
    Guide to getting Fedora CoreOS, Portainer and Xen Orchestra Docker Support working

      foxy82 (last edited by stormi):

      I have spent way longer than I should have trying to get a VM running Fedora CoreOS with Portainer installed as a Docker container, connected to xscontainer and Xen Orchestra, so I thought I'd document the journey.

      To be honest, once Portainer is installed I'm not sure the rest of the effort to connect Docker to Xen Orchestra is really worth it, but I wasn't going to let this beat me 😄

      If you only want a quick way to get Fedora CoreOS + Portainer up and running, steps 5 -> 14 should have you covered.

      Also I've seen in the forum that xscontainer isn't supported for Xen 8.2, so it is only provided "as-is".

      I'm really new to XCP-NG (this VM is only the second I've installed, after the Xen Orchestra one, so any feedback is much appreciated).

      1. Download the Fedora CoreOS live ISO and upload it to the XCP-NG ISO storage (tested with version: https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/38.20230430.3.1/x86_64/fedora-coreos-38.20230430.3.1-live.x86_64.iso)

      On your XCP-NG host

      2. Install xscontainer: yum install xscontainer
      3. Fix the issue with the old python2-paramiko library (note the warning here: https://xcp-ng.org/forum/topic/6845/xscontainer/18)

      [Moderator UPDATE 2024-03-19 : DON'T DO THIS. This overrides system libs and "voids the warranty" - Stormi]

      yum install python2-pip --enablerepo=epel
      pip2 install --upgrade "pip < 21"
      pip2 install --upgrade "cryptography == 2.5"
      pip2 install --upgrade "paramiko < 3"
      
      4. xscontainer: apply the utf-8 patch (from: https://github.com/xenserver/xscontainer/pull/59/files)
      nano /usr/lib/python2.7/site-packages/xscontainer/util/__init__.py

      Change

      result = str(item) 
      

      to

      result = item.encode('utf-8')
      

      On a Linux machine with Docker, or using WSL, do the following:

      5. Create a password hash for the password used to log in to Fedora CoreOS:
      mkpasswd --method=yescrypt
      
      6. Create a Butane file:
      variant: fcos
      version: 1.3.0
      passwd:
        users:
          - name: core
            password_hash: <YOUR PASSWORD HASH>
            groups:
              - docker
            ssh_authorized_keys:
              - ssh-rsa <YOUR SSH PUBLIC KEY> 
      storage:
        files:
          - path: /etc/hostname
            mode: 0644
            contents:
              inline: |
                docker-vm
          - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf
            mode: 0644
            contents:
              inline: |
                # Fedora CoreOS disables SSH password login by default.
                # Enable it.
                # This file must sort before 40-disable-passwords.conf.
                PasswordAuthentication yes
          - path: /etc/profile.d/systemd-pager.sh
            mode: 0644
            contents:
              inline: |
                # Tell systemd to not use a pager when printing information
                export SYSTEMD_PAGER=cat
          - path: /etc/sysctl.d/20-silence-audit.conf
            mode: 0644
            contents:
              inline: |
                # Raise console message logging level from DEBUG (7) to WARNING (4)
                # to hide audit messages from the interactive console
                kernel.printk=4
      systemd:
        units:
          # Installing software as a layered package with rpm-ostree
          - name: rpm-ostree-install.service
            enabled: true
            contents: |
              [Unit]
              Description=Install software with rpm-ostree
              After=systemd-machine-id-commit.service
              After=network-online.target
              # We run before `zincati.service` to avoid conflicting rpm-ostree transactions.
              Before=zincati.service
              ConditionPathExists=!/var/lib/%N.stamp
      
              [Service]
              Type=oneshot
              RemainAfterExit=yes
              # `--allow-inactive` ensures that rpm-ostree does not return an error
              # if the package is already installed. This is useful if the package is
              # added to the root image in a future Fedora CoreOS release as it will
              # prevent the service from failing.
              ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive xe-guest-utilities-latest
              ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive nmap
              ExecStart=/bin/touch /var/lib/%N.stamp
              # Now reboot to make changes take effect
              ExecStart=/usr/bin/systemctl reboot
              
              [Install]
              WantedBy=multi-user.target
      
          # Start software that has been installed
          - name: postinst2.service
            enabled: true
            contents: |
              [Unit]
              Description=Initial System Setup Part 2
              # We run this after the packages have been overlayed
              After=network-online.target
              ConditionPathExists=!/var/lib/%N.stamp
              ConditionPathExists=/var/lib/rpm-ostree-install.stamp
      
              [Service]
              Type=oneshot
              RemainAfterExit=yes
              ExecStart=/usr/bin/systemctl enable xe-linux-distribution
              ExecStart=/bin/touch /var/lib/%N.stamp
              # Now reboot to make changes take effect
              ExecStart=/usr/bin/systemctl reboot
      
              [Install]
              WantedBy=multi-user.target
      
          - name: docker.portainer.service
            enabled: true
            contents: |-
              [Unit]
              Description=Portainer Admin Container
              After=docker.service
              Requires=docker.service network.target network-online.target
      
              [Service]
              Type=oneshot
              RemainAfterExit=yes
              TimeoutStartSec=0
              ExecStartPre=-/usr/bin/docker stop %n
              ExecStartPre=-/usr/bin/docker rm %n
              ExecStartPre=/usr/bin/docker pull portainer/portainer-ce
              # Data directory must match the host path bind-mounted into the container below
              ExecStart=-/usr/bin/mkdir -p /var/portainer_data
              # Privileged mode is required for binding to local socket to work due to SELINUX (https://github.com/portainer/portainer/issues/849)
              ExecStart=/usr/bin/docker run --privileged=true -d -p 9000:9000 --name %n --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /var/portainer_data:/data portainer/portainer-ce
              ExecStop=/usr/bin/docker stop -t 15 %n
      
              [Install]
              WantedBy=multi-user.target
      
      7. Convert the Butane file to an Ignition file:
      sudo docker run -i --rm quay.io/coreos/butane:release < coreos-for-xcp-ng.bu > coreos.ign
      
      8. Host the file for the VM:
      python3 -m http.server
      

      Back on your XCP-NG host:

      9. Create a VM.
        Template: CoreOS (probably not needed)
        ISO: Select the Fedora CoreOS ISO
        Disk: Set size to 9GiB (to avoid a warning in the VM)

      On the newly created VM's console (host/port are those of the machine hosting the file in step (8)):

      curl -O <host>:<port>/coreos.ign
      sudo coreos-installer install /dev/xvda --ignition-file coreos.ign
      

      Once the install is complete

      poweroff
      
      10. On the VM, disable the DVD drive (in XO this is under the Advanced tab).

      11. Restart the VM. It is designed to reboot itself 2 times. Watch the console for it to finish and don't interrupt it, especially on first power on, when it will sit at a login prompt for quite a long while; resist the urge to log in and let it finish.

      12. Ensure you can log in to the VM console with the username core and the password set in step (5).

      13. Check that Portainer works by going to VM_IP:9000 in a web browser, creating a password and logging in.

      On the XCP-NG console:

      14. Get the UUID of the VM, either with xe vm-list or by looking in XO.

      15. Run

      xscontainer-prepare-vm -v <UUID> --username core
      

      and select the "yes" options throughout.

      You should now have CoreOS with Portainer set up, and should also see the containers in XO in a "Container" tab when you select the VM.

      References:

      1. https://discussion.fedoraproject.org/t/fedora-coreos-xentools-installation-for-xenserver-vms-dummy-mode/21337/2
      2. https://github.com/xcp-ng/xcp/wiki/Docker-in-XCP-ng
      3. https://github.com/xenserver/xscontainer/pull/59
      4. https://www.portainer.io/blog/from-zero-to-production-with-fedora-coreos-portainer-and-wordpress-in-7-easy-steps
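An added example (my code, not foxy82's and not part of xscontainer, Butane or Ignition): a pre-flight audit of the coreos.ign produced in step 7, meant to run before the file is served in step 8. The python3 -m http.server in step 8 hands that file, password hash and Portainer unit included, to anyone who can reach the port, so it is worth knowing exactly what it contains. The checker decodes Ignition `data:` URLs, then flags `PasswordAuthentication yes` in sshd drop-ins, `--privileged` and Docker-socket mounts in unit ExecStart lines, `ssh-rsa` authorized keys, weak password-hash types and docker-group membership; the post's Butane file sets several of these deliberately, and the point is to make that an explicit decision. The embedded document is constructed by hand in the shape butane emits from a `variant: fcos / version: 1.3.0` file (Ignition spec 3.2.0); the hash and key in it are placeholders, not real secrets.

```python
import base64
import json
import re
from urllib.parse import unquote

# Constructed sample: a hand-written Ignition document in the shape that
# `butane` produces from a `variant: fcos / version: 1.3.0` file like the one
# in the post (Ignition spec 3.2.0). The hash and key are placeholders.
SAMPLE_IGN = json.dumps({
    "ignition": {"version": "3.2.0"},
    "passwd": {"users": [{
        "name": "core",
        "passwordHash": "$y$j9T$placeholdersalt$placeholderhash",
        "groups": ["docker"],
        "sshAuthorizedKeys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder core@laptop"],
    }]},
    "storage": {"files": [
        {"path": "/etc/hostname", "mode": 420,
         "contents": {"source": "data:,docker-vm%0A"}},
        {"path": "/etc/ssh/sshd_config.d/20-enable-passwords.conf", "mode": 420,
         "contents": {"source": "data:,%23%20Enable%20password%20login.%0A"
                                "PasswordAuthentication%20yes%0A"}},
    ]},
    "systemd": {"units": [{
        "name": "docker.portainer.service", "enabled": True,
        "contents": "[Unit]\nDescription=Portainer Admin Container\n\n[Service]\n"
                    "ExecStart=/usr/bin/docker run --privileged=true -d -p 9000:9000 "
                    "-v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce\n",
    }]},
})

SSHD_PATHS = ("/etc/ssh/sshd_config", "/etc/ssh/sshd_config.d/")
STRONG_HASH_PREFIXES = ("$y$", "$7$", "$6$")  # yescrypt, scrypt, sha512-crypt
# Matches "--privileged" and "--privileged=true" but not "--privileged=false".
PRIVILEGED = re.compile(r"--privileged(?:=true)?(?=\s|$)")


def decode_data_url(source: str) -> str:
    """Decode an Ignition file `source`; butane emits `data:` URLs that are
    either percent-encoded or `;base64` depending on the content."""
    if not source.startswith("data:"):
        raise ValueError(f"remote sources are not inspected here: {source}")
    header, _, payload = source[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8")
    return unquote(payload)


def sshd_directives(text: str):
    """Yield (keyword, value) pairs for the non-comment lines of an sshd_config
    fragment; sshd keywords are case-insensitive, so lower-case them."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0].lower(), parts[1].strip()


def audit_ignition(ign_text: str):
    """Return findings as (code, where, detail) tuples in document order.
    An empty list means none of the checks below fired."""
    ign = json.loads(ign_text)
    findings = []
    version = ign.get("ignition", {}).get("version", "")
    if not version.startswith("3."):
        findings.append(("unexpected-spec", "ignition.version", version or "missing"))

    for user in ign.get("passwd", {}).get("users", []):
        where = "passwd.users/" + user.get("name", "?")
        pw_hash = user.get("passwordHash")
        if pw_hash and not pw_hash.startswith(STRONG_HASH_PREFIXES):
            findings.append(("weak-password-hash", where, pw_hash[:3]))
        for key in user.get("sshAuthorizedKeys", []):
            if key.startswith("ssh-rsa "):
                findings.append(("rsa-ssh-key", where, "prefer ssh-ed25519 unless a legacy client needs RSA"))
        if "docker" in user.get("groups", []):
            findings.append(("docker-group", where, "docker group membership is root-equivalent"))

    for entry in ign.get("storage", {}).get("files", []):
        path = entry.get("path", "")
        if not path.startswith(SSHD_PATHS):
            continue
        text = decode_data_url(entry.get("contents", {}).get("source", "data:,"))
        for keyword, value in sshd_directives(text):
            if keyword == "passwordauthentication" and value.lower() == "yes":
                findings.append(("ssh-password-auth", path, "PasswordAuthentication yes"))
            if keyword in ("pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes") and "ssh-rsa" in value:
                findings.append(("sha1-rsa-signatures", path, value))

    for unit in ign.get("systemd", {}).get("units", []):
        name = unit.get("name", "?")
        for line in unit.get("contents", "").splitlines():
            if not line.startswith("ExecStart"):
                continue
            if PRIVILEGED.search(line):
                findings.append(("privileged-container", name, "--privileged gives the container full host access"))
            if "docker.sock" in line:
                findings.append(("docker-socket-mounted", name, "the Docker socket in a container is root on the host"))
    return findings


if __name__ == "__main__":
    for code, where, detail in audit_ignition(SAMPLE_IGN):
        print(f"{code:22} {where}: {detail}")
```

To run it against the real output of step 7, call audit_ignition() on the contents of coreos.ign instead of SAMPLE_IGN; each finding names the user, file path or unit it came from. The checks are deliberately conservative string and keyword matches, not a policy engine: a finding means "look at this", and for the post's setup the privileged Portainer container and the Docker socket mount are the two to weigh before exposing port 9000 beyond a test network.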
      codycrypto:

        I found another workaround (a one-step solution) for the "Unable to verify key-based authentication" error without having to mess with any of the Python packaging.

        This would replace steps 3 and 4 above.

        Adding

        PubkeyAcceptedKeyTypes +ssh-rsa

        to your /etc/ssh/sshd_config file will make the VM accept the older authentication.

        stormi (Vates, XCP-ng Team):

          I added a big warning in step 3, which should never be done outside a test host that you are ready to reinstall afterwards.

          codycrypto's comment is another workaround which replaces it without any impact on the host, but it weakens security by accepting weaker key types.

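An added example (mine, not from any participant in this thread) that narrows codycrypto's workaround in the direction stormi's reply points. The `ssh-rsa` entry in `PubkeyAcceptedAlgorithms` (OpenSSH's current name for the keyword; `PubkeyAcceptedKeyTypes` is the older alias) is the RSA-with-SHA-1 signature algorithm that OpenSSH 8.8 and later reject by default, while `rsa-sha2-256` and `rsa-sha2-512` stay enabled, so only clients that can sign with nothing newer than SHA-1 are affected. Rather than re-enabling it for every client, a `Match` block scopes it to the user xscontainer connects as (core, from the `--username core` in the first post) and to the XCP-ng host's address, which is assumed here to be 192.0.2.10 as a placeholder. It is written as a Butane `storage.files` entry in the same shape as the first post's file, assuming the same `variant`/`version`, and drops the file under `/etc/ssh/sshd_config.d/`, the directory the first post already uses for sshd drop-ins.

```yaml
variant: fcos
version: 1.3.0
storage:
  files:
    # Added example, not part of the thread. 192.0.2.10 is a placeholder for
    # the XCP-ng host that runs xscontainer; replace it with the real address.
    - path: /etc/ssh/sshd_config.d/30-xscontainer-legacy-rsa.conf
      mode: 0644
      contents:
        inline: |
          # Global defaults are left alone. Directives after a Match line apply
          # only while all of its criteria hold (User AND Address), until the
          # next Match or the end of the file, so this file carries nothing
          # but the one block.
          Match User core Address 192.0.2.10
              # "+ssh-rsa" appends the SHA-1 RSA signature algorithm to the
              # default list for this user/source only. PubkeyAcceptedKeyTypes
              # is the older spelling of the same keyword.
              PubkeyAcceptedAlgorithms +ssh-rsa
```

After the VM has booted with this, `sudo sshd -T -C user=core,addr=192.0.2.10,host=xcp-host | grep -i pubkeyaccepted` should print the algorithm list with `ssh-rsa` appended, and the same command with a different `addr=` should print the default list without it; if both look the same, the drop-in is not being applied where you expect. Like codycrypto's version this still relaxes an OpenSSH default, so it belongs on the reinstallable test host stormi describes rather than on a VM you care about.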