Bluefin Administration Guide

j0rge · November 12, 2023, 3:37am

Day to Day Operation

Bluefin and Aurora are designed to be installed for the life of the hardware without reinstallation. Unlike traditional operating systems the image is always pristine and “clean”, making upgrades less problematic. Updates are automatic and silent by default.

Secure Boot

Secure Boot is supported by default on our systems, providing an additional layer of security. After the first installation, you will be prompted to enroll the secure boot key in the BIOS.

Enter the password ublue-os when prompted to enroll our key.

If this step is not completed during the initial setup, you can manually enroll the key by running the following command in the terminal:

ujust enroll-secure-boot-key

Secure boot is supported with our custom key. The pub key can be found in the root of the bazzite repository here. If you’d like to enroll this key prior to installation or rebase, download the key and run the following:

sudo mokutil --timeout -1
sudo mokutil --import secure_boot.der

Note:

If you encounter an issue with a password being recognized as incorrect, try using the - key on the numpad instead.

Installing Applications

Graphical Applications

Use the GNOME Software Center or KDE Discover applications to install applications from Flathub. Unlike stock Fedora, system updates and upgrades are not handled by this application, it’s scope has been reduced to only install Flatpaks from Flathub. The Warehouse tool is included for management.

Command Line Applications

The brew application is the package manager used for installing command line applications in Bluefin and Aurora.

System Updates

Bluefin and Aurora are designed to be “hands off”. System updates apply once a day, and Flatpaks update twice a day in the background. Updates are applied when the system reboots. Therefore, it is recommended to routinely power off your device when it’s not being used to ensure kernel updates are being applied. Application updates (like the browser) happen independently of this and don’t require a reboot.

See configuration of updates if you want to change the default behavior.

Machine firmware updates are provided through the standard Software Center:

See also: Using rpm-ostree

Upgrades and Throttle Settings

Bluefin publishes images for the current and last stable version of Fedora. This is to give users the maximum flexibility by allowing them to rebase to the version they want.

The latest stable release of Fedora is always tagged latest. The still-supported but older release is labelled as gts, which is slang for “Grand Touring Series”, for those who wish to enjoy the ride from a slower cadence. It is the default Bluefin and Aurora experience starting with Fedora 38. In the future we hope to offer lts → gts → latest as settings.

rpm-ostree reset

Then run a status:

rpm-ostree status

and look for the image you are on, look for a terribly long line like this: ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:latest

That is the image you are currently on. Look for :gts, :latest, or in certain cases the version like :39 or :40. Use a rebase command to move to a newer or older version:

In this example we’re rebasing to :latest, which is the latest stable release of Fedora (currently 40):

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:latest

To always be on the :gts (default) release, which is currently Fedora 39:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:gts

Explicit version tags of the Fedora release are available for users who wish to handle their upgrade cycle manually:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:40

Additionally rebasing to a specific date tag is encouraged if you need to “pin” to a specific day or version:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:38-20231101

Check the Fedora Silverblue User Guide for more information.

Overwriting System Defaults

Most Bluefin and Aurora system defaults are shipped on the base image along with Fedora configuration in /usr/etc. Most of these can be overriden by placing a file in /etc.

For example, the Distrobox configuration is in /usr/etc/distrobox/distrobox.ini. Your customization options will be placed in /etc/distrobox/distrobox.ini. This is useful for situations where you need a copy of the original file for reference.

Check the XDG Base Directory Specification for more information on configuration options, in particular ~/.local and ~/.config.

Power Management

By default Bluefin will switch the power profile depending on if you’re on AC or battery. You can adjust this setting by going to the logo menu → extensions manager, and then selecting what you want.

You can also turn off the extensions entirely with this command:

To turn it off: ujust configure-auto-power-profile disable
To turn it on: ujust configure-auto-power-profile enable

Remote Management

Note

This feature is incomplete and needs contributors to make it a reality

Bluefin and Aurora include Cockpit for machine management. We’re hoping to include more out-of-the-box management templates, please check this issue if you’re interested in volunteering.

Verification

These images are signed with sigstore’s cosign. You can verify the signature by downloading the cosign.pub key from this repo and running the following command:

cosign verify --key cosign.pub ghcr.io/ublue-os/bluefin

Building Locally (Bluefin Example)

Clone this repository and cd into the working directory

git clone https://github.com/ublue-os/bluefin.git
cd bluefin

Make modifications if desired
Build the image (Note that this will download and the entire image)
```
podman build . -t bluefin
```
Podman push to a registry of your choice.

Rebase to your image to wherever you pushed it:

sudo rpm-ostree rebase ostree-image-signed:docker://whatever/bluefin:latest

StupendousYappi · January 15, 2024, 8:21pm

FYI, the command sudo rpm-ostree rebase ghcr.io/ublue-os/bluefin:39 didn’t work for me, starting from a ghcr.io/ublue-os/bluefin-dx-nvidia:38 base… it produced the error Invalid refspec ghcr.io/ublue-os/bluefin:39. But running sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:39 did work.

Joseph_of_Earth · January 18, 2024, 1:36am

If updates aren’t handled through Gnome Software, is there another graphical way of installing updates?

If I do rpm-ostree upgrade, will that also update my flatpaks?

SFaulken · January 18, 2024, 1:51am

No, rpm-ostree doesn’t know a thing about flatpaks.

stego · January 25, 2024, 5:24pm

Just to make sure I’m not missing anything: The Updates tab is no longer present in the software center, right? And the screenshot is therefore outdated?

j0rge · January 25, 2024, 11:21pm

I haven’t gotten in a while but I think it only shows up for fwupd notifications. I’ll try to catch the next one.

jasper_van_der_marel · February 25, 2024, 9:11pm

Hi, does not show any fwupd notifications in bluefin-latest compared to ujust upgrade

tunix · February 25, 2024, 11:02pm

Hi Jorge,

I’ve started using ublue’s main image and then jumped ship to the startingpoint once I’ve felt that I needed my custom ISO’s for my future installations. But I quickly realized that it’s really hard to keep up with changes to startingpoint and that I wanted a more stable approach where defaults are usually fine but I want to automate my customizations on top of the base.

Here are things I used to do on top startingpoint:

Layer some packages
- some system76 packages (system76-keyboard-configurator, …)
- langpacks-tr
- some dependencies (libgda for pano, etc.)
- moby-engine
- simple-scan
- gnome-boxes (flatpak doesn’t have usb passthrough)
Remove some packages
- firefox + lang packs
- gnome-tour
- toolbx
Install 1Password via bling
Disable pcscd.socket since it causes issues when I want to use my e-signature inside Boxes (requires Windows)
Install custom flatpacks
Added my own selection of packages to yafti
Added my own additions to just files

I used to customize GNOME desktop via Ansible by setting up dconf locally. I like some of the defaults in bluefin but want to add my customizations as well.

So I was wondering what the recommended approach is for customizing bluefin. Do you recommend to have a Containerfile (like we do for classic image overrides) and add my customizations on top of bluefin image? If this is the recommended approach, should I include my dconf changes in /usr/etc/dconf/db/local.d/ or /etc/dconf/db/local.d/ like you mentioned above? (afaik, I should use /usr/etc instead of /etc if I want to overwrite the defaults when building a custom image)

j0rge · February 25, 2024, 11:30pm

Yeah you would do a Containerfile with FROM ghcr.io/ublue-os/bluefin as yourthing

Here’s an example of what @dogphilosopher is doing, but he’s using Bazzite:

github.com

noelmiller/isengard/blob/8aa54a73c3f9cacebf8a4aa446e0c7faee4f23aa/Containerfile

FROM ghcr.io/ublue-os/bazzite:latest AS isengard

ARG IMAGE_NAME="${IMAGE_NAME:-isengard}"
ARG IMAGE_VENDOR="${IMAGE_VENDOR:-noelmiller}"
ARG IMAGE_FLAVOR="${IMAGE_FLAVOR:-main}"
ARG IMAGE_BRANCH="${IMAGE_BRANCH:-main}"
ARG BASE_IMAGE_NAME="${BASE_IMAGE_NAME:-bazzite}"
ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-39}"

### 3. PRE-MODIFICATIONS

## Copy System files to be used in image
COPY system_files /


### 4. MODIFICATIONS
## make modifications desired in your image and install packages here, a few examples follow

# Apply IP Forwarding before installing Docker to prevent messing with LXC networking
RUN sysctl -p

This file has been truncated. show original

We keep it in /usr/etc so the machine always has a pristine copy of the files in case the user mangles their config in /etc and wants to start over. The one gotcha is to search for dconf in the bluefin repo and you’ll have to copy over a systemd service unit to do a dconf update on first boot.

Some other things real quick: bluefin removes the firefox and gnome-tour already so no need to do that. -dx has Docker if you want to snag that config instead of moby engine, and then you’ll find system and user flatpak install/remove service units there too that you might want to snag. Then for ISOs you’ll want to use this github action: GitHub - ublue-os/isogenerator: Creates an ISO for installing a container image as an OS

That should be it!

d1rewolf · March 22, 2024, 2:49am

Per this guide, I was trying to switch from gts to latest. I tried:

% sudo bootc switch ghcr.io/ublue-os/bluefin-dx-nvidia:latest

But received:
ERROR Switching: Reading manifest data from commit: Missing ostree.manifest-digest metadata on merge commit

After some troubleshooting/reading, I changed to:
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/bluefin-dx-nvidia:latest

That worked, fortunately. Hope this helps someone else…

j0rge · March 22, 2024, 9:24pm

Good call, I’ve fixed the docs, thanks!

ORYaRcul · April 28, 2024, 11:30pm

Will there be any side effects if I remove some layers/packages using rpm-ostree override? These packages are -

solaar: so that it doesn’t show in tray
plasma-thunderbolt: so that it doesn’t show in settings

j0rge · April 28, 2024, 11:32pm

Should be fine, you won’t save any space, doing this to the .desktop files will be cleaner.

You’d want to do it the other way around and add NoDisplay=true

Topic		Replies	Views
Introduction to Bluefin Bluefin and Aurora documentation	4	10401	May 11, 2024
Bluefin is now Generally Available Bluefin and Aurora	6	3676	April 30, 2024
Some lessons learned on installing Bluefin for devcontainers, Docker development Bluefin and Aurora developer-experience	4	606	April 14, 2024
How to make Bluefin configuration declarative? Bluefin and Aurora	3	187	February 17, 2024
Prototyping the Bluefin-cli experience Bluefin and Aurora developer-experience	14	1393	April 16, 2024