Beginner's Guide to Fedora CoreOS
This is an automated archive made by the Lemmit Bot.
The original was posted on /r/fedora by /u/TheLinuxITGuy on 2025-01-22 16:20:53+00:00.
In this guide, you’ll learn how to:
- Generate RSA SSH keys
- Generate YAML Butane file
- Convert YAML Butane file into Ignition File needed for CoreOS installation
- Locally share your Ignition File with the CoreOS Install
- Install Fedora CoreOS
- Layer in Firewalld via rpm-ostree
- Setup Firewall rules and DNS
- Setup Pi-hole for network level ad-blocking
Video for the written guide:
Fedora CoreOS is great for turning a VM or an old laptop in my case into an appliance that you want a single task to run on. In this example we will take a VM and make it our Pi-hole DNS server running on top of CoreOS, but you could easily swap out Pi-hole for whatever use-case you may have.
Pre-reqs:
Host PC (I’m running Fedora Silverblue)
VM (or old laptop)
Fedora CoreOS Bare Metal ISO:
Generate RSA SSH key
SSH keys are the more secure future of passwords. Once you get your SSH key generated, you simply add it into your YAML file, which we will set up in the next step. During the generation process, you will be prompted to enter a passphrase for another layer of security. In this example, I will leave the passphrase empty.
To generate the key, open a Terminal and type:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa
There’s no need to memorize anything at this point; just remember your SSH key lives under ~/.ssh, and you’ll want the contents of the id_rsa.pub file for the next step.
Create the Butane YAML Config File
Now that we have our SSH key, we can keep going with our CoreOS setup. The next step is to create our Butane YAML file. In this example, I only include the code that allows SSH to work once we install CoreOS. If you are a CoreOS pro, feel free to add more to your file here. I’m keeping this one super simple for those who are just getting their feet wet with CoreOS. Under my Downloads folder, I created a coreos folder. So the path will be ~/Downloads/coreos. I named the config file config.bu, but you can name it whatever you like, just make sure the file extension is .bu. Remember the id_rsa.pub file we created earlier? Now you can go open it (I use KWrite or VS Code), copy its contents, and paste them into your config.bu file.
Here’s what it should look like (replace XXX with your id_rsa.pub SSH key):
variant: fcos
version: 1.3.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa XXX
Save that bad boy out, and we are ready for the next step.
Convert Butane YAML File into CoreOS Ignition File
Now that we’ve created our YAML file, which we can easily read, we need to convert it into an Ignition file, which is formatted in JSON and is what CoreOS reads. To do that, we’ll be running Butane in a container. To keep everything together, go ahead and change directory into our ~/Downloads/coreos folder again.
Then run the following command in the Terminal exactly how you see it:
podman run -i --rm quay.io/coreos/butane:release --strict < config.bu > coreos.ign
Please note: The arrow, space, filename, space, arrow sequence (< config.bu >) is required. I’d recommend copying/pasting this as long as you’ve named your config.bu file the same as the tutorial.
Congrats! You’ve officially created your ignition file which is required when installing Fedora CoreOS. 90% of the heavy lifting is over. 🙂
Locally share your Ignition File
During the CoreOS install, you’ll notice the install requires a URL pointing to your ignition file. Let’s tackle that next. Change directory back into our ~/Downloads/coreos folder if you aren’t already. We are going to set up temporary web hosting to share our coreos.ign file out to our VM/old laptop without sharing it with the world. The only devices that can see your web host will be internal devices, as long as you aren’t forwarding out port 8000 in your router. Please don’t do that 🙂 You’ll need to know the IP address of your Host PC so you can reference it correctly when typing in the URL of the ignition file.
To find your IP Address on the Host PC, open a Terminal and type:
ip addr
Make note of your Host IP. For this example we can use 192.168.1.8. Now, we will disable our firewall temporarily so we do not receive any 404 access denied errors when trying to access the file for the install.
To disable the firewall, open a Terminal and type:
sudo systemctl stop firewalld
We are now ready to fire up the web host to share the ignition file from the Host machine. To start the web host, open a Terminal and type:
python3 -m http.server
We are using Fedora 41 Silverblue in this tutorial. If your distro doesn’t include Python, please download Python before running the command above.
Everything we have done so far has been on the Host PC. Now it is time to move over to our VM or old laptop to install Fedora CoreOS.
Install Fedora CoreOS
Boot to your Bare Metal ISO you downloaded earlier. You should be presented with a black screen and a Terminal prompt. First, we want to check what our drive names are. To do this, run lsblk. Replace /dev/sdX with the correct drive you wish to target. For VMs, this is normally /dev/vda.
To install CoreOS, run: sudo coreos-installer install /dev/sdX --ignition-url http://192.168.1.8:8000/coreos.ign --insecure-ignition
Remember to replace X with your drive. This is normally sda, but it’s better to run lsblk and be 100% sure.
Once the install completes, you can type shutdown now. Head back to your Host PC and let’s stop the web host and re-enable the firewall. On the Host PC, the terminal that has the web host running can be stopped by pressing CTRL + C.
To re-enable the firewall, please type in a Terminal: sudo systemctl start firewalld
To ensure the firewall is indeed running again on your Host PC, please check in a Terminal with: sudo systemctl status firewalld
Congrats, now we can SSH into our VM or old laptop to finish setting it up. 🙂
Layer in Firewalld with rpm-ostree
By default, CoreOS doesn’t come with firewalld. Let’s change that, but first we need to SSH for the first time into our fresh CoreOS install. To do that, we need to open a Terminal and type: ssh core@192.168.1.8
You’ll be prompted to accept the machine’s host key by typing yes. Also, if you created a passphrase during your SSH key setup, you’ll be prompted to enter that as well. We didn’t do that in this example, so we’ll just type yes. Once you’ve done that, you’ll be presented with text similar to this:
chris@hostpc:/var/home/chris$ ssh core@192.168.1.8
Fedora CoreOS 41.20241215.3.0
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/tag/coreos
Last login: Sun Jan 19 22:21:47 2025 from HOSTPC_IP_ADDRESS_HERE
core@fedora:~$
Think of rpm-ostree a lot like dnf for Fedora. We’ll be using it to layer on top of the base image. Since Silverblue is atomic, we can’t install packages like a normal Fedora install with dnf would. We have to layer them in.
To install firewalld, open a Terminal and type: sudo rpm-ostree install firewalld
Once that completes, go ahead and reboot, re-SSH back in and we’ll setup the Firewall rules.
Setup Firewall Rules and DNS
Setting up the firewall rules with firewalld is very simple. Re-SSH into our CoreOS machine, then copy and paste these rules.
From a Terminal, type:
sudo firewall-cmd --zone=FedoraServer --add-port=80/tcp
sudo firewall-cmd --zone=FedoraServer --add-port=443/tcp
sudo firewall-cmd --zone=FedoraServer --add-port=53/tcp
sudo firewall-cmd --zone=FedoraServer --add-port=53/udp
sudo firewall-cmd --zone=FedoraServer --add-port=67/udp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=53/udp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=53/tcp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=443/tcp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=67/udp
sudo firewall-cmd --permanent --zone=FedoraServer --add-port=80/tcp
Next, we want to set up DNS. In my example, my network is named enp1s0, but yours may be different. To find the network you want to target, type ip addr and it will show to the right of 1, 2, 3… depending on how many network devices you have. Once you have your target network device, open a Terminal and type (I’d recommend copy/pasting this. Please edit in KWrite/VS Code if you need to modify the network device name to fit yours):
sudo nmcli device modify enp1s0 ipv4.addresses 192.168.1.8/24
sudo nmcli device modify enp1s0 ipv4.gateway 192.168.1.1
sudo nmcli device modify enp1s0 ipv4.dns "8.8.8.8 8.8.4.4"
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo unlink /etc/resolv.conf
sudo systemctl restart NetworkManager
Setup Pi-hole
Now our CoreOS is ready for its intended use. Let’s get Pi-hole set up and running. To start, we need to create two volumes required by Pi-hole to operate. Open a Terminal and type:
sudo podman volume create pihole_pihole
`sudo podman volume create p...
Content cut off. Read original on https://old.reddit.com/r/Fedora/comments/1i7ewsf/beginners_guide_to_fedora_coreos/
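
The "Locally share your Ignition File" and "Install Fedora CoreOS" steps stop firewalld and pass --insecure-ignition so the installer accepts the config over plain HTTP. As an added example (not part of the original post), the script below keeps firewalld running, binds the web server to one address and pins coreos.ign by SHA-512 through coreos-installer's --ignition-hash option. The function names and the script name serve-ign.sh are hypothetical; the IP, disk and file name are the guide's sample values.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide. Function names are
# hypothetical; the IP, disk and file name are the guide's sample values.

# Print the digest in the "sha512-<hex>" form that coreos-installer's
# --ignition-hash option accepts.
ignition_digest() {
    local file=$1 hex
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    hex=$(sha512sum -- "$file" | cut -d' ' -f1)
    printf 'sha512-%s\n' "$hex"
}

# Recompute and compare, as the installer does after the download.
# Returns non-zero if the file no longer matches the pinned digest.
ignition_matches() {
    [ "$(ignition_digest "$1")" = "$2" ]
}

# Print the install command to type on the live ISO. Because the config is
# pinned by hash, --insecure-ignition is not needed for the http:// URL.
installer_command() {
    local disk=$1 host_ip=$2 file=$3 digest
    digest=$(ignition_digest "$file") || return 1
    printf 'sudo coreos-installer install %s --ignition-url http://%s:8000/%s --ignition-hash %s\n' \
        "$disk" "$host_ip" "$(basename -- "$file")" "$digest"
}

# Serve the current directory on one address only, leaving firewalld running.
# The rule is runtime-only (no --permanent) and is removed when the script exits.
serve_ignition() {
    local host_ip=$1
    sudo firewall-cmd --add-port=8000/tcp || return 1
    trap 'sudo firewall-cmd --remove-port=8000/tcp' EXIT
    python3 -m http.server 8000 --bind "$host_ip"
}

# Run from ~/Downloads/coreos:  ./serve-ign.sh /dev/vda 192.168.1.8 coreos.ign
if [ "$#" -eq 3 ]; then
    installer_command "$1" "$2" "$3" || exit 1
    serve_ignition "$2"
fi
```

If coreos.ign is changed in transit or regenerated after the command was printed, the installer rejects it because the digest no longer matches.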