Setting up Fedora IoT on Raspberry Pi and rootless Podman containers

Photo by Harrison Broadbent on Unsplash

Introduction

Fedora IoT is a foundation for Internet of Things (IoT) and Device Edge ecosystems. It’s a secure, immutable, and image-based operating system that supports the deployment of containerized applications. We’ll discuss how you can run Fedora IoT on a Raspberry Pi to deploy a rootless Podman container.

Running Fedora IoT on Raspberry Pi

Prerequisites:

  • PC (with Fedora)
  • SD-Card and SD-Card Reader
  • Raspberry Pi 3 or 4

Download the IoT image & CHECKSUM for your CPU from getfedora.org.

Screenshot of Fedora IoT image download.

After you download your Fedora IoT image, click Verify your Download to download the CHECKSUM file.

Screenshot to show where to find the "Verify your download." button.

Place the CHECKSUM file in the same location where you downloaded your Fedora IoT image.

Then, install gnupg and the arm image installer:

dnf install gnupg2 arm-image-installer

Next, import Fedora’s GPG keys to verify the image you downloaded:

$ curl -O https://getfedora.org/static/fedora.gpg

Then, verify the CHECKSUM file has a good signature:

$ gpgv --keyring ./fedora.gpg *-CHECKSUM

You should see something similar to the following in the output:

$ gpgv --keyring ./fedora.gpg *-CHECKSUM
gpgv: Signature made Fri 19 Mar 2021 10:10:28 AM EDT
gpgv:                using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39
gpgv: Good signature from "Fedora (34) <fedora-34-primary@fedoraproject.org>"

Lastly, verify the checksum of your download to verify that the signature matches:

$ sha256sum -c *-CHECKSUM

Now, find the name of the SD-Card. You can use various tools, but in this article, we recommend using udisks command line tool udiskctl. First, verify that you have NOT inserted your SD-Card into your SD-Card reader.

Then, enter the following command:

udisksctl status 

The output displays all the connected devices on your machine. Review what devices are currently displayed. Next, plug in your SD-Card and enter the command again. Write down the name of the device that’s been added to the previous list.

Use caution when flashing your SD-Card. If you choose the wrong device, you might overwrite your hard drive.

Flash the image onto the SD-Card.

$ arm-image-installer --image=</path/to/fedora_image> \
      --target=<RPi_Version> --media=/dev/<sd_card_device> \
      --addkey=/path/to/pubkey \
      --resizefs
  • Image – File path to the image you downloaded.
  • target – Type of arm board you are using (in this example it would be either the Raspberry Pi 3 or 4).
  • media – SD-Card path you identified.
  • addkey – Your SSH key.
  • resizefs – Resizes the image to the full SD-Card unless you have another partition to add.

The image won’t have a per-configured user or password.

Zezere is a provisioning service that can deploy devices without a physical console. Use Zezere to set up and deploy your device.

Navigate to provision.fedoraproject.org, then click the Claim Unowned Devices tab, and claim your device (i.e. your SD-Card). Click the Home tab to view your claimed device, then click the SSH Key Management tab to add your SSH key. This allows you to copy your SSH key to any of your Fedora IoT devices. The keys generated in the SSH Key Management tab are public, so they can be shared without risk to the security of your devices.

Image of Zezere to use as reference for instructions on how to deploy your device.

Return to the Home tab and click Submit provision request on your SD-Card to set up a provisioning request. Select fedora-iot-stable from the drop-down and click Schedule to copy your SSH Key onto your Fedora IoT device.

You’re now ready to run your applications.

Setting up rootless Podman containers

Fedora IoT uses Podman to develop, manage, and run Open Container Initiative (OCI) containers. Rootless containers can be run by unprivileged users, adding security against hackers to ensure they’re safe to share between machines.

Install slirpfnetns and fuse-overlays to begin setup of a rootless Podman container:

 sudo dnf -y install slirp4netns fuse-overlayfs shadow-utils

Rootless Podman containers require the root user to have a range of UIDs/GIDs listed in the /etc/subuid and /etc/subgid files. Update the /etc/subuid and /etc/subgid for each non-root user.

sudo usermod --add-subuids START-RANGE --add-subgids START-RANGE USERNAME 
  • START – Starting UID (ex. 1000)
  • RANGE – Range for you UID (ex. if you put 100, then your UID will range from 1000 to 1100)
  • USERNAME – The username you’re updating.

Podman is now set up to run rootless containers.

More setup recommendations

View the following resources for additional ways you can improve the setup of your containers:

Fedora Project community

9 Comments

  1. hasusediot

    Based on my experience with IoT:

    There is no dnf but you don’t have to install anything for rootless use of podman.
    Creating an unprivileged user is enough, you don’t have to configure subuids manually.
    You don’t have to use Zezere for anything, which requires a fedora account. Just add your ssh-key manually or let the arm-installer do it.

  2. david jefferson

    is Fedora IoT can be installed on a smartphone? or is there any distribution Fedora is compatible for?

  3. Useful article.
    Could do with expanding:
    addkey – Your SSH key.

  4. tg121268

    Good article, thank you.

  5. jo

    Is target Pi Zero2W also available? Would be great !

  6. gdumas

    If the image installation tool could take into account the installation of a wifi key, it would be great.

  7. Surya

    installing Fedora for Raspberry Pi is still not as easy and convenient as Ubuntu and Manjaro. If I may suggest, please make the installation process as easy as Ubuntu and Manjaro, so that ordinary people who want to use Fedora on their Raspberry Pi become easier.

  8. Far too vague to be of any use whatsoever 🙁

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: