Setting alternatives

Due to an ongoing issue in how alternatives configurations are stored on the system, Fedora CoreOS systems can not use the usual alternatives commands to configure them.

Instead, until this issue is resolved, you can set the symlinks directly in /etc/alternatives. For example, to use the legacy-based variants of the iptables commands:

variant: fcos
version: 1.5.0
storage:
  links:
    - path: /etc/alternatives/iptables
      target: /usr/sbin/iptables-legacy
      overwrite: true
      hard: false
    - path: /etc/alternatives/iptables-restore
      target: /usr/sbin/iptables-legacy-restore
      overwrite: true
      hard: false
    - path: /etc/alternatives/iptables-save
      target: /usr/sbin/iptables-legacy-save
      overwrite: true
      hard: false
    - path: /etc/alternatives/ip6tables
      target: /usr/sbin/ip6tables-legacy
      overwrite: true
      hard: false
    - path: /etc/alternatives/ip6tables-restore
      target: /usr/sbin/ip6tables-legacy-restore
      overwrite: true
      hard: false
    - path: /etc/alternatives/ip6tables-save
      target: /usr/sbin/ip6tables-legacy-save
      overwrite: true
      hard: false

Using alternatives commands

Starting with Fedora CoreOS based on Fedora 41, you can use alternatives commands to configure the default command.

  1. Example Butane config using a systemd unit to configure the default iptables backend

variant: fcos
version: {butane-latest-stable-spec}
systemd:
  units:
    - name: custom-iptables-default.service
      enabled: true
      contents: |
        [Unit]
        Description=Set the default backend for iptables
        [Service]
        ExecStart=/usr/sbin/alternatives --set iptables /usr/sbin/iptables-legacy
        RemainAfterExit=yes
        [Install]
        WantedBy=multi-user.target
We don’t recommend configuring the default iptables backend to iptables-legacy. This is just an example.

You can also manually run the alternatives commands to configure the default command runtime.

  1. Example to manually configure the default iptables backend

# Check the link info
alternatives --display iptables
iptables --version

# Configure iptables to point to iptables-nft
sudo alternatives --set iptables /usr/sbin/iptables-nft

# Verify iptables version is iptables-nft
alternatives --display iptables
iptables --version

Want to help? Learn how to contribute to Fedora Docs