Container Image (Software) Management
Many use cases of Linux on the desktop in the public sector rely on an existing Linux distribution (such as Ubuntu or Debian) and develop customisations on top. System administrators then build an image that contains original (upstream) packages as well as custom packages and custom configuration.
Instead of relying on custom orchestration for such customisations on top of existing Linux distributions, EU OS proposes to use Containerfiles (the vendor-neutral name for Dockerfiles), which produce images in the format standardised by the Open Container Initiative (OCI).
Example:

```dockerfile
# point to base image with FROM directive (tag plus digest, so the base cannot change silently)
FROM registry.gitlab.io/eu-os/workspace-images/eu-os-base:latest@sha256:4ba9085726ebfff22f9e589395929bbf8d46260f07470052011d6b86f4599abd
# install some extra packages; RUN already executes as root, so no sudo is needed
RUN --mount=type=cache,dst=/var/cache \
    --mount=type=cache,dst=/var/log \
    --mount=type=tmpfs,dst=/tmp \
    dnf5 -y group install domain-client && \
    dnf5 -y install subscription-manager puppet && \
    systemctl enable puppet
# add some extra files
RUN cat <<EOT > /etc/puppet/puppet.conf
[main]
server = fleet.testing.eu-os.eu
EOT
```
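The `FROM` line above pins the base image by digest as well as by tag, which is what makes a rebuild reproducible and lets a reviewer verify exactly which upstream content went into the image. The following added example (not code from the EU OS project) is a small check that a CI job could run over a Containerfile: it parses every `FROM` reference into repository, tag and digest and reports references that would float, i.e. a tag without a digest or no tag at all (which resolves to `:latest`). The sample Containerfile text is constructed here and only mirrors the one above.

```python
import re

# Constructed sample, modelled on the Containerfile above; not a file from the EU OS project.
SAMPLE_CONTAINERFILE = """\
# point to base image with FROM directive
FROM registry.gitlab.io/eu-os/workspace-images/eu-os-base:latest@sha256:4ba9085726ebfff22f9e589395929bbf8d46260f07470052011d6b86f4599abd
RUN dnf5 -y install btop
# a helper stage with a tag but no digest: the tag can be re-pointed upstream at any time
FROM docker.io/library/alpine:3.20 AS helper
# neither tag nor digest: resolves to :latest and changes with every upstream push
FROM ghcr.io/example/tools
"""

# FROM [--platform=...] <reference> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE
)
SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Split an OCI image reference into (repository, tag, digest).

    A ':' only counts as the tag separator when it comes after the last '/',
    so a registry port such as localhost:5000/repo is not mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest


def check_from_lines(text):
    """Return (line number, repository, message) for every FROM that is not pinned by digest."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.lower() == "scratch" or ref.startswith("$"):
            continue  # empty base, or a build-arg reference that is resolved at build time
        repo, tag, digest = parse_reference(ref)
        if digest is None:
            what = "no tag or digest (implicitly :latest)" if tag is None else f"tag {tag!r} without digest"
            findings.append((lineno, repo, what + ": base image content can change between builds"))
        elif not SHA256_RE.match(digest):
            findings.append((lineno, repo, f"malformed digest {digest!r}"))
    return findings


if __name__ == "__main__":
    for lineno, repo, msg in check_from_lines(SAMPLE_CONTAINERFILE):
        print(f"line {lineno}: {repo}: {msg}")
```

Run against the sample, the pinned EU OS base passes and the two helper stages are reported. Keeping a human-readable tag next to the digest, as the page's example does, is deliberate: the tag documents intent, the digest enforces it.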
The project BlueBuild adds another layer of abstraction, so that such Containerfiles can be conveniently generated from recipe.yml files.
Example:

```yaml
name: eu-os-my-org
# description will be included in the image's metadata
description: EU OS for My Org
# the base image to build on top of (FROM) and the version tag to use
base-image: registry.gitlab.io/eu-os/workspace-images/eu-os-base
image-version: latest
# module configuration, executed in order
# you can include multiple instances of the same module
modules:
  - type: files
    files:
      - source: system
        destination: / # copies files/system/* (* means everything inside it) into your image's root folder /
  - type: rpm-ostree
    repos:
      - https://copr.fedorainfracloud.org/coprs/eu-os/branding/repo/fedora-%OS_VERSION%/eu-os-branding-%OS_VERSION%.repo
      - https://copr.fedorainfracloud.org/coprs/my-org/branding/repo/fedora-%OS_VERSION%/my-org-branding-%OS_VERSION%.repo
    install:
      - btop
      - yakuake
      - podman-compose
      - my-org-branding
    remove:
      # example: removing firefox (in favor of the flatpak)
      - firefox
      - firefox-langpacks
  - type: default-flatpaks
    notify: true # Send notification after install/uninstall is finished (true/false)
    system:
      # If no repo information is specified, Flathub will be used by default
      install:
        - org.mozilla.firefox
        - org.kde.okular
        - org.kde.kate
      remove:
        - org.kde.kmahjongg
```
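The repo URLs in the rpm-ostree module carry a `%OS_VERSION%` placeholder that is substituted with the Fedora release of the base image when the recipe is rendered. A placeholder that is not closed properly (for example `%OS_VERSION/` instead of `%OS_VERSION%/`) survives substitution and produces a repo URL that cannot be fetched. The following added example (not BlueBuild's own code) expands such templates for a given release and rejects the two mistakes worth catching before a build: a leftover or unknown placeholder, and a repo definition served over plain http, which would let an intermediary hand the image builder its own package source. The repo list is constructed here; the second entry deliberately drops a closing `%`.

```python
import re

# Constructed list of repo templates, mirroring the rpm-ostree module above; the second
# one deliberately omits the closing '%' of a placeholder, the third uses plain http.
SAMPLE_REPOS = [
    "https://copr.fedorainfracloud.org/coprs/eu-os/branding/repo/fedora-%OS_VERSION%/eu-os-branding-%OS_VERSION%.repo",
    "https://copr.fedorainfracloud.org/coprs/my-org/branding/repo/fedora-%OS_VERSION/my-org-branding-%OS_VERSION%.repo",
    "http://mirror.example.org/extra/fedora-%OS_VERSION%/extra.repo",
]

# Placeholders this expander knows; %OS_VERSION% is the one used in the recipe above.
KNOWN_PLACEHOLDERS = {"OS_VERSION"}
PLACEHOLDER_RE = re.compile(r"%([A-Z_]+)%")
# A '%' that is not the start of a percent-encoded byte (%20, %7E, ...) is a broken placeholder.
STRAY_PERCENT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def expand_repo_url(template, os_version):
    """Return the template with %OS_VERSION% replaced, or raise ValueError if it is unsafe or malformed."""
    if not template.startswith("https://"):
        raise ValueError(f"repo definition must be fetched over https: {template}")

    def substitute(match):
        name = match.group(1)
        if name not in KNOWN_PLACEHOLDERS:
            raise ValueError(f"unknown placeholder %{name}% in {template}")
        return str(os_version)

    expanded = PLACEHOLDER_RE.sub(substitute, template)
    if STRAY_PERCENT_RE.search(expanded):
        raise ValueError(f"unbalanced or malformed placeholder in {template}")
    return expanded


def expand_all(templates, os_version):
    """Expand every template; return (list of expanded URLs, list of error messages)."""
    expanded, errors = [], []
    for template in templates:
        try:
            expanded.append(expand_repo_url(template, os_version))
        except ValueError as exc:
            errors.append(str(exc))
    return expanded, errors


if __name__ == "__main__":
    urls, problems = expand_all(SAMPLE_REPOS, 41)
    for url in urls:
        print("ok   ", url)
    for problem in problems:
        print("error", problem)
```

With release 41 the first entry expands to `.../fedora-41/eu-os-branding-41.repo`, the second is rejected for its unclosed placeholder and the third for using http. Running a check like this in CI fails the build early instead of leaving a module with a dead or tamperable repo.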
Introduction to Bootable Containers (bootc)
Normal OCI containers cannot be booted. They rely on a host OS, whose kernel they share, to run them, much as virtual machines rely on a hypervisor. Bootable containers contain all necessary files (kernel included), so that when they are deployed on a bare-metal device (laptop/desktop) they run without such a hypervisor or host OS.
References:
Choice of an EU OS Base Image
For the EU OS Proof of Concept, all distributions that release images with bootc support and offer KDE desktop packages are candidates. The more stable the packages are and the more they are tested (including by the community), the better. To allow third parties to fork EU OS and experiment easily, only images without an enterprise licence are considered for this Proof of Concept:
- Fedora Kinoite images (quay.io/fedora/fedora-kinoite)
- Fedora Universal Blue (ghcr.io/ublue-os/kinoite-main)
- Fedora Secureblue, see https://secureblue.dev/images
- AlmaLinux Atomic Desktop, see https://github.com/AlmaLinux/atomic-desktop/releases/
In addition, Red Hat offers a Red Hat Enterprise Linux (RHEL) bootc container with support against a fee: https://developers.redhat.com/articles/2024/09/24/bootc-getting-started-bootable-containers
Customisations and Updates with Layers
WARNING
This section is work in progress. Related issue: #37
Continuous Integration (CI) and DevOps
WARNING
This section is work in progress. Related issue: #38