Install/Run Fedora CoreOS (FCOS) on KVM/OpenStack

Date: 2020-02-23 14:31:42  Source: igfitidea

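Fedora CoreOS (FCOS) is a minimal operating system designed for running containerized workloads securely and at scale. Its building blocks are the excellent CoreOS and Fedora Atomic. It updates itself automatically and is immutable, which keeps the operating system stable and reliable. The OS uses rpm-ostree to pull in the latest operating system improvements, bug fixes and security updates automatically.

Unlike other Linux operating systems, Fedora CoreOS (FCOS) has no install-time configuration. Every FCOS system starts from a generic disk image. For each deployment mechanism (cloud VM, local VM, bare metal), configuration can be supplied at first boot. FCOS uses Ignition to read and apply the configuration file.

When Fedora CoreOS is installed on bare metal, or as a virtual machine from an ISO file, Ignition injects the configuration at install time. For deployments done in cloud environments, Ignition instead collects the configuration through the cloud user-data mechanism.

Run/Install Fedora CoreOS (FCOS) on KVM/OpenStack

This tutorial shows how to run Fedora CoreOS (FCOS) in OpenStack and KVM virtualization environments. The standard procedure for provisioning immutable Fedora CoreOS infrastructure on OpenStack/KVM is as follows. First, write a Fedora CoreOS Config (FCC), a YAML file that specifies the desired configuration of the machine. Then use the Fedora CoreOS Config Transpiler to validate the FCC and convert it into an Ignition config. The last step is to launch a Fedora CoreOS machine and pass it the generated Ignition config. Provisioning begins once the machine boots successfully.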

Download the latest QCOW2 image

There are two ways to download the FCOS image for OpenStack and KVM.

Using coreos-installer

coreos-installer is a program that assists with installing Fedora CoreOS (FCOS) and Red Hat Enterprise Linux CoreOS (RHCOS). It can also be used to download the latest FCOS image.

Install coreos-installer on Fedora:

--- Fedora Workstation/Server ---
$ sudo dnf install coreos-installer

--- Fedora CoreOS ---
$ rpm-ostree install coreos-installer

Check the options of the download command:

$ coreos-installer download --help
coreos-installer-download 
Download a CoreOS image

USAGE:
    coreos-installer download [OPTIONS]

OPTIONS:
    -s, --stream <name>            Fedora CoreOS stream [default: stable]
        --architecture <name>      Target CPU architecture [default: x86_64]
    -p, --platform <name>          Fedora CoreOS platform name [default: metal]
    -f, --format <name>            Image format [default: raw.xz]
    -u, --image-url <URL>          Manually specify the image URL
    -C, --directory <path>         Destination directory [default: .]
    -d, --decompress               Decompress image and don't save signature
        --insecure                 Skip signature verification
        --stream-base-url <URL>    Base URL for Fedora CoreOS stream metadata
    -h, --help                     Prints help information

List the Fedora CoreOS images available for download:

$ coreos-installer list-stream
Architecture  Platform   Format
x86_64        aliyun     qcow2.xz
x86_64        aws        vmdk.xz
x86_64        azure      vhd.xz
x86_64        gcp        tar.gz
x86_64        metal      iso
x86_64        metal      pxe
x86_64        metal      raw.xz
x86_64        openstack  qcow2.xz
x86_64        qemu       qcow2.xz
x86_64        vmware     ova

Download the image for OpenStack:

coreos-installer download --stream stable --platform openstack --decompress  --format qcow2.xz

Qemu/KVM:

coreos-installer download --stream stable --platform qemu --decompress  --format qcow2.xz

Sample command output:

gpg: Signature made Tue 14 Jan 2017 01:28:28 AM UTC
gpg:                using RSA key 50CB390B3C3359C4
gpg: Good signature from "Fedora (31) <theitroad@localhost>" [ultimate]
> Read disk 431.5 MiB/431.5 MiB (100%)   
./fedora-coreos-31.20170113.3.1-openstack.x86_64.qcow2

Download the FCOS image manually

Copy the latest image URL for your platform from the FCOS download page.

OpenStack:

wget <image-url> -O fedora-coreos-openstack.qcow2.xz
unxz fedora-coreos-openstack.qcow2.xz

QEMU/KVM:

wget  <image-url> -O fedora-coreos-qemu.qcow2.xz
unxz fedora-coreos-qemu.qcow2.xz
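
coreos-installer verifies the GPG signature for you, but the wget path above does not check the download at all. The following is an added example (not part of the original tutorial) that compares a downloaded file against the SHA-256 published in the FCOS stream metadata; the metadata layout shown, the placeholder values and the function names are assumptions made here.

```python
import hashlib
import hmac

# Constructed excerpt in the layout of FCOS stream metadata (stable.json).
# The URL and digests are placeholders, not real release values.
SAMPLE_STREAM = {
    "stream": "stable",
    "architectures": {"x86_64": {"artifacts": {"openstack": {"formats": {
        "qcow2.xz": {"disk": {
            "location": "https://example.invalid/fcos-openstack.qcow2.xz",
            "sha256": "<sha256-of-xz-file>",
            "uncompressed-sha256": "<sha256-of-qcow2-file>",
        }},
    }}}}},
}


def expected_sha256(stream, platform, decompressed=False,
                    fmt="qcow2.xz", arch="x86_64"):
    """Published digest for one artifact; raises KeyError if not listed."""
    artifacts = stream["architectures"][arch]["artifacts"]
    disk = artifacts[platform]["formats"][fmt]["disk"]
    return disk["uncompressed-sha256" if decompressed else "sha256"].lower()


def file_sha256(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so a large image is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(path, stream, platform, decompressed=False):
    """True only if the file on disk matches the stream metadata digest.

    Pass decompressed=True when unxz has already replaced the .xz file.
    """
    want = expected_sha256(stream, platform, decompressed)
    return hmac.compare_digest(file_sha256(path), want)
```

Run the check between wget and unxz, or with decompressed=True afterwards. A matching digest is only as trustworthy as the channel the metadata came over, so the GPG check done by coreos-installer remains the stronger control.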

For OpenStack, we need to upload the Fedora CoreOS image to the OpenStack Glance service:

openstack image create "fcos" \
    --file fedora-coreos-openstack.qcow2 \
    --disk-format qcow2 --container-format bare \
    --public

Confirm that the image has been uploaded:

$ openstack image list
+--------------------------------------+-----------------+--------+
| ID                                   | Name            | Status |
+--------------------------------------+-----------------+--------+
| 6576c788-19e1-4de4-bf63-a769763cd00d | fcos            | active |
+--------------------------------------+-----------------+--------+

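Step 2: Create a Fedora CoreOS Config (FCC)

An FCC is a YAML file holding the desired machine configuration. FCC supports all Ignition functionality and also provides additional syntax (sugar) that makes typical configuration changes easier to specify.

Here is my basic YAML config file, which adds an SSH key to the default core user.

$ vim fcos.fcc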
variant: fcos
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa <ssh-pub-key>

Where: core is the name of the FCOS user, and <ssh-pub-key> is the content of the public key.

Full details of FCC and its specification are covered on the "FCOS Setup and Configuration" page.

Convert the FCC to an Ignition config

Now use the Fedora CoreOS Config Transpiler to validate our FCC and convert it into an Ignition config.

--- Podman ---
$ podman pull quay.io/coreos/fcct
$ podman run -i --rm quay.io/coreos/fcct -pretty -strict < fcos.fcc > fcos.ign

--- Docker ---
$ docker pull quay.io/coreos/fcct
$ docker run -i --rm quay.io/coreos/fcct -pretty -strict < fcos.fcc > fcos.ign

Replace fcos.fcc with the name of your FCC file and fcos.ign with the name of the Ignition file to create.

We can also validate the Ignition config file manually:

--- Podman ---
$ podman run --rm -i quay.io/coreos/ignition-validate - < fcos.ign

--- Docker ---
$ docker run --rm -i quay.io/coreos/ignition-validate - < fcos.ign
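
ignition-validate checks that the file is well formed, not that its contents are safe to boot with. The following audit is an added example, not part of the original tutorial or of Ignition itself; the sample config and the names audit_ignition and remote_findings are constructed here, and the field names assume the Ignition v3 JSON schema.

```python
from urllib.parse import urlparse

# Constructed sample: the tutorial's config (one SSH key for "core") plus
# risky entries added here only to exercise the checks.
SAMPLE_IGN = {
    "ignition": {"version": "3.0.0", "config": {
        "merge": [{"source": "http://192.0.2.10/extra.ign"}]}},
    "passwd": {"users": [
        {"name": "core", "sshAuthorizedKeys": ["ssh-rsa AAAA-constructed"]},
        {"name": "ops", "passwordHash": "$6$constructed$hash"}]},
    "storage": {"files": [
        {"path": "/usr/local/bin/agent", "mode": 511,   # decimal for 0o777
         "contents": {"source": "https://example.com/agent"}},
        {"path": "/etc/motd", "mode": 420,               # decimal for 0o644
         "contents": {"source": "data:,hello"}}]},
}


def remote_findings(where, resource):
    """Flag content Ignition would fetch at first boot without protection."""
    source = resource.get("source") or ""
    scheme = urlparse(source).scheme
    if scheme in ("", "data"):          # inline content, nothing is fetched
        return []
    found = []
    if scheme in ("http", "tftp"):
        found.append(f"{where}: fetched over cleartext {scheme}")
    if not (resource.get("verification") or {}).get("hash"):
        found.append(f"{where}: remote source has no verification.hash")
    return found


def audit_ignition(cfg):
    """Return a list of findings for an Ignition v3 config dict."""
    findings = []
    ign_cfg = cfg.get("ignition", {}).get("config", {})
    for ref in ign_cfg.get("merge", []) + [ign_cfg.get("replace") or {}]:
        findings += remote_findings("ignition.config", ref)
    for user in cfg.get("passwd", {}).get("users", []):
        if user.get("passwordHash"):
            findings.append(f"user {user['name']}: passwordHash set")
    for f in cfg.get("storage", {}).get("files", []):
        findings += remote_findings(f["path"], f.get("contents") or {})
        mode = f.get("mode", 0)
        if mode & 0o002:
            findings.append(f"{f['path']}: world-writable mode {mode:o}")
    return findings
```

On OpenStack the config is delivered as user data, so anything in it, password hashes included, should be treated as readable from inside the instance.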

Launch the Fedora CoreOS machine

With the Ignition file ready, we can create a Fedora CoreOS machine by passing it the Ignition config we created.

On OpenStack

OpenStack CLI: configure and use the OpenStack CLI

$ openstack server create \
 --image fcos \
 --key-name <your-openstack-key-name> \
 --flavor m1.small \
 --security-group  <your-security-group>  \
 --network private  \
 --user-data fcos.ign \
 fcos

Replace <your-openstack-key-name> with the name of the SSH key uploaded to OpenStack, and <your-security-group> with the ID of the security group in OpenStack.

Output immediately after the build starts:

+-------------------------------------+---------------------------------------------+
| Field                               | Value                                       |
+-------------------------------------+---------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                      |
| OS-EXT-AZ:availability_zone         |                                             |
| OS-EXT-SRV-ATTR:host                | None                                        |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                        |
| OS-EXT-SRV-ATTR:instance_name       |                                             |
| OS-EXT-STS:power_state              | NOSTATE                                     |
| OS-EXT-STS:task_state               | scheduling                                  |
| OS-EXT-STS:vm_state                 | building                                    |
| OS-SRV-USG:launched_at              | None                                        |
| OS-SRV-USG:terminated_at            | None                                        |
| accessIPv4                          |                                             |
| accessIPv6                          |                                             |
| addresses                           |                                             |
| adminPass                           | ru6YiFeRLWn5                                |
| config_drive                        |                                             |
| created                             | 2017-01-24T19:27:11Z                        |
| flavor                              | m1.small (1)                                |
| hostId                              |                                             |
| id                                  | 6402494f-a2b1-4b6d-b462-7bc54d38d53b        |
| image                               | fcos (6576c788-19e1-4de4-bf63-a769763cd00d) |
| key_name                            | jmutai                                      |
| name                                | fcos                                        |
| progress                            | 0                                           |
| project_id                          | 06bcc3c56ab1489282b65681e782d7f6            |
| properties                          |                                             |
| security_groups                     | name='7fffea2a-b756-473a-a13a-219dd0f1913a' |
| status                              | BUILD                                       |
| updated                             | 2017-01-24T19:27:11Z                        |
| user_id                             | 336acbb7421f47f8be4891eabf0c9cc8            |
| volumes_attached                    |                                             |
+-------------------------------------+---------------------------------------------+

Check the VM status:

$ openstack server list --name fcos
+--------------------------------------+------+--------+---------------------+-------+----------+
| ID                                   | Name | Status | Networks            | Image | Flavor   |
+--------------------------------------+------+--------+---------------------+-------+----------+
| 6402494f-a2b1-4b6d-b462-7bc54d38d53b | fcos | ACTIVE | private=10.10.1.126 | fcos  | m1.small |
+--------------------------------------+------+--------+---------------------+-------+----------+

Let's see whether we can ping the VM:

$ ping -c 3 10.10.1.126
PING 10.10.1.126 (10.10.1.126) 56(84) bytes of data.
64 bytes from 10.10.1.126: icmp_seq=1 ttl=64 time=0.320 ms
64 bytes from 10.10.1.126: icmp_seq=2 ttl=64 time=0.297 ms
64 bytes from 10.10.1.126: icmp_seq=3 ttl=64 time=0.373 ms

--- 10.10.1.126 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.297/0.330/0.373/0.031 ms

Can we SSH to the instance?

$ ssh core@10.10.1.126
Warning: Permanently added '10.10.1.126' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/centos/.ssh/id_rsa': 
Fedora CoreOS 31.20170113.3.1
Tracker: https://github.com/coreos/fedora-coreos-tracker

Check the OS version:

$ cat /etc/os-release
NAME=Fedora
VERSION="31.20170113.3.1 (CoreOS)"
ID=fedora
VERSION_ID=31
VERSION_CODENAME=""
PLATFORM_ID="platform:f31"
PRETTY_NAME="Fedora CoreOS 31.20170113.3.1"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:31"
HOME_URL="https://getfedora.org/coreos/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-coreos/"
SUPPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
BUG_REPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=31
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=31
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="CoreOS"
VARIANT_ID=coreos
OSTREE_VERSION='31.20170113.3.1'

$ uname -a
Linux host-10-10-1-126 5.4.8-200.fc31.x86_64 #1 SMP Mon Jan 6 16:44:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

On KVM/QEMU

Copy the downloaded image to the virtual machine image directory, for example:

sudo cp fedora-coreos-qemu.qcow2 /var/lib/libvirt/images/fedora-coreos-qemu.qcow2

Using virt-install:

$ virt-install -n fcos --vcpus 2 -r 2048 \
  --os-variant=fedora31 --import \
  --network bridge=virbr0 \
  --disk=/var/lib/libvirt/images/fedora-coreos-qemu.qcow2,format=qcow2,bus=virtio \
  --noautoconsole \
  --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/path/to/fcos.ign"

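Installing packages on Fedora CoreOS

There is a limit to the number of packages we can install on Fedora CoreOS. The main way to update Fedora CoreOS and install applications is rpm-ostree.

rpm-ostree works by modifying the FCOS installation to extend the set of packages from which Silverblue is composed. Package layering creates a new deployment, or bootable filesystem root, and the system must be rebooted after layering packages. This preserves rollback and the transactional model. First, generate the rpm repo metadata:

$ sudo rpm-ostree refresh-md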
Enabled rpm-md repositories: updates fedora
Updating metadata for 'updates'... done
rpm-md repo 'updates'; generated: 2017-01-24T14:56:09Z
Updating metadata for 'fedora'... done
rpm-md repo 'fedora'; generated: 2019-10-23T22:52:47Z
Importing rpm-md... done

Packages can be installed on Silverblue with:

$ sudo rpm-ostree install <package name>
Example:
$ sudo rpm-ostree install vim
Checking out tree f480038... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2017-01-24T14:56:09Z
rpm-md repo 'fedora' (cached); generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 13 packages (20.0 MB)
Downloading from 'fedora'... done
Downloading from 'updates'... done
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
......

A reboot is required after installing packages:

$ sudo systemctl reboot