Project Atomic is now sunset

The Atomic Host platform is now replaced by CoreOS. Users of Atomic Host are encouraged to join the CoreOS community on the Fedora CoreOS communication channels.

The documentation contained below and throughout this site has been retained for historical purposes, but can no longer be guaranteed to be accurate.

Project News

Docker 1.4, Cockpit 0.27 (stable) added to CentOS 7 Atomic

If you’re running the CentOS Atomic Host images, you’ll want to do an atomic upgrade right about now. The update bumps Docker to 1.4, brings Cockpit to 0.27, and pulls in a few additional package updates.

As you’ve probably read, Docker 1.4 includes a few bug fixes, security fixes, and several new features.

Cockpit 0.27 is the most recent stable release from the Cockpit Project. This release of the Cockpit server manager is the same used for Fedora 21 Atomic Host, and includes a lot of stability and feature improvements since 0.24.

What’s in that update?!

You can see all the packages updated by using atomic db diff commit1 commit2. (And you can see the commit hashes for the two trees with atomic status.)

Cockpit Hackfest ahead of DevConf.cz

Going to DevConf.cz? Or just happen to be close to the Czech Republic and have a strong interest in Cockpit? You can learn how to hack on Cockpit, build plugins or prototypes, and much more!

The Hackfest will be held in Room A113, Brno University of Technology, on Friday 6 February from 2:10 to 5:10 CET. Of course, you should check out DevConf.cz too; it’s free to attend and you’ll have dozens of fantastic presentations to choose from related to free software. Also, keep an eye on Red Hat’s Community Calendar for other free and open source related events that may be of interest.

Hope to see you there!


Fedora 21 goes gold with Atomic images

Good news, everybody! Fedora 21 was officially released yesterday with not just one, not just two, but three flavors – a Cloud, Server, and Workstation release. You should definitely check out the workstation and server releases, but I want to focus particularly on the Cloud release with its Atomic Host image.

If you head over to the Get Fedora Cloud Page, you’ll find the download page with the Fedora 21 Atomic Host, with a RAW-format image and a qcow2 image suitable for OpenStack or KVM (e.g., Virt-Manager).

You’ll also find a list of AMIs for running Fedora 21 Atomic Host on Amazon Web Services in US East, US West, EU West, Asia Pacific SE, Asia Pacific NE, and South America East.

The Fedora 21 Atomic Host release is a streamlined Fedora 21 base with just the packages you need to run a host optimized for running Linux containers.

Updates

Note that if you were running one of the recent Fedora 21 Atomic Host pre-release images, you can update to Fedora 21 final with sudo atomic upgrade and then reboot.

Fedora 21 Docker Images

Naturally, you’re going to want something in the containers to run on Fedora Atomic Host. Why not take the new Fedora 21 Docker images for a test drive?

You can find the Fedora images on the Docker Hub (using docker pull fedora:21) or get them direct from the Fedora Spins site. The nice thing about grabbing directly from Fedora’s Spins page is you can also verify the download.

If you haven’t directly downloaded an image before, here’s how to load and run the image:

docker load -i Fedora-Docker-Base-20141203-21.x86_64.tar.gz
docker run -it --rm Fedora-Docker-Base-20141203-21.x86_64 bash

If the image name changes due to updates later, just replace the filename with the new download’s filename.
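
One way to make the verification step gate the load, as an added example that is not part of the original post or Fedora's tooling. The function names are hypothetical, and it assumes you have already authenticated the CHECKSUM file itself (for example, by checking its signature) and that it lists the tarball in either GNU or BSD sha256 format:

```shell
#!/bin/sh
# Added example: only hand an image tarball to `docker load` after its
# SHA-256 matches the value published in a CHECKSUM file.
# Assumption: the CHECKSUM file lists the tarball in one of two forms:
#   GNU:  <sha256> *<filename>
#   BSD:  SHA256 (<filename>) = <sha256>

# expected_sha256 FILE CHECKSUM_FILE
# Prints the hash listed for FILE's basename, or nothing if there is no entry.
expected_sha256() {
    name=$(basename "$1")
    awk -v n="$name" '
        $1 == "SHA256" && $2 == ("(" n ")") && $3 == "=" { print $4; exit }
        NF == 2 && ($2 == n || $2 == ("*" n))            { print $1; exit }
    ' "$2"
}

# verify_image FILE CHECKSUM_FILE
# Returns 0 on a match, 1 on a mismatch, 2 if FILE has no entry at all.
verify_image() {
    want=$(expected_sha256 "$1" "$2")
    [ -n "$want" ] || { echo "no checksum entry for $1" >&2; return 2; }
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo "checksum mismatch for $1" >&2; return 1; }
}

# verify_and_load FILE CHECKSUM_FILE
# Refuses to load the image unless verification succeeded.
verify_and_load() {
    verify_image "$1" "$2" && docker load -i "$1"
}
```

Call `verify_and_load` with the tarball and the CHECKSUM file from the same download location; a missing entry is treated as a failure rather than skipped.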

Get Involved!

Now that Fedora 21 is out the door, we all get a breather for about five minutes – and then start working on Fedora 22.

You can join us in the Fedora Cloud Working Group, sync up on the mailing list, or talk to us on Freenode in #fedora-cloud.


New CentOS Atomic image, Updated CentOS containers, and FreeIPA 4.1.2

If you’re running the CentOS images released last month, you’ll notice that you can pull an update using atomic update that will pick up updates to a number of crucial packages (e.g. Docker) from base CentOS as well as additional packages carried by the Atomic SIG.

We also have new monthly images up on CentOS.org, and a new pointer to the most recent images.

Any time you want to grab the most recent CentOS Atomic Host image use:

The xz image is compressed; the uncompressed qcow image is good for importing directly into OpenStack or another cloud platform that requires uncompressed image URLs.

Updated CentOS Containers

Worth noting that the CentOS Docker images have been updated as well on Docker Hub, so if you’re using CentOS containers you may want to do a docker pull to update them or respin any images that are using CentOS as the base container.

New FreeIPA Container

FreeIPA is an exciting project if you need an integrated security information management solution. The CentOS FreeIPA Docker container is super-useful if you want to use FreeIPA with minimal hassle.

The CentOS FreeIPA container was updated last week to 4.1.2, which brings the CentOS FreeIPA container up to date with the most recent stable FreeIPA release. See the CentOS.org post for more information.

Of course, FreeIPA isn’t the only containerized application available via the CentOS repo on Docker Hub. You’ll also find Wildfly, Nginx, MariaDB, and the Apache Web Server.

Have an idea for a new image for CentOS? If you have a Dockerfile you can submit a pull request to the GitHub repo. Have questions about the CentOS containers? Ask for help on the centos-devel mailing list or in #centos-devel on Freenode.


Docker's New Security Advisories and Untrusted Images

Docker has released two CVEs with the newest version (docker-1.3.2) regarding two privilege escalation flaws. They are only an issue when running untrusted images.

Yawn!!!

I question whether they should be CVEs at all. People need to realize that installing a Docker image is the equivalent of installing an RPM or a Debian .deb package.

  • If you install an RPM or Debian package from an untrusted source on your machine, then you should expect your machine will get owned.
  • If you install a Docker image from an untrusted source on your machine, then you should expect your machine will get owned.

That lesson has to be painfully learned, at first. For most users, it’s not obvious that docker pull is in the same class as yum install.

My fear with these CVEs is that people will start to assume Docker is unsafe or full of vulnerabilities. Check out this article on The Register, for example.

Docker has to spend time working on fixing the vulnerabilities, and people will get the false sense of security that Docker can install untrusted images securely. Of course, as soon as a user starts a container on the untrusted image, who knows what is going to happen? If the container runs any code as root, your machine can be owned. Remember, containers do not contain.

It’s All About Trust

The bottom line here? Do not run untrusted Docker images. Treat a Docker image the same way you would treat other software you install on your machine. It should be from a source you trust. You should not blindly install software from a third party just to get the latest version of a project or to save a little time.

To address this, Red Hat is building a certification process for Docker images, similar to what we do for third party software.

For folks who are using Fedora or CentOS, make sure that you’re getting your images from the official Fedora and CentOS Docker repositories or from repositories you trust – if you’re using one of the many third-party images, you don’t have a good way to confirm the origin of the software. Whether you’re running Docker 1.3.2 or 1.0, untrusted containers are unsafe, period.


Testing Kubernetes with an Atomic Host

Atomic hosts include Kubernetes for orchestration and management of containerized application deployments, across a cluster of container hosts. If you’re interested in taking Kubernetes for a spin on an Atomic host, read on!

Kubernetes+Atomic Hello World

First, boot into CentOS Atomic host. You ought to be able to use Fedora Atomic as well, but currently, Atomic Fedora comes with an earlier version of Kubernetes, so for each of the kubectl commands in this howto, there’s a different kubecfg command, for now.
