Install / run Fedora CoreOS (FCOS) on KVM / OpenStack

Fedora CoreOS (FCOS) is a minimal operating system designed to run containerized workloads securely and at scale. The building blocks of this operating system are the excellent CoreOS and Fedora Atomic. It has automatic updates and is immutable to ensure the operating system is stable and reliable. The operating system will use rpm-ostree to automatically update the latest operating system improvements, bug fixes and security updates.

Unlike other Linux operating systems, Fedora CoreOS (FCOS) is not configured during installation. Every FCOS system starts with a universal disk image. For each deployment mechanism (cloud VM, local VM, bare metal), configuration can be provided at first startup. FCOS uses the following command to read and apply the configuration file ignition.

When installing Fedora CoreOS on a bare metal or as a virtual machine with an ISO file, Ignition will inject the configuration during the installation. But for deployments done in a cloud environment, Ignition will collect configurations through the cloud’s user data mechanism.

Run / install Fedora CoreOS (FCOS) on KVM / OpenStack

In this guide, we will introduce how to run Fedora CoreOS (FCOS) in OpenStack and KVM virtualization environments. Following is the standard process for configuring the unchanged Fedora CoreOS infrastructure on OpenStack / KVM.

  1. You first write Fedora CoreOS configuration (FCC)-This is a YAML file that specifies the required configuration of the computer.
  2. You will then use Fedora CoreOS Config Transpiler to Verify your FCC and convert it to ignition configuration.
  3. The final step is to boot the Fedora CoreOS computer and pass the generated Ignition configuration. After the computer starts successfully to start provisioning.

Step 1: Download the latest QCOW2 image

Go to FCOS download page Retrieves the latest images for QEMU.


wget -O fedora-coreos-openstack.qcow2.xz
unxz fedora-coreos-openstack.qcow2.xz


wget -O fedora-coreos-qemu.qcow2.xz
unxz fedora-coreos-qemu.qcow2.xz

For Openstack, you need to upload the Fedora CoreOS image to the OpenStack Glance service:

openstack image create "fcos" 
    --file fedora-coreos-openstack.qcow2 
    --disk-format qcow2 --container-format bare 

Confirm that the image has been uploaded:

$ openstack image list
| ID                                   | Name            | Status |
| 6576c788-19e1-4de4-bf63-a769763cd00d | fcos            | active |

Step 2: Create Fedora CoreOS Config (FCC)

The FCC is a YAML file with the required computer configuration. The FCC supports all ignition functions and provides additional syntax (“sugar”) to make it easier to specify typical configuration changes.

This is my basic YAML configuration file for adding SSH keys to the default core user.

$ vim fcos.fcc 
variant: fcos
version: 1.0.0
    - name: core
        - ssh-rsa xx...


  • Core Is the name of the FCOS user
  • xx … Is the content of your public key

Covers full details of the FCC and its specifications FCOS setup and configuration page.

Step 3: Convert the FCC to an ignition configuration

We will now use the Fedora CoreOS Config Transpiler to validate the FCC and convert it to an Ignition configuration.

--- Podman ---
$ podman pull
$ podman run -i --rm -pretty -strict  fcos.ign

--- Docker ---
$ docker pull
$ docker run -i --rm -pretty -strict  fcos.ign

replace fcos.fcc With the name of the FCC file and fcos.ign With the name of the ignition file to be created.

You can manually verify the ignition profile using:

--- Podman ---
$ podman run --rm -i - < fcos.ign

--- Docker ---
$ docker run --rm -i - < fcos.ign

Step 4: Start your Fedora CoreOS computer

After preparing the ignition file, you can create a Fedora CoreOS computer by passing the created Ignition configuration.

On OpenStack

OpenStack CLI: Configuring and using the OpenStack CLI

$ openstack server create 
 --image fcos 
 --flavor m1.small 
 --network private  
 --user-data fcos.ign 


  • Upload the name of your SSH key to OpenStack.
  • The ID of the security group has been uploaded to OpenStack

Output immediately at the beginning of the build

| Field                               | Value                                       |
| OS-DCF:diskConfig                   | MANUAL                                      |
| OS-EXT-AZ:availability_zone         |                                             |
| OS-EXT-SRV-ATTR:host                | None                                        |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                        |
| OS-EXT-SRV-ATTR:instance_name       |                                             |
| OS-EXT-STS:power_state              | NOSTATE                                     |
| OS-EXT-STS:task_state               | scheduling                                  |
| OS-EXT-STS:vm_state                 | building                                    |
| OS-SRV-USG:launched_at              | None                                        |
| OS-SRV-USG:terminated_at            | None                                        |
| accessIPv4                          |                                             |
| accessIPv6                          |                                             |
| addresses                           |                                             |
| adminPass                           | ru6YiFeRLWn5                                |
| config_drive                        |                                             |
| created                             | 2020-01-24T19:27:11Z                        |
| flavor                              | m1.small (1)                                |
| hostId                              |                                             |
| id                                  | 6402494f-a2b1-4b6d-b462-7bc54d38d53b        |
| image                               | fcos (6576c788-19e1-4de4-bf63-a769763cd00d) |
| key_name                            | jmutai                                      |
| name                                | fcos                                        |
| progress                            | 0                                           |
| project_id                          | 06bcc3c56ab1489282b65681e782d7f6            |
| properties                          |                                             |
| security_groups                     | name='7fffea2a-b756-473a-a13a-219dd0f1913a' |
| status                              | BUILD                                       |
| updated                             | 2020-01-24T19:27:11Z                        |
| user_id                             | 336acbb7421f47f8be4891eabf0c9cc8            |
| volumes_attached                    |                                             |

Check the status of the virtual machine:

$ openstack server list  --name fcos
| ID                                   | Name | Status | Networks            | Image | Flavor   |
| 6402494f-a2b1-4b6d-b462-7bc54d38d53b | fcos | ACTIVE | private= | fcos  | m1.small |

Let's see if we can ping the VM:

$ ping -c 3
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.320 ms
64 bytes from icmp_seq=2 ttl=64 time=0.297 ms
64 bytes from icmp_seq=3 ttl=64 time=0.373 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.297/0.330/0.373/0.031 ms

Can we SSH to the instance?

$ ssh [email protected]
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/centos/.ssh/id_rsa': 
Fedora CoreOS 31.20200113.3.1

Check the operating system version:

$ cat /etc/os-release 
VERSION="31.20200113.3.1 (CoreOS)"
PRETTY_NAME="Fedora CoreOS 31.20200113.3.1"

$ uname -a
Linux host-10-10-1-126 5.4.8-200.fc31.x86_64 #1 SMP Mon Jan 6 16:44:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


Copy the downloaded image to the virtual machine installation directory, for example:

sudo cp fedora-coreos-qemu.qcow2 /var/lib/libvirt/images/fedora-coreos-qemu.qcow2

Use virt-install:

$ virt-install -n fcos --vcpus 2 -r 2048 
  --os-variant=fedora31 --import 
  --network bridge=virbr0 
  --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/path/to/fcos.ign"

Install packages on Fedora CoreOS

There is a limit to the number of packages you can install on Fedora CoreOS. The main method for updating Fedora CoreOS and installing applications is rpm-ostree.

rpm-ostree Works by modifying the FCOS installation to extend the packages that make up Silverblue. Package layering creates a new "deployed" or bootable file system root, and the system must be rebooted after the package is layered. This preserves the rollback and transaction models.

  • First, generate the rpm repo metadata:
$ sudo rpm-ostree refresh-md 
Enabled rpm-md repositories: updates fedora
Updating metadata for 'updates'... done
rpm-md repo 'updates'; generated: 2020-01-24T14:56:09Z
Updating metadata for 'fedora'... done
rpm-md repo 'fedora'; generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
  • You can install packages on Silverblue using:
$ sudo rpm-ostree install 
$ sudo rpm-ostree install vim
Checking out tree f480038... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2020-01-24T14:56:09Z
rpm-md repo 'fedora' (cached); generated: 2019-10-23T22:52:47Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 13 packages (20.0 MB)
Downloading from 'fedora'... done
Downloading from 'updates'... done
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done

You need to restart after the package is installed:

$ sudo systemctl reboot

Install on bare metal

If you are interested in installing FCOS on bare metal via ISO or PXE boot, please follow Bare metal installation instructions Write Fedora CoreOS to disk. Ignition is injected during installation.

Keep in touch as we will provide more guides on Fedora CoreOS. In the meantime, check out other guides:

Manage packages on Fedora Silverblue using toolbox, rpm-ostree and Flatpak

How to run Docker containers with Podman and Libpod

Setting up Docker container registry and encrypting SSL with Podman

Install Minikube Kubernetes on CentOS 8 / CentOS 7 using KVM