CoreOS Tectonic
Author: s | 2025-04-25
Tectonic documentation - coreos/tectonic-docs
Tectonic Installer

The Tectonic Installer is an app for creating Tectonic clusters.

See official installation documentation if you'd like to use a published release. Read on if you'd like to build and run the installer yourself.

Usage

Notable Flags and Environment Variables

| flag | env variable | example |
|---|---|---|
| -address | INSTALLER_ADDRESS | 0.0.0.0:8080 |
| -platforms | INSTALLER_PLATFORMS | bare-metal, aws |
| -cookie-signing-secret | INSTALLER_COOKIE_SIGNING_SECRET | secret |
| -disable-secure-cookie | INSTALLER_DISABLE_SECURE_COOKIE | false |
| -open-browser | INSTALLER_OPEN_BROWSER | false |
| -log-level | INSTALLER_LOG_LEVEL | debug, warn, error |
| -version | INSTALLER_VERSION | NA |
| -help | INSTALLER_HELP | NA |

License

Get a license and follow the guides to create Tectonic clusters end to end.

Build prerequisites

- Go 1.8
- Nodejs >=6.x
- Yarn >=0.20.x

The tectonic-installer repo must be located at $GOPATH/src/github.com/coreos/tectonic-installer

Build / Run

All commands mentioned here must be run from the same working directory as this README file, ./installer/ from the root of this repo.

Build the static binary.

```sh
make build
```

Run the binary for your platform (linux, darwin).

```sh
./bin/linux/installer -help
```

Visit

Dependencies

Frontend

Dependencies are managed with yarn and browserify. Unlike go dependencies, yarn dependencies are not vendored directly, because yarn install will build native extensions that could break builds on other platforms/operating systems.

To add a dependency, run:

```sh
cd $GOPATH/src/github.com/coreos/tectonic-installer/installer/frontend
yarn add $MY_PACKAGE # for a runtime dependency
```

If you are adding a build dependency, run the following commands instead:

```sh
cd $GOPATH/src/github.com/coreos/tectonic-installer/installer/frontend
yarn add --dev $MY_BUILD_PACKAGE # for a development dependency
```

Both sets of commands will update the package.json and yarn.lock files in the repository; those changes should then be committed.

Go

Dependencies are managed with glide, but committed directly to the repository. If you don't have glide, install the latest release from We require version 0.12 at a minimum.

To add a new dependency:

1. Edit the glide.yaml file to add your dependency. Ensure you add a version field for the sha or tag you want to pin to.
2. Revendor the dependencies:

```sh
make vendor
```

If it worked correctly it should:

- Clone your new dep to the /vendor dir, and check out the ref you specified.
- Update glide.lock to include your new package, add any transitive dependencies, and update its hash.

For the sake of your fellow reviewers, commit vendored code changes as a separate commit from any other changes.

Regenerate or Repair Vendored Code

Should you need to regenerate or repair the vendored code en-mass
Tectonic-torcx

A self-contained node-helper to automatically operate torcx on Tectonic machines.

Background

Tectonic needs a specific version of Docker to be installed. Since Docker on Container Linux is managed by torcx, this tool suite keeps the torcx configuration in sync with the cluster environment.

The tool ensures that the correct version of Docker is in the torcx store for any potential OS versions. In other words, it populates torcx stores for Current and Next OS versions.

Details

This software handles two main cases:

1. A new node is added to the cluster and needs to be configured (bootstrap)
2. An existing node is ready to reboot to a new OS version (pre-reboot hook)

1: Bootstrap

- Trigger an OS update (optional, default true)
- Determine the Kubelet version to install
- Determine the correct Docker version
- Fetch and configure Docker torcx addons and profile
- Set the correct kubelet version
- Trigger node reboot (if needed by updates)

2: OS upgrade on a node

- Watch for pre-reboot annotation
- Determine new OS version
- Determine docker version
- Fetch correct docker torcx addon
- GC unneeded images
- Add success annotation

In both cases, it can also determine/update kubelet based on cluster status.

Build

Run make all to build for all supported architectures.

Execute

This helper is normally run within a container:

```sh
docker run \
  --tmpfs /tmp \
  -v /usr/share:/usr/share:ro \
  -v /usr/lib/os-release:/usr/lib/os-release:ro \
  -v /usr/share/ca-certificates/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
  -v /var/lib/torcx:/var/lib/torcx \
  -v /run/metadata:/run/metadata:ro \
  -v /run/systemd:/run/systemd \
  -v /run/torcx:/run/torcx:ro \
  -v /var/run/dbus:/var/run/dbus \
  -v /etc/coreos:/etc/coreos:ro \
  -v /etc/torcx:/etc/torcx \
  -v /etc/kubernetes:/etc/kubernetes \
  -v /dev/log:/dev/log \
  quay.io/coreos/tectonic-torcx:latest-dev \
  --verbose=debug
```

See also

- bootkube
- kube-version
- tectonic-installer
```sh
$ ./cert-gen
```

Place the TLS credentials in the default location:

```sh
$ sudo mkdir -p /etc/bootcfg
$ sudo cp ca.crt server.crt server.key /etc/bootcfg/
```

Save client.crt, client.key, and ca.crt to use with a client tool later.

Start bootcfg

Start the bootcfg service and enable it if you'd like it to start on every boot.

```sh
$ sudo systemctl daemon-reload
$ sudo systemctl start bootcfg
$ sudo systemctl enable bootcfg
```

Verify

Verify the bootcfg service is running and can be reached by client machines (those being provisioned).

```sh
$ systemctl status bootcfg
$ dig bootcfg.example.com
```

Verify you receive a response from the HTTP and API endpoints.

```sh
$ curl
```

If you enabled the gRPC API,

```
$ openssl s_client -connect bootcfg.example.com:8081 -CAfile /etc/bootcfg/ca.crt -cert examples/etc/bootcfg/client.crt -key examples/etc/bootcfg/client.key
CONNECTED(00000003)
depth=1 CN = fake-ca
verify return:1
depth=0 CN = fake-server
verify return:1
---
Certificate chain
 0 s:/CN=fake-server
   i:/CN=fake-ca
---
....
```

Download CoreOS (optional)

bootcfg can serve CoreOS images in development or lab environments to reduce bandwidth usage and increase the speed of CoreOS PXE boots and installs to disk.

Download a recent CoreOS release with signatures.

```sh
$ ./scripts/get-coreos stable 1185.3.0 . # note the "." 3rd argument
```

Move the images to /var/lib/bootcfg/assets,

```sh
$ sudo cp -r coreos /var/lib/bootcfg/assets
```

```
/var/lib/bootcfg/assets/
├── coreos
│   └── 1185.3.0
│       ├── CoreOS_Image_Signing_Key.asc
│       ├── coreos_production_image.bin.bz2
│       ├── coreos_production_image.bin.bz2.sig
│       ├── coreos_production_pxe_image.cpio.gz
│       ├── coreos_production_pxe_image.cpio.gz.sig
│       ├── coreos_production_pxe.vmlinuz
│       └── coreos_production_pxe.vmlinuz.sig
```

and verify the images are accessible.

```sh
$ curl
```

For large production environments, use a cache proxy or mirror suitable for your environment to serve CoreOS images.

Network

Review network setup with your network administrator to set up DHCP, TFTP, and DNS services on your network. At a high level, your goals are to:

- Chainload PXE firmware to iPXE
- Point iPXE client machines to the bootcfg iPXE HTTP endpoint
- Ensure bootcfg.example.com resolves to your bootcfg deployment
Of configuration data across the cluster, making it possible to build highly available and fault-tolerant applications that can automatically scale and recover from failures. Overall, CoreOS represents a significant advancement in cloud-native computing, providing a robust, streamlined and secure foundation for the deployment of modern containerized applications in scalable and distributed environments.

Examples of CoreOS

Ticketmaster: Ticketmaster, a leading global event ticketing company, adopted CoreOS to transform its ticketing infrastructure and provide faster, more scalable services to its customers. The company utilized CoreOS for containerization of its applications, which helped simplify the deployment process, increase the reliability of its services, and design a highly scalable platform that could handle millions of requests per second. This implementation allowed Ticketmaster to reduce its infrastructure costs significantly and build an agile, user-friendly experience for its customers.

Handy: Handy, an on-demand home services platform, leveraged CoreOS and its orchestration tool (Tectonic) to improve the scalability, manageability, and security of its cloud-based platform. By employing CoreOS, Handy was able to efficiently manage its microservices architecture, provide consistent deployment processes, and increase the overall development velocity. The use of CoreOS also enabled Handy to have a well-automated environment setup and a robust container infrastructure, which allowed the company to focus on rapidly adding new features and improving its application for users.

Honeycomb: Honeycomb, an observability platform for distributed software, adopted CoreOS as a crucial part of its infrastructure to scale its applications and manage them effectively. CoreOS's container runtime (rkt) played a significant role in delivering efficient resource consumption and easy-to-control processes for Honeycomb's applications. Additionally, CoreOS Container Linux also provided a stable and secure host for running the company's services. Ultimately, CoreOS helped Honeycomb create a streamlined, reliable, and maintainable infrastructure to support its growing customer base.

CoreOS FAQ

What is CoreOS?

CoreOS is an open-source lightweight operating system that focuses on providing a minimal operating environment for deploying containerized applications. It is designed for running containerized applications at scale, providing features such as automatic updates and security patches.

What are the benefits of using CoreOS?

CoreOS offers several benefits, such as a lightweight footprint, ease of deployment, automatic updates, improved security, and the ability to run containerized applications efficiently. All these features contribute to a more stable, secure, and scalable environment for deploying container-based applications.

What are the main components of CoreOS?

CoreOS consists of three main components: the Container Linux operating system, the rkt container runtime, and the etcd distributed key-value store. These components work together to provide a minimal, secure, and easily maintainable platform for running containerized applications.

How does CoreOS compare to other container-optimized operating systems?

CoreOS is often compared to other lightweight operating systems designed for running containers, such as RancherOS and Ubuntu Core. While each has its own unique features, CoreOS stands
By editing the systemd unit or adding a systemd drop-in. Find the complete set of bootcfg flags and environment variables at config.

```sh
sudo systemctl edit bootcfg
```

By default, the read-only HTTP machine endpoint will be exposed on port 8080.

```
# /etc/systemd/system/bootcfg.service.d/override.conf
[Service]
Environment="BOOTCFG_ADDRESS=0.0.0.0:8080"
Environment="BOOTCFG_LOG_LEVEL=debug"
```

A common customization is enabling the gRPC API to allow clients with a TLS client certificate to change machine configs.

```
# /etc/systemd/system/bootcfg.service.d/override.conf
[Service]
Environment="BOOTCFG_ADDRESS=0.0.0.0:8080"
Environment="BOOTCFG_RPC_ADDRESS=0.0.0.0:8081"
```

The Tectonic Installer uses this API. Tectonic users with a CoreOS provisioner can start with an example that enables it.

```sh
$ sudo cp contrib/systemd/bootcfg-for-tectonic.service /etc/systemd/system/bootcfg.service
```

Customize bootcfg to suit your preferences.

Firewall

Allow your port choices on the provisioner's firewall so the clients can access the service. Here are the commands for those using firewalld:

```sh
$ sudo firewall-cmd --zone=MYZONE --add-port=8080/tcp --permanent
$ sudo firewall-cmd --zone=MYZONE --add-port=8081/tcp --permanent
```

Generate TLS Credentials

Skip this unless you need to enable the gRPC API.

The bootcfg gRPC API allows client apps (bootcmd CLI, Tectonic Installer, etc.) to update how machines are provisioned. TLS credentials are needed for client authentication and to establish a secure communication channel. Client machines (those PXE booting) read from the HTTP endpoints and do not require this setup.

If your organization manages public key infrastructure and a certificate authority, create a server certificate and key for the bootcfg service and a client certificate and key for each client tool.

Otherwise, generate a self-signed ca.crt, a server certificate (server.crt, server.key), and client credentials (client.crt, client.key) with the examples/etc/bootcfg/cert-gen script. Export the DNS name or IP (discouraged) of the provisioner host.

```sh
$ cd examples/etc/bootcfg
# DNS or IP Subject Alt Names where bootcfg can be reached
$ export SAN=DNS.1:bootcfg.example.com,IP.1:192.168.1.42
```
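The three credentials cert-gen produces (ca.crt, a server.crt carrying the exported SAN list, and a client.crt) and the checks each side of the gRPC connection performs on them (the openssl s_client chain check above, and bootcfg's client-certificate check) as an added Go example; this is not code from bootcfg or cert-gen. It issues the same kind of certificates in memory, reusing the fake-ca and fake-server names from the s_client output and the SAN values from the export line; GenerateBundle, issue and Verify are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Bundle holds what cert-gen produces: ca.crt, server.crt and client.crt.
type Bundle struct{ CA, Server, Client *x509.Certificate }

// issue makes a P-256 key and a one-year cert for it; mod adjusts the template
// before signing with parentKey (self-signed when parent is nil).
func issue(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, mod func(*x509.Certificate)) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().Add(-time.Minute) // tolerate small clock skew
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	mod(t)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// GenerateBundle mirrors cert-gen: a self-signed CA, a server cert whose SANs
// are dnsNames/ips (the exported SAN list), and a client cert for client auth.
func GenerateBundle(dnsNames []string, ips []net.IP) (*Bundle, error) {
	ca, caKey, err := issue(1, "fake-ca", nil, nil, func(c *x509.Certificate) {
		c.IsCA, c.BasicConstraintsValid = true, true
		c.KeyUsage |= x509.KeyUsageCertSign
	})
	if err != nil {
		return nil, err
	}
	srv, _, err := issue(2, "fake-server", ca, caKey, func(c *x509.Certificate) {
		c.DNSNames, c.IPAddresses = dnsNames, ips // the SAN entries
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	})
	if err != nil {
		return nil, err
	}
	cli, _, err := issue(3, "fake-client", ca, caKey, func(c *x509.Certificate) {
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	})
	return &Bundle{CA: ca, Server: srv, Client: cli}, err
}

// Verify chains cert to ca.crt for the given usage; a non-empty host (DNS name
// or IP) must match a SAN, which is how a gRPC client checks server.crt.
func (b *Bundle) Verify(cert *x509.Certificate, host string, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(b.CA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

func main() {
	b, err := GenerateBundle([]string{"bootcfg.example.com"}, []net.IP{net.ParseIP("192.168.1.42")})
	if err != nil {
		panic(err)
	}
	println("wrong host rejected:", b.Verify(b.Server, "other.example.com", x509.ExtKeyUsageServerAuth) != nil)
}
```

A server.crt presented as a client certificate, or a client.crt presented by a server, fails the extended-key-usage check even though both chain to the same ca.crt, which is why cert-gen issues separate credentials for each role.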
```json
        420
      },
      {
        "path": "/etc/se-hostkeys/ibm-z-hostkey-.crt",
        "contents": {
          "source": "data:;base64,"
        },
        "mode": 420
      }
    ]
  }
}
```

You can add as many host keys as required if you want your node to be able to run on multiple IBM Z® machines. To generate the Base64 encoded string, run the following command:

```sh
base64 .crt
```

Compared to guests not running IBM® Secure Execution, the first boot of the machine is longer because the entire image is encrypted with a randomly generated LUKS passphrase before the Ignition phase.

Add Ignition protection

To protect the secrets that are stored in the Ignition config file from being read or even modified, you must encrypt the Ignition config file. To achieve the desired security, Ignition logging and local login are disabled by default when running IBM® Secure Execution.

Fetch the public GPG key for the secex-qemu.qcow2 image and encrypt the Ignition config with the key by running the following command:

```sh
gpg --recipient-file /path/to/ignition.gpg.pub --yes --output /path/to/config.ign.gpg --verbose --armor --encrypt /path/to/config.ign
```

Follow the fast-track installation of RHCOS to install nodes by using the IBM® Secure Execution QCOW image. Before you start the VM, replace serial=ignition with serial=ignition_crypted, and add the launchSecurity parameter.

Verification

When you have completed the fast-track installation of RHCOS and Ignition runs at the first boot, verify that decryption was successful. If the decryption is successful, you can expect output similar to the following example:

Example output

```
[ 2.801433] systemd[1]: Starting coreos-ignition-setup-user.service - CoreOS Ignition User Config Setup...
[ 2.803959] coreos-secex-ignition-decrypt[731]: gpg: key : public key "Secure Execution (secex) 38.20230323.dev.0" imported
[ 2.808874] coreos-secex-ignition-decrypt[740]: gpg: encrypted with rsa4096 key, ID , created
[ OK ] Finished coreos-secex-igni…S Secex Ignition Config Decryptor.
```

If the decryption fails, you can expect output similar to the following example:

Example output

```
Starting coreos-ignition-s…reOS Ignition User Config Setup...
[ 2.863675] coreos-secex-ignition-decrypt[729]: gpg: key : public key "Secure Execution (secex) 38.20230323.dev.0" imported
[ 2.869178] coreos-secex-ignition-decrypt[738]: gpg: encrypted with RSA key, ID
[ 2.870347] coreos-secex-ignition-decrypt[738]: gpg: public key decryption failed: No secret key
[ 2.870371] coreos-secex-ignition-decrypt[738]: gpg: decryption failed: No secret key
```