Full Network Conversion, pt. 2: The Switch to Fedora

In the previous part of this series, I explained what started the whole process, praised a Mexican soup, and got angry about snap. And then I didn’t post this part for a very long time, and I’d like to apologize to anyone who may be reading this expecting more timely updates. I will not promise that it won’t happen again.

But anyway, here’s part two of this series! It talks mostly about what the first hours of switching to Fedora were like! I probably won’t go over the basic differences like apt vs dnf/yum too much, since there’s not too much to talk about there.

Hats, Roll Out

The typical strategy is to install the new operating system on my local Linux box first, and make sure the existing things I have run correctly, with minimal fuss. Given my recent conversion to containers, this process is of course greatly accelerated, because now all I have to learn is “okay now how do I install Docker”, and “what’s the standard firewall solution around here”.

On the local box, I installed Fedora Workstation, then learned of the dnf swap command to switch from GNOME to Plasma, then learned of the Fedora KDE Spin (and the lightweight spins, which come up later). Oh well, at least I got there. I also discovered that Fedora Workstation ships with something called “firewalld”, at some very strict settings, which was a bit of a head scratcher at first when the local box’s specific functions like file serving and Plex didn’t work. On the VPSes, my provider has a Fedora image which is very basic. So basic, in fact, that it did not even come with its own firewall. My previous firewall from Ubuntu was in Fedora’s repositories, however, so I’m just sticking with the devil I know.

Permission Denied

Wait, what? Why am I getting these all of a sudden? Oh, SELinux.

I’ve experimented with running SELinux in the past, and I’m largely familiar with its trappings. In fact, I’m actually quite relieved to know SELinux is running in enforcing mode by default. However, I’ve run into some problems with Docker. Given some time, I could probably automate making SELinux rules that allow Docker containers to work with no trouble at all, but for now I’ve just gone back to Permissive mode (where it throws warnings when something wacky happens).

I mention SELinux, so I should put an obligatory paragraph. Remember PRISM, a long long time ago, basically about the NSA spying on everybody? Remember Linus’ joke about saying “no” and nodding yes when asked if there’s backdoors in the kernel? In the kernel configuration menu, SELinux’s options are very consistently labeled “NSA SELinux”. Naturally, I could be drawing conclusions where none exist and what not, but I feel funny if I don’t at least mention all this.

Kube for Training, Kube for the Dead

There was one little snag. At the time, my apprenticeship was having me largely focus on trying to learn Kubernetes (which I still have a hard time wrapping my head around but at least I’m kinda there?). And at the time, there was only one “local testing” Kubernetes system I was getting consistently to work: microk8s. And there was only one place that it was distributed.

And I had just declared that place my arch nemesis. Oh well, not the first time.

Luckily, I managed to avoid some of the pitfalls here that made snap my sworn enemy.

  • Firstly, microk8s is considered a “classic” snap, which means that many of the limitations and restrictions normally found in snaps were eased up, but just for microk8s. Apparently, even Canonical realize that not everything “just works” in a snap, pun not intended.
  • Secondly, because snap relies heavily on AppArmor instead of SELinux, confinement within snaps effectively doesn’t even work outside of Ubuntu. This allows snap to almost behave like a traditional package manager, the way Canonical seems to think it works. Unfortunately for snap, I’m only using it here because microk8s is a Canonical product only available through official Microsoft Canonical channels, and will continue using actually-good package management software like dnf in the future.

What’s Next For Part 3?

This part largely deals with the main network switch to Fedora. I have one more place that needed a distro switch, but it wasn’t a regular computer box. What was it? Find out! Live in suspense until then! Learn what it was like watching a new show in the 90s! I might even post something unrelated in between! Who knows!

  • January 14, 2023