Provisioning Fedora CoreOS on Google Cloud Platform

This guide shows how to provision new Fedora CoreOS (FCOS) instances on Google Cloud Platform (GCP).

Prerequisites

Before provisioning an FCOS machine, you must have an Ignition configuration file containing your customizations. If you do not have one, see Producing an Ignition File.

Fedora CoreOS has a default core user that can be used to explore the OS. If you want to use it, finalize its configuration by providing e.g. an SSH key.

If you do not want to use Ignition to get started, you can make use of the Afterburn support.

You also need to have access to a GCP account. The examples below use the gcloud command-line tool, which must be separately installed and configured beforehand.

Selecting an image family

Fedora CoreOS is designed to be updated automatically, with different schedules per stream.

FCOS images are published under the fedora-coreos-cloud project and further organized into image families, tracking the corresponding stream:

  • fedora-coreos-stable

  • fedora-coreos-testing

  • fedora-coreos-next

Before proceeding, check the details of each update stream and pick the one most suited for your use case.

You can inspect the current state of an image family as follows:

Inspecting an image family
STREAM='stable'
gcloud compute images describe-from-family \
    --project "fedora-coreos-cloud" "fedora-coreos-${STREAM}"

Launching a VM instance

New GCP instances can be directly created and booted from public FCOS images.

If you just want SSH access and no further customization, you don’t need to pass any custom instance metadata. Depending on your GCP project configuration, relevant SSH public keys will be automatically added to the VM. This provides an easy way to test out FCOS without first creating an Ignition config.

Currently, we don’t support logging in using SSH through the GCP web console, using the gcloud compute ssh CLI method or OS Login. See fedora-coreos-tracker#648 for more information.
Launching a new instance
STREAM='stable'
NAME='fcos-node01'
ZONE='us-central1-a'
gcloud compute instances create              \
    --image-project "fedora-coreos-cloud"    \
    --image-family "fedora-coreos-${STREAM}" \
    --zone "${ZONE}" "${NAME}"
You can find out the instance’s assigned IP by running gcloud compute instances list

You now should be able to SSH into the instance using the associated IP address.

Example connecting
ssh core@<ip address>

In order to launch a customized FCOS instance, a valid Ignition configuration must be passed as metadata under the user-data key at creation time. In the web console, this is available under the Management section. From the command-line, use --metadata-from-file:

Launching and customizing a new instance
STREAM='stable'
NAME='fcos-node01'
ZONE='us-central1-a'
CONFIG='example.ign'
gcloud compute instances create                \
    --image-project "fedora-coreos-cloud"      \
    --image-family "fedora-coreos-${STREAM}"   \
    --metadata-from-file "user-data=${CONFIG}" \
    --zone "${ZONE} "${NAME}"
By design, startup scripts are not supported on FCOS. Instead, it is recommended to encode any startup logic as systemd service units in the Ignition configuration. Again, note you need to use the user-data key for Ignition; it will also not work to paste Ignition into this field in the web console.

Launch a Confidential VM

Support for Confidential Computing is a work in progress in Fedora CoreOS. See the issue #1719.
For an overview about confidential VMs on GCP see confidential VM overview.

To launch a confidential FCOS instance, you need to specify the confidential compute type and use a machine type that supports confidential compute.

From the command-line, use --confidential-compute-type and --machine-type.

Launching a confidential instance using confidential type AMD SEV_SNP
STREAM='stable'
NAME='fcos-cvm-node01'
ZONE='us-central1-a'
CONFIG='example.ign'
MACHINE_TYPE='n2d-standard-2'
gcloud compute instances create                \
    --image-project "fedora-coreos-cloud"      \
    --image-family "fedora-coreos-${STREAM}"   \
    --metadata-from-file "user-data=${CONFIG}" \
    --confidential-compute-type "SEV_SNP"      \
    --machine-type "${MACHINE_TYPE}"           \
    --maintenance-policy terminate             \
    --zone "${ZONE} "${NAME}"
Launching a confidential instance using confidential type Intel TDX
STREAM='stable'
NAME='fcos-cvm-node01'
ZONE='us-central1-a'
CONFIG='example.ign'
MACHINE_TYPE='c3-standard-4'
gcloud compute instances create                \
    --image-project "fedora-coreos-cloud"      \
    --image-family "fedora-coreos-${STREAM}"   \
    --metadata-from-file "user-data=${CONFIG}" \
    --confidential-compute-type "TDX"      \
    --machine-type "${MACHINE_TYPE}"           \
    --maintenance-policy terminate             \
    --zone "${ZONE} "${NAME}"
Example Confidential VM Boot Verification
ssh core@<ip address>
# Confirm the VM is using `AMD SEV-SNP` confidential type
sudo systemd-detect-virt --cvm
sev-snp

# Confirm the VM is using `Intel TDX` confidential type
sudo systemd-detect-virt --cvm
tdx
---

Want to help? Learn how to contribute to Fedora Docs