This is a constantly updating repository for creating a native container image designed to be customized.
Based on BlueBuild Template: See the BlueBuild docs for quick setup instructions for setting up your own repository based on this template.
- Installation by rebasing from Silverblue
- Secure Boot
- Encrypted Drives
- Custom Commands
- ISO
- Verification
To rebase an existing Silverblue installation to the latest build:
First rebase to the unsigned image, to get the proper signing keys and policies installed. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-unverified-registry:ghcr.io/sukarn-m/sukarn-ublue-desktop:latest --reboot
Then rebase to the signed image. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sukarn-m/sukarn-ublue-desktop:latest --reboot
First rebase to the unsigned image, to get the proper signing keys and policies installed. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-unverified-registry:ghcr.io/sukarn-m/sukarn-ublue-laptop:latest --reboot
Then rebase to the signed image. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sukarn-m/sukarn-ublue-laptop:latest --reboot
First rebase to the unsigned image, to get the proper signing keys and policies installed. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-unverified-registry:ghcr.io/sukarn-m/sukarn-ublue-budgie:latest --reboot
Then rebase to the signed image. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sukarn-m/sukarn-ublue-budgie:latest --reboot
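The second rebase depends on the container policy that the first rebase installs: `ostree-image-signed:` needs a signature requirement that covers the image. The following added example (not part of this repository) resolves which `policy.json` scope applies to an image reference and what it enforces, following the scope order described in containers-policy.json(5). The sample policy, its `ghcr.io/sukarn-m` scope and the key path are constructed placeholders, not values taken from the image.

```python
import json
import sys

# Constructed sample of /etc/containers/policy.json. The "ghcr.io/sukarn-m" scope
# and the key path are placeholders, not values taken from the image.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {"docker": {
    "ghcr.io/sukarn-m": [{"type": "sigstoreSigned",
                          "keyPath": "/PLACEHOLDER/cosign.pub",
                          "signedIdentity": {"type": "matchRepository"}}],
    "": [{"type": "insecureAcceptAnything"}]
  }}
}
""")

def candidate_scopes(image):
    """Scopes tried for a docker reference, most specific first."""
    repo = image.split("@")[0]
    if ":" in repo.rsplit("/", 1)[-1]:          # drop the tag, keep any host:port
        repo = repo[:repo.rindex(":")]
    parts = repo.split("/")
    scopes = [image] + ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    labels = parts[0].split(".")
    scopes += ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return scopes + [""]                         # "" is the transport-wide default

def enforcement(policy, image, transport="docker"):
    """Return (matched scope, verdict) for pulling `image` under `policy`."""
    scoped = policy.get("transports", {}).get(transport, {})
    scope = next((s for s in candidate_scopes(image) if s in scoped), None)
    reqs = scoped[scope] if scope is not None else policy["default"]
    types = {r["type"] for r in reqs}
    # Every requirement in the list must hold, so one "reject" rejects and
    # one signature requirement makes signatures mandatory.
    if "reject" in types:
        verdict = "rejected"
    elif types & {"sigstoreSigned", "signedBy"}:
        verdict = "signature-required"
    else:
        verdict = "accept-anything"
    return (scope if scope is not None else "default"), verdict

if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else "ghcr.io/sukarn-m/sukarn-ublue-desktop:latest"
    policy = SAMPLE_POLICY
    if len(sys.argv) > 2:                        # optional path to a real policy.json
        with open(sys.argv[2]) as fh:
            policy = json.load(fh)
    print(image, *enforcement(policy, image))
```

A verdict of `accept-anything` for the image means the signed rebase has no signature requirement to enforce and the policy from the first step is not in place.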
This repository builds date tags as well, so if you want to rebase to a particular day's build:
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sukarn-m/sukarn-ublue-laptop:20240701
This repository by default also supports signing.
The latest tag will automatically point to the latest build. That build will still always use the Fedora version specified in recipe.yml, so you won't get accidentally updated to the next major version.
To use these images with secure boot, you may need to manually install relevant certificates.
Download Fedora's certificate from https://src.fedoraproject.org/rpms/shim-unsigned-x64/tree/rawhide and save it to /tmp/fedora-ca.cer.
As of writing, the relevant file is located at https://src.fedoraproject.org/rpms/shim-unsigned-x64/blob/rawhide/f/fedora-ca-20200709.cer.
Automated method:
ujust sukarn-enroll-fedora-certificate
Manual method:
wget --output-document=/tmp/fedora-ca.cer https://src.fedoraproject.org/rpms/shim-unsigned-x64/raw/rawhide/f/fedora-ca-20200709.cer
sudo mokutil --timeout -1
sudo mokutil --import /tmp/fedora-ca.cer
sudo systemctl reboot
The akmods key is located on the ublue-os based images at /etc/pki/akmods/certs/akmods-ublue.der.
Automated method:
ujust enroll-secure-boot-key
Manual method:
sudo mokutil --timeout -1
sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
sudo systemctl reboot
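`mokutil --import` expects a DER-encoded certificate, and whatever is enrolled becomes trusted at boot, so it is worth checking the file before importing it. The following added example (not part of this repository) rejects a saved web page, PEM text or a truncated file, and compares the SHA-256 fingerprint against a value obtained out of band. The sample bytes are constructed, and the check covers only the outer DER framing, not the certificate contents.

```python
import hashlib
import hmac

# Constructed samples: DER framing only (not a real certificate) and a web page.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
HTML_PAGE = b"<!DOCTYPE html>\n<html><body>file view</body></html>\n"

def der_total_length(data):
    """Size of the outer DER SEQUENCE including its header, or None."""
    if len(data) < 2 or data[0] != 0x30:        # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_download(data):
    """Return 'der', 'pem', 'html' or 'unknown' for the file contents."""
    head = data.lstrip()[:16].lower()
    if head.startswith(b"-----begin"):
        return "pem"
    if head.startswith(b"<"):
        return "html"
    if der_total_length(data) == len(data):     # no truncation, no trailing bytes
        return "der"
    return "unknown"

def check_before_import(data, pinned_sha256):
    """Return (ok, kind, fingerprint); ok only for DER matching the pinned hash."""
    kind = classify_download(data)
    fingerprint = hashlib.sha256(data).hexdigest()
    pinned = pinned_sha256.replace(":", "").lower()
    ok = kind == "der" and hmac.compare_digest(fingerprint, pinned)
    return ok, kind, fingerprint

if __name__ == "__main__":
    import sys
    path, pinned = sys.argv[1], sys.argv[2]     # e.g. /tmp/fedora-ca.cer <sha256>
    with open(path, "rb") as fh:
        ok, kind, fingerprint = check_before_import(fh.read(), pinned)
    print(f"{path}: {kind} sha256={fingerprint} {'OK' if ok else 'DO NOT IMPORT'}")
    sys.exit(0 if ok else 1)
```

The fingerprint is the SHA-256 of the DER bytes, the same value that `openssl x509 -inform DER -noout -fingerprint -sha256` reports for a certificate file.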
TPM2 equipped devices can be set to automatically unlock encrypted drives.
Images based on Universal-Blue builds can run the following command to enable auto-unlock using TPM2:
ujust setup-luks-tpm-unlock
For manual steps, refer to https://github.com/ublue-os/config/blob/main/build/ublue-os-luks/luks-enable-tpm2-autounlock.
Images based on Universal-Blue builds can run the following command to disable auto-unlock using TPM2:
ujust remove-luks-tpm-unlock
For manual steps, refer to https://github.com/ublue-os/config/blob/main/build/ublue-os-luks/luks-disable-tpm2-autounlock.
Note: To see a list of all custom commands available, run:
ujust --choose
These images contain custom commands from the universal-blue project, and custom commands added by the maintainer of this repository. List of custom commands added by the maintainer of this repository:
Command | Purpose |
---|---|
sukarn-enable-nfs-cache | Enable NFS caching |
sukarn-remove-nfs-cache | Remove NFS caching and cached files |
sukarn-added-canon-lbp-2900 | Add this printer to the printers list |
sukarn-fix-grub-double-entry | Fix the grub double entries issue in Fedora Atomic |
sukarn-enroll-fedora-certificate | Enroll the upstream fedora certificate |
sukarn-grub-toggle-savedefault | Enable or disable GRUB_SAVEDEFAULT |
If building on Fedora Atomic, you can generate an offline ISO with the instructions available here.
The make-laptop-iso.sh and make-desktop-iso.sh scripts can make ISOs using podman. The ISO is saved in the iso-output directory. Run only one of these scripts at a time, as they may overwrite each other's output. See JasonN3/build-container-installer for variables (must be specified in all caps).
The Action currently uses ublue-os/isogenerator-old. The ISO is a netinstaller and should always pull the latest version of your image. Note that this release-iso action is not a replacement for a full-blown release automation like release-please.
These images are signed with Sigstore's cosign. You can verify the signature by downloading the cosign.pub file from this repo and running the following command:
cosign verify --key cosign.pub ghcr.io/sukarn-m/sukarn-ublue