Fedora 28 Atomic Host brings Podman, Automatic Update Check and More

Fedora 28 Atomic Host is available now, as part of the Fedora 28 release! This release brings various exciting features to enhance your experience with Atomic Host. Highlighted features include: automatic update check, Podman, unified OSTree repo, system container using SELinux policy from the host, official AMIs available in more AWS EC2 regions, and continued multi-arch support.

Automatic update check

Fedora 28 Atomic Host features automatic update checking. By default, the automatic update check is disabled. To see the current state of automatic updates, run:

$ rpm-ostree status -v
State: idle; auto updates disabled
Deployments:
● ostree://fedora-atomic:fedora/28/x86_64/atomic-host
 Version: 28.20180425.0 (2018-04-25 19:14:57)
...

To enable automatic update checks, change the AutomaticUpdatePolicy value from none to check in the /etc/rpm-ostreed.conf file. Then reload the rpm-ostreed service and enable the rpm-ostreed-automatic.timer timer:

$ sudo rpm-ostree reload
$ sudo systemctl enable rpm-ostreed-automatic.timer --now
$ rpm-ostree status -v
State: busy; auto updates enabled (check; running)
Deployments:
● ostree://fedora-atomic:fedora/28/x86_64/atomic-host
...

Or:
State: idle; auto updates enabled (check; last run 3min 57s ago)
Deployments:
● ostree://fedora-atomic:fedora/28/x86_64/atomic-host
...

More information is available in the rpm-ostreed.conf and rpm-ostreed-automatic.service man pages.
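The procedure above as a repeatable script, useful when the same setting has to be applied and verified across many hosts. This is an added example, not code from the original post: the function names and sample data are constructed, and it assumes the key lives under a [Daemon] section and may ship commented out.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not from the post.

# set_policy CONF POLICY: set AutomaticUpdatePolicy under [Daemon] in CONF.
# Replaces an active or commented-out key, or appends the key/section if absent.
# Writes back with cat so the file keeps its owner, mode and SELinux label.
set_policy() {
    conf=$1; policy=$2
    tmp=$(mktemp) || return 1
    awk -v p="$policy" '
        /^\[/ { if (in_d && !done) { print "AutomaticUpdatePolicy=" p; done = 1 }
                in_d = ($0 == "[Daemon]") }
        in_d && /^[# \t]*AutomaticUpdatePolicy[ \t]*=/ {
            if (!done) { print "AutomaticUpdatePolicy=" p; done = 1 }
            next }
        { print }
        END { if (!done) { if (!in_d) print "[Daemon]"
                           print "AutomaticUpdatePolicy=" p } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}

# auto_update_state: read `rpm-ostree status -v` output on stdin and print
# disabled, enabled:<policy>, or unknown, based on the "State:" line.
auto_update_state() {
    awk '
        /^State:/ {
            if ($0 ~ /auto updates disabled/) { print "disabled"; found = 1; exit }
            if (match($0, /auto updates enabled \([a-z]+/)) {
                s = substr($0, RSTART, RLENGTH); sub(/.*\(/, "", s)
                print "enabled:" s; found = 1; exit }
        }
        END { if (!found) print "unknown" }
    '
}

# Demo on a scratch file with constructed content (not the real config).
demo_conf=$(mktemp)
printf '[Daemon]\n#AutomaticUpdatePolicy=none\n' > "$demo_conf"
set_policy "$demo_conf" check
cat "$demo_conf"
printf 'State: idle; auto updates enabled (check; last run 3min 57s ago)\n' \
    | auto_update_state
rm -f "$demo_conf"
```

On a real host, run set_policy against /etc/rpm-ostreed.conf as root, follow it with the reload and timer commands shown above, and pipe rpm-ostree status -v into auto_update_state to confirm the result.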

Podman available as default

Podman is a command line utility for creating and maintaining containers. Fedora 28 Atomic Host features Podman in the default install. Podman provides a great alternative to Docker for running OCI containers and pods. Additionally, Podman offers Docker-compatible command line options, which makes it easy to use for people who are already familiar with docker commands. For example, you can run, delete, or inspect a container using podman:

$ sudo podman run -it --name test_container registry.fedoraproject.org/fedora echo "Hello to Podman"
Trying to pull registry.fedoraproject.org/fedora...Getting image source signatures
Copying blob sha256:548d1dae8c2b61abb3d4d28a10a67e21d5278d42d1f282428c0dcbba06844c2c
 85.59 MB / 85.59 MB [=====================================================] 32s
Copying config sha256:426866d6fa419873f97e5cbd320eeb22778244c1dfffa01c944db3114f55772e
 1.27 KB / 1.27 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
Hello to Podman

In the above command, podman first pulls the fedora:latest image from the registry.fedoraproject.org registry, since it wasn't available locally. Next, it launches a container named test_container, runs the echo "Hello to Podman" command inside the container, and then exits.

Now view the image and the exited container, then delete them.

$ sudo podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.fedoraproject.org/fedora latest 426866d6fa41 10 days ago 263MB

$ sudo podman ps -a
CONTAINER ID IMAGE COMMAND CREATED AT STATUS PORTS NAMES
adac3731ea84 registry.fedoraproject.org/fedora:latest echo Hello to Podman 2018-05-07 05:53:29 +0000 UTC Exited (0) 6 minutes ago test_container

$ sudo podman rm test_container
adac3731ea846e57c9e308634ab73df8dec46eff50060497dac4c2bf43515953

$ sudo podman rmi registry.fedoraproject.org/fedora:latest
426866d6fa419873f97e5cbd320eeb22778244c1dfffa01c944db3114f55772e

There are also some features which are special to podman. For example, the --all option to delete all running containers and images.

$ sudo podman rm --all
$ sudo podman rmi --all

We also have nice documentation on GitHub for the available podman command line options.

Unified OSTree repo

Previously, separate OSTree repositories were maintained for each Fedora release. Fedora 28 features a unified OSTree repo model, where content from different releases is composed and shipped in a single repo. Consequently, refs from all architectures and branches are part of a single unified repo. Future updates to Fedora 28 Atomic Host will be part of the same unified repository.

System Container using SELinux policy from the host

With the release of Fedora 28 Atomic Host, every file in a system container gets the same label it would have if installed on the host. For example, /usr/bin/foo in the container will have the same SELinux label as /usr/bin/foo on the host. This allows us to run containerized system services without losing the possibility of having different SELinux contexts. One of the major benefits of this feature is that we can fully deduplicate files on Fedora Atomic Host with the rest of the system, as there is no mismatch in the xattrs.

AMI availability in more AWS EC2 regions

Fedora Atomic Host AMIs have been available in AWS EC2 regions for the past few releases. Fedora 28 Atomic Host is available in additional regions. The new regions in which the AMIs will be available include ap-northeast-2, ap-south-1, ca-central-1, eu-west-2 and us-east-2.

Continued Multi-Arch support

The Fedora 27 Atomic Host release added support for the aarch64 and ppc64le architectures. These architectures will be supported during the Fedora 27 based Atomic Host Two Week releases. This support continues with the Fedora 28 Atomic Host release. Furthermore, Fedora 28 Atomic Host users on these architectures will continue getting host updates with every Two Week release.

Upgrade and Support Policy

Now that Fedora 28 Atomic Host is available, updates for Fedora 27 Atomic Host will be on a best-effort basis. To continue getting the latest tested updates, it is recommended to migrate your host to Fedora 28 Atomic Host. For help on how to perform the upgrade, follow the steps in this Project Atomic blog post. For further questions, reach out to the Project Atomic Mailing List or join #atomic on freenode.

Now, it's time to give Fedora 28 Atomic Host a try! Get your favorite image format (iso, qcow2, raw, ami or vagrant) from the Atomic Host download page. If you have a PowerPC or ARM 64-bit Little Endian box, grab the required images for ppc64le and aarch64 and give it a try.


1 Comment

  1. jwm

    rpm-ostree is such a great piece of technology. It's a promising approach to being able to tailor a base container host OS from different packages and deploying it to any large fleets of homogenous hardware, like servers and IoT (an upcoming security armageddon). It will be interesting to see where it goes in relation to the latest Container Linux announcements.

    I’ve been trying out Atomic for both containers and virtual machines and it works great. To get libvirt running with device passthrough working all I had to do was:

    rpm-ostree install libvirt-daemon-qemu qemu-kvm virt-install
    rpm-ostree ex kargs --append=intel_iommu=on

    and reboot. After a recent "atomic host upgrade", my virts still came up fine.

    Likewise kudos for all the work on podman and all the other OCI tooling. Dividing the container tools into small, reusable and auditable components is a huge win for tooling and security.
