HowTo: Test the Fedora Atomic container images by rebasing

:warning: Warning

These images are not yet released. They may cause issues that can lead to you needing to reinstall the system.
You will use images from the quay.io container host and need to add manual configurations that are not in Fedora yet.

They are also less bandwidth-optimized, as OSTree only downloads the diffs, while the OCI images are updated with container chunks that are bigger.

Do this at your own risk!


The Atomic Desktops use ISOs that install the system using OSTree remotes.

The container images are a side project, and possibly replace the OSTree remote in the future.

They became popular indirectly, as uBlue uses them for all their dozens of images, including the flagship variants Bazzite, Bluefin/Aurora and uCore.

This tells enough about their reliability. To try them today, follow these instructions:

As an example I use Kinoite; you can see all options here.

1. Make a backup

It could always be that the other variant does not boot. If you need your system and want to be sure to have a backup, make one now:

run0
ostree admin pin 0

2. Rebase to the unsigned image

Due to a current issue, this step is necessary.

rpm-ostree rebase --reboot ostree-unverified-registry:quay.io/fedora-ostree-desktops/VARIANT:$(rpm -E %fedora)

3. Rebase to the signed image

After the reboot, use these commands to do the final rebase.

The images are not yet signed.

# get the public key
curl -O "https://gitlab.com/fedora/ostree/ci-test/-/raw/main/quay.io-fedora-ostree-desktops.pub"

# switch to privileged shell
run0
echo $SHELL # make sure to use bash

mkdir -p /etc/pki/containers

cp quay.io-fedora-ostree-desktops.pub /etc/pki/containers/

restorecon -RFv /etc/pki/containers

cat <<EOF > /etc/containers/registries.d/quay.io-fedora-ostree-desktops.yaml
docker:
  quay.io/fedora-ostree-desktops:
    use-sigstore-attachments: true
EOF

restorecon -RFv /etc/containers/registries.d/quay.io-fedora-ostree-desktops.yaml

cat <<EOF > /etc/containers/policy.json
{
    "default": [
        {
            "type": "reject"
        }
    ],
    "transports": {
        "docker": {
            "quay.io/fedora-ostree-desktops": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/etc/pki/containers/quay.io-fedora-ostree-desktops.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }
                }
            ],
            "": [{"type": "insecureAcceptAnything"}]
        },
        "docker-daemon": {
            "": [{"type": "insecureAcceptAnything"}]
        }
    }
}
EOF

bootc switch --enforce-container-sigpolicy quay.io/fedora-ostree-desktops/IMAGENAME:VERSION

4. Verify

After the second reboot, confirm you are using the correct image:

bootc status

Hello, so I tried the first command and it rebooted fine, but the second one gives me

error: Preparing import: Fetching manifest: containers-policy.json specifies a default of insecureAcceptAnything; refusing usage

I'm in Rawhide btw


Those images are not signed. You don’t need the second step.

Disclaimer: Those are not official Fedora images. See: fedora / Fedora Atomic Desktops / ci-test · GitLab

Work to make those images the default in Fedora is tracked in:


Thanks for the info


I updated to the new Rawhide image in quay.io and now I'm stuck in the GRUB command line, so I guess it's a failed test?

Note: I'm not using Secure Boot; it just drops me directly at the GRUB command line.

I can't even roll back. How do I even get logs here?


The Rawhide images now come with composefs enabled, and you need to make sure that your bootloader is updated and BLS-capable before switching to them.

This is why those images are not the default yet, as there are still issues to solve, notably with the transition from the classic ostree installations.


So these images are the “how to test” for the change proposal?

Do they already have ostree-grub2 removed?

I am currently struggling on getting updates to stage.

I reinstalled it lol, but my GRUB was updated and BLS-capable, because I enabled it before. Looks like it's the same thing that happened here: F41 Change Proposal: Enabling composefs by default for Atomic Desktops, CoreOS and IoT (Self-Contained) - #18 by jbtrystram

I was just about to ask.

Should we test if rebasing to signed works now?

I tried, and get

error: Preparing import: Fetching manifest: containers-policy.json specifies a default of insecureAcceptAnything; refusing usage

The default container policy seems odd:
$ cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
}

I suppose you need to download the pubkey first:

curl -fsSL "https://gitlab.com/fedora/ostree/ci-test/-/raw/main/quay.io-fedora-ostree-desktops.pub" | run0 tee /etc/pki/containers/quay.io-fedora-ostree-desktops.pub >/dev/null

cat /etc/pki/containers/quay.io-fedora-ostree-desktops.pub

Then… I guess trust the entire image host?

podman image trust set quay.io -t signedBy -f /etc/pki/containers/quay.io-fedora-ostree-desktops.pub
This edits the policy:
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
            "quay.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/containers/quay.io-fedora-ostree-desktops.pub"
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}

Now getting error: Creating importer: failed to invoke method OpenImage: failed to invoke method OpenImage: A signature was required, but no signature exists

So I guess close, but not yet done.

These are the steps you can follow if you want to switch/rebase to signed bootable container images, assuming you are using an updated Atomic Desktops 41 version.

Switch to signed Atomic Desktops bootable container images
$ sudo ostree admin pin 0

$ sudo mkdir -p /etc/pki/containers
$ curl -O "https://gitlab.com/fedora/ostree/ci-test/-/raw/main/quay.io-fedora-ostree-desktops.pub"
$ sudo cp quay.io-fedora-ostree-desktops.pub /etc/pki/containers/
$ sudo restorecon -RFv /etc/pki/containers

$ sudo bash -c 'cat <<EOF > /etc/containers/registries.d/quay.io-fedora-ostree-desktops.yaml
docker:
  quay.io/fedora-ostree-desktops:
    use-sigstore-attachments: true
EOF'
$ sudo restorecon -RFv /etc/containers/registries.d/quay.io-fedora-ostree-desktops.yaml

$ cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "reject"
        }
    ],
    "transports": {
        "docker": {
            "quay.io/fedora-ostree-desktops": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/etc/pki/containers/quay.io-fedora-ostree-desktops.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }
                }
            ],
            "": [{"type": "insecureAcceptAnything"}]
        },
        "docker-daemon": {
            "": [{"type": "insecureAcceptAnything"}]
        }
    }
}

$ sudo bootc switch --enforce-container-sigpolicy quay.io/fedora-ostree-desktops/silverblue:41
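The "refusing usage" error quoted earlier in this thread comes from the default rule of policy.json, and the podman-generated policy trusts the whole host with a GPG rule rather than the sigstore rule the working policy above uses. The following checker is an added example (not code from this thread, Fedora or bootc): it applies the scope lookup described in containers-policy.json(5) to a policy text and lists what would keep the signed switch from being accepted. The three embedded policies are constructed to mirror the ones quoted in this thread, and the expected key path and repository are the ones from the post above.

```python
import json

IMAGE_REPO = "quay.io/fedora-ostree-desktops"
KEY_PATH = "/etc/pki/containers/quay.io-fedora-ostree-desktops.pub"

# Constructed samples mirroring the three policies quoted in the thread:
# the working one (reject default + sigstoreSigned), the stock one that
# bootc refused, and the one `podman image trust set quay.io` generated.
GOOD_POLICY = '{"default":[{"type":"reject"}],"transports":{"docker":{"quay.io/fedora-ostree-desktops":[{"type":"sigstoreSigned","keyPath":"/etc/pki/containers/quay.io-fedora-ostree-desktops.pub","signedIdentity":{"type":"matchRepository"}}],"":[{"type":"insecureAcceptAnything"}]},"docker-daemon":{"":[{"type":"insecureAcceptAnything"}]}}}'
STOCK_POLICY = '{"default":[{"type":"insecureAcceptAnything"}],"transports":{"docker-daemon":{"":[{"type":"insecureAcceptAnything"}]}}}'
PODMAN_TRUST_POLICY = '{"default":[{"type":"insecureAcceptAnything"}],"transports":{"docker":{"quay.io":[{"type":"signedBy","keyType":"GPGKeys","keyPath":"/etc/pki/containers/quay.io-fedora-ostree-desktops.pub"}]},"docker-daemon":{"":[{"type":"insecureAcceptAnything"}]}}}'

def scope_candidates(repo: str) -> list[str]:
    """Scopes in the order containers-policy.json(5) consults them: the full
    repository, each parent namespace, the registry host, then the "" catch-all."""
    parts = repo.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)] + [""]

def check_policy(policy_text: str, repo: str = IMAGE_REPO) -> list[str]:
    """Return the problems found; an empty list means the policy rejects by
    default and only sigstore-signed images from `repo` are trusted.
    An insecureAcceptAnything default is the condition behind the thread's
    "refusing usage" error."""
    policy = json.loads(policy_text)
    problems = []
    default_types = {r.get("type") for r in policy.get("default", [])}
    if "insecureAcceptAnything" in default_types:
        problems.append("default is insecureAcceptAnything; bootc refuses to enforce it")
    elif default_types != {"reject"}:
        problems.append("default should be reject so unlisted scopes are denied")
    docker = policy.get("transports", {}).get("docker", {})
    scope = next((s for s in scope_candidates(repo) if s in docker), None)
    if scope is None:
        problems.append(f"no docker transport rule covers {repo}")
        return problems
    sig_rules = [r for r in docker[scope] if r.get("type") == "sigstoreSigned"]
    if not sig_rules:
        found = sorted(r.get("type", "?") for r in docker[scope])
        problems.append(f"scope {scope!r} has no sigstoreSigned rule (found {found}); "
                        "the registries.d file enables sigstore attachments, not GPG keys")
        return problems
    rule = sig_rules[0]
    if rule.get("keyPath") != KEY_PATH:
        problems.append(f"scope {scope!r}: keyPath must be the downloaded key {KEY_PATH}")
    if rule.get("signedIdentity", {}).get("type") != "matchRepository":
        problems.append(f"scope {scope!r}: signedIdentity should be matchRepository")
    return problems

if __name__ == "__main__":
    for name, text in [("good", GOOD_POLICY), ("stock", STOCK_POLICY), ("podman", PODMAN_TRUST_POLICY)]:
        print(name, check_policy(text) or "OK")
```

Run it against `cat /etc/containers/policy.json` output before `bootc switch --enforce-container-sigpolicy` to see which of the thread's failure modes a local policy still has.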

Thanks! Good idea to invoke bash; I personally use fish, even though bash is the root shell, so it is used with run0.