Custom Fedora CoreOS (FCOS) layered images.
base: Includes some cli utils- Install instructions
- Manually verify signature
These images are based on the upstream images of FCOS.
Images are built and tagged using GitHub Actions every time a FCOS stream is updated: stable, testing, and next. Or when a new version of bcachefs or zfs is released.
Upstream currently releases in a 2 week cadence.
Images are published on GitHub Packages (ghcr.io) and are multi-arch for linux/amd64 and linux/arm64.
You can also extend FROM these images in your own Containerfile for further customization, if you wish.
FROM fedora-coreos
Includes:
- Utilities:
pv,fd,ripgrep,procs,tree,neovim,bat,ranger,btop,et,tmux,tcpdump,drill,restorecon,podman-tui,restic,rclone,uv,parted,ncat,buildah,mtr,inxi,gdu,7zip,strace,xxhash,fish python3andnodejsare pulled in as dependencies of the above.- Maybe more utils, check the Containerfile
- Config files necessary to verify the signature on images from this repo
- Config files for a proper auto-update
Image:
ghcr.io/paschun/fcos-layers/base:stable
Tags:
:stable:testing:next- Each FCOS version number is tagged, like
:43.20260119.3.1 :latest->:stable
FROM base
Includes:
- Everything in Base
- Latest bcachefs as a kernel module
Image:
ghcr.io/paschun/fcos-layers/bcachefs:stable
Tags:
:stable:testing:next- FCOS-bcachefs version number, like
:43.20260119.3.1-1.36.0 :latest->:stable
FROM base
Includes:
- Everything in Base
- Latest ZFS as a kernel module
Image:
ghcr.io/paschun/fcos-layers/zfs:stable
Tags:
:stable:testing:next- FCOS-ZFS version number, like
:43.20260119.3.1-2.4.0 :latest->:stable
To install, run
> sudo rpm-ostree rebase --bypass-driver --reboot ostree-unverified-registry:ghcr.io/paschun/fcos-layers/bcachefs:stableThe images are also cryptographically signed.
All images contain the necessary config in /etc/containers/policy.json, /etc/containers/registries.d/, and /etc/pki/ to have ostree verify the signature.
So after getting the signature config files via a first unverified rebase, you can activate ostree signature verification with:
> sudo rpm-ostree rebase --bypass-driver --reboot ostree-image-signed:docker://ghcr.io/paschun/fcos-layers/bcachefs:stableIf you are coming from vanilla FCOS, it uses Zincati by default for updates. Zincati depends on a Cincinnati service that runs on Fedora servers. The Zincati client uses it to see if an update is available, and if so, it runs rpm-ostree upgrade.
After rebasing, you can't use Zincati anymore.
So the base image (and derived images) disables zincati.service and instead enables rpm-ostreed-automatic.timer which triggers rpm-ostreed-automatic.service.
You can see what it will do with systemctl cat rpm-ostreed-automatic.{timer,service}. It just runs rpm-ostree upgrade once a day.
rpm-ostreed-automatic.service is further configured by /etc/rpm-ostreed.conf. In the base image, I have set AutomaticUpdatePolicy=apply in this conf file, which applies upgrades and reboots when the service is triggered.
However, rpm-ostreed-automatic is a dumb service. It runs rpm-ostree upgrade every day and reboots, even if there is no base image update available, even if only to update a few rpm packages, which is unnecessary and wipes out useful rollback images.
So, in the base image I have created a systemd unit drop-in for rpm-ostreed-automatic.service that checks first to see if an update is available before running rpm-ostree upgrade.
The image manifests are signed with cosign. To verify them yourself, get the public key in base/paschun.pub, and run:
> cosign verify --key paschun.pub ghcr.io/paschun/fcos-layers/bcachefs:stable