Skip to main content

Administrator's Guide

Day to Day Operation

Bluefin is designed to be installed for the life of the hardware without reinstallation. Unlike traditional operating systems the image is always pristine and "clean", making upgrades less problematic. Updates are automatic and silent by default.

This usually means you can set it up your system once, and then have it remain that way. Then likely you'll never have to come back here. 🙂

I want that "defaults lifestyle".

-Matt Ray

Bluefin Desktop Environment Illustration

Installing Applications

Graphical Applications

Use the GNOME Software Center to install applications from Flathub. System updates and upgrades are not handled by this application, it's scope has been reduced to only install Flatpaks from Flathub. The Warehouse tool is included for management.

GNOME Software Center - App Illustration

Command Line Applications

The brew application is the package manager used for installing command line applications in Bluefin.

Note that the cask functionality in homebrew is MacOS specific and non functional in Bluefin, flatpak is used instead.

System Updates

Bluefin is designed to be "hands off". System updates apply weekly, and Flatpaks update twice a day in the background. Updates are applied when the system reboots. Therefore, it is recommended to routinely power off your device when it's not being used to ensure kernel updates are being applied. Application updates (like the browser) happen independently of this and don't require a reboot.

Machine firmware updates are provided through the standard Software Center:

Software Center → Updates

Upgrades and Throttle Settings

Bluefin publishes images based on the current and last stable version of Fedora. This is to give users maximum flexibility by allowing them to rebase to the version they want. You can choose from three rolling tags, or lock to a specific version of Fedora. Check the release notes for specific version information.

gts (default)stable or stable-dailylatest
Fedora Version:404141
GNOME Version:464747
Target User:Most usersEnthusiastsAdvanced users
System Updates:WeeklyWeekly or DailyDaily
Application Updates:Twice a DayTwice a DayTwice a Day
Kernel:GatedGatedUngated
  • gts: This is the default image and is always aliased to the previous stable version of Fedora. It targets the majority of users. It is slang for "Grand Touring Support", to signify a faster cadence than an LTS
  • stable: This is for enthusiasts who want the latest version of GNOME and Fedora. It is always aliased to the current version of Fedora but follows the Fedora CoreOS release schedule and not the Fedora Silverblue release schedule. stable-daily is available for those who want daily builds.
  • latest: For users who want the very latest Fedora has to offer, an ungated linux kernel, daily updates, full open throttle 🔥

The major difference between latest and stable is the kernel cadence and when they do a major upgrade. latest will upgrade to the next major Fedora release as soon as it is available and builds daily.

stable will upgrade when CoreOS does its userspace upgrade, which is usually a few weeks afterwards, and builds weekly or daily. Users can choose the stable-daily image for daily stable updates, or stick to stable for weekly builds.

Advantages

One of Bluefin's strengths is being able to atomically adjust versions. All the tags are built from the same repository and are essentially the same, the version numbers will just be different. gts for a work machine and stable for your hot rod. Additionally the ability to rebase between release cadences lets users repurpose machines for different use cases without needing to reinstall.

Gated Kernel

The gts and stable tags feature a gated kernel. This kernel follows the same version as the Fedora CoreOS stable stream, which is a slower cadence than default Fedora Silverblue. The Universal Blue team may temporarily pin to a specific kernel in order to avoid regressions that may affect users.

Adding and editing kernel boot arguments is currently handled by rpm-ostree, check the upstream documentation for more information.

Managing Updates

In Settings → Network → A network setting, set Metered Connection: has data limits or can incur charges to pause Bluefin updates:

Settings → Network → A network setting - Metered Connection: has data limits or can incur charges Highlight

Switching between Streams

Note that the stable and latest streams update more aggresively and may introduce new changes from Fedora (including regressions), take the user's Linux expertise into account when changing the update cadence.

Use the ujust rebase-helper command to select rebase and select a specific stream:

ujust rebase-helper - channel

Or select date and choose an older image.

ujust rebase-helper - date

Switching between tags manually

Here are the manual commands with rpm-ostree, we recommend becoming familiar with them if you find yourself rebasing often. Before changing a stream it is recommended to remove any locally layered packages:

rpm-ostree reset

Then run a status:

sudo bootc status

and look for the image you are on, it should look something like this:

Current staged image: ghcr.io/ublue-os/bluefin:gts
Image version: 40.20241101.0 (2024-11-02 05:46:53.714 UTC)
Image digest: sha256:cb57c75f7d700773ed6f54e4ba5550235a647fc9251e69345b1113cfd81dc884
Current booted image: ghcr.io/ublue-os/bluefin:gts
Image version: 40.20241030.0 (2024-10-31 05:47:14.513 UTC)
Image digest: sha256:5536b3511f38a57c7f71fd499b616671ef67043f155313f714f8c92a0f8d1e7c
Current rollback state is native ostree

The ghcr.io/ublue-os/bluefin:gts is the important part, with bluefin being the image name, and the :gts being the image tag. That is the image you are currently on. Look for :gts, :stable, :latest, or in certain cases the version like :40 or :41.

Pro Tip: Bluefin's release notes contain the stream switching instructions at the bottom of each release. This is useful if you're trying to nail down a regression in a specific package version.

Use the bootc switch command to move to a newer or older version:

Manual Rebase Examples

In this example we're rebasing to :stable, which is the latest stable release of Fedora (currently 41). The --enforce-container-sigpolicy is important to ensure you're checking the signature of the produced image:
sudo bootc switch ghcr.io/ublue-os/bluefin:stable --enforce-container-sigpolicy

To always be on the :gts (default) release:

sudo bootc switch ghcr.io/ublue-os/bluefin:gts --enforce-container-sigpolicy

Explicit version tags of the Fedora release are available for users who wish to handle their upgrade cycle manually:

sudo bootc switch ghcr.io/ublue-os/bluefin:40 --enforce-container-sigpolicy

Additionally rebasing to a specific date tag is encouraged if you need to "pin" to a specific day or version:

sudo bootc switch ghcr.io/ublue-os/bluefin:stable-20241027 --enforce-container-sigpolicy

If you use an nvidia machine, remember that the -nvidia is important! (This is why it's important to note the image name when you ran that previous status command:

sudo bootc switch ghcr.io/ublue-os/bluefin-nvidia:stable --enforce-container-sigpolicy

Use the skopeo inspect command to query information from an image:

skopeo inspect docker://ghcr.io/ublue-os/bluefin

This will show all the available tags and useful metadata like image and kernel versions.

Check the Fedora Silverblue User Guide for more information.

Virtual Private Networks (VPN)

Tailscale is included by default to provide VPN services for both desktop and development use cases.

  • Using Tailscale with Mullvad - provides the best out of the box experience
  • Using Tailscale with Docker - for development
  • ujust toggle-tailscale will remove the built in desktop integration if you prefer to use something else.
  • Good VPN providers provide Wireguard configurations that can be imported directly into the Network Manager, check their documentation for more information.

Another option is ProtonVPN, which is currently in the process of officially supporting Flatpak.

Other VPN providers may provide a poor packaging experience and are not recommended.

Enabling Local Layering

Local Layering will be disabled by default in Spring 2025

Local Layering is adding individual packages onto the system. In Spring 2025 Bluefin will come with Local Layering OFF by default. It is currently enabled by default.

Generally speaking this is an anti-pattern in Bluefin as the end goal is to move away from the package based model entirely, however sometimes you just need something. Toggling this back to true is just the user's acknowledgement that this will entail manual maintenance as a reminder and that the experience isn't as nice.

info

For some users this minimal amount of maintainance is still much smaller than what they are used to and they glady make that tradeoff. Well played.

You can toggle this setting in /etc/rpm-ostreed.conf:

LockLayering=false

From the manpage:

LockLayering= Controls whether any mutation of the base OSTree commit is supported (for example, package overlays or overrides, initramfs overlays or regeneration). Defaults to false.

rpm-ostree reset and a reboot will always bring the system back to pure image mode, making temporary compromises to get work done is perfectly fine.

Probably FineDon't Do It
VPN ClientSteam
Third party softwareDeveloper Tooling

Local layering does significantly increase update time, but by default all Bluefin systems update in the background anyway and the result will mostly be invisible. Problems will generally occur if you are using a third party repository that doesn't align with what's happening in the Fedora archive at the time. Your mileage may vary.

Overwriting System Defaults

Most Bluefin and Aurora system defaults are shipped on the base image along with Fedora configuration in /usr/etc. Most of these can be overridden by placing a file in /etc.

For example, the Distrobox configuration is in /usr/etc/distrobox/distrobox.ini. Your customization options will be placed in /etc/distrobox/distrobox.ini. This is useful for situations where you need a copy of the original file for reference.

Check the XDG Base Directory Specification for more information on configuration options, in particular ~/.local and ~/.config.

Community Aliases and Workarounds

just is used as a task runner on Bluefin. These are commonly community convenience aliases, or more complex scripts that help automate some tasks or initial setup. This is aliased as ujust, so that you can use just itself for your other projects.

Handy Aliases

  • ujust --choose - Shows every command and the script that is being executed when that command is chosen. Useful for browsing the available commands
  • ujust -n $command - The -n will run a command in dry-run mode, this is useful for inspecting the commands being run
  • ujust update - Manually update the system, flatpaks, and brew formulas
  • ujust bios - Reboot the PC and enter the BIOS/UEFI. Useful for running dual boot systems from independent disks
  • ujust device-info - Sends the status, flatpak list, and system info to the CentOS pastebin, and returns the URL to the terminal. This makes it easy for the end user to paste the URL with their info so others can help them debug
  • ujust changelogs - Show the changelogs for each package since the last update

Pro tip, keep your own tasks and aliases in ~/.Justfile, and they are also handy to put in the root of your project files to automate common tasks, check out this example from Fedora Kinoite.

Note that generally speaking the project tries to keep the system Justfiles finely scoped, most of these workarounds and not full-fledged commands. They may get removed or changed depending on the problem they were initially meant to solve.

Managing Extensions

Bluefin uses the Extension Manager by Matthew Jakeman to manage the desktop extensions. The application is included by default. You can access it via the Logo Menu (thanks Aryan Kaushik!)

GNOME Extension Menu Option (opens Extension Manager)

This is useful if you decide you do not want to use some of the ones bundled with Bluefin.

Extension Manager - System Extensions Highlight

note

If your session crashes, then all of your extensions will be disabled. In the rare case when this happens you may need to turn them all back on in the extensions manager.

Remote Management

Help Wanted

This feature is incomplete and needs contributors to make it a reality

Bluefin and Aurora include Cockpit for machine management. We're hoping to include more out-of-the-box management templates, please check this issue if you're interested in volunteering.

Terminal Configuration

Changing the default terminal shell

Help Wanted

The Bluefin team lacks expertise in both fish and zsh, contributions to help us reach feature parity would be welcome and appreciated!

Bluefin ships Ptyxis as the default terminal. It shows up as Terminal in the menu. It is strongly recommended that you change your shell via the terminal emulator instead of system-wide. Click on the Terminal settings and edit your profile:

Ptyxis → Preferences → Profiles → A Profile Setting → Edit...

Then select "Use Custom Command" and then add the shell you want to use. /usr/bin/fish and /usr/bin/zsh are both included on the image:

Ptyxis → Preferences → Profiles → A Profile Setting → Edit... → Shell → Custom Command

Verification

These images are signed with sigstore's cosign. You can verify the signature by downloading the cosign.pub key from this repo and running the following command:

cosign verify --key cosign.pub ghcr.io/ublue-os/bluefin