Installing Fedora/CentOS bootc on Bare Metal

This guide provides instructions to install Fedora/CentOS bootc to bare metal. Three main options are available:

  • Installing from a stock Anaconda ISO/PXE over the network

  • Installing from a bootc-image-builder generated ISO

  • Installing from the container directly with bootc install

Prerequisites

Before installing Fedora/CentOS bootc, it’s recommended that you have created a customized derived container image; but this is not a hard requirement, as it is possible to enable basic system access via e.g. injecting SSH keys with kickstart or with bootc install and the -root-ssh-authorized-keys argument.

Using Anaconda

Fedora/CentOS bootc can be installed using Anaconda.

Installing from the network

The ostreecontainer kickstart verb can be used to provision your custom container image.

This is a full basic Kickstart example:

basic.ks
# Basic setup
text
network --bootproto=dhcp --device=link --activate
# Basic partitioning
clearpart --all --initlabel --disklabel=gpt
reqpart --add-boot
part / --grow --fstype xfs

# Here's where we reference the container image to install - notice the kickstart
# has no `%packages` section!  What's being installed here is a container image.
ostreecontainer --url quay.io/centos-bootc/centos-bootc:stream9

firewall --disabled
services --enabled=sshd

# Only inject a SSH key for root
rootpw --iscrypted locked
sshkey --username root "<your key here>"
reboot
Accessing registries

See the bootc documentation on registries, as well as the Container pull secrets section.

The default Anaconda installation ISOs may also need a duplicate copy of some "bootstrap" configuration in order to access the targeted registry when fetching over the network.

In general you can use the Anaconda %pre command to perform arbitrary changes to the installation environment before the target bootc container image is fetched.

Configuring a pull secret
%pre
mkdir -p /etc/ostree
cat > /etc/ostree/auth.json << 'EOF'
{
        "auths": {
                "quay.io": {
                        "auth": "<your secret here>"
                }
        }
}
EOF
%end
Disable TLS for an insecure registry
%pre
mkdir -p /etc/containers/registries.conf.d/
cat > /etc/containers/registries.conf.d/local-registry.conf << 'EOF'
[[registry]]
location="[IP_Address]:5000"
insecure=true
EOF
%end

Alternatively, the %pre can fetch data from the network using binaries included in the installation environment, such as curl.

Similarly, one can use %pre to inject trusted certificate authorities into the installation environment’s /etc/pki/ca-trust/source/anchors and via running update-ca-trust.

Finally, insecure registries can be configured in a similar way by modifying the /etc/containers directory as documented above.

Generating a custom installer ISO with bootc-image-builder

See the bootc-image-builder documentation; the key is usage of the anaconda-iso type.

Conceptually, this generates a system close to the "stock" ISOs available from Fedora/CentOS, except your container image content is embedded in the ISO. This means that there is no need to access the network during installation.

For example, you can copy the ISO to a USB stick, and take it into an air-gapped/disconnected environment and perform a bare metal installation.

Using bootc install

A key goal of the bootc project is having the container image be the "source of truth" as much as possible. A "basic" installer is built into the bootc project and is available as bootc install to-disk or bootc install to-filesystem.

More information is available at the upstream bootc site.

In the very simplest example, assuming you have a running Linux environment with podman, you can perform a bare metal installation to a block device. Commonly, that existing Linux environment will be a "Live ISO" of some form. At the current time, in Fedora the most suitable default "Live ISO" is the Fedora CoreOS Live ISO. You can inject an Ignition configuration into the Live ISO which runs the following invocation via e.g. a systemd unit:

$ podman run \
--rm --privileged \
--pid=host \
-v /dev:/dev \
-v /var/lib/containers:/var/lib/containers \
--security-opt label=type:unconfined_t \
<image> \
bootc install to-disk /path/to/disk

More advanced installation with bootc install to-filesystem

In this model, you can configure a target block device and root filesystem using whatever tools you want (e.g. LVM) and then run the same command above, except with to-filesystem:

$ podman run \
--rm --privileged \
--pid=host \
-v /:/target \
-v /dev:/dev \
-v /var/lib/containers:/var/lib/containers \
--security-opt label=type:unconfined_t \
<image> \
bootc install to-filesystem /path/to/mounted/fs