Provisioning of EU OS
Anaconda allows for attended and unattended (hands-off) provisioning of Linux on bare-metal devices and virtual machines. The specific configuration of default values happens in so-called Kickstart configuration files (hereafter named config.toml).
References:
- Red Hat Anaconda Manual
- Red Hat Anaconda Manual on Kickstart Installations
- Red Hat Anaconda Manual Kickstart Examples
Provisioning to Bare Metal machines (desktops/laptops)
WARNING
This section is work in progress. Related issue: #39
For testing and development, manual provisioning is easier to setup and offers more flexibility. In a production environment, provisioning using Foreman/PXE/netboot images is likely faster for many machines.
Manual Provisioning via ISO Image
The custom OCI image can be transferred to a USB installation medium (e.g. a USB pen drive) using several methods:
- with bluebuild generate-iso (see documentation; no support for config.toml)
- with the GUI Podman Desktop and its bootc extension (here, also a Kickstart config.toml can be used)
- with the OCI image bootc-image-builder (see documentation)
The last option offers the most flexibility and can be scripted. Find an example script build-iso.sh and Kickstart config.toml here below.
IMPORTANT
Change the local admin user password, the disk encryption password and the remote OCI image registry!
#!/bin/bash
# Run this script to generate an ISO from the OS container
set -euxo pipefail
cd "$(dirname "$0")"
TYPE="anaconda-iso"
# Set IMAGE to $1 if provided; otherwise fall back to a default
IMAGE=${1:-registry.gitlab.com/eu-os/workspace-images/eu-os-base-demo/eu-os-demo}
mkdir -p output
sudo podman pull "${IMAGE}"
# bootc-image-builder runs as root with the host container storage mounted in;
# config.toml (Kickstart customizations) is mounted read-only and the finished
# ISO is written to ./output
sudo podman run \
    --rm \
    -it \
    --privileged \
    --pull=newer \
    --security-opt label=type:unconfined_t \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    -v ./config.toml:/config.toml:ro \
    -v ./output:/output \
    quay.io/centos-bootc/bootc-image-builder:latest \
    --type "${TYPE}" \
    --rootfs btrfs \
    "${IMAGE}"
[customizations.installer.kickstart]
contents = """
reboot --eject
%post --erroronfail
bootc switch --mutate-in-place --transport registry registry.gitlab.com/eu-os/workspace-images/eu-os-base-demo/eu-os-demo:10
# used during automatic image testing as finished marker
if [ -c /dev/ttyS0 ]; then
# continue on errors here, because we used to omit --erroronfail
echo "Install finished" > /dev/ttyS0 || true
fi
%end
# System language (glibc locale name; "en_UK" is not a valid locale, "en_GB" is)
lang en_GB.UTF-8
# Keyboard layout
keyboard de
# OSTree container setup
ostreecontainer --transport="oci" --url="/run/install/repo/container"
# Generated using Blivet version 3.12.1
ignoredisk --only-use=sda
# Erase all partitions and initialize the disk label
clearpart --all --initlabel
#region fde
# Disk partitioning information
autopart --encrypted --passphrase master-passphrase --type btrfs
#endregion fde
# System Timezone
timezone "Europe/Brussels" --utc
# Prohibit login with root
rootpw --lock
# Setup User with sudo permission
user --groups=wheel --name=admin --password=admin-passphrase --plaintext --gecos="EU OS Local Admin"
"""
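The IMPORTANT note above asks to replace the placeholder secrets before building. As an added example that is not part of the EU OS repository, the following hypothetical helper renders the same Kickstart config.toml with the admin password passed as a pre-computed crypt(3) hash (Kickstart's `user --iscrypted`) instead of `--plaintext`, and checks that neither the plaintext flag nor the placeholders survived into the file. It assumes the hash is produced beforehand, e.g. with `openssl passwd -6`; the LUKS passphrase has no hashed form in Kickstart and therefore stays in the clear inside the ISO.

```shell
#!/bin/bash
# Hypothetical helper, not part of the EU OS project: render config.toml with a
# hashed admin password and a caller-chosen LUKS passphrase, then verify that
# neither --plaintext nor the page's placeholder secrets remain in the output.
set -eu

# render_kickstart HASH LUKS_PASSPHRASE IMAGE_REF
# HASH is a crypt(3) hash, e.g. from: openssl passwd -6   (salted SHA-512)
render_kickstart() {
  local hash="$1" luks="$2" image="$3"
  case "$hash" in
    '$6$'* | '$y$'*) ;;                      # SHA-512 crypt or yescrypt only
    *) echo "render_kickstart: password must be a crypt hash" >&2; return 1 ;;
  esac
  # The LUKS passphrase is embedded in the clear: treat the generated ISO as
  # sensitive and rotate the passphrase (cryptsetup luksChangeKey) after install.
  cat <<EOF
[customizations.installer.kickstart]
contents = """
lang en_GB.UTF-8
keyboard de
ostreecontainer --transport="oci" --url="/run/install/repo/container"
ignoredisk --only-use=sda
clearpart --all --initlabel
autopart --encrypted --passphrase ${luks} --type btrfs
timezone "Europe/Brussels" --utc
rootpw --lock
user --groups=wheel --name=admin --password=${hash} --iscrypted --gecos="EU OS Local Admin"
%post --erroronfail
bootc switch --mutate-in-place --transport registry ${image}
%end
reboot --eject
"""
EOF
}

# check_kickstart FILE: succeed only if no plaintext flag or placeholder survives
check_kickstart() {
  ! grep -Eq -- '--plaintext|master-passphrase|admin-passphrase' "$1"
}

# Usage (the hash prompt and the random passphrase are generated at build time):
# render_kickstart "$(openssl passwd -6)" "$(head -c 32 /dev/urandom | base64)" \
#   registry.gitlab.com/eu-os/workspace-images/eu-os-base-demo/eu-os-demo:10 > config.toml
# check_kickstart config.toml
```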
References:
- Fedora 36 Kickstart Syntax Reference (could be outdated!)
- osbuild documentation on Anaconda
- Podman Desktop bootc extension on Github
- Podman Desktop Blog post on bootc extension
Full-Disk Encryption LUKS2
WARNING
This section is work in progress. Related issue: #35
Full-Disk Encryption (FDE) protects configuration data and user data in case the device is lost or stolen. Most Linux distributions, as well as EU OS, rely on the software LUKS2 for FDE.
LUKS2 relies on a specific partition setup during the provisioning process. The setup is enabled in the config.toml available in full above.
# Disk partitioning information
autopart --encrypted --passphrase master-passphrase --type btrfs
Unlocking LUKS2 Volumes
LUKS2 volumes can be unlocked by a passphrase or hardware security tokens. By default, it can be unlocked using a passphrase. The default passphrase of the LUKS2 volume is euos. The default LUKS2 passphrase can be changed after installation; however, as the project progresses, a strong passphrase could be generated during partitioning. Hardware security keys serve as an alternative to passphrases and are very convenient. systemd-cryptenroll is used to enroll hardware security tokens, such as TPM, FIDO2 and PKCS#11 devices. Currently, FIDO2 is supported to unlock the LUKS2 FDE volume at boot.
Enrolling FIDO2 Devices
sudo blkid # look for the device with TYPE="crypto_LUKS" and copy its UUID value into the kernel argument below
sudo systemd-cryptenroll --fido2-device auto /dev/<device, e.g. nvme0n1p3>
Configuring Kernel Arguments for FIDO2
sudo rpm-ostree kargs --append rd.luks.options=<LUKS device ID>=discard,fido2-device=auto
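Copying the UUID by hand is where this two-step procedure goes wrong in practice: a mistyped or ambiguous UUID means the FIDO2 token is enrolled but never consulted at boot. As an added example that is not the project's own tooling, this hypothetical script derives the UUID from blkid output and builds the exact rd.luks.options argument used above, refusing to continue unless exactly one crypto_LUKS device is present. The blkid lines are constructed sample output with fake UUIDs.

```shell
#!/bin/sh
# Hypothetical helper, not part of the EU OS project: turn blkid(8) output into
# the rd.luks.options kernel argument for FIDO2 unlocking at boot.
set -eu

# luks_uuids: print the UUID of every crypto_LUKS device in blkid output on stdin
luks_uuids() {
  awk '/TYPE="crypto_LUKS"/ {
         if (match($0, /UUID="[^"]+"/)) print substr($0, RSTART + 6, RLENGTH - 7)
       }'
}

# fido2_karg: build the karg from the single LUKS UUID found on stdin.
# Fails when zero or several LUKS devices are present instead of guessing.
fido2_karg() {
  uuids=$(luks_uuids)
  n=$(printf '%s\n' "$uuids" | grep -c .) || true
  if [ "$n" -ne 1 ]; then
    echo "fido2_karg: expected exactly one crypto_LUKS device, found $n" >&2
    return 1
  fi
  printf 'rd.luks.options=%s=discard,fido2-device=auto\n' "$uuids"
}

# Constructed sample blkid output (fake UUIDs); stands in for: sudo blkid
# Note the unlocked mapper device: it carries "luks" in its name but is TYPE="btrfs".
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="1111-AAAA" TYPE="vfat" PARTLABEL="EFI System Partition"
/dev/nvme0n1p2: UUID="2c4d7a41-0000-4000-8000-000000000002" TYPE="ext4"
/dev/nvme0n1p3: UUID="0a4e5c4e-0000-4000-8000-000000000003" TYPE="crypto_LUKS"
/dev/mapper/luks-0a4e5c4e-0000-4000-8000-000000000003: UUID="9b1f2d6e-0000-4000-8000-000000000004" TYPE="btrfs"'

# Real use on the installed system:
#   sudo blkid | fido2_karg | xargs sudo rpm-ostree kargs --append
printf '%s\n' "$SAMPLE_BLKID" | fido2_karg
```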
Provisioning with Foreman (PXE and Stub ISO)
- with Foreman you can manage hardware models and sets of Kickstart files (this then requires the Katello plugin)
- find more information on Foreman on the fleet management page
References:
- Foreman Documentation (nightly) on Provisioning Hosts
- Foreman: Provisioning hosts with NetBoot ISO - Leos Stejskal - CfgMgmtCamp 2025 Ghent
Provisioning to Virtual Machines (VMs)
WARNING
This section is work in progress. Investigation is currently on-going (state of 2025-07-20)