Fedora IoT is a foundation for Internet of Things (IoT) and Device Edge ecosystems. It’s a secure, immutable, and image-based operating system that supports the deployment of containerized applications. We’ll discuss how you can run Fedora IoT on a Raspberry Pi to deploy a rootless Podman container.
Running Fedora IoT on Raspberry Pi
- PC (with Fedora)
- SD-Card and SD-Card Reader
- Raspberry Pi 3 or 4
Download the IoT image & CHECKSUM for your CPU from getfedora.org.
After you download your Fedora IoT image, click Verify your Download to download the CHECKSUM file.
Place the CHECKSUM file in the same location where you downloaded your Fedora IoT image.
Then, install gnupg and the arm image installer:
sudo dnf install gnupg2 arm-image-installer
Next, download Fedora’s GPG keys, which are used to verify the image you downloaded:
$ curl -O https://getfedora.org/static/fedora.gpg
Then, verify the CHECKSUM file has a good signature:
$ gpgv --keyring ./fedora.gpg *-CHECKSUM
You should see something similar to the following in the output:
$ gpgv --keyring ./fedora.gpg *-CHECKSUM
gpgv: Signature made Fri 19 Mar 2021 10:10:28 AM EDT
gpgv: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39
gpgv: Good signature from "Fedora (34) <email@example.com>"
Lastly, verify that your download matches the checksum listed in the signed CHECKSUM file:
$ sha256sum -c *-CHECKSUM
Now, find the name of the SD-Card. You can use various tools, but in this article we recommend udisksctl, the udisks command-line tool. First, verify that you have NOT inserted your SD-Card into your SD-Card reader.
Then, enter the following command:
The output displays all the connected devices on your machine. Review what devices are currently displayed. Next, plug in your SD-Card and enter the command again. Write down the name of the device that’s been added to the previous list.
Use caution when flashing your SD-Card. If you choose the wrong device, you might overwrite your hard drive.
Flash the image onto the SD-Card.
$ arm-image-installer --image=</path/to/fedora_image> \
    --target=<RPi_Version> --media=/dev/<sd_card_device> \
    --addkey=/path/to/pubkey \
    --resizefs
- image – File path to the image you downloaded.
- target – Type of arm board you are using (in this example it would be either the Raspberry Pi 3 or 4).
- media – SD-Card path you identified.
- addkey – Path to your SSH public key.
- resizefs – Resizes the image to the full SD-Card unless you have another partition to add.
The image won’t have a pre-configured user or password.
Zezere is a provisioning service that can deploy devices without a physical console. Use Zezere to set up and deploy your device.
Navigate to provision.fedoraproject.org, then click the Claim Unowned Devices tab, and claim your device (i.e. your SD-Card). Click the Home tab to view your claimed device, then click the SSH Key Management tab to add your SSH key. This allows you to copy your SSH key to any of your Fedora IoT devices. The keys generated in the SSH Key Management tab are public, so they can be shared without risk to the security of your devices.
Return to the Home tab and click Submit provision request on your SD-Card to set up a provisioning request. Select fedora-iot-stable from the drop-down and click Schedule to copy your SSH Key onto your Fedora IoT device.
You’re now ready to run your applications.
Setting up rootless Podman containers
Fedora IoT uses Podman to develop, manage, and run Open Container Initiative (OCI) containers. Rootless containers can be run by unprivileged users, which adds security against attackers and helps ensure they’re safe to share between machines.
Install slirp4netns and fuse-overlayfs to begin setting up a rootless Podman container:
sudo dnf -y install slirp4netns fuse-overlayfs shadow-utils
Rootless Podman containers require the root user to have a range of UIDs/GIDs listed in the /etc/subuid and /etc/subgid files. Update the /etc/subuid and /etc/subgid for each non-root user.
sudo usermod --add-subuids START-RANGE --add-subgids START-RANGE USERNAME
- START – Starting UID (ex. 1000)
- RANGE – Range for your UID (ex. if you put 100, then your UID will range from 1000 to 1100)
- USERNAME – The username you’re updating.
Podman is now set up to run rootless containers.
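After editing /etc/subuid and /etc/subgid, it is worth checking that no two users share subordinate IDs and that no range reaches into the IDs of real accounts. The following is an added example, not part of the original article or of Podman: a POSIX shell function, audit_subid (a hypothetical name), that reads a file in the name:start:count format these files use and reports malformed lines, overlapping ranges, and ranges starting below an assumed floor of 100000.

```shell
#!/bin/sh
# Added example: audit a subordinate-ID file (name:start:count per line).
# audit_subid is a hypothetical helper name. FLOOR (default 100000) is an
# assumed lowest acceptable start; set it above the IDs of real accounts.
# Prints one finding per line and returns 1 if there were any.
audit_subid() {
    file=$1
    floor=${2:-100000}
    awk -F: -v floor="$floor" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 == 0 {
            printf "MALFORMED line %d: %s\n", NR, $0
            bad = 1
            next
        }
        {
            start = $2 + 0
            last = start + $3 - 1
            if (start < floor) {
                printf "LOW %s: %d-%d starts below %d\n", $1, start, last, floor
                bad = 1
            }
            # Two ranges overlap when each one starts before the other ends.
            for (i = 1; i <= n; i++)
                if (name[i] != $1 && start <= e[i] && s[i] <= last) {
                    printf "OVERLAP %s (%d-%d) with %s (%d-%d)\n",
                        $1, start, last, name[i], s[i], e[i]
                    bad = 1
                }
            n++
            name[n] = $1; s[n] = start; e[n] = last
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample data, not taken from a real host.
sample=$(mktemp)
printf '%s\n' 'alice:100000:65536' 'bob:150000:65536' 'carol:1000:100' > "$sample"
audit_subid "$sample" || echo "fix the findings above before running containers"
rm -f "$sample"
```

On a real device, run audit_subid /etc/subuid and audit_subid /etc/subgid after each usermod change.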
More setup recommendations
View the following resources for additional ways you can improve the setup of your containers: