@joshenders
Last active August 22, 2024 22:17
Flatcar Container Linux UEFI Setup Under Incus on Debian

In case you missed it, Canonical relicensed LXD under AGPLv3 in December 2023 with a mandatory CLA. The LXD project was hard forked as Incus and licensed under an Apache 2.0 License.

Incus is maintained by the same team of developers that first created LXD and is recommended for new users going forward.

Install and configure

Borrowed from here.

There are two options currently available to Debian users.

  1. A native incus package is currently available in the Debian testing and unstable repositories. This package will be featured in the upcoming Debian 13 (trixie) release.
apt install incus
  2. Zabbly provides up to date and supported Incus packages for Debian stable releases (11 and 12). Those packages contain everything needed to use all Incus features.

Up to date installation instructions may be found here: https://github.com/zabbly/incus

Configure incus

The example config below uses the dir storage driver.

💡 If you have different needs, just run incus admin init interactively and adjust accordingly.

incus admin init --preseed << EOF
---
config: {}
networks: []
storage_pools:
- config: {}
  description: ""
  name: default
  driver: dir
profiles:
- config: {}
  description: ""
  devices:
    root:
      path: /
      pool: default
      type: disk
  name: default
projects: []
cluster: null
EOF

Set variables for convenience

💡 The current stable release of Flatcar Container Linux can be found here.

export CHANNEL="stable"
export VERSION="3815.2.0"
export IMAGE_BASENAME="flatcar_production_qemu_uefi"
export OVMF_DIR="/opt/incus/share/qemu"

Download UEFI image + OVMF files

💡 Flatcar does not yet officially support UEFI secure boot: flatcar/Flatcar#501 There is a PR in-progress that can produce an image which secure boots but it is not yet signed by a UEFI CA.

wget "https://${CHANNEL}.release.flatcar-linux.net/amd64-usr/${VERSION}/${IMAGE_BASENAME}_image.img"
wget -O "${OVMF_DIR}/${IMAGE_BASENAME}_efi_code.fd" "https://${CHANNEL}.release.flatcar-linux.net/amd64-usr/${VERSION}/${IMAGE_BASENAME}_efi_code.fd" 
wget -O "${OVMF_DIR}/${IMAGE_BASENAME}_efi_vars.fd" "https://${CHANNEL}.release.flatcar-linux.net/amd64-usr/${VERSION}/${IMAGE_BASENAME}_efi_vars.fd"

Update permissions of OVMF files

chmod 0444 "${OVMF_DIR}/${IMAGE_BASENAME}_efi_code.fd"
chmod 0644 "${OVMF_DIR}/${IMAGE_BASENAME}_efi_vars.fd"

Create metadata file for image and compress

cat << EOF > metadata.yaml
---
architecture: x86_64
creation_date: $(date +%s)
properties:
    description: ${IMAGE_BASENAME}_image
    os: Flatcar
    release: ${VERSION}
EOF
tar -cvzf metadata.tar.gz metadata.yaml

Import metadata and image to local image repository

incus image import metadata.tar.gz "${IMAGE_BASENAME}_image.img" --alias "flatcar/${VERSION}"

Create a new profile for the instance

This profile is configured for 16GiB of memory, 2 CPUs with pinned affinity, a 16GiB root disk, autostart on boot, and Secure Boot disabled, because the Flatcar EFI image we're using is unsigned. It uses some advanced directives to override the generated QEMU and AppArmor configuration.

💡 For a full list of instance options, see here. If you're unsure what to set here, you can always change this later.

incus profile create flatcar
incus profile edit flatcar << EOF
---
config:
  limits.memory: 16GiB
  limits.cpu: 0,1
  boot.autostart: true
  raw.apparmor: |-
    ${OVMF_DIR}/${IMAGE_BASENAME}_efi_code.fd rk,
    ${OVMF_DIR}/${IMAGE_BASENAME}_efi_vars.fd rwk,
  raw.qemu: |-
    -drive if=pflash,format=raw,file="${OVMF_DIR}/${IMAGE_BASENAME}_efi_code.fd,readonly=on"
    -drive if=pflash,format=raw,file="${OVMF_DIR}/${IMAGE_BASENAME}_efi_vars.fd"
  raw.qemu.conf: |-
    [drive][0]
    [drive][1]
  security.secureboot: "false"
description: Flatcar
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: default
    type: disk
    size: 16GiB
name: flatcar
used_by:
EOF

Initialize new instance derived from the flatcar profile

💡 If you weren't sure what to define for limits.* above, you can pass --type and specify an AWS, GCE, or Azure instance type.

incus launch --profile flatcar --vm local:"flatcar/${VERSION}" flatcar

Connect to console

💡 Ctrl-a, q to escape

incus console flatcar

Optional modifications

Review boot-related options

💡 You can edit your existing profile with incus profile edit flatcar

You may want to review the boot-related options in the LXD Documentation to control startup/shutdown and prioritization.

Configure network interface with a specific MAC address for a DHCP reservation

Incus will assign your instance a random MAC address. You can override this property after the instance has launched with:

💡 The first octet of your locally administered MAC address should be either x2, x6, xA, or xE.

incus config device override flatcar eth0 hwaddr=02:02:03:aa:bb:cc

You can do this at launch time with the --device flag:

incus launch --profile flatcar --vm local:"flatcar/${VERSION}" flatcar --device eth0,hwaddr="02:02:03:aa:bb:cc"
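The "x2, x6, xA or xE" rule above is just two bits of the first octet: the I/G (multicast) bit must be clear and the U/L (locally administered) bit must be set. Below is an added example, not part of the original gist, that checks a candidate hwaddr against that rule before you hand it to incus, and derives a stable locally administered MAC from the instance name so the DHCP reservation survives re-creating the instance (the function names and the SHA-256 derivation are my own choices, not anything Incus provides):

```shell
#!/bin/sh
# Added example (not from the original gist): validate and generate locally
# administered unicast MAC addresses for `incus ... hwaddr=`.

# Returns 0 if $1 is a well-formed, locally administered, unicast MAC; 1 otherwise.
is_local_unicast_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # Must be six colon-separated hex pairs.
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    first=$((0x${mac%%:*}))
    # bit 0 (I/G) clear  -> unicast, not multicast
    # bit 1 (U/L) set    -> locally administered, not a vendor OUI
    [ $((first & 1)) -eq 0 ] && [ $((first & 2)) -ne 0 ]
}

# Derives a deterministic locally administered MAC from an instance name:
# first 48 bits of SHA-256(name), with the first octet forced into x2/x6/xA/xE.
make_local_mac() {
    hex=$(printf '%s' "$1" | sha256sum | cut -c1-12)
    first=$((0x$(printf '%s' "$hex" | cut -c1-2)))
    first=$(( (first | 2) & 254 ))   # set U/L, clear I/G
    rest=$(printf '%s' "$hex" | cut -c3-12 | sed 's/../&:/g; s/:$//')
    printf '%02x:%s\n' "$first" "$rest"
}

# Usage: generate a MAC for the "flatcar" instance and check it before applying.
mac=$(make_local_mac flatcar)
if is_local_unicast_mac "$mac"; then
    echo "incus config device override flatcar eth0 hwaddr=$mac"
else
    echo "generated MAC $mac is not a locally administered unicast address" >&2
fi
```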