Fedora IoT becomes an edition

By Jonathan Corbet
August 20, 2020

The Fedora 33 release is currently scheduled for late October; as part of the process of designing this release, the deadline for system-wide change proposals was set for June 30. This release already has a substantial number of big changes in the works, so one might be forgiven for being surprised by a system-wide change proposal that appeared on August 4, which looks to be pre-approved. Not only that, but this proposal expands the small set of official Fedora "editions" by adding the relatively obscure Fedora Internet of Things Edition.

The Fedora distribution is released in a number of forms, including a fair number of "Fedora spins" that skew the distribution toward a specific use case. The flagship Fedora products, though, are the editions, of which there are currently only two: Fedora Workstation and Fedora Server. The former is obviously aimed at desktop deployments, while the latter is meant to be useful on back-end systems. This set of editions has been stable for some time.

There are a few "emerging editions" in the works, including Fedora CoreOS and Silverblue. Also on that list is Fedora IoT which is now poised to become the third edition to be part of the Fedora 33 release. The proposal notes that this is "largely a paperwork exercise at this point". While the remaining work may be confined to paperwork, the project may want to put some effort into documentation sooner or later; actual information about what Fedora IoT is and how to work with it is relatively hard to find.

Digging in

As one might expect, Fedora IoT is meant to be deployed on devices that make up the "Internet of Things". The vision statement behind Fedora IoT, as found in the associated "product requirement document", is:

Fedora is the default platform in the IoT space. Anyone starting an IoT project, from cute embedded hacks all the way up to a multi-million device deployment will start with Fedora.

The distribution is available for both the x86 and arm64 architectures. An attempt to run the Arm version on a Libre Computer "La Frite" single-board computer failed at boot time; that board is not on the list of supported platforms, so this outcome is arguably not surprising. The x86 version runs nicely enough in a virtual machine, though, so that is the version that your editor played around with.

Relative to its peers, the Fedora IoT edition is a small (but not tiny) distribution; installed, it requires a little under 3GB of disk space. It runs within 1GB of RAM with memory to spare — as long as one is not actually doing anything, anyway. The resource constraints of IoT systems force the set of installed packages to be relatively small; if one is expecting a GNOME desktop or a choice of relational database management systems out of the box, one will be disappointed. This is still Fedora, though, so those packages are readily available for installation later; Fedora IoT need not remain a small system.

Veteran Fedora administrators will have to adjust to a new way of managing those packages, though; one does not just run "dnf install" on a Fedora IoT system. Indeed, there is no dnf command available. This distribution, instead, is built using rpm-ostree; packages still show up in the traditional RPM format, but the way they are managed has changed considerably.

The rpm-ostree system is built around the concept of an immutable base image, perhaps augmented by one or more overlay images. The running system is never modified by package-management operations like installations or system upgrades. Instead, rpm-ostree maintains a set of parallel system images, two of them by default. The running image is immutable; any package-management operations will, instead, apply to the next image in the series (being simply the other image in a two-image setup). Thus, for example, the system administrator can install an essential package (Emacs, say), but that package will go into the alternative image and the action will not immediately yield a usable emacs command.

So, for example, the command to add Emacs is:

    # rpm-ostree install emacs

This command will fetch the required packages from the repository in the usual way and install them. Afterward, one can query the state of the system with:

    # rpm-ostree status
    State: idle
    Deployments:
      ostree://fedora-iot:fedora/stable/x86_64/iot
               Version: 32.20200817.0 (2020-08-17T15:28:05Z)
            BaseCommit: 4fa6233db3448c1ee5bb73b89fbddf54167108929d71248ece63ad6969ea308c
          GPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0
                  Diff: 183 added
       LayeredPackages: emacs
    
    * ostree://fedora-iot:fedora/stable/x86_64/iot
               Version: 32.20200817.0 (2020-08-17T15:28:05Z)
                Commit: 4fa6233db3448c1ee5bb73b89fbddf54167108929d71248ece63ad6969ea308c
          GPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0

This output shows the two "deployments" (system images) managed by rpm-ostree; the one marked with the "*" is the currently running image. We see the other image with an additional package (emacs) layered onto it. Actually running that image (and, thus, being able to use Emacs) requires a reboot; at that point, the system will switch to the new image. The image that was running previously will remain in its current form in case a rollback is needed. Once the administrator starts making more changes, though, the previous image will be set up as a copy of the (new) running image, so changes like the addition of Emacs will be preserved going forward.

The idea behind all this mechanism is to make system updates safer. Since an update is applied to an idle image, it cannot break the running system even if it is interrupted at an especially inopportune time; this is good, since updates in general seem to be more than adequately endowed with inopportune times. The updated image will only be set up to run on the next boot after the update completes successfully. If, for some reason, the update as a whole proves to be inopportune, rolling back to the previous (and working) image is a trivial operation; the bootloader can be configured to do so automatically if appropriate. The result is, hopefully, an unbrickable system.

It is also relatively easy to implement a "factory reset" operation that simply removes any layered packages, stripping the system back to the original image. Naturally, rpm-ostree is able to check and enforce package signatures if the intent is to lock the system down.

Rolling releases, containers, and more

While Fedora can be a nice system to work with, administrators tend to reach for something else when the time comes to deploy a production system. One of the main reasons for that is Fedora's update cycle; any given Fedora release is supported for a year, after which the system must be updated to a newer release. That can be inconvenient on any production system; a similar requirement on a distribution for embedded devices could be a serious impediment to the project's "multi-million device deployment" ambitions.

To avoid this problem, Fedora IoT apparently opts out of the normal release cycle; instead, the project has committed to producing a rolling release with monthly updates. With rpm-ostree configured to pull down updates automatically, IoT systems can be kept up to date with little effort. If an update goes bad, the rollback mechanism is there to help users recover.

One other significant difference with Fedora IoT is a relatively strong focus on the use of containers to install applications. The podman tool is provided for this purpose; it's meant to look a lot like Docker, but without the need for any background daemons. Podman comes configured to pull images from docker.io by default. Your editor attempted to use it to install a few versions of NetHack that must all surely be legitimate, but none of them consented to run correctly — thus saving your editor a considerable amount of wasted time.

Beyond those changes, though, Fedora IoT feels much like any other Fedora system. The commands work in the same way, and the usual packages are available. This makes for a relatively rich and comfortable environment for embedded-systems work.

One can't help wonder about the ultimate objective, though. Fedora comes with no support guarantees, a fact that is sure to give pause to any companies thinking about which operating system to install in their million-device products. If Fedora is to have any chance of being deployed in such systems, some sort of commercial support option will have to materialize. When that happens, it may well go under the name of "Red Hat IoT" or some such. Fedora itself may not make it onto all of those devices, but Fedora users will have played with the technology first and helped to make it better.

Fedora IoT becomes an edition

Posted Aug 20, 2020 17:45 UTC (Thu) by dowdle (subscriber, #659) [Link] (3 responses)

Spins ARE NOT for specific use cases, they are the additional desktop environments. I think you are thinking of Fedora Labs:
https://labs.fedoraproject.org/

I have to ask... how about a RPi 4 product? Sure, they do RPi 3 but the 4 has been out long enough to have been revved already.

Fedora IoT becomes an edition

Posted Aug 20, 2020 19:43 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

> Spins ARE NOT for specific use cases, they are the additional desktop environments

It didn't used to be that way when we originally came up with that term. The labs nomenclature hasn't caught on that much. People even within the project routinely use the term spins to refer to anything that is produced by the project but not an official edition

Fedora IoT becomes an edition

Posted Aug 20, 2020 19:48 UTC (Thu) by mattdm (subscriber, #18) [Link]

We found that this distinction wasn't really widely known or understood even among Fedora contributors, and way back in 2018 the Council voted to simplify this and drop the distinction. We haven't had a website refresh, though, so the current layout still has that separation. But going forward, pick a name that makes sense for your variant — Lab, or Spin, or something else.

Fedora IoT becomes an edition

Posted Aug 25, 2020 16:43 UTC (Tue) by misc (subscriber, #73730) [Link]

RPi 4 will be supported by Fedora when the drivers will be upstream.

Fedora IoT becomes an edition

Posted Aug 20, 2020 18:25 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (7 responses)

The last time I tried it on RPi3, there were some missing pieces. In particular, given the way RPi3 does booting, it was not compatible with atomic updates. As far as I remember, the kernel was simply copied to the boot partition via a script. Ditto for other files like device trees.

Is there any progress on updating them safely and atomically?

Fedora IoT becomes an edition

Posted Aug 21, 2020 6:25 UTC (Fri) by jpfrancois (subscriber, #65948) [Link] (5 responses)

I guess one way to do that is to have a double kernel, one in the boot partition with a tiny initramfs that kexecs in the real kernel.

Fedora IoT becomes an edition

Posted Aug 21, 2020 9:07 UTC (Fri) by fwiesweg (guest, #116364) [Link] (2 responses)

I tried this a while ago with buildroot on an rpi1 (which worked fine) and then wanted to port it to an rpi3 and found it to not work. Seems there was a reason why this feature was marked as experimental on ARM, but a tight deadline prevented me from investigating any further.

If anyone succeeded at making this work in the meantime, I'd love to hear about it!

Fedora IoT becomes an edition

Posted Aug 27, 2020 5:04 UTC (Thu) by mkj (subscriber, #85885) [Link] (1 responses)

I implemented something to boot a fallback rpi kernel with https://github.com/mkj/rpi-flipflop#how-it-works
It uses the same mechanism as NOOBS so hopefully it works on newer than a rpi1, though I haven't tested it.

Fedora IoT becomes an edition

Posted Aug 27, 2020 7:48 UTC (Thu) by fwiesweg (guest, #116364) [Link]

Thanks, that looks quite interesting!

Fedora IoT becomes an edition

Posted Aug 21, 2020 10:51 UTC (Fri) by dezgeg (subscriber, #92243) [Link] (1 responses)

No need for any trickery of this sort, you can put your kernel under any filename you want on the boot partition, and then refer it to via extlinux.conf. You can even put multiple entries and select them from multiple kernels in a menu (just like GRUB). I implemented this years ago in NixOS.

Fedora IoT becomes an edition

Posted Aug 21, 2020 15:32 UTC (Fri) by dezgeg (subscriber, #92243) [Link]

...and now a sibling comment reminded me; this is done with U-Boot (so it works on many other arm/aarch64 boards out-of-the-box).

Fedora IoT becomes an edition

Posted Aug 21, 2020 14:33 UTC (Fri) by tau (subscriber, #79651) [Link]

The usual way to accomplish this on a RPi is to chain-load U-Boot, which then loads the active kernel from ext4 root. Of course, the firmware bootloader and U-Boot itself cannot be updated atomically.

Fedora IoT becomes an edition

Posted Aug 21, 2020 1:03 UTC (Fri) by AdamW (subscriber, #48457) [Link]

Just for some additional detail on the process side of things: this has actually been ongoing for a while now and nearly happened for Fedora 32. It didn't mostly because I complained about some things that are mostly resolved at this point.

One of the things that was not clear was the actual *process for making something an Edition* - there sort of wasn't one, because we'd never really thought to make one up. The initial Editions were decided as part of the Fedora.next initiative, but no-one ever thought to write down a These Are The Hoops To Jump Through To Make A New Edition sort of thing. So that's why you didn't see a Change or anything else obvious before this - because it wasn't obvious that becoming an Edition *required* a Change, or anything else like that. It's been sort of vaguely Known for a while that IoT, CoreOS and Silverblue are sort of on the track to becoming official Editions, but there hasn't been much in the way of a clear formal "paper trail" for that.

In the end we decided running it through the Change process is a good way to sort of flag this up and fit it into a framework people understand, which is obviously working, hence this story :) But most of the actual shovel work to prepare for it was done over a longer period.

On the topic of who/what is this for, it might be a good idea to see if you could get an interview with Peter Robinson, who's the main driving force behind the whole IoT project. He could probably give you some interesting answers.

Fedora IoT becomes an edition

Posted Aug 21, 2020 8:19 UTC (Fri) by epa (subscriber, #39769) [Link] (1 responses)

So... Fedora IoT is now a 'thing'?

Fedora IoT becomes an edition

Posted Aug 21, 2020 10:21 UTC (Fri) by darshanime (guest, #127773) [Link]

Aye Aye. Fedora IoT seems to be a thing indeed.

Fedora IoT becomes an edition

Posted Aug 21, 2020 12:07 UTC (Fri) by gdamjan (subscriber, #33634) [Link] (1 responses)

Does anyone know what the difference is between Fedora CoreOS and Fedora IOT? Couldn't find that anywhere.

Fedora IoT becomes an edition

Posted Aug 21, 2020 12:39 UTC (Fri) by walters (subscriber, #7396) [Link]

https://discussion.fedoraproject.org/t/coreos-vs-iot-edit...

Fedora IoT becomes an edition

Posted Sep 4, 2020 13:42 UTC (Fri) by michielwb (guest, #138341) [Link]

> Fedora comes with no support guarantees, a fact that is sure to give pause to any companies thinking about which operating system to install in their million-device products. If Fedora is to have any chance of being deployed in such systems, some sort of commercial support option will have to materialize.

I'm working a lot with embedded linux devices and most vendors seem to not care at all about this. They mostly use *some* old version of linux, add busybox, and add their stuff and call it a day. Using Fedora IoT would be a real improvement -- such as that it would be possible to install *packages*... or to make it easier to have updates... or to use systemd and start services in parallel rather than some hacked startup scripts which all run after another... and so on.

Having an enterprise offering them support is _not_ on their list.