Running CoreOS Container Linux on DigitalOcean

Choosing a channel

Container Linux is designed to be updated automatically with different schedules per channel. You can disable this feature, although we don't recommend it. Read the release notes for specific features and bug fixes.

The following command will create a single droplet. For more details, check out Launching via the API.

The Alpha channel closely tracks master and is released frequently. The newest versions of system libraries and utilities will be available for testing. The current version is Container Linux 1451.2.0.

Launch Container Linux Droplet

Launch via DigitalOcean API by specifying $REGION, $SIZE and $SSH_KEY_ID:

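# config.ign is itself JSON, so strip its newlines and escape backslashes
# and double quotes before embedding it as the user_data string.
curl --request POST "https://api.digitalocean.com/v2/droplets" \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer $TOKEN" \
     --data '{"region":"'"${REGION}"'",
        "image":"coreos-alpha",
        "size":"'"$SIZE"'",
        "user_data": "'"$(tr -d '\n' < ~/config.ign | sed 's/\\/\\\\/g; s/"/\\"/g')"'",
        "ssh_keys":["'"$SSH_KEY_ID"'"],
        "name":"core-1"}'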

The Beta channel consists of promoted Alpha releases. The current version is Container Linux 1437.2.0.

Launch Container Linux Droplet

Launch via DigitalOcean API by specifying $REGION, $SIZE and $SSH_KEY_ID:

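# config.ign is itself JSON, so strip its newlines and escape backslashes
# and double quotes before embedding it as the user_data string.
curl --request POST "https://api.digitalocean.com/v2/droplets" \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer $TOKEN" \
     --data '{"region":"'"${REGION}"'",
        "image":"coreos-beta",
        "size":"'"$SIZE"'",
        "user_data": "'"$(tr -d '\n' < ~/config.ign | sed 's/\\/\\\\/g; s/"/\\"/g')"'",
        "ssh_keys":["'"$SSH_KEY_ID"'"],
        "name":"core-1"}'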

The Stable channel should be used by production clusters. Versions of Container Linux are battle-tested within the Beta and Alpha channels before being promoted. The current version is Container Linux 1409.5.0.

Launch Container Linux Droplet

Launch via DigitalOcean API by specifying $REGION, $SIZE and $SSH_KEY_ID:

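# config.ign is itself JSON, so strip its newlines and escape backslashes
# and double quotes before embedding it as the user_data string.
curl --request POST "https://api.digitalocean.com/v2/droplets" \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer $TOKEN" \
     --data '{"region":"'"${REGION}"'",
        "image":"coreos-stable",
        "size":"'"$SIZE"'",
        "user_data": "'"$(tr -d '\n' < ~/config.ign | sed 's/\\/\\\\/g; s/"/\\"/g')"'",
        "ssh_keys":["'"$SSH_KEY_ID"'"],
        "name":"core-1"}'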

Container Linux Configs

Container Linux allows you to configure machine parameters, configure networking, launch systemd units on startup, and more via Container Linux Configs. These configs are then transpiled into Ignition configs and given to booting machines. Head over to the docs to learn about the supported features. Note that DigitalOcean doesn't allow an instance's userdata to be modified after the instance has been launched. This isn't a problem since Ignition only runs on the first boot.

You can provide a raw Ignition config to Container Linux via the DigitalOcean web console or via the DigitalOcean API.

As an example, this config will configure and start etcd:

Container Linux Config (the human-readable config file; it should not be passed directly to Container Linux):

# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

etcd:
  # All options get passed as command line flags to etcd.
  # Any information inside curly braces comes from the machine at boot time.

  # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
  advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
  initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
  # listen on both the official ports and the legacy ports
  # legacy ports can be omitted if your application doesn't depend on them
  listen_client_urls:          "http://0.0.0.0:2379"
  listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
  # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
  # specify the initial size of your cluster with ?size=X
  discovery:                   "https://discovery.etcd.io/<token>"

Ignition config (the raw machine configuration, which is not intended for editing):

{
  "ignition": {
    "version": "2.0.0",
    "config": {}
  },
  "storage": {},
  "systemd": {
    "units": [
      {
        "name": "etcd-member.service",
        "enable": true,
        "dropins": [
          {
            "name": "20-clct-etcd-member.conf",
            "contents": "[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --listen-peer-urls=\"http://${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0}:2380\" \\\n  --listen-client-urls=\"http://0.0.0.0:2379\" \\\n  --initial-advertise-peer-urls=\"http://${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0}:2380\" \\\n  --advertise-client-urls=\"http://${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0}:2379\" \\\n  --discovery=\"https://discovery.etcd.io/\u003ctoken\u003e\""
          }
        ]
      }
    ]
  },
  "networkd": {},
  "passwd": {}
}

Adding more machines

To add more instances to the cluster, just launch more with the same Container Linux Config. New instances will join the cluster regardless of region.

SSH to your droplets

Container Linux is set up to be a little more secure than other DigitalOcean images. By default, it uses the core user instead of root and doesn't use a password for authentication. You'll need to add one or more SSH keys via the web console, or add keys/passwords via your Ignition config, in order to log in.

To connect to a droplet after it's created, run:

ssh core@<ip address>

Optionally, you may want to configure your ssh-agent to more easily run fleet commands.

Launching droplets

Via the API

For starters, generate a Personal Access Token and save it in an environment variable:

# -s (bash) keeps the token from being echoed to the terminal
read -rs TOKEN
# Enter your Personal Access Token

Upload your SSH key via DigitalOcean's API or the web console. Retrieve the SSH key ID via the "list all keys" method:

curl --request GET "https://api.digitalocean.com/v2/account/keys" \
     --header "Authorization: Bearer $TOKEN"

Save the key ID from the previous command in an environment variable:

read SSH_KEY_ID
# Enter your SSH key ID

Create a 512MB droplet with private networking in NYC3 from the Container Linux Stable image:

# config.ign is itself JSON: strip its newlines and escape backslashes and
# double quotes so it can be embedded as the user_data string.
curl --request POST "https://api.digitalocean.com/v2/droplets" \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer $TOKEN" \
     --data '{
      "region":"nyc3",
      "image":"coreos-stable",
      "size":"512mb",
      "name":"core-1",
      "private_networking":true,
      "ssh_keys":['"$SSH_KEY_ID"'],
      "user_data": "'"$(tr -d '\n' < config.ign | sed 's/\\/\\\\/g; s/"/\\"/g')"'"
}'

For more details, check out DigitalOcean's API documentation.
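
The Ignition config shown earlier carries \n and \" escapes inside its unit contents, so embedding it as user_data requires escaping backslashes, double quotes and line breaks. The following is an added example, not code from the original page or from CoreOS or DigitalOcean; the function names, the sample config and the key ID 12345 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the original page's code: build the droplet-creation
# request body with an Ignition config embedded as the "user_data" string.

# json_escape_file FILE: print FILE escaped for use inside a JSON string.
# Handles backslash, double quote, tab, carriage return and line breaks;
# other control characters are assumed absent from the config.
json_escape_file() {
    tab=$(printf '\t')
    cr=$(printf '\r')
    sed -e 's/\\/\\\\/g' \
        -e 's/"/\\"/g' \
        -e "s/${tab}/\\\\t/g" \
        -e "s/${cr}/\\\\r/g" "$1" |
        awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
}

# build_droplet_payload NAME REGION SIZE IMAGE SSH_KEY_ID USER_DATA_FILE
# Assumes NAME, REGION, SIZE and IMAGE are plain slugs (no quotes or
# backslashes) and SSH_KEY_ID is the numeric ID from /v2/account/keys.
build_droplet_payload() {
    printf '{"name":"%s","region":"%s","size":"%s","image":"%s","private_networking":true,"ssh_keys":[%s],"user_data":"%s"}\n' \
        "$1" "$2" "$3" "$4" "$5" "$(json_escape_file "$6")"
}

# Constructed sample: a two-line Ignition config whose unit contents carry
# \n and \" escapes, like the etcd drop-in shown on this page.
demo_payload() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
{"ignition":{"version":"2.0.0"},"systemd":{"units":[{"name":"demo.service",
"contents":"[Service]\nExecStart=/bin/echo \"hi\""}]}}
EOF
    build_droplet_payload core-1 nyc3 512mb coreos-stable 12345 "$sample"
    rm -f "$sample"
}

demo_payload   # prints the JSON body; nothing is sent

# To send it, pipe the body to curl instead of interpolating the file:
#   build_droplet_payload core-1 nyc3 512mb coreos-stable "$SSH_KEY_ID" config.ign |
#     curl --request POST "https://api.digitalocean.com/v2/droplets" \
#          --header "Content-Type: application/json" \
#          --header "Authorization: Bearer $TOKEN" --data @-
```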

Via the web console

  1. Open the "new droplet" page in the web console.
  2. Give the machine a hostname, select the size, and choose a region.
  3. Enable User Data and add your Ignition config in the text box.
  4. Choose your preferred channel of Container Linux.
  5. Select your SSH keys.

Note that DigitalOcean is not able to inject a root password into Container Linux images like it does with other images. You'll need to add your keys via the web console or add keys or passwords via your Container Linux Config in order to log in.

Using CoreOS Container Linux

Now that you have a machine booted, it is time to play around. Check out the Container Linux Quickstart guide or dig into more specific topics.