Installing Fedora/CentOS bootc on Bare Metal
This guide provides instructions to install Fedora/CentOS bootc to bare metal. Three main options are available:
-
Installing from a stock Anaconda ISO/PXE over the network
-
Installing from a bootc-image-builder generated ISO
-
Installing from the container directly with
bootc install
Prerequisites
Before installing Fedora/CentOS bootc, it’s recommended that you have created a customized derived container image;
but this is not a hard requirement, as it is possible to enable basic system access via
e.g. injecting SSH keys with kickstart or with bootc install
and the -root-ssh-authorized-keys
argument.
Using Anaconda
Fedora/CentOS bootc can be installed using Anaconda.
Installing from the network
The ostreecontainer
kickstart verb can be used to provision your custom container image.
This is a full basic Kickstart example:
# Basic setup
text
network --bootproto=dhcp --device=link --activate
# Basic partitioning
clearpart --all --initlabel --disklabel=gpt
reqpart --add-boot
part / --grow --fstype xfs
# Here's where we reference the container image to install - notice the kickstart
# has no `%packages` section! What's being installed here is a container image.
ostreecontainer --url quay.io/centos-bootc/centos-bootc:stream9
firewall --disabled
services --enabled=sshd
# Only inject a SSH key for root
rootpw --iscrypted locked
sshkey --username root "<your key here>"
reboot
Accessing registries
See the bootc documentation on registries, as well as the Container pull secrets section.
The default Anaconda installation ISOs may also need a duplicate copy of some "bootstrap" configuration in order to access the targeted registry when fetching over the network.
In general you can use the Anaconda %pre
command
to perform arbitrary changes to the installation environment before the target
bootc container image is fetched.
%pre
mkdir -p /etc/ostree
cat > /etc/ostree/auth.json << 'EOF'
{
"auths": {
"quay.io": {
"auth": "<your secret here>"
}
}
}
EOF
%end
%pre
mkdir -p /etc/containers/registries.conf.d/
cat > /etc/containers/registries.conf.d/local-registry.conf << 'EOF'
[[registry]]
location="[IP_Address]:5000"
insecure=true
EOF
%end
Alternatively, the %pre
can fetch data from the network using
binaries included in the installation environment, such as curl
.
Similarly, one can use %pre
to inject trusted certificate
authorities into the installation environment’s /etc/pki/ca-trust/source/anchors
and via running update-ca-trust
.
Finally, insecure registries can be configured in a similar way by
modifying the /etc/containers
directory as documented above.
Generating a custom installer ISO with bootc-image-builder
See the bootc-image-builder documentation;
the key is usage of the anaconda-iso
type.
Conceptually, this generates a system close to the "stock" ISOs available from Fedora/CentOS, except your container image content is embedded in the ISO. This means that there is no need to access the network during installation.
For example, you can copy the ISO to a USB stick, and take it into an air-gapped/disconnected environment and perform a bare metal installation.
Using bootc install
A key goal of the bootc
project is having the container image be
the "source of truth" as much as possible. A "basic" installer
is built into the bootc
project and is available as bootc install to-disk
or bootc install to-filesystem
.
More information is available at the upstream bootc site. |
In the very simplest example, assuming you have a running Linux environment
with podman
, you can perform a bare metal installation to a block device.
Commonly, that existing Linux environment will be a "Live ISO" of some form.
At the current time, in Fedora the most suitable default "Live ISO" is
the Fedora CoreOS Live ISO.
You can inject an Ignition configuration into the Live ISO which
runs the following invocation via e.g. a systemd unit:
$ podman run \
--rm --privileged \
--pid=host \
-v /dev:/dev \
-v /var/lib/containers:/var/lib/containers \
--security-opt label=type:unconfined_t \
<image> \
bootc install to-disk /path/to/disk
More advanced installation with bootc install to-filesystem
In this model, you can configure a target block device and root filesystem
using whatever tools you want (e.g. LVM) and then run the same command above,
except with to-filesystem
:
$ podman run \
--rm --privileged \
--pid=host \
-v /:/target \
-v /dev:/dev \
-v /var/lib/containers:/var/lib/containers \
--security-opt label=type:unconfined_t \
<image> \
bootc install to-filesystem /path/to/mounted/fs
Want to help? Learn how to contribute to Fedora Docs ›