passwords by default. 
4 | 5 | ref: fedora/${basearch}/coreos/${stream} 6 | metadata: 7 | license: MIT 8 | name: fedora-coreos 9 | summary: Fedora CoreOS ${stream} 10 | 11 | add-commit-metadata: 12 | fedora-coreos.stream: ${stream} 13 | 14 | 15 | include: fedora-coreos-base-minimal.yaml 16 | conditional-include: 17 | - if: prod == false 18 | # long-term, would be good to support specifying a nested TreeComposeConfig 19 | include: fedora-coreos-config/manifests/disable-zincati.yaml 20 | - if: 21 | - basearch != "s390x" 22 | # for 42+, it's inherited from fedora-bootc 23 | - releasever < 42 24 | # And remove some cruft from grub2 25 | include: fedora-coreos-config/manifests/grub2-removals.yaml 26 | # On <41, we want to keep making sure dnf doesn't slip in somehow 27 | # On 41+, we do want it 28 | # https://github.com/coreos/fedora-coreos-tracker/issues/1687 29 | - if: releasever < 41 30 | include: fedora-coreos-config/manifests/exclude-dnf.yaml 31 | # for 42+, it's inherited from fedora-bootc 32 | - if: releasever == 41 33 | include: fedora-coreos-config/manifests/include-dnf.yaml 34 | # Wifi firmwares will be dropped in F41 35 | - if: releasever < 41 36 | include: fedora-coreos-config/manifests/wifi-firmwares.yaml 37 | # for 42+, it's inherited from fedora-bootc 38 | - if: releasever == 41 39 | include: fedora-coreos-config/manifests/composefs.yaml 40 | - if: releasever >= 41 41 | include: fedora-coreos-config/manifests/selinux-workaround.yaml 42 | 43 | ostree-layers: 44 | - overlay/15fcos 45 | 46 | automatic-version-prefix: "${releasever}..dev" 47 | mutate-os-release: "${releasever}" 48 | 49 | # All Fedora CoreOS streams share the same pool for locked files. 50 | lockfile-repos: 51 | - fedora-coreos-pool 52 | 53 | packages: 54 | - fedora-release-coreos 55 | - fedora-repos-ostree 56 | # the archive repo for more reliable package layering 57 | # https://github.com/coreos/fedora-coreos-tracker/issues/400 58 | - fedora-repos-archive 59 | # CL ships this. 
60 | #- moby-engine 61 | # Already pulled in by moby-engine, but let's be explicit. Typhoon uses it. 62 | #- containerd 63 | # Updates 64 | - zincati 65 | # Include and set the default editor 66 | #- nano nano-default-editor 67 | # Introduce a default colored prompt for Fedora's default shell bash. 68 | # https://github.com/coreos/fedora-coreos-tracker/issues/1567 69 | - bash-color-prompt 70 | 71 | etc-group-members: 72 | # Add the docker group to /etc/group 73 | # https://github.com/coreos/fedora-coreos-tracker/issues/2 74 | # This will be no longer needed when systemd-sysusers has been implemented: 75 | # https://github.com/projectatomic/rpm-ostree/issues/49 76 | #- docker 77 | 78 | # ⚠⚠⚠ ONLY TEMPORARY HACKS ALLOWED HERE; ALL ENTRIES NEED TRACKER LINKS ⚠⚠⚠ 79 | # See also the version of this in fedora-coreos-base.yaml 80 | postprocess: 81 | # Disable Zincati on non-release builds 82 | # https://github.com/coreos/fedora-coreos-tracker/issues/212 83 | - | 84 | #!/usr/bin/env bash 85 | set -euxo pipefail 86 | source /etc/os-release 87 | if [[ $OSTREE_VERSION = *.dev* ]]; then 88 | mkdir -p /etc/zincati/config.d 89 | echo -e '# https://github.com/coreos/fedora-coreos-tracker/issues/212\nupdates.enabled = false' > /etc/zincati/config.d/95-disable-on-dev.toml 90 | fi 91 | # Users shouldn't be configuring `rpm-ostreed.conf` 92 | # https://github.com/coreos/fedora-coreos-tracker/issues/271 93 | - | 94 | #!/usr/bin/env bash 95 | set -xeuo pipefail 96 | cat > /tmp/rpm-ostreed.conf << 'EOF' 97 | # By default, this system has its OS updates managed by 98 | # `zincati.service`. Changes made to this file may 99 | # conflict with the configuation of `zincati.service`. 100 | # See https://github.com/coreos/zincati for additional 101 | # information. 
102 | 103 | EOF 104 | cat /usr/etc/rpm-ostreed.conf >> /tmp/rpm-ostreed.conf 105 | cp /tmp/rpm-ostreed.conf /usr/etc/rpm-ostreed.conf 106 | rm /tmp/rpm-ostreed.conf 107 | # Make sure that we do not ship broken symlinks: 108 | # https://github.com/coreos/fedora-coreos-config/issues/1782 109 | # Remove known broken symlinks that point to non-existing files or directories: 110 | # - Remove `.build-id` for binaries that we remove in other parts of the FCOS manifest 111 | # - Remove links to man pages that we remove in FCOS 112 | # Man pages are removed in FCOS thus the links in alternatives pointing to those are left there broken. 113 | # Docs removal comes from manifests/fedora-coreos.yaml 114 | # - systemd-firstboot comes from manifests/ignition-and-ostree.yaml 115 | # - systemd-gpt-auto-generator comes from ignition-and-ostree.yaml 116 | - | 117 | #!/usr/bin/env bash 118 | set -euo pipefail 119 | 120 | list_broken_symlinks_folders=( 121 | '/etc/alternatives/' 122 | '/usr/lib/.build-id/' 123 | ) 124 | 125 | # It is not possible to remove files from usr after first boot so that is 126 | # why we are removing them in the postprocess scripts here. 127 | # The .build-id links are pointing to binaries that we remove in other parts of the FCOS manifest. 
128 | list_known_removed_folders=( 129 | '/usr/bin/systemd-firstboot' 130 | '/usr/lib/systemd/system-generators/systemd-gpt-auto-generator' 131 | '/usr/share/doc/' 132 | '/usr/share/info/' 133 | '/usr/share/man/' 134 | ) 135 | for folder in "${list_broken_symlinks_folders[@]}"; do 136 | find "${folder}" -type l | while read -r file_name; do 137 | real_path=$(realpath -m "${file_name}"); 138 | if [[ -e "${real_path}" ]]; then 139 | continue 140 | fi 141 | for element in "${list_known_removed_folders[@]}"; do 142 | if [[ "${real_path}" == "${element}"* ]]; then 143 | rm -r "${file_name}" 144 | fi 145 | done 146 | done 147 | done 148 | 149 | 150 | remove-files: 151 | # We don't ship man(1) or info(1) 152 | - usr/share/info 153 | - usr/share/man 154 | # Drop text docs too 155 | - usr/share/doc 156 | 157 | # Things we don't expect to ship on the host. We currently 158 | # have recommends: false so these could only come in via 159 | # hard requirement, in which case the build will fail. 160 | exclude-packages: 161 | - python 162 | - python2 163 | - python2-libs 164 | - python3 165 | - python3-libs 166 | - perl 167 | - perl-interpreter 168 | - nodejs 169 | - grubby 170 | - cowsay # Just in case 171 | # Let's make sure initscripts doesn't get pulled back in 172 | # https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254 173 | - initscripts 174 | # nor /usr/sbin/service 175 | - initscripts-service 176 | # For (datacenter/cloud oriented) servers, we want to see the details by default. 
177 | # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/ 178 | - plymouth 179 | # Do not use legacy ifcfg config format in NetworkManager 180 | # See https://github.com/coreos/fedora-coreos-config/pull/1991 181 | - NetworkManager-initscripts-ifcfg-rh 182 | 183 | # vim: set et ts=2 sw=2: 184 | -------------------------------------------------------------------------------- /fedora-coreos-base-minimal.yaml: -------------------------------------------------------------------------------- 1 | # This file is most of a Fedora CoreOS like system; it inherits from "core". 2 | # Add things in this file which are somewhat "opinionated", not necessarily 3 | # core functionality. 4 | 5 | include: 6 | - fedora-coreos-config/manifests/kernel.yaml 7 | - fedora-coreos-config/manifests/system-configuration.yaml 8 | - fedora-coreos-config/manifests/ignition-and-ostree.yaml 9 | #- fedora-coreos-config/manifests/file-transfer.yaml 10 | - fedora-coreos-config/manifests/networking-tools.yaml 11 | #- fedora-coreos-config/manifests/user-experience.yaml 12 | - fedora-coreos-config/manifests/shared-workarounds.yaml 13 | #- fedora-coreos-config/manifests/shared-el9.yaml 14 | #- fedora-coreos-config/manifests/shared-el10.yaml 15 | 16 | conditional-include: 17 | # starting from f42, we inherit from tier-x 18 | # once we're on f42, we can move this up to the default list of includes above 19 | - if: releasever >= 42 20 | include: fedora-coreos-config/manifests/tier-x.yaml 21 | # all these are inherited from tier-x in f42+, but we carry them here to 22 | # enforce that there's really no coupling until f42 23 | - if: releasever < 42 24 | include: fedora-coreos-config/manifests/tier-x-dupes.yaml 25 | 26 | ostree-layers: 27 | - overlay/05core 28 | - overlay/08nouveau 29 | - overlay/09misc 30 | - overlay/20platform-chrony 31 | - overlay/25azure-udev-rules 32 | - overlay/30lvmdevices 33 | - overlay/40grub 34 | 35 | # Be minimal 36 | 
recommends: false

# Do not fail the compose's passwd/group comparison if `root` is reported as
# removed between builds.
ignore-removed-users:
  - root
ignore-removed-groups:
  - root
# Membership of these groups is kept in /etc/group (not /usr/lib/group) so it
# can be modified on the running system.
etc-group-members:
  - wheel
  - sudo
  - systemd-journal
  - adm

# Reference passwd/group files the composed tree is validated against.
check-passwd:
  type: "file"
  filename: "fedora-coreos-config/manifests/passwd"
check-groups:
  type: "file"
  filename: "fedora-coreos-config/manifests/group"

default-target: multi-user.target

# we can drop this when it's the rpm-ostree default
rpmdb: sqlite

# ⚠⚠⚠ ONLY TEMPORARY HACKS ALLOWED HERE; ALL ENTRIES NEED TRACKER LINKS ⚠⚠⚠
# See also the version of this in fedora-coreos.yaml
postprocess:
  # Enable SELinux booleans used by OpenShift
  # https://github.com/coreos/fedora-coreos-tracker/issues/284
  # `-P` persists the booleans into the policy store; `-N` skips the policy
  # reload, which has no live policy to act on at compose time.
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    setsebool -P -N container_use_cephfs on # RHBZ#1692369
    setsebool -P -N virt_use_samba on # RHBZ#1754825

  # Mask dnsmasq. We include dnsmasq for host services that use the dnsmasq
  # binary but intentionally mask the systemd service so users can't easily
  # use it as an external dns server. We prefer they use a container for that.
  # https://github.com/coreos/fedora-coreos-tracker/issues/519
  # NOTE(review): unlike the other postprocess scripts this one has no
  # `set -xeuo pipefail`, so a failed `systemctl mask` would not fail the
  # compose. `dnsmasq` is also commented out of `packages` below, so the mask
  # presumably only matters if the package arrives as a dependency — confirm.
  - |
    #!/usr/bin/env bash
    systemctl mask dnsmasq.service

  # Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
  # remove iptables-legacy. This is needed because alternatives don't work
  # https://github.com/coreos/fedora-coreos-tracker/issues/677
  # https://github.com/coreos/fedora-coreos-tracker/issues/676
  # `ln -sf` overwrites whatever the alternatives links currently point at.
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
    ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
    ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
    ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
    ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
    ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save

  # Force the ssh-host-keys-migration to happen on every boot
  # to handle cases where someone did an upgrade->rollback->upgrade
  # See https://github.com/coreos/fedora-coreos-tracker/issues/1473
  # We should remove this after the next barrier release.
  # The drop-in's empty `ConditionPathExists=` resets the condition list the
  # unit inherits, so the service is no longer gated on that path.
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    mkdir -p /usr/lib/systemd/system/ssh-host-keys-migration.service.d
    cat <<'EOF' > /usr/lib/systemd/system/ssh-host-keys-migration.service.d/coreos-force-migration-on-every-boot.conf
    # Force the ssh-host-keys-migration to happen on every boot
    # to handle cases where someone did a upgrade->rollback->upgrade
    # See https://github.com/coreos/fedora-coreos-tracker/issues/1473
    [Unit]
    ConditionPathExists=
    EOF

# Packages listed here should be specific to Fedora CoreOS (as in not yet
# available in RHCOS or not desired in RHCOS). All other packages should go
# into one of the sub-manifests listed at the top.
packages:
  # Security
  #- polkit
  # Containers
  #- systemd-container catatonit
  #- fuse-overlayfs slirp4netns
  # Some host applications (e.g. NetworkManager) use dnsmasq
  # as the binary for various utility operations.
  # https://github.com/coreos/fedora-coreos-tracker/issues/519
  #- dnsmasq
  # For podman v4 netavark gets pulled in but it only recommends
  # aardvark-dns (which provides name resolution based on container
  # names). This functionality was previously provided by dnsname from
  # podman-plugins in the podman v3 stack.
  # See https://github.com/containers/netavark/pull/217
  #- aardvark-dns
  # Since we need `containernetworking-plugins` installed to continue
  # to support CNI networks we need to also explicitly install
  # `netavark` so we get both of them installed since both of them
  # provide `container-network-stack`.
  # https://github.com/coreos/fedora-coreos-tracker/issues/1128#issuecomment-1071458717
  #- netavark
  # Minimal NFS client
  - nfs-utils-coreos
  # Active Directory support
  #- adcli
  # Additional firewall support; we aren't including these in RHCOS or they
  # don't exist in RHEL
  #- iptables-nft iptables-services
  # WireGuard https://github.com/coreos/fedora-coreos-tracker/issues/362
  #- wireguard-tools
  # Storage
  #- btrfs-progs
  #- WALinuxAgent-udev
  # Allow communication between sudo and SSSD
  # for caching sudo rules by SSSD.
  # https://github.com/coreos/fedora-coreos-tracker/issues/445
  #- libsss_sudo
  # SSSD; we only ship a subset of the backends
  #- sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
  # Used by admins interactively
  #- attr
  #- openssl
  # Provides terminal tools like clear, reset, tput, and tset
  #- ncurses
  # file-transfer: note fuse-sshfs is not in RHEL
  # so we can't put it in file-transfer.yaml
  #- fuse-sshfs
  # Improved MOTD experience
  - console-login-helper-messages-motdgen
  # i18n
  #- kbd
  # resolved was broken out to its own package in rawhide/f35
  - systemd-resolved
  # In F35+ need `iptables-legacy` package
  # See https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
  - iptables-legacy
  # NIC firmware we've traditionally shipped but then were split out of linux-firmware in Fedora
  #- qed-firmware # https://github.com/coreos/fedora-coreos-tracker/issues/1746


# - irqbalance
#   - This thing is crying out to be pulled into systemd, but that hasn't happened
#     yet.  Also we may want to add to rpm-ostree something like arch negation;
#     basically right now it doesn't exist on s390x.
#     Anyways, it was requested by the Red Hat perf team for RHCOS, so we have it here.
#     https://serverfault.com/questions/513807/is-there-still-a-use-for-irqbalance-on-modern-hardware
#     https://access.redhat.com/solutions/41535
# - qemu-user-static-x86
#   - Include this on non-x86_64 FCOS images to allow access to the large
#     inventory of containers only built for x86_64.
#     https://github.com/coreos/fedora-coreos-tracker/issues/1237
# - google-compute-engine-guest-configs-udev
#   - Add this package on x86_64 and aarch64 (the two architectures
#     GCP supports). https://github.com/coreos/fedora-coreos-tracker/issues/1494
#     This should be moved to a shared manifest when RHEL has this package.
# - crun-wasm wasmedge-rt
#   - Support for wasm runtime: https://github.com/coreos/fedora-coreos-tracker/issues/1375
# Per-architecture package lists; see the notes above for why each entry exists.
packages-x86_64:
  - irqbalance
  #- google-compute-engine-guest-configs-udev
  #- crun-wasm wasmedge-rt
  # Include AMD microcode updates, see https://github.com/coreos/fedora-coreos-tracker/issues/1618.
  # This normally should belong in bootable-rpm-ostree.yaml (alongside
  # `microcode_ctl`), but this change hasn't hit RHCOS yet.
  #- amd-ucode-firmware
packages-ppc64le:
  - irqbalance
  - librtas
  - powerpc-utils-core
  - ppc64-diag-rtas
  - qemu-user-static-x86
packages-aarch64:
  - irqbalance
  - qemu-user-static-x86
  - google-compute-engine-guest-configs-udev
  - crun-wasm wasmedge-rt
packages-s390x:
  - qemu-user-static-x86

# Each entry is [package, regex]: files of that package matching the regex are
# deleted from the tree.
remove-from-packages:
  # Hopefully short-term hack -- see https://github.com/coreos/fedora-coreos-config/pull/1206#discussion_r705425869.
  # This keeps the size down and ensures nothing tries to use it, preventing us
  # from shedding the dep eventually.
  - [cracklib-dicts, .*]

# vim: set et ts=2 sw=2: