Ansible automation for deploying a KVM hypervisor using bootc and Fedora Server.
This Ansible automation uses bootc to create "the perfect" KVM hypervisor with ZFS, NFS + Samba, Cockpit, and Sanoid + Syncoid.
- Install a fresh Fedora Server to the desired host - use the latest minimal install to save disk space on the resulting deployed machine
- Install
podman
on the host - Generate an SSH key
- Create inventory using the example in the
docs
folder - Make sure you have passwordless sudo or root access to desired host using your new SSH key
- Install needed Ansible collections
ansible-galaxy install -r collections/requirements.yml
- Run
ansible-playbook deploy.yml -i inventories/<your_inventory.yml>
- You will need an existing machine with Podman and Ansible
- The Ansible can be run locally or remotely - just be sure to have root or passwordless sudo working
- Create inventory for a local or remote run using the example in the
docs
folder - Run
ansible-playbook iso.yml -i inventories/<your_inventory.yml>
- ISO will be created on the local or remote machine,
/root/bootcblade-output/bootiso/install.iso
- The SSH key (for the user) is added for the root user and baked into the image generation - the resulting BootcBlade image will include your SSH key
- The user, ssh key, and password (if defined) are configured after deployment via Ansible
- The user, SSH key, and password (if defined) are baked into the ISO - the resulting ISO will include your user, SSH key, and hashed password (if defined)
- A new or existing system must exist. This system should be as small as possible because its filesystem will persist in the resulting deployed machine
bootcblade.containerfile
is copied to the existing system, thenpodman build
is used to build the image- Once the image is built, the BootcBlade image is deployed to the system - then it is rebooted
- Ansible creates the user with (or without) the password and adds the SSH key
- An existing system must exist to build the ISO on, no changes to this system are made
- Running the Ansible will create the files necessary to generate the ISO - including the user with (or without) password and the SSH key
- Resulting ISO is stored in the /root directory
- Configuration files and all used container images are deleted
- ISO installer wipes all attached disks - use with caution
Updates happen in two ways. When deploy.yml
is used, there is a systemd unit created (bootcblade-rebuild.service
) that is created and will run once a week.
This service depends on /root/bootcblade.containerfile
to exist, as the container is rebuilt. If the build is successful, then the new container is staged.
The default update service bootc-fetch-apply-updates.service
is masked as well so it will not run.
If deploy.yml
is not used (perhaps the system was installed using an ISO created by iso.yml
), then there is no automated update process
and the default bootc-fetch-apply-updates.service
is still enabled. If you want the automatic update method, then ansible-playbook deploy.yml --tags configure-bootcblade
will need to be run, either remotely or as localhost, and the required variables will need to be defined.
You can use update.yml
to recreate this, assuming you have the correct inventory.
The default tag used for centos-bootc
is referenced in templates/bootcblade.containerfile.j2
- its possible that there was a kernel update, or a release update, that breaks ZFS. Usually these issues are transient and resolve on their own. If you need a build now (perhaps for a fresh system) you can try and see if there is an older release (tag) from the upstream repo, and adjust it using the bootc_image_tag
variable.
https://quay.io/repository/centos-bootc/centos-bootc?tab=tags&tag=latest
This is a description of each variable, what it does, and a table to determine when it is needed.
create_user
: This user will be created duringdeploy.yml
andiso.yml
create_user_password
: This password will be used for the created usercreate_user_ssh_pub
: This is a SSH pubkey that will be added to the created user duringdeploy.yml
andiso.yml
, also it is applied to the root user indeploy.yml
create_user_shell
: This shell setting will be used for the created user only duringdeploy.yml
bootc_image_tag
: Override the source image tag fordeploy.yml
,iso.yml
, andupdate.yml
skip_zfs
: Default is false, if true ZFS and all supporting packages will not be part of the container buildskip_kvm
: Default is false, if true KVM and all supporting packages will not be part of the container buildskip_shares
: Default is false, if true NFS & Smba plus all supporting packages will not be part of the container buildansible_user
- This is an Ansible variable, useful for connecting to the initial machine with a different user duringdeploy.yml
ansible_connection
- This is an Ansible variable, useful when running Ansible locally withiso.yml
andupdate.yml
Variable | Used | Required |
---|---|---|
create_user | X | - |
create_user_password | X | - |
create_user_ssh_pub | X | X |
create_user_shell | X | - |
bootc_image_tag | X | - |
skip_zfs | X | - |
skip_kvm | X | - |
skip_shares | X | - |
Variable | Used | Required |
---|---|---|
create_user | X | X |
create_user_password | X | - |
create_user_ssh_pub | X | X |
create_user_shell | - | - |
bootc_image_tag | X | - |
skip_zfs | X | - |
skip_kvm | X | - |
skip_shares | X | - |
Variable | Used | Required |
---|---|---|
create_user | - | - |
create_user_password | - | - |
create_user_ssh_pub | - | - |
create_user_shell | - | - |
bootc_image_tag | X | - |
skip_zfs | X | - |
skip_kvm | X | - |
skip_shares | X | - |
Due to the nature of UID/GID drift in rpm-ostree and bootc (https://lwn.net/Articles/1018082/), some considerations should be noted for long running systems. Adding packages to your image that create service accounts and updating your deployment to this new image may cause issues.