# Provisioning of EU OS

Anaconda allows attended and unattended (hands-off) provisioning of Linux on bare-metal devices and virtual machines. The specific configuration of default values happens in so-called Kickstart configuration files (hereafter named config.toml).

## Provisioning to Bare Metal Machines (desktops/laptops)

The automated provisioning to bare-metal or virtual machines uses Foreman, which allows the lifecycle management of physical and virtual machines.

### Foreman Provisioning Setup

In order to provision EU OS with Foreman, we need to create the provisioning template, which will be rendered to a Kickstart file:

```erb
::include{file=provisioning-template.erb}
```

This template uses a snippet to do an unattended realm join via freeipa_register. The included template freeipa_register tries to install the needed packages on demand, which is not possible here. So we need to create the snippet freeipa_register_ostree, which requires that the needed packages are already installed.

```erb
::include{file=freeipa_register_ostree.erb}
```

In order for the boot procedure to work via PXE/TFTP, we need the PXEGrub2 template fedora_atomic_pxegrub2:

```erb
::include{file=pxegrub2.erb}
```

### Partition Table

The disk should be formatted with Btrfs on top of LUKS full-disk encryption. The included partition table Kickstart default encrypted is sufficient for that. It lets us pass the filesystem type (--type=btrfs) and the passphrase through the parameters autopart_options and disk_enc_passphrase.

### Architectures

Ensure that the architecture x86_64 is present in Provisioning Setup → Architectures.

### Operating System

To create EU-OS as an operating system, go to Hosts → Provisioning Setup → Operating Systems → Create Operating System.

#### Operating System

| Option name | Value |
|---|---|
| Name | EU-OS |
| Major Version | 42 |
| Minor Version | |
| Description | EU-OS 42 |
| Family | Red Hat |
| Root Password Hash | SHA512 |
| Architectures | x86_64 |

#### Partition Table

Selected Items:

  • Kickstart default encrypted

#### Installation Media

Selected Items:

  • Fedora mirror

#### Templates

> [!note]
> Can only be assigned after creation of the Operating System

| Template Type | Value |
|---|---|
| Host initial configuration template | Linux host_init_config default |
| Provisioning template | EU-OS Desktop |
| PXEGrub2 template | Kickstart fedora atomic PXEGrub2 |

#### Parameters

| Name | Type | Value |
|---|---|---|
| install-disk | string | nvme0n1 |
| ostree-image-repo | string | registry.gitlab.com/eu-os/workspace-images/eu-os-base-demo |
| fedora_flavor | string | eu-os-demo |
| autopart_options | string | --type=btrfs |
| disk_enc_passphrase | string | temporarypassphrase |
| lang | string | de_DE.UTF-8 |
| keyboard | string | de |
| time-zone | string | Europe/Berlin |

The templates need to be linked to this operating system in two steps:

  1. Use the Association tab of the provisioning template to assign EU-OS as a supported operating system.
  2. Set the template as the active template in the Templates tab of the operating system.

> [!warning]
> This section is work in progress. Related issue: #39

For testing and development, manual provisioning is easier to set up and offers more flexibility. In a production environment, provisioning using Foreman/PXE/netboot images is likely faster for many machines.

## Manual Provisioning via ISO Image

The custom OCI image can be transferred to a USB installation medium (e.g. a USB pen drive) using several methods:

  • with bluebuild generate-iso (see documentation; no support for config.toml)
  • with the GUI Podman Desktop and its bootc extension (here, a Kickstart config.toml can also be used)
  • with the OCI image bootc-image-builder (see documentation)

The last option offers the most flexibility and can be scripted. An example script build-iso.sh and an example Kickstart config.toml follow below.

> [!important]
> Change the local admin user password, the disk encryption password and the remote OCI image registry!

```bash
#!/bin/bash

# Run this script to generate an ISO from the OS container

set -euxo pipefail

cd "$(dirname "$0")"

TYPE="anaconda-iso"

# Set IMAGE to $1 if provided; otherwise fall back to a default
IMAGE=${1:-registry.gitlab.com/eu-os/workspace-images/eu-os-base-demo/eu-os-demo}

mkdir -p output

sudo podman pull "${IMAGE}"
# bootc-image-builder needs the host's container storage (to read the pulled
# image), the Kickstart in config.toml (read-only) and an output directory
sudo podman run \
    --rm \
    -it \
    --privileged \
    --pull=newer \
    --security-opt label=type:unconfined_t \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    -v ./config.toml:/config.toml:ro \
    -v ./output:/output \
    quay.io/centos-bootc/bootc-image-builder:latest \
    --type "${TYPE}" \
    --rootfs btrfs \
    "${IMAGE}"
```
```toml
[customizations.installer.kickstart]
contents = """
reboot --eject

%post --erroronfail
bootc switch --mutate-in-place --transport registry registry.gitlab.com/eu-os/workspace-images/eu-os-base-demo/eu-os-demo:10

# used during automatic image testing as finished marker
if [ -c /dev/ttyS0 ]; then
    # continue on errors here, because we used to omit --erroronfail
    echo "Install finished" > /dev/ttyS0 || true
fi
%end

# System language
lang en_UK.UTF-8

# Keyboard layout
keyboard de

# OSTree container setup
ostreecontainer --transport="oci" --url="/run/install/repo/container"

# Generated using Blivet version 3.12.1
ignoredisk --only-use=sda

# Erase all partitions and initialize the disk label
clearpart --all --initlabel

#region fde
# Disk partitioning information
autopart --encrypted --passphrase master-passphrase --type btrfs
#endregion fde

# System Timezone
timezone "Europe/Brussels" --utc

# Prohibit login with root
rootpw --lock

# Setup User with sudo permission
user --groups=wheel --name=admin --password=admin-passphrase --plaintext --gecos="EU OS Local Admin"
"""
```

## Full-Disk Encryption LUKS2

> [!warning]
> This section is work in progress. Related issue: #35

Full-Disk Encryption (FDE) protects configuration data and user data in case the device is lost or stolen. Most Linux distributions, as well as EU OS, rely on the software LUKS2 for FDE.

LUKS2 relies on a specific partition setup during the provisioning process. The setup is enabled in the config.toml shown in full above.

```bash
# Disk partitioning information
autopart --encrypted --passphrase master-passphrase --type btrfs
```

### Unlocking LUKS2 Volumes

LUKS2 volumes can be unlocked by a passphrase or by hardware security tokens. By default, a passphrase is used. The default passphrase of the LUKS2 volume is euos. The default LUKS2 passphrase can be changed after installation; as the project progresses, a strong passphrase could instead be generated during partitioning. Hardware security keys serve as an alternative to passphrases and are very convenient. systemd-cryptenroll is used to enroll hardware security tokens such as TPM, FIDO2 and PKCS#11 devices. Currently, FIDO2 is supported to unlock the LUKS2 FDE volume at boot.

#### Enrolling FIDO2 Devices

```sh
# Identify the LUKS container: look for TYPE="crypto_LUKS" and note its UUID,
# which is needed for the kernel argument below
sudo blkid
# Enroll the FIDO2 token on that partition (e.g. /dev/nvme0n1p3)
sudo systemd-cryptenroll --fido2-device auto /dev/<LUKS partition, e.g. nvme0n1p3>
```

#### Configuring Kernel Arguments for FIDO2

```sh
# <LUKS UUID> is the UUID of the crypto_LUKS partition shown by blkid
sudo rpm-ostree kargs --append rd.luks.options=<LUKS UUID>=discard,fido2-device=auto
```
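As an added helper that is not part of the EU OS documentation or tooling, the following POSIX shell script derives the two commands above from blkid output, so the UUID is never copied by hand and nothing is appended when no LUKS container is found. The blkid lines are constructed sample data and the function names are mine; it assumes blkid prints UUID before TYPE on a line, as it does.

```shell
#!/bin/sh
# Added example, not part of the EU OS project: derive the FIDO2 enrollment
# and kernel-argument commands from blkid output instead of copying the UUID
# by hand. Nothing here runs privileged commands; it prints them for review.

# Constructed sample of `sudo blkid` output (not taken from a real machine)
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="A1B2-C3D4" TYPE="vfat" PARTLABEL="EFI System Partition"
/dev/nvme0n1p2: UUID="1f4d3c2b-1111-4e6a-8c1d-0123456789ab" TYPE="ext4" PARTLABEL="boot"
/dev/nvme0n1p3: UUID="9e8d7c6b-5a49-4837-a6b5-c4d3e2f1a0b9" TYPE="crypto_LUKS" PARTUUID="c3d2e1f0-0a1b-4c2d-8e3f-456789abcdef"'

# luks_uuids BLKID_OUTPUT: print "device uuid" for every crypto_LUKS container.
# The space before UUID= keeps PARTUUID= from being picked up by mistake.
luks_uuids() {
    printf '%s\n' "$1" \
        | sed -En 's#^([^:]+):.* UUID="([^"]+)".*TYPE="crypto_LUKS".*#\1 \2#p'
}

# fido2_karg UUID: the rd.luks.options value expected by rpm-ostree kargs
fido2_karg() {
    printf 'rd.luks.options=%s=discard,fido2-device=auto\n' "$1"
}

# fido2_plan BLKID_OUTPUT: print the enrollment and kargs commands for every
# LUKS container; fails instead of printing anything when none is found
fido2_plan() {
    pairs=$(luks_uuids "$1")
    if [ -z "$pairs" ]; then
        echo "no crypto_LUKS partition found; nothing to enroll" >&2
        return 1
    fi
    printf '%s\n' "$pairs" | while read -r dev uuid; do
        echo "sudo systemd-cryptenroll --fido2-device auto $dev"
        echo "sudo rpm-ostree kargs --append $(fido2_karg "$uuid")"
    done
}

# Stand-alone run prints the plan for the sample; on a real host use:
#   fido2_plan "$(sudo blkid)"
fido2_plan "$SAMPLE_BLKID"
```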

## Provisioning with Foreman (PXE and Stub ISO)

  • with Foreman you can manage hardware models and sets of Kickstart files (this requires the Katello plugin)
  • find more information on Foreman on the fleet management page

## Provisioning to Virtual Machines (VMs)

> [!warning]
> This section is work in progress. Investigation is currently on-going (state of 2025-07-20).