containers/bootc
1
0
Fork 0
mirror of https://github.com/containers/bootc.git synced 2026-02-05 06:45:13 +01:00
Code Issues Activity
Files
main
bootc/Dockerfile

212 lines
9.6 KiB
Docker
Raw Permalink Normal View History

build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
# Build this project from source and write the updated content
# (i.e. /usr/bin/bootc and systemd units) to a new derived container
# image. See the `Justfile` for an example
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
Rework GHA testing: Use bcvk, cover composefs with tmt Part 1: Use bcvk For local tests, right now testcloud+tmt doesn't support UEFI, see https://github.com/teemtee/tmt/issues/4203 This is a blocker for us doing more testing with UKIs. In this patch we switch to provisioning VMs with bcvk, which fixes this - but beyond that a really compelling thing about this is that bcvk is *also* designed to be ergonomic and efficient beyond just being a test runner, with things like virtiofs mounting of host container storage, etc. In other words, bcvk is the preferred way to run local virt with bootc, and this makes our TMT tests use it. Now a major downside of this though is we're effectively implementing a new "provisioner" for tmt (bypassing the existing `virtual`). In the more medium term I think we want to add `bcvk` as a provisioner option to tmt. Anyways for now, this works by discovers test plans via `tmt plan ls`, spawning a separate VM per test, and then using uses tmt's connect provisioner to run tests targeting these externally provisioned systems. Part 2: Rework the Justfile and Dockerfile This adds `base` and `variant` arguments which are propagated through the system, and we have a new `variant` for sealed composefs. The readonly tests now pass with composefs. Drop the continuous repo tests...as while we could keep that it's actually a whole *other* entry in this matrix. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-04 09:20:56 -05:00
# Note this is usually overridden via Justfile
build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
ARG base=quay.io/centos-bootc/centos-bootc:stream10
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
# This first image captures a snapshot of the source code,
# note all the exclusions in .dockerignore.
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
FROM scratch as src
COPY . /src
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# And this image only captures contrib/packaging separately
# to ensure we have more precise cache hits.
FROM scratch as packaging
COPY contrib/packaging /
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
# This image installs build deps, pulls in our source code, and installs updated
# bootc binaries in /out. The intention is that the target rootfs is extracted from /out
build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
# back into a final stage (without the build deps etc) below.
build-sys: Always build a "from scratch" image This changes things so we always run through https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ in our default builds, which helps work around https://github.com/containers/composefs-rs/issues/132 But it will also help clean up our image building in general a bit. Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 13:19:24 -05:00
FROM $base as buildroot
Dockerfile: enable initramfs by default As we progress the composefs work along this is becoming more of a general requirement. I think it still makes sense to leave it as optional for now, but I think for the bulk of the cases we'll want to go ahead and build the initramfs support in. Signed-off-by: John Eckersberg <jeckersb@redhat.com>
2025-09-24 14:27:34 -04:00
# Flip this off to disable initramfs code
ARG initramfs=1
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# This installs our buildroot, and we want to cache it independently of the rest.
# Basically we don't want changing a .rs file to blow out the cache of packages.
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
# Use tmpfs for /run and /tmp with bind mounts inside to avoid leaking mount stubs into the image
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
/run/packaging/install-buildroot
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
# Now copy the rest of the source
COPY --from=src /src /src
WORKDIR /src
# See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
# We aren't using the full recommendations there, just the simple bits.
build-sys: Run most parts with `--network=none` (#1725) build-sys: Run most parts with `--network=none` Why? It just shows that we have put some thought into our build system and care about reproducibility, hermetic builds etc. And yes of course, `--network=bridge` should probably have been required as an opt-in in Dockerfile, but oh well. It's not too bad to sprinkle `--network=none` in some places. The biggest one is wrapping `make`. Signed-off-by: Colin Walters <walters@verbum.org>
2025-10-31 21:02:39 -04:00
# First we download all of our Rust dependencies
xtask: Add local-rust-deps command for auto-detecting path dependencies Add `cargo xtask local-rust-deps` which uses `cargo metadata` to find local path dependencies outside the workspace (e.g., from [patch] sections) and outputs podman bind mount arguments. This enables a cleaner workflow for local development against modified dependencies like composefs-rs: 1. Add a [patch] section to Cargo.toml with real local paths 2. Run `just build` - the Justfile auto-detects and bind-mounts them Benefits over the previous BOOTC_extra_src approach: - No manual env var needed - Paths work for both local `cargo build` and container builds - No /run/extra-src indirection or Cargo.toml path munging required - Auto-detection means it Just Works™ The Justfile's build target now calls `cargo xtask local-rust-deps` to get bind mount args, falling back gracefully if there are no external deps. The old BOOTC_extra_src mechanism is still supported for backwards compat. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-22 17:47:29 -05:00
# Note: Local path dependencies (from [patch] sections) are auto-detected and bind-mounted by the Justfile
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
build-sys: Always build a "from scratch" image This changes things so we always run through https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ in our default builds, which helps work around https://github.com/containers/composefs-rs/issues/132 But it will also help clean up our image building in general a bit. Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 13:19:24 -05:00
# We always do a "from scratch" build
# https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/
# because this fixes https://github.com/containers/composefs-rs/issues/132
# NOTE: Until we have https://gitlab.com/fedora/bootc/base-images/-/merge_requests/317
# this stage will end up capturing whatever RPMs we find at this time.
# NOTE: This is using the *stock* bootc binary, not the one we want to build from
# local sources. We'll override it later.
# NOTE: All your base belong to me.
FROM $base as target-base
build-sys: Enable CentOS Stream compose repos to avoid version skew The base image may be built from a compose that has newer packages than what's available on the public mirrors. This causes version skew where packages like bootupd have different versions between the base image and our built image. For example, bootupd 0.2.32 changed the EFI file layout from /usr/lib/bootupd/updates/EFI/ to /usr/lib/efi/, and if we build with an older bootupd from mirrors while the target image has the newer layout, bootloader installation fails. Enable the CentOS Stream compose repos with higher priority to ensure we get matching versions. xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174 Signed-off-by: Colin Walters <walters@verbum.org> Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-16 14:03:49 -05:00
# Handle version skew between base image and mirrors for CentOS Stream
# xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Enable CentOS Stream compose repos to avoid version skew The base image may be built from a compose that has newer packages than what's available on the public mirrors. This causes version skew where packages like bootupd have different versions between the base image and our built image. For example, bootupd 0.2.32 changed the EFI file layout from /usr/lib/bootupd/updates/EFI/ to /usr/lib/efi/, and if we build with an older bootupd from mirrors while the target image has the newer layout, bootloader installation fails. Enable the CentOS Stream compose repos with higher priority to ensure we get matching versions. xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174 Signed-off-by: Colin Walters <walters@verbum.org> Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-16 14:03:49 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
/run/packaging/enable-compose-repos
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs
build-sys: Always build a "from scratch" image This changes things so we always run through https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ in our default builds, which helps work around https://github.com/containers/composefs-rs/issues/132 But it will also help clean up our image building in general a bit. Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 13:19:24 -05:00
FROM scratch as base
COPY --from=target-base /target-rootfs/ /
build-sys: Remove separate integration test image The previous commit consolidated test content (nushell, cloud-init, etc.) into the base image. This completes that work by removing the separate `build-integration-test-image` target and updating all references. Now `just build` produces the complete test-ready image directly, simplifying the build pipeline and eliminating the intermediate `localhost/bootc-integration` image. Also adds SKIP_CONFIGS support for the coreos testing workflow, which skips LBIs, test kargs, and install configs that would conflict with FCOS. Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-06 14:56:15 -05:00
# SKIP_CONFIGS=1 skips LBIs, test kargs, and install configs (for FCOS testing)
ARG SKIP_CONFIGS
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
# Use tmpfs for /run and /tmp with bind mounts inside to avoid leaking mount stubs into the image
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=src,src=/src/hack,target=/run/hack \
cd /run/hack/ && SKIP_CONFIGS="${SKIP_CONFIGS}" ./provision-derived.sh
build-sys: Always build a "from scratch" image This changes things so we always run through https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ in our default builds, which helps work around https://github.com/containers/composefs-rs/issues/132 But it will also help clean up our image building in general a bit. Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 13:19:24 -05:00
# Note we don't do any customization here yet
# Mark this as a test image
LABEL bootc.testimage="1"
# Otherwise standard metadata
LABEL containers.bootc 1
LABEL ostree.bootable 1
# https://pagure.io/fedora-kiwi-descriptions/pull-request/52
ENV container=oci
# Optional labels that only apply when running this image as a container. These keep the default entry point running under systemd.
STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
# This layer contains things which aren't in the default image and may
# be used for sealing images in particular.
FROM base as tools
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
/run/packaging/initialize-sealing-tools
build-sys: Consistently use `RUN --network=none` and add check Ensure all RUN instructions after the "external dependency cutoff point" marker include `--network=none` right after `RUN`. This enforces that external dependencies are clearly delineated in the early stages of the Dockerfile. The check is part of `cargo xtask check-buildsys` and includes unit tests. Assisted-by: OpenCode (Sonnet 4) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 16:36:30 -05:00
# -------------
# external dependency cutoff point:
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
# NOTE: Every RUN instruction past this point should use `--network=none`; we want to ensure
# all external dependencies are clearly delineated.
build-sys: Consistently use `RUN --network=none` and add check Ensure all RUN instructions after the "external dependency cutoff point" marker include `--network=none` right after `RUN`. This enforces that external dependencies are clearly delineated in the early stages of the Dockerfile. The check is part of `cargo xtask check-buildsys` and includes unit tests. Assisted-by: OpenCode (Sonnet 4) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 16:36:30 -05:00
# This is verified in `cargo xtask check-buildsys`.
# -------------
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
FROM buildroot as build
test: Fix Dockerfile ARG issue Signed-off-by: Xiaofeng Wang <henrywangxf@me.com>
2025-11-27 17:03:36 +08:00
# Version for RPM build (optional, computed from git in Justfile)
ARG pkgversion
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
# For reproducible builds, SOURCE_DATE_EPOCH must be exported as ENV for rpmbuild to see it
ARG SOURCE_DATE_EPOCH
ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# Build RPM directly from source, using cached target directory
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
# This image signs systemd-boot using our key, and writes the resulting binary into /out
FROM tools as sdboot-signed
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
# The secureboot key and cert are passed via Justfile
# We write the signed binary into /out
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
# Note: /out already contains systemd-boot-unsigned RPM from initialize-sealing-tools
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
--mount=type=secret,id=secureboot_key \
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
--mount=type=secret,id=secureboot_cert <<EORUN
set -xeuo pipefail
# Extract the unsigned systemd-boot binary from the downloaded RPM
cd /tmp
rpm2cpio /out/*.rpm | cpio -idmv
# Find the extracted unsigned binary
sdboot_unsigned=$(ls ./usr/lib/systemd/boot/efi/systemd-boot*.efi)
sdboot_bn=$(basename ${sdboot_unsigned})
# Sign with sbsign using db certificate and key
sbsign --key /run/secrets/secureboot_key \
--cert /run/secrets/secureboot_cert \
--output /out/${sdboot_bn} \
${sdboot_unsigned}
ls -al /out/${sdboot_bn}
EORUN
# ----
# Unit and integration tests
# The section here (up until the last `FROM` line which acts as the default target)
# is non-default images for unit and source code validation.
# ----
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
Updates to build sys and CONTRIBUTING.md The emphasis here is on trying to have the `Justfile` be the default entrypoint, wrapping other tools. - Replace mentions of podman-bootc with bcvk since I hope the latter supercedes the former - Unify the unit test entrypoint - Set up /var/tmp as a tmpdir to fix the etc merge test (otherwise, selinux failures w/tmp) - Run the unit+container tests in integration.yml - Have `just validate` run in a container Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-22 14:48:13 -04:00
# This "build" includes our unit tests
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
FROM build as units
Updates to build sys and CONTRIBUTING.md The emphasis here is on trying to have the `Justfile` be the default entrypoint, wrapping other tools. - Replace mentions of podman-bootc with bcvk since I hope the latter supercedes the former - Unify the unit test entrypoint - Set up /var/tmp as a tmpdir to fix the etc merge test (otherwise, selinux failures w/tmp) - Run the unit+container tests in integration.yml - Have `just validate` run in a container Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-22 14:48:13 -04:00
# A place that we're more likely to be able to set xattrs
VOLUME /var/tmp
ENV TMPDIR=/var/tmp
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make install-unit-tests
Updates to build sys and CONTRIBUTING.md The emphasis here is on trying to have the `Justfile` be the default entrypoint, wrapping other tools. - Replace mentions of podman-bootc with bcvk since I hope the latter supercedes the former - Unify the unit test entrypoint - Set up /var/tmp as a tmpdir to fix the etc merge test (otherwise, selinux failures w/tmp) - Run the unit+container tests in integration.yml - Have `just validate` run in a container Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-22 14:48:13 -04:00
# This just does syntax checking
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
FROM buildroot as validate
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make validate
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
# ----
# Stages for the final image
# ----
# Perform all filesystem transformations except generating the sealed UKI (if configured)
FROM base as base-penultimate
Rework GHA testing: Use bcvk, cover composefs with tmt Part 1: Use bcvk For local tests, right now testcloud+tmt doesn't support UEFI, see https://github.com/teemtee/tmt/issues/4203 This is a blocker for us doing more testing with UKIs. In this patch we switch to provisioning VMs with bcvk, which fixes this - but beyond that a really compelling thing about this is that bcvk is *also* designed to be ergonomic and efficient beyond just being a test runner, with things like virtiofs mounting of host container storage, etc. In other words, bcvk is the preferred way to run local virt with bootc, and this makes our TMT tests use it. Now a major downside of this though is we're effectively implementing a new "provisioner" for tmt (bypassing the existing `virtual`). In the more medium term I think we want to add `bcvk` as a provisioner option to tmt. Anyways for now, this works by discovers test plans via `tmt plan ls`, spawning a separate VM per test, and then using uses tmt's connect provisioner to run tests targeting these externally provisioned systems. Part 2: Rework the Justfile and Dockerfile This adds `base` and `variant` arguments which are propagated through the system, and we have a new `variant` for sealed composefs. The readonly tests now pass with composefs. Drop the continuous repo tests...as while we could keep that it's actually a whole *other* entry in this matrix. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-04 09:20:56 -05:00
ARG variant
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
# Switch to a signed systemd-boot, if configured
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
--mount=type=bind,from=sdboot-signed,src=/,target=/run/sdboot-signed <<EORUN
set -xeuo pipefail
if test "${variant}" = "composefs-sealeduki-sdboot"; then
/run/packaging/switch-to-sdboot /run/sdboot-signed
fi
EORUN
# Configure the rootfs
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
ARG rootfs=""
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
/run/packaging/configure-rootfs "${variant}" "${rootfs}"
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
# Override with our built package
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
--mount=type=bind,from=packages,src=/,target=/run/packages \
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
/run/packaging/install-rpm-and-setup /run/packages
build-sys: Rework sealing to be one build step Now that we're doing a "from scratch" build we don't have the mtime issue, and so we can change our build system to do everything in a single step. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-08 11:33:40 -05:00
# Inject some other configuration
COPY --from=packaging /usr-extras/ /usr/
# Clean up package manager caches
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
/run/packaging/cleanup
# Generate the sealed UKI in a separate stage
# This computes the composefs digest from base-penultimate and creates a signed UKI
# We need our newly-built bootc for the compute-composefs-digest command
FROM tools as sealed-uki
ARG variant
# Install our bootc package (only needed for the compute-composefs-digest command)
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
--mount=type=bind,from=packages,src=/,target=/run/packages \
rpm -Uvh --oldpackage /run/packages/bootc-*.rpm
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
--mount=type=secret,id=secureboot_key \
--mount=type=secret,id=secureboot_cert \
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
--mount=type=bind,from=base-penultimate,src=/,target=/run/target <<EORUN
set -xeuo pipefail
if test "${variant}" = "composefs-sealeduki-sdboot"; then
/run/packaging/seal-uki /run/target /out /run/secrets
fi
EORUN
# And now the final image
FROM base-penultimate
ARG variant
# Copy the sealed UKI and finalize the image (remove raw kernel, create symlinks)
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
--mount=type=bind,from=sealed-uki,src=/,target=/run/sealed-uki <<EORUN
set -xeuo pipefail
if test "${variant}" = "composefs-sealeduki-sdboot"; then
/run/packaging/finalize-uki /run/sealed-uki/out
fi
EORUN
# And finally, test our linting
# lint: allow non-tmpfs - we want to detect leaked files in /run and /tmp
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none <<EORUN
set -xeuo pipefail
# workaround for https://github.com/containers/buildah/pull/6233
rm -vrf /run/systemd
bootc container lint --fatal-warnings
EORUN
Copy Permalink