Fornitura di Fedora CoreOS su Google Cloud Platform

Questa guida mostra come effettuare il provisioning di nuove istanze Fedora CoreOS (FCOS) su Google Cloud Platform (GCP).

Prerequisiti

Prima di configurare una macchina FCOS, è necessario avere un file di configurazione Ignition con le proprie personalizzazioni. Se non ne hai uno, consulta Produzione di un File Ignition.

Fedora CoreOS dispone di un utente predefinito core che può essere utilizzato per esplorare il sistema operativo. Se desideri utilizzarlo, completa la sua configurazione fornendo, ad esempio, una chiave SSH.

If you do not want to use Ignition to get started, you can make use of the Afterburn support.

You also need to have access to a GCP account. The examples below use the gcloud command-line tool, which must be separately installed and configured beforehand.

Selecting an image family

Fedora CoreOS is designed to be updated automatically, with different schedules per stream.

FCOS images are published under the fedora-coreos-cloud project and further organized into image families, tracking the corresponding stream:

  • fedora-coreos-stable

  • fedora-coreos-testing

  • fedora-coreos-next

Before proceeding, check the details of each update stream and pick the one most suited for your use case.

You can inspect the current state of an image family as follows:

Inspecting an image family
STREAM='stable'
gcloud compute images describe-from-family \
    --project "fedora-coreos-cloud" "fedora-coreos-${STREAM}"

Avvio di un’istanza VM

New GCP instances can be directly created and booted from public FCOS images.

If you just want SSH access and no further customization, you don’t need to pass any custom instance metadata. Depending on your GCP project configuration, relevant SSH public keys will be automatically added to the VM. This provides an easy way to test out FCOS without first creating an Ignition config.

Currently, we don’t support logging in using SSH through the GCP web console, using the gcloud compute ssh CLI method or OS Login. See fedora-coreos-tracker#648 for more information.
Avvio di una nuova istanza
STREAM='stable'
NAME='fcos-node01'
ZONE='us-central1-a'
gcloud compute instances create              \
    --image-project "fedora-coreos-cloud"    \
    --image-family "fedora-coreos-${STREAM}" \
    --zone "${ZONE}" "${NAME}"
You can find out the instance’s assigned IP by running gcloud compute instances list

You now should be able to SSH into the instance using the associated IP address.

Example connecting
ssh core@<ip address>

In order to launch a customized FCOS instance, a valid Ignition configuration must be passed as metadata under the user-data key at creation time. In the web console, this is available under the Management section. From the command-line, use --metadata-from-file:

Launching and customizing a new instance
STREAM='stable'
NAME='fcos-node01'
ZONE='us-central1-a'
CONFIG='example.ign'
gcloud compute instances create                \
    --image-project "fedora-coreos-cloud"      \
    --image-family "fedora-coreos-${STREAM}"   \
    --metadata-from-file "user-data=${CONFIG}" \
    --zone "${ZONE} "${NAME}"
By design, startup scripts are not supported on FCOS. Instead, it is recommended to encode any startup logic as systemd service units in the Ignition configuration. Again, note you need to use the user-data key for Ignition; it will also not work to paste Ignition into this field in the web console.

Launch a Confidential VM

Support for Confidential Computing is a work in progress in Fedora CoreOS. See the issue #1719.
For an overview about confidential VMs on GCP see confidential VM overview.

To launch a confidential FCOS instance, you need to specify the confidential compute type and use a machine type that supports confidential compute.

From the command-line, use --confidential-compute-type and --machine-type.

Launching a confidential instance using confidential type AMD SEV_SNP
STREAM='stable'
NAME='fcos-cvm-node01'
ZONE='us-central1-a'
CONFIG='example.ign'
MACHINE_TYPE='n2d-standard-2'
gcloud compute instances create                \
    --image-project "fedora-coreos-cloud"      \
    --image-family "fedora-coreos-${STREAM}"   \
    --metadata-from-file "user-data=${CONFIG}" \
    --confidential-compute-type "SEV_SNP"      \
    --machine-type "${MACHINE_TYPE}"           \
    --maintenance-policy terminate             \
    --zone "${ZONE} "${NAME}"
Launching a confidential instance using confidential type Intel TDX
STREAM='stable'
NAME='fcos-cvm-node01'
ZONE='us-central1-a'
CONFIG='example.ign'
MACHINE_TYPE='c3-standard-4'
gcloud compute instances create                \
    --image-project "fedora-coreos-cloud"      \
    --image-family "fedora-coreos-${STREAM}"   \
    --metadata-from-file "user-data=${CONFIG}" \
    --confidential-compute-type "TDX"      \
    --machine-type "${MACHINE_TYPE}"           \
    --maintenance-policy terminate             \
    --zone "${ZONE} "${NAME}"
Example Confidential VM Boot Verification
ssh core@<ip address>
# Confirm the VM is using `AMD SEV-SNP` confidential type
sudo systemd-detect-virt --cvm
sev-snp

# Confirm the VM is using `Intel TDX` confidential type
sudo systemd-detect-virt --cvm
tdx
---

Want to help? Learn how to contribute to Fedora Docs