This is a constantly updating repository for creating a native container image designed to be customized.
Based on BlueBuild Template: See the BlueBuild docs for quick setup instructions for setting up your own repository based on this template.
- Installation by rebasing from Silverblue
- Secure Boot
- Encrypted Drives
- Custom Commands
- ISO
- Verification
To rebase an existing Silverblue installation to the latest build:
First rebase to the unsigned image, to get the proper signing keys and policies installed. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-unverified-registry:ghcr.io/sukarn-m/sukarn-ublue-desktop:latest --rebootThen rebase to the signed image. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sukarn-m/sukarn-ublue-desktop:latest --rebootFirst rebase to the unsigned image, to get the proper signing keys and policies installed. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-unverified-registry:ghcr.io/sukarn-m/sukarn-ublue-laptop:latest --rebootThen rebase to the signed image. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sukarn-m/sukarn-ublue-laptop:latest --rebootFirst rebase to the unsigned image, to get the proper signing keys and policies installed. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-unverified-registry:ghcr.io/sukarn-m/sukarn-ublue-budgie:latest --rebootThen rebase to the signed image. The system will reboot automatically upon completion of this step.
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sukarn-m/sukarn-ublue-budgie:latest --rebootThis repository builds date tags as well, so if you want to rebase to a particular day's build:
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sukarn-m/sukarn-ublue-laptop:20240701
This repository by default also supports signing.
The latest tag will automatically point to the latest build. That build will still always use the Fedora version specified in recipe.yml, so you won't get accidentally updated to the next major version.
To use these images with secure boot, you may need to manually install relevant certificates.
Download Fedora's certificate from https://src.fedoraproject.org/rpms/shim-unsigned-x64/tree/rawhide and save it to /tmp/fedora-ca.cer.
As of writing, the relevant file is located at https://src.fedoraproject.org/rpms/shim-unsigned-x64/blob/rawhide/f/fedora-ca-20200709.cer.
Automated method:
ujust sukarn-enroll-fedora-certificateManual method:
wget --output-document=/tmp/fedora-ca.cer https://src.fedoraproject.org/rpms/shim-unsigned-x64/blob/rawhide/f/fedora-ca-20200709.cer
sudo mokutil --timeout -1
sudo mokutil --import /tmp/fedora-ca.cer
sudo systemctl rebootThe akmods key is located on the ublue-os based images at /etc/pki/akmods/certs/akmods-ublue.der.
Automated method:
ujust enroll-secure-boot-keyManual method:
sudo mokutil --timeout -1
sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
sudo systemctl rebootTPM2 equipped devices can be set to automatically unlock encrypted drives.
Images based on Universal-Blue builds can run the following command to enable auto-unlock using TPM2:
ujust setup-luks-tpm-unlockFor manual steps, refer to https://github.com/ublue-os/config/blob/main/build/ublue-os-luks/luks-enable-tpm2-autounlock.
Images based on Universal-Blue builds can run the following command to enable auto-unlock using TPM2:
ujust remove-luks-tpm-unlockFor manual steps, refer to https://github.com/ublue-os/config/blob/main/build/ublue-os-luks/luks-disable-tpm2-autounlock.
Note: To see a list of all custom commands available, run:
ujust --chooseThese images contain custom commands from the universal-blue project, and custom commands added by the maintainer of this repository. List of custom commands added by the maintainer of this repository:
| Command | Purpose |
|---|---|
sukarn-enable-nfs-cache |
Enable NFS caching |
sukarn-remove-nfs-cache |
Remove NFS caching and cached files |
sukarn-added-canon-lbp-2900 |
Add this printer to the printers list |
sukarn-fix-grub-double-entry |
Fix the grub double entries issue in Fedora Atomic |
sukarn-enroll-fedora-certificate |
Enroll the upstream fedora certificate |
sukarn-grub-toggle-savedefault |
Enable or disable GRUB_SAVEDEFAULT |
If build on Fedora Atomic, you can generate an offline ISO with the instructions available here.
The make-laptop-iso.sh and make-desktop-iso.sh scripts can make ISOs using podman. The ISO is saved in iso-output directory. Run only one of these scripts at a time. They may overwrite each-other's output. See JasonN3/build-container-installer for variables (must be specified in all caps).
The Action currently uses ublue-os/isogenerator-old. The ISO is a netinstaller and should always pull the latest version of your image. Note that this release-iso action is not a replacement for a full-blown release automation like release-please.
These images are signed with Sigstore's cosign. You can verify the signature by downloading the cosign.pub file from this repo and running the following command:
cosign verify --key cosign.pub ghcr.io/sukarn-m/sukarn-ublue