Managing Packages in Fedora CoreOS - A Comprehensive DNF and rpm-ostree Guide
Fedora CoreOS (FCOS) represents a paradigm shift in operating system design, focusing on minimal, immutable infrastructure optimized for running containerized workloads. Unlike traditional Linux distributions, CoreOS uses a unique approach to package management that combines the atomic updating capabilities of rpm-ostree with the familiar DNF package manager. This guide explores how to effectively manage packages in this container-focused environment while maintaining the stability and security benefits of an immutable OS design.
Understanding the CoreOS Package Management Philosophy
CoreOS adopts a fundamentally different approach to system updates and package management:
```mermaid
graph TD
    A[System Management in CoreOS] --> B[Immutable Base OS]
    A --> C[Atomic Updates]
    A --> D[Layered Packages]
    B --> E[Read-only /usr]
    B --> F[Predictable state]
    C --> G[rpm-ostree]
    G --> H[Complete System Images]
    G --> I[Bootable Snapshots]
    D --> J[DNF/rpm-ostree install]
    J --> K[User Installed Packages]
    J --> L[Container Integration]
```
The key concepts that differentiate CoreOS include:
- Immutable Base System: The core OS is treated as a unit, updated atomically
- Image-Based Updates: System updates are complete filesystem trees, not individual packages
- Package Layering: Additional packages can be “layered” on top of the base image
- Container Focus: Most applications should run as containers, not directly on the host
Initial CoreOS Setup
Before diving into package management, let’s ensure your CoreOS system is properly set up:
Checking System Status
```bash
# View current deployment status
rpm-ostree status

# Example output:
# State: idle
# AutomaticUpdates: disabled
# Deployments:
# ● fedora:fedora/x86_64/coreos/stable
#     Version: 35.20220116.3.0
#     Commit: 9f12...
#     OSName: fedora
```
Enabling Container Tools
CoreOS is designed primarily to run containers. Ensure container tools are enabled:
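```bash
# Podman itself is daemonless and needs no service to run containers;
# this enables only its socket-activated API service
sudo systemctl enable --now podman.socket
```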
Configuring Repository Sources
While CoreOS updates primarily come through rpm-ostree, you can configure additional repositories for layered packages:
```bash
# Create a custom repository configuration
# (the mirror URLs below return metalinks, so they are set with metalink= rather than baseurl=)
sudo mkdir -p /etc/yum.repos.d/
sudo tee /etc/yum.repos.d/custom.repo > /dev/null << EOF
[fedora]
name=Fedora \$releasever - \$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-\$releasever&arch=\$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-\$releasever-\$basearch

[updates]
name=Fedora \$releasever - \$basearch - Updates
metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f\$releasever&arch=\$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-\$releasever-\$basearch
EOF
```
Basic System Update Operations
Checking for Updates
```bash
# Check for available updates without applying them
rpm-ostree upgrade --check
```
Applying System Updates
```bash
# Update the system
rpm-ostree upgrade

# After updating, reboot to apply changes
systemctl reboot
```
Rebasing to a New Version
When you want to move to a newer CoreOS release:
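```bash
# Refs take the form shown by rpm-ostree status: fedora:fedora/<arch>/coreos/<stream>
# Rebase to a different stream (Fedora CoreOS publishes stable, testing and next)
rpm-ostree rebase fedora:fedora/x86_64/coreos/testing

# Or follow the stable stream
rpm-ostree rebase fedora:fedora/x86_64/coreos/stable
```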
Managing Layered Packages
While CoreOS discourages extensive host package installation, you can layer packages when needed:
Installing Packages
```bash
# Install a single package
rpm-ostree install htop

# Install multiple packages
rpm-ostree install vim tmux git

# After installation, reboot to apply changes
systemctl reboot
```
Removing Packages
```bash
# Remove a layered package
rpm-ostree uninstall htop

# Remove multiple packages
rpm-ostree uninstall vim tmux

# After removal, reboot to apply changes
systemctl reboot
```
Searching for Packages
```bash
# Search for available packages
rpm-ostree search httpd
```
Listing Installed Packages
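```bash
# List the layered packages requested on the first listed deployment
# (the JSON key is "requested-packages")
rpm-ostree status --json | jq '.deployments[0]["requested-packages"]'

# List all installed packages (base + layered)
rpm-ostree db list
```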
Advanced Configuration and Maintenance
DNF Configuration Options
You can customize DNF behavior by creating or modifying /etc/dnf/dnf.conf:
```bash
# Create a custom DNF configuration
sudo tee /etc/dnf/dnf.conf > /dev/null << EOF
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=true
best=True
skip_if_unavailable=True
fastestmirror=True
max_parallel_downloads=10
deltarpm=True
EOF
```
Working with Package Groups
CoreOS allows installing predefined groups of packages:
```bash
# List available groups
dnf group list

# Install a package group
rpm-ostree install @"Development Tools"

# After installation, reboot to apply changes
systemctl reboot
```
System Maintenance Operations
Regular maintenance keeps your system running optimally:
```bash
# Remove the pending and rollback deployments (keeping only the booted one)
rpm-ostree cleanup -p -r

# Remove only the rollback deployment
rpm-ostree cleanup -r

# Clean DNF cache
dnf clean all

# Remove cached repository metadata
rpm-ostree cleanup -m
```
System Rollback
One of the key benefits of CoreOS is easy rollback to previous states:
```bash
# List available deployments
rpm-ostree status

# Rollback to previous deployment
rpm-ostree rollback

# Reboot to apply rollback
systemctl reboot

# Pin a deployment (prevent it from being garbage collected);
# the argument is the deployment's index in `ostree admin status`, starting at 0
sudo ostree admin pin 0
```
Integrating with Container Workflows
CoreOS is designed primarily as a container host platform:
Container Base Management
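```bash
# Pull container images
podman pull registry.fedoraproject.org/fedora:latest

# Run a container with host integration
# (publishing host port 80 needs root; rootless Podman can bind ports from 1024 up by default)
podman run -d --name web_server -p 80:80 nginx

# Build custom images
podman build -t custom_app:1.0 .
```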
System Containers
For services that need deeper system integration:
```bash
# Install system container packages
rpm-ostree install podman-compose

# Create a system container definition
mkdir -p ~/.config/containers/systemd/
cat > ~/.config/containers/systemd/web.container << EOF
[Unit]
Description=Web Server Container
After=network-online.target
Wants=network-online.target

[Container]
Image=docker.io/nginx:latest
PublishPort=8080:80
Volume=/var/www/html:/usr/share/nginx/html:Z

[Service]
Restart=always

[Install]
WantedBy=default.target
EOF

# Start the container. The unit generated from web.container is named web.service;
# generated units are not enabled with systemctl enable, the [Install] section
# above is applied at daemon-reload instead
systemctl --user daemon-reload
systemctl --user start web.service
```
Troubleshooting Common Issues
Failed Updates
If updates fail to apply:
```bash
# Check system status
rpm-ostree status

# Clear cached data
rpm-ostree cleanup -b

# Force refresh metadata
rpm-ostree refresh-md -f
```
Package Conflicts
When facing package installation conflicts:
```bash
# Review recent deployment history
rpm-ostree ex history

# Reset to last working state
rpm-ostree rollback

# Allow a request for a package the base image already provides (use with caution)
rpm-ostree install --allow-inactive package_name
```
Logging and Debugging
Viewing logs can help diagnose issues:
```bash
# View system logs
journalctl -u rpm-ostreed

# Show additional fields for each deployment
rpm-ostree status --verbose

# Export transaction history
rpm-ostree ex history > history.txt
```
System Health Checks
Regular health checks help maintain system integrity:
```bash
# Check system status
rpm-ostree status

# View service status
systemctl status rpm-ostreed

# Monitor system resources
top
```
Best Practices for CoreOS Package Management
Performance Optimization
- Use delta RPMs: Enable deltarpm in DNF configuration to reduce download sizes
- Configure appropriate mirror servers: Use geographically close mirrors
- Implement caching strategies: Consider using a local proxy cache for multiple nodes
Security Considerations
- Always verify package signatures: Never disable gpgcheck
- Keep system updated regularly: Schedule regular maintenance windows
- Use trusted repositories only: Avoid third-party repos when possible
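The first and third points can be checked mechanically against the repository files on a host. The function below is an added example, not part of the original guide: it flags every enabled section in a repo directory that turns off gpgcheck or fetches packages, metadata or keys over plaintext http://. The function name audit_repos and the sample repo vendor-tools with its URL are constructed for the illustration.

```shell
#!/bin/sh
# audit_repos DIR: print one finding per line for each enabled section of
# DIR/*.repo that disables gpgcheck or uses a plaintext http:// URL.
# A section without gpgcheck= inherits [main] from dnf.conf and is not flagged.
audit_repos() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue    # glob matched nothing
        awk -v file="$f" '
        function flush_section(   k) {
            if (id != "" && enabled !~ /^(0|false|no|off)$/) {
                if (gpgcheck ~ /^(0|false|no|off)$/)
                    print file ": [" id "] gpgcheck disabled"
                for (k in url)
                    if (url[k] ~ /^http:\/\//)
                        print file ": [" id "] plaintext http URL in " k
            }
            split("", url); enabled = ""; gpgcheck = ""
        }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^[#;]/ || $0 == "" { next }
        /^\[.*\]$/ { flush_section(); id = substr($0, 2, length($0) - 2); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val)
            if (key == "enabled")  enabled  = tolower(val)
            if (key == "gpgcheck") gpgcheck = tolower(val)
            if (key ~ /^(baseurl|metalink|mirrorlist|gpgkey)$/) url[key] = val
        }
        END { flush_section() }
        ' "$f"
    done
}

# Constructed sample input (repo name and URL are made up for the example).
demo=$(mktemp -d)
cat > "$demo/vendor.repo" <<'EOF'
[vendor-tools]
baseurl=http://repo.example.invalid/fedora/$basearch
enabled=1
gpgcheck=0
EOF
audit_repos "$demo"
rm -rf "$demo"
```

Run with no argument it audits /etc/yum.repos.d; empty output means no enabled section was flagged.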
Maintenance Schedule
- Plan regular update windows: Schedule updates during low-usage periods
- Test updates in non-production first: Validate changes before production deployment
- Maintain backup deployments: Always keep at least one known-good deployment
Conclusion
Fedora CoreOS provides a robust, secure platform for container workloads by fundamentally rethinking package management. The combination of rpm-ostree for atomic system updates and DNF for package layering offers both stability and flexibility. By following the practices outlined in this guide, you can effectively manage your CoreOS systems while maintaining the security and reliability benefits of an immutable infrastructure approach.
Remember that CoreOS is designed with containers in mind—the best practice is to run most applications as containers rather than installing packages directly on the host. This containerized approach enhances security, simplifies updates, and improves resource utilization across your infrastructure.