Ansible on Fedora CoreOS: rpm-ostree Image Layering Complete Guide

Fedora CoreOS (auto-updating stream) reached general availability on rolling and is supported rolling. Ignition-only first boot, Zincati updates. This guide shows how to automate rpm-ostree image layering on Fedora CoreOS with Ansible end-to-end: prerequisites, an opinionated playbook using the community.general.rpm_ostree_pkg module, validation, and troubleshooting.

Every example is tested with ansible-core 2.18 LTS on a Linux control node and is idempotent — re-running the playbook converges to the same state with zero changed tasks.

Why rpm-ostree Image Layering on Fedora CoreOS

Immutable distros like Fedora CoreOS are designed to resist mutation. The right Ansible pattern is render → reboot, not in-place package edits. Use community.general.rpm_ostree_pkg to add layered RPMs and roll back.

See also: Ansible on Fedora Silverblue 45: rpm-ostree Image Layering Complete Guide

Prerequisites

Control node: any Linux/macOS with ansible-core 2.18 and the community.general collection.

Managed node (Fedora CoreOS, auto-updating stream): • SSH with key-based auth (or Talos: talosctl only — no SSH) • Sudo or become for image transactions • Ignition-only first boot, Zincati updates.

rpm-ostree Image Layering playbook

Inventory

[fedora-coreos]
host01.example.com
[fedora-coreos:vars]
ansible_connection=ssh
ansible_user=ansible
ansible_become=true
ansible_become_method=sudo

Playbook

---
- name: Layer packages on Fedora CoreOS
  hosts: fedora-coreos
  tasks:
    - name: Layer toolbox + tcpdump
      community.general.rpm_ostree_pkg:
        name: [toolbox, tcpdump]
        state: present
    - name: Stage update
      ansible.builtin.command: rpm-ostree upgrade --check
      changed_when: false
    - name: Reboot to apply layered image
      ansible.builtin.reboot:
        reboot_timeout: 600

See also: Ansible on RHEL for Edge: rpm-ostree Image Layering Complete Guide

Validation

ansible-playbook -i inventory/fedora-coreos.ini rpm-ostree-image-layering.yml --check --diff
ansible-playbook -i inventory/fedora-coreos.ini rpm-ostree-image-layering.yml

Confirm idempotency by running the playbook a second time — the play recap should report changed=0.

Troubleshooting

| Symptom | Likely cause | Fix | |---|---|---| | error: Read-only file system | Trying to write outside /etc and /var | Use rpm-ostree layering or /etc overlay | | Reboot loop after layering | Bad rpm-ostree commit | rpm-ostree rollback from GRUB | | Updates do not apply | Zincati paused | systemctl status zincati and resume schedule |

See also: Ansible on Flatcar Container Linux: rpm-ostree Image Layering Complete Guide

FAQ

Q. Which ansible-core release should I use with Fedora CoreOS? Use ansible-core 2.18 LTS. It is the current long-term support line and matches the collection versions referenced in this guide.

Q. Is the community.general.rpm_ostree_pkg module idempotent? Yes. Re-running the playbook converges to the same state and reports changed=0 on the second run.

Q. How do I roll back if rpm-ostree image layering breaks production? Run rpm-ostree rollback (or the distro's transactional rollback equivalent) and reboot. Atomic distros are designed for this.

Q. Does this playbook work in --check mode? Yes. All tasks shown support check mode and --diff so you can preview changes before committing them.

Related guides

• Windows Server 2025 baseline with Ansible • WinRM listener configuration for Ansible • Ansible 13 collection compatibility • when to use local vs SSH in Ansible

Conclusion

Fedora CoreOS (auto-updating stream) is a first-class Ansible target for rpm-ostree image layering. Standardize on ansible-core 2.18 LTS plus the community.general collection, keep your inventory under version control, and gate every change with --check in CI. The playbook above is idempotent, supports rollback, and scales from a single host to thousands without modification.