Fedora Kinoite
TPM2 LUKS Decryption
Mostly taken from here: https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95
PCR reference for --tpm2-pcrs args
0: System firmware executable
2: Kernel
4: Bootloader
7: Secure boot state
8: Cmdline
9: Initrd
Basic commands:
# Show tpm2 devices
systemd-cryptenroll --tpm2-device=list
# Show crypto luks block devices
blkid -t TYPE=crypto_LUKS
# Enroll the tpm2 device with systemd-cryptenroll
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3
# Re-enroll (wipe the existing tpm2 slot, then enroll again with the same PCR policy)
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9
# Append to command line args
rpm-ostree kargs --append=rd.luks.options=tpm2-device=auto
Because the policy is bound to PCRs that change with the firmware, bootloader, kernel, initrd and command line, the TPM2 slot stops unlocking after an update: you'll have to type the LUKS passphrase at boot and then re-enroll. Keep that passphrase keyslot; it's your fallback. Add this alias to your ~/.bashrc:
# LUKS TPM2 commands
alias tpm2-reenroll='sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9'
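Before running the re-enroll alias it's worth confirming that a passphrase keyslot still exists and seeing which PCRs the current TPM2 token is bound to. This is an added example, not code from the gist or from this page: it parses the JSON that `cryptsetup luksDump --dump-json-metadata <dev>` prints (token field names follow systemd-cryptenroll's `systemd-tpm2` token format; the sample dump is constructed and trimmed).

```python
# Check a LUKS2 header before re-enrolling the TPM2 slot. Input is the JSON
# that `cryptsetup luksDump --dump-json-metadata <dev>` prints; SAMPLE_DUMP
# is a constructed, trimmed sample, not a dump from a real device.
import json

WANTED_PCRS = {0, 2, 4, 7, 8, 9}  # the set used in the enroll commands above

SAMPLE_DUMP = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},  # passphrase slot
        "1": {"type": "luks2", "key_size": 64},  # slot owned by the TPM2 token
    },
    "tokens": {
        "0": {
            "type": "systemd-tpm2",
            "keyslots": ["1"],
            "tpm2-pcrs": [0, 2, 4, 7],  # stale policy from an older enroll
            "tpm2-pcr-bank": "sha256",
            "tpm2-blob": "<base64 blob elided>",
        }
    },
})

def tpm2_tokens(dump_json):
    """Return [(token_id, pcr_set, keyslot_ids)] for every systemd-tpm2 token."""
    meta = json.loads(dump_json)
    return [(tid, set(tok.get("tpm2-pcrs", [])), list(tok.get("keyslots", [])))
            for tid, tok in meta.get("tokens", {}).items()
            if tok.get("type") == "systemd-tpm2"]

def has_non_tpm_keyslot(dump_json):
    """True if some keyslot is not owned by any systemd-tpm2 token, i.e. a
    passphrase slot remains to unlock with once the PCR policy stops matching."""
    bound = {ks for _, _, slots in tpm2_tokens(dump_json) for ks in slots}
    return any(ks not in bound for ks in json.loads(dump_json).get("keyslots", {}))

def reenroll_needed(dump_json, wanted=WANTED_PCRS):
    """True if there is no TPM2 token or one is bound to a different PCR set."""
    toks = tpm2_tokens(dump_json)
    return not toks or any(pcrs != wanted for _, pcrs, _ in toks)

if __name__ == "__main__":
    # On a real box, replace SAMPLE_DUMP with the output of the cryptsetup command (as root).
    print("tokens:", tpm2_tokens(SAMPLE_DUMP))
    print("fallback passphrase slot:", has_non_tpm_keyslot(SAMPLE_DUMP))
    print("re-enroll needed:", reenroll_needed(SAMPLE_DUMP))
```

If `has_non_tpm_keyslot` comes back False, add a passphrase with `cryptsetup luksAddKey` before wiping the tpm2 slot, or the next PCR change locks you out.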
Podman
Since you'll be using podman for most container-based services, you'll want to point the podman auth file somewhere persistent; the default lives under $XDG_RUNTIME_DIR, which is cleared every time you reboot, so your registry logins vanish with it.
Add this to your .bashrc:
# Podman auth file
export REGISTRY_AUTH_FILE=$HOME/.podman-auth.json
Source that and then run podman login to create the file.
Autostarting services with quadlets
If you want to run something as your user at boot (as a systemd user service, think ollama) you can create a user quadlet like so:
# Generate the .container file
podman run --rm ghcr.io/containers/podlet --install --description "Local AI" \
podman run \
-d \
-v ollama:/root/.ollama \
-p 11434:11434 \
--name ollama \
--restart always \
docker.io/ollama/ollama > ~/.config/containers/systemd/ollama.container
# Verify the service (Note the filename:service, this is required! You will get "Failed to prepare filename" without it)
systemd-analyze verify ~/.config/containers/systemd/ollama.container:ollama.service
# Start the service
systemctl --user daemon-reload
systemctl --user start ollama
rpm-ostree
Note: if you don't need them, remove extra repos
I removed:
- rpmfusion-nonfree-steam.repo
- rpmfusion-nonfree-nvidia-driver.repo
- google-chrome.repo
- _copr:copr.fedorainfracloud.org:phracek:PyCharm.repo
# Search for available packages
rpm-ostree search git
# Install a package
rpm-ostree install git
# Apply the installed package live
rpm-ostree apply-live
# Check what's been layered
rpm-ostree status
Git, Vim, etc.
Some packages are nice to have at the system level.
rpm-ostree install git vim
Libvirt, Qemu, KVM
rpm-ostree install virt-manager libvirt
systemctl enable --now libvirtd
ROCM
Credit to: https://medium.com/@seancheo/running-generative-ai-on-amd-in-fedora-40-28aa3bebb187
Here are most of the ROCM packages that you'll need.
Fedora is currently working on a ROCM meta package here: https://packages.fedoraproject.org/pkgs/rocm/rocm/
rpm-ostree install \
hipblas-devel \
hipblaslt-devel \
hipcc \
hipcc-libomp-devel \
hipcub-devel \
hipfft-devel \
hipfort-devel \
hiprand-devel \
hiprt-devel \
hipsolver-devel \
hipsparse-devel \
rocalution-devel \
rocblas-devel \
rocfft-devel \
rocm-clang-devel \
rocm-clang-tools-extra-devel \
rocm-cmake \
rocm-comgr-devel \
rocm-core-devel \
rocm-hip-devel \
rocm-libc++-devel \
rocm-libc++-static \
rocm-llvm-devel \
rocm-omp-devel \
rocm-runtime-devel \
rocm-rpp-devel \
rocm-smi-devel \
rocminfo \
rocdecode-devel \
rocjpeg-devel \
rocprim-devel \
rocrand-devel \
rocsolver-devel \
rocsparse-devel \
rocthrust-devel \
roctracer-devel \
miopen
Ollama
Run the installation script as normal. Make sure you have the ROCM drivers installed for GPU acceleration. The script should automatically pull the ROCM drivers after installing the base packages. If not, you should install them manually.
For starting ollama as a service, follow the link below with one exception.
# Change the recommended home dir to /var/home/ollama
sudo useradd -r -s /bin/false -U -m -d /var/home/ollama ollama
Network
Hostname
sudo hostnamectl hostname reesework16
VLAN Setup with nmcli
# VLAN 2: list the existing connections, then add a tagged interface on top of the physical device
nmcli conn
export NMCLI_DEVICE=enp195s0f4u1u3
nmcli connection add type VLAN con-name $NMCLI_DEVICE.2 dev $NMCLI_DEVICE id 2
GPU Support in Distrobox
Fix for error="failed to check permission on /dev/kfd: open /dev/kfd: invalid argument"
# The video and render groups only exist in /usr/lib/group; copy them into /etc/group before you can add yourself to them
sudo grep -E '^video:' /usr/lib/group | sudo tee -a /etc/group
sudo grep -E '^render:' /usr/lib/group | sudo tee -a /etc/group
sudo usermod -aG video $USER
sudo usermod -aG render $USER
Log out and log back in to pick up the new groups.
Automatic Display Switching
# List displays
# Builtin: eDP-2
# Roku: DP-13
# Lenovo: DP-11
kscreen-doctor -o
# Put the builtin display back to normal
kscreen-doctor \
output.eDP-2.enable \
output.eDP-2.position.0,0 \
output.eDP-2.primary \
output.eDP-2.mode.2560x1600@165 \
output.eDP-2.scale.1.25
# Show on Roku TV and Monitor
kscreen-doctor \
output.DP-11.enable \
output.DP-11.position.0,0 \
output.DP-11.mode.2560x1440@60 \
output.DP-11.scale.1 \
output.DP-13.enable \
output.DP-13.position.0,0 \
output.DP-13.mode.2560x1440@100 \
output.DP-13.scale.1 \
output.DP-13.primary \
output.eDP-2.disable
# Show only on the Roku TV
kscreen-doctor \
output.DP-11.enable \
output.DP-11.position.0,0 \
output.DP-11.primary \
output.DP-11.mode.3840x2160@60 \
output.DP-11.scale.2 \
output.DP-13.disable \
output.eDP-2.disable
# Mirror the builtin display to the Roku TV
kscreen-doctor \
output.DP-11.enable \
output.DP-11.position.0,0 \
output.DP-11.primary \
output.DP-11.mode.3840x2160@60 \
output.DP-11.scale.2 \
output.eDP-2.enable \
output.eDP-2.mode.1920x1080@60 \
output.eDP-2.scale.1 \
output.eDP-2.position.0,0