• 2022-08-27
  • unique

CoreOS Container Server

Create an Image

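# get coreos image
# STREAM selects the Fedora CoreOS stream (stable | testing | next); the
# :? guard makes the podman command fail loudly instead of passing `-s ""`.
# coreos-installer download verifies the image signature itself, so this path
# does not need the manual checksum step that the raw curl in rescue mode needs.
podman run --pull=always --rm -v "$HOME/.local/share/libvirt/images/":/data -w /data quay.io/coreos/coreos-installer:release download -s "${STREAM:?set STREAM to stable, testing or next}" -p qemu -f qcow2.xz --decompress
# same thing for the stable stream into the current directory; platform (-p) and
# format (-f) are given at call time. $(pwd) is quoted so a cwd containing spaces
# still becomes a single -v argument.
alias coreos-dl='podman run --pull=always --rm -v "$(pwd)":/data -w /data quay.io/coreos/coreos-installer:release download -s stable --decompress'

# for vultr run:
coreos-dl -p vultr -f raw.xz
# for others run:
coreos-dl -p metal -f raw.xz
# upload to temporary storage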

You can also create an ISO with the Ignition config embedded.

Boot into rescue mode and SSH to the server. Get the link for the raw image from:

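# list the stable-stream download URLs together with their sha256 checksums
# (`.disk.sha256` sits next to `.disk.location` in the stream metadata); the
# checksum is what the rescue-mode `dd` step below should verify against.
# -f makes curl fail on HTTP errors instead of feeding an error page to jq.
curl -fsSL "https://builds.coreos.fedoraproject.org/streams/stable.json" | jq '{
  metal_raw_xz: .architectures.x86_64.artifacts.metal.formats."raw.xz".disk.location,
  metal_raw_xz_sha256: .architectures.x86_64.artifacts.metal.formats."raw.xz".disk.sha256,
  vultr_raw_xz: .architectures.x86_64.artifacts.vultr.formats."raw.xz".disk.location,
  vultr_raw_xz_sha256: .architectures.x86_64.artifacts.vultr.formats."raw.xz".disk.sha256,
  do_qcow2_xz: .architectures.x86_64.artifacts.digitalocean.formats."qcow2.gz".disk.location,
  do_qcow2_xz_sha256: .architectures.x86_64.artifacts.digitalocean.formats."qcow2.gz".disk.sha256
}'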

In this example we set up a Knot DNS server.

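# exact artifact taken from stable.json (`.disk.location`, see the jq call above)
export COREOS_DISK="https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/36.20220703.3.1/x86_64/fedora-coreos-36.20220703.3.1-metal.x86_64.raw.xz"
# its checksum from the same metadata (`.disk.sha256`) -- placeholder, fill in
export COREOS_DISK_SHA256="<sha256 of the raw.xz from stable.json .disk.sha256>"
# target disk; defaults to /dev/sda (the boot partition is mounted as /dev/sda3 below)
TARGET_DISK="${TARGET_DISK:-/dev/sda}"

# write image directly to disk, but only after the download has been verified.
# A bare `curl | xz -d | dd` writes whatever the server returned -- an HTML error
# page on failure, or a tampered file -- straight to the disk. If
# coreos-installer is available in the rescue environment, `coreos-installer
# install` does the fetch and signature check itself and is the simpler option.
# -f: fail on HTTP errors instead of piping the error body onwards.
curl -fsSL -o fcos.raw.xz "$COREOS_DISK"
# dd only runs when the checksum matches
printf '%s  fcos.raw.xz\n' "$COREOS_DISK_SHA256" | sha256sum -c - \
  && xz -dc fcos.raw.xz | dd of="$TARGET_DISK" bs=4M status=progress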

# generate ignition file:
# butane runs in a throwaway container; --strict turns any butane warning into an
# error, --pretty indents the resulting JSON. The .bu is read on stdin and the
# rendered .ign is written to stdout.
alias butane="podman run --interactive --rm quay.io/coreos/butane:release --pretty --strict"
butane < coreos-knot.bu > coreos-knot.ign

# mount boot and write ignition file
# /dev/sda3 is presumably the `boot` partition of the image written above -- confirm
# with lsblk/blkid before mounting. Ignition picks up /ignition/config.ign from the
# boot partition on the first boot only, so this has to happen before that boot.
mount /dev/sda3 /mnt
mkdir /mnt/ignition
# paste the contents of the coreos-knot.ign rendered above (it carries the ssh key
# and the knot-dns unit); a copy via scp works just as well
vi /mnt/ignition/config.ign
umount /mnt

After setting up the server we need to configure it.

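# open an interactive knotc against the running knotd through the control socket
# in /tmp/knot-rundir. The volume uses `z` (shared SELinux label) rather than `Z`:
# the same directory is already mounted by the knot-dns container, and a private
# `Z` relabel from a one-shot knotc container would re-label it out from under knotd.
sudo podman run -it --rm -v /tmp/knot-rundir:/rundir:z docker.io/cznic/knot:latest knotc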

In the shell that opens we can configure the server to listen on port 53 with the following commands:

conf-begin
conf-set server.listen 0.0.0.0@53
conf-set server.listen ::@53
conf-commit
exit

After the configuration we have to restart the server in one of the following ways:

# option A: restart the container by hand. The pid file is removed in between
# because knotd presumably refuses to start over a stale knot.pid -- the
# knot-dns unit does the same `rm -f ${POD_RUN}/knot.pid` in its ExecStartPre.
sudo podman stop knot-dns
sudo rm /tmp/knot-rundir/knot.pid
sudo podman start knot-dns
# or run option B: let systemd do it, which re-runs the unit's ExecStartPre steps
# (kill/rm of the old container, pid cleanup, image pull) before starting knotd
sudo systemctl restart knot-dns

Check that it is now listening on the correct port:

# knotd runs with --network host, so it should show up directly as a listener on
# 53/udp and 53/tcp (-t tcp, -u udp, -l listening, -p owning process, -n numeric)
sudo ss -tulpn

Example Butane configs

base config

# Minimal Butane config (fcos 1.4.0): one sudo-capable user with an ssh key.
# Render it with the butane alias above; the result is the Ignition config.
variant: fcos
version: 1.4.0
passwd:
  users:
    - name: core
      groups:
        - wheel
      ssh_authorized_keys:
        # placeholder -- replace with the real public key before rendering
        - >-
          ssh-ed25519
          AAAAC3......
          example@example.com

Knot DNS example

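# Butane config (fcos 1.4.0) for a Fedora CoreOS host that runs Knot DNS in a
# podman container managed by a systemd unit. Render with the butane alias above.
variant: fcos
version: 1.4.0
passwd:
  users:
    - name: core
      groups:
        - wheel
      ssh_authorized_keys:
        # placeholder -- replace with the real public key before rendering
        - >-
          ssh-ed25519
          AAAAC3......
          example@example.com

storage:
  files:
    # knotd runs with --network host (see the unit below) and needs port 53 on the
    # host; systemd-resolved's stub listener is switched off so it does not hold it.
    - path: /etc/systemd/resolved.conf
      mode: 0644
      overwrite: true
      contents:
        inline: |
          [Resolve]
          DNSStubListener=no

systemd:
  units:
    # Notes on the unit below (systemd expands ${VAR} from the Environment= lines
    # before the commands run):
    # - POD_ID=53 is the uid/gid that ends up owning POD_DATA and POD_RUN; it is
    #   presumably the user knotd runs as inside the image -- confirm against the image.
    # - `podman pull ${POD}` fetches docker.io/cznic/knot:latest on every start, so
    #   the running version changes whenever the tag moves; pinning a digest
    #   (image@sha256:...) makes the deployment reproducible and keeps a changed or
    #   compromised tag from being picked up silently.
    # - POD_RUN lives under /tmp (world-writable, subject to tmpfiles cleanup); a
    #   directory under /run would be the conventional place for the control socket.
    # - The `sh -c` ExecStartPre creates POD_DATA and runs `knotc conf-init` only when
    #   the directory does not exist yet. The earlier form used `test -f` (false for a
    #   directory) and an unbraced `A || B && C`, so conf-init ran on every start;
    #   parentheses (not `{ ...; }`) are used so no `;` appears on the systemd line.
    - name: knot-dns.service
      enabled: true
      contents: |
        [Unit]
        Description=Knot DNS
        After=network-online.target
        Wants=network-online.target

        [Service]
        Environment=POD=docker.io/cznic/knot:latest
        Environment=POD_NAME=knot-dns
        Environment=POD_DATA=/var/knot
        Environment=POD_RUN=/tmp/knot-rundir
        Environment=POD_ID=53
        ExecStartPre=-/bin/podman kill ${POD_NAME}
        ExecStartPre=-/bin/podman rm ${POD_NAME}
        ExecStartPre=-/bin/rm -f ${POD_RUN}/knot.pid
        ExecStartPre=-/bin/podman pull ${POD}
        ExecStartPre=-sh -c '/bin/test -d "${POD_DATA}" || (/bin/install -d -o ${POD_ID} -g ${POD_ID} "${POD_DATA}" && /bin/podman run --rm -v ${POD_DATA}:/storage:Z ${POD} knotc conf-init)'
        ExecStartPre=-/bin/install -d -o ${POD_ID} -g ${POD_ID} ${POD_RUN}
        ExecStart=/bin/podman run --name ${POD_NAME} -v ${POD_DATA}:/storage:Z -v ${POD_RUN}:/rundir:Z --network host ${POD} knotd
        ExecStop=/bin/podman stop ${POD_NAME}

        [Install]
        WantedBy=multi-user.target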

An additional configuration step is needed for Exoscale and Vultr: https://github.com/coreos/fedora-coreos-tracker/issues/907#issuecomment-1195936480

restart

![[Pasted image 20221019232427.png]]

setup

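# load a new knot configuration: stop knotd, import, start it again
sudo podman stop knot-dns
# knotd presumably refuses to start over a stale knot.pid (the unit's ExecStartPre
# removes the same file); -f so an already-missing file is not an error here
sudo rm -f /tmp/knot-rundir/knot.pid

# import /tmp/knot-rundir/master.yaml into the confdb in /var/knot while knotd is down.
# Both volumes use `z` (shared SELinux label): the knot-dns container mounts the same
# directories, and a private `Z` relabel from this one-shot would re-label them.
sudo podman run -it --rm -v /tmp/knot-rundir:/rundir:z -v /var/knot:/storage:z docker.io/cznic/knot:latest knotc conf-import /rundir/master.yaml

sudo podman start knot-dns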

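# interactive knotc for the zone-* commands that follow; `z` (shared label) rather
# than `Z`, because /tmp/knot-rundir is also mounted by the running knot-dns container
sudo podman run -it --rm -v /tmp/knot-rundir:/rundir:z docker.io/cznic/knot:latest knotc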
zone-begin catz01.invalid.
zone-set -- @ 0 SOA invalid. invalid. 0 3600 600 2147483646 0
zone-set -- @ 0 NS invaild.
zone-set -- version 0 TXT "2"
# python -c 'import hashlib; print(hashlib.shake_256(f"{DOMAIN}.{PRIMARY_NS}".encode("UTF-8")).hexdigest(15))'
zone-set -- aa0392e3-f0a3-4cba-9936-19fb419f48da.zones 0 PTR rievo.xyz.
zone-set -- group.aa0392e3-f0a3-4cba-9936-19fb419f48da.zones 0 TXT tmpl_unsigned
zone-commit --

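#!/usr/bin/env python3
"""Generate catalog-zone (catz) member records for dnscontrol.

Reads ./domain.json -- expected to be a JSON array of zone names such as
["example.com", ...]; confirm against whatever produces the file -- and prints
one PTR and one TXT entry per zone in dnscontrol's JavaScript syntax.

The member label is the same value used by the hand-written ``zone-set``
commands in these notes:
    shake_256("<domain>.<primary_ns>").hexdigest(15)
"""

import hashlib
import json
import uuid  # kept from the original script; not used below

# generate catz for dnscontrol

# primary name server the member labels are derived from
PRIMARY_NS = "ns.rievo.xyz."


def catz_member_id(domain: str, primary_ns: str = PRIMARY_NS) -> str:
    """Return the 30-hex-char catz member label for ``domain``.

    A hash of "<domain>.<primary_ns>" is used instead of a random UUID so the
    label is stable across runs; it carries no secret.
    """
    d_id = f"{domain}.{primary_ns}".encode("UTF-8")
    return hashlib.shake_256(d_id).hexdigest(15)


def main() -> None:
    """Read ./domain.json and print the PTR/TXT pairs to stdout."""
    with open('./domain.json') as f:
        data = json.load(f)

    for domain in data:
        # generate with hash instead of a uuid so the label is reproducible
        domain_uuid = catz_member_id(domain, PRIMARY_NS)
        print(f"\n    // {domain}")
        print(f"    PTR('{domain_uuid}.zones', '{domain}.'),")
        print(f"    TXT('group.{domain_uuid}.zones', 'tmpl_unsigned'),")


if __name__ == '__main__':
    main()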
zone-begin --
zone-set -- @ 7200 SOA ns.rievo.ch. hostmaster.rievo.net. 2023012000 14400 3600 1209600 3600
zone-set catz01.invalid. @ 0 SOA invalid. invalid. 0 3600 600 2147483646 0
zone-diff --
zone-commit --
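# add to .bashrc
# knotc     -- control socket only (rundir); enough for conf-*/zone-* against a running knotd
# knotc-ro  -- additionally mounts the confdb read-only
# knotc-rw  -- confdb writable (conf-import, conf-init); stop knotd first
# All volumes use `z` (shared label) because knot-dns mounts the same directories.
alias knotc="sudo podman run -it --rm -v /tmp/knot-rundir:/rundir:z docker.io/cznic/knot:latest knotc"
alias knotc-ro="sudo podman run -it --rm -v /tmp/knot-rundir:/rundir:z -v /var/knot:/storage:ro,z docker.io/cznic/knot:latest knotc"
# was misspelled `kontc-rw`
alias knotc-rw="sudo podman run -it --rm -v /tmp/knot-rundir:/rundir:z -v /var/knot:/storage:z docker.io/cznic/knot:latest knotc"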

TODO: try moving to quadlet/systemd-podman https://major.io/p/podman-quadlet-watchtower/

source