containers/bootc
1
0
Fork 0
mirror of https://github.com/containers/bootc.git synced 2026-02-05 06:45:13 +01:00
Code Issues Activity
Files
108c35baf91d2dd76cac442dd9f6285bda46ce2d
bootc/Dockerfile

142 lines
6.9 KiB
Docker
Raw Normal View History

build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
# Build this project from source and write the updated content
# (i.e. /usr/bin/bootc and systemd units) to a new derived container
# image. See the `Justfile` for an example
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
Rework GHA testing: Use bcvk, cover composefs with tmt Part 1: Use bcvk For local tests, right now testcloud+tmt doesn't support UEFI, see https://github.com/teemtee/tmt/issues/4203 This is a blocker for us doing more testing with UKIs. In this patch we switch to provisioning VMs with bcvk, which fixes this - but beyond that a really compelling thing about this is that bcvk is *also* designed to be ergonomic and efficient beyond just being a test runner, with things like virtiofs mounting of host container storage, etc. In other words, bcvk is the preferred way to run local virt with bootc, and this makes our TMT tests use it. Now a major downside of this though is we're effectively implementing a new "provisioner" for tmt (bypassing the existing `virtual`). In the more medium term I think we want to add `bcvk` as a provisioner option to tmt. Anyways for now, this works by discovers test plans via `tmt plan ls`, spawning a separate VM per test, and then using uses tmt's connect provisioner to run tests targeting these externally provisioned systems. Part 2: Rework the Justfile and Dockerfile This adds `base` and `variant` arguments which are propagated through the system, and we have a new `variant` for sealed composefs. The readonly tests now pass with composefs. Drop the continuous repo tests...as while we could keep that it's actually a whole *other* entry in this matrix. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-04 09:20:56 -05:00
# Note this is usually overridden via Justfile
build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
ARG base=quay.io/centos-bootc/centos-bootc:stream10
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
# This first image captures a snapshot of the source code,
# note all the exclusions in .dockerignore.
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
FROM scratch as src
COPY . /src
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# And this image only captures contrib/packaging separately
# to ensure we have more precise cache hits.
FROM scratch as packaging
COPY contrib/packaging /
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
# This image installs build deps, pulls in our source code, and installs updated
# bootc binaries in /out. The intention is that the target rootfs is extracted from /out
build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
# back into a final stage (without the build deps etc) below.
build-sys: Always build a "from scratch" image This changes things so we always run through https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ in our default builds, which helps work around https://github.com/containers/composefs-rs/issues/132 But it will also help clean up our image building in general a bit. Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 13:19:24 -05:00
FROM $base as buildroot
Dockerfile: enable initramfs by default As we progress the composefs work along this is becoming more of a general requirement. I think it still makes sense to leave it as optional for now, but I think for the bulk of the cases we'll want to go ahead and build the initramfs support in. Signed-off-by: John Eckersberg <jeckersb@redhat.com>
2025-09-24 14:27:34 -04:00
# Flip this off to disable initramfs code
ARG initramfs=1
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# This installs our buildroot, and we want to cache it independently of the rest.
# Basically we don't want changing a .rs file to blow out the cache of packages.
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
/run/packaging/install-buildroot
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
# Now copy the rest of the source
COPY --from=src /src /src
WORKDIR /src
# See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
# We aren't using the full recommendations there, just the simple bits.
build-sys: Run most parts with `--network=none` (#1725) build-sys: Run most parts with `--network=none` Why? It just shows that we have put some thought into our build system and care about reproducibility, hermetic builds etc. And yes of course, `--network=bridge` should probably have been required as an opt-in in Dockerfile, but oh well. It's not too bad to sprinkle `--network=none` in some places. The biggest one is wrapping `make`. Signed-off-by: Colin Walters <walters@verbum.org>
2025-10-31 21:02:39 -04:00
# First we download all of our Rust dependencies
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
FROM buildroot as sdboot-content
# Writes to /out
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp /src/contrib/packaging/configure-systemdboot download
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
build-sys: Always build a "from scratch" image This changes things so we always run through https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ in our default builds, which helps work around https://github.com/containers/composefs-rs/issues/132 But it will also help clean up our image building in general a bit. Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 13:19:24 -05:00
# We always do a "from scratch" build
# https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/
# because this fixes https://github.com/containers/composefs-rs/issues/132
# NOTE: Until we have https://gitlab.com/fedora/bootc/base-images/-/merge_requests/317
# this stage will end up capturing whatever RPMs we find at this time.
# NOTE: This is using the *stock* bootc binary, not the one we want to build from
# local sources. We'll override it later.
# NOTE: All your base belong to me.
FROM $base as target-base
build-sys: Enable CentOS Stream compose repos to avoid version skew The base image may be built from a compose that has newer packages than what's available on the public mirrors. This causes version skew where packages like bootupd have different versions between the base image and our built image. For example, bootupd 0.2.32 changed the EFI file layout from /usr/lib/bootupd/updates/EFI/ to /usr/lib/efi/, and if we build with an older bootupd from mirrors while the target image has the newer layout, bootloader installation fails. Enable the CentOS Stream compose repos with higher priority to ensure we get matching versions. xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174 Signed-off-by: Colin Walters <walters@verbum.org> Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-16 14:03:49 -05:00
# Handle version skew between base image and mirrors for CentOS Stream
# xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Enable CentOS Stream compose repos to avoid version skew The base image may be built from a compose that has newer packages than what's available on the public mirrors. This causes version skew where packages like bootupd have different versions between the base image and our built image. For example, bootupd 0.2.32 changed the EFI file layout from /usr/lib/bootupd/updates/EFI/ to /usr/lib/efi/, and if we build with an older bootupd from mirrors while the target image has the newer layout, bootloader installation fails. Enable the CentOS Stream compose repos with higher priority to ensure we get matching versions. xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174 Signed-off-by: Colin Walters <walters@verbum.org> Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-16 14:03:49 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
/run/packaging/enable-compose-repos
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs
build-sys: Always build a "from scratch" image This changes things so we always run through https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ in our default builds, which helps work around https://github.com/containers/composefs-rs/issues/132 But it will also help clean up our image building in general a bit. Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 13:19:24 -05:00
FROM scratch as base
COPY --from=target-base /target-rootfs/ /
build-sys: Remove separate integration test image The previous commit consolidated test content (nushell, cloud-init, etc.) into the base image. This completes that work by removing the separate `build-integration-test-image` target and updating all references. Now `just build` produces the complete test-ready image directly, simplifying the build pipeline and eliminating the intermediate `localhost/bootc-integration` image. Also adds SKIP_CONFIGS support for the coreos testing workflow, which skips LBIs, test kargs, and install configs that would conflict with FCOS. Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-06 14:56:15 -05:00
# SKIP_CONFIGS=1 skips LBIs, test kargs, and install configs (for FCOS testing)
ARG SKIP_CONFIGS
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
# Use tmpfs for /run and /tmp with bind mounts inside to avoid leaking mount stubs into the image
RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=src,src=/src/hack,target=/run/hack \
cd /run/hack/ && SKIP_CONFIGS="${SKIP_CONFIGS}" ./provision-derived.sh
build-sys: Always build a "from scratch" image This changes things so we always run through https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ in our default builds, which helps work around https://github.com/containers/composefs-rs/issues/132 But it will also help clean up our image building in general a bit. Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 13:19:24 -05:00
# Note we don't do any customization here yet
# Mark this as a test image
LABEL bootc.testimage="1"
# Otherwise standard metadata
LABEL containers.bootc 1
LABEL ostree.bootable 1
# https://pagure.io/fedora-kiwi-descriptions/pull-request/52
ENV container=oci
# Optional labels that only apply when running this image as a container. These keep the default entry point running under systemd.
STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]
build-sys: Consistently use `RUN --network=none` and add check Ensure all RUN instructions after the "external dependency cutoff point" marker include `--network=none` right after `RUN`. This enforces that external dependencies are clearly delineated in the early stages of the Dockerfile. The check is part of `cargo xtask check-buildsys` and includes unit tests. Assisted-by: OpenCode (Sonnet 4) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 16:36:30 -05:00
# -------------
# external dependency cutoff point:
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
# NOTE: Every RUN instruction past this point should use `--network=none`; we want to ensure
# all external dependencies are clearly delineated.
build-sys: Consistently use `RUN --network=none` and add check Ensure all RUN instructions after the "external dependency cutoff point" marker include `--network=none` right after `RUN`. This enforces that external dependencies are clearly delineated in the early stages of the Dockerfile. The check is part of `cargo xtask check-buildsys` and includes unit tests. Assisted-by: OpenCode (Sonnet 4) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-17 16:36:30 -05:00
# This is verified in `cargo xtask check-buildsys`.
# -------------
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
FROM buildroot as build
test: Fix Dockerfile ARG issue Signed-off-by: Xiaofeng Wang <henrywangxf@me.com>
2025-11-27 17:03:36 +08:00
# Version for RPM build (optional, computed from git in Justfile)
ARG pkgversion
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
# For reproducible builds, SOURCE_DATE_EPOCH must be exported as ENV for rpmbuild to see it
ARG SOURCE_DATE_EPOCH
ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# Build RPM directly from source, using cached target directory
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
FROM buildroot as sdboot-signed
# The secureboot key and cert are passed via Justfile
# We write the signed binary into /out
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=sdboot-content,src=/,target=/run/sdboot-package \
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
--mount=type=secret,id=secureboot_key \
--mount=type=secret,id=secureboot_cert \
/src/contrib/packaging/configure-systemdboot sign
Updates to build sys and CONTRIBUTING.md The emphasis here is on trying to have the `Justfile` be the default entrypoint, wrapping other tools. - Replace mentions of podman-bootc with bcvk since I hope the latter supercedes the former - Unify the unit test entrypoint - Set up /var/tmp as a tmpdir to fix the etc merge test (otherwise, selinux failures w/tmp) - Run the unit+container tests in integration.yml - Have `just validate` run in a container Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-22 14:48:13 -04:00
# This "build" includes our unit tests
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
FROM build as units
Updates to build sys and CONTRIBUTING.md The emphasis here is on trying to have the `Justfile` be the default entrypoint, wrapping other tools. - Replace mentions of podman-bootc with bcvk since I hope the latter supercedes the former - Unify the unit test entrypoint - Set up /var/tmp as a tmpdir to fix the etc merge test (otherwise, selinux failures w/tmp) - Run the unit+container tests in integration.yml - Have `just validate` run in a container Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-22 14:48:13 -04:00
# A place that we're more likely to be able to set xattrs
VOLUME /var/tmp
ENV TMPDIR=/var/tmp
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make install-unit-tests
Updates to build sys and CONTRIBUTING.md The emphasis here is on trying to have the `Justfile` be the default entrypoint, wrapping other tools. - Replace mentions of podman-bootc with bcvk since I hope the latter supercedes the former - Unify the unit test entrypoint - Set up /var/tmp as a tmpdir to fix the etc merge test (otherwise, selinux failures w/tmp) - Run the unit+container tests in integration.yml - Have `just validate` run in a container Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-22 14:48:13 -04:00
# This just does syntax checking
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
FROM buildroot as validate
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome make validate
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
# Common base for final images: configures variant, rootfs, and injects extra content
FROM base as final-common
Rework GHA testing: Use bcvk, cover composefs with tmt Part 1: Use bcvk For local tests, right now testcloud+tmt doesn't support UEFI, see https://github.com/teemtee/tmt/issues/4203 This is a blocker for us doing more testing with UKIs. In this patch we switch to provisioning VMs with bcvk, which fixes this - but beyond that a really compelling thing about this is that bcvk is *also* designed to be ergonomic and efficient beyond just being a test runner, with things like virtiofs mounting of host container storage, etc. In other words, bcvk is the preferred way to run local virt with bootc, and this makes our TMT tests use it. Now a major downside of this though is we're effectively implementing a new "provisioner" for tmt (bypassing the existing `virtual`). In the more medium term I think we want to add `bcvk` as a provisioner option to tmt. Anyways for now, this works by discovers test plans via `tmt plan ls`, spawning a separate VM per test, and then using uses tmt's connect provisioner to run tests targeting these externally provisioned systems. Part 2: Rework the Justfile and Dockerfile This adds `base` and `variant` arguments which are propagated through the system, and we have a new `variant` for sealed composefs. The readonly tests now pass with composefs. Drop the continuous repo tests...as while we could keep that it's actually a whole *other* entry in this matrix. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-04 09:20:56 -05:00
ARG variant
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
--mount=type=bind,from=sdboot-content,src=/,target=/run/sdboot-content \
--mount=type=bind,from=sdboot-signed,src=/,target=/run/sdboot-signed \
Rework sealed build process Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-02 20:45:40 -05:00
/run/packaging/configure-variant "${variant}"
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
ARG rootfs=""
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
/run/packaging/configure-rootfs "${variant}" "${rootfs}"
build-sys: Inject hvc0 by default In order to debug failures more reliably we really always want a virtual console. It turns out the Fedora kernel configs for a while have done https://gitlab.com/cki-project/kernel-ark/-/commit/9a0d7ce2af11ef7b9a3bc3073e13dc9983b7e245 which means hvc0 is available from very early boot. I am probably going to argue to do this in all Fedora derivatives by default soon but let's start here. Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-18 22:06:44 -05:00
COPY --from=packaging /usr-extras/ /usr/
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
# Final target: installs pre-built packages from the 'packages' build context.
# Use with: podman build --target=final --build-context packages=path/to/packages
# We use --build-context instead of -v to avoid volume mount stubs leaking into /run.
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
FROM final-common as final
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
build-sys: Use tmpfs for /run to prevent mount stub leakage When using --mount=type=bind,target=/run/foo, podman/buildah creates the mount point directory in the image layer even though the mounted content is not committed. These empty directory stubs pollute /run in the final image. Fix by using --mount=type=tmpfs,target=/run with bind mounts nested inside. This ensures /run remains empty in the committed layer. Also move the lint invocation in Dockerfile.cfsuki to a separate RUN command so it runs after the bind mount is released. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-14 13:54:38 -05:00
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
--mount=type=bind,from=packages,src=/,target=/run/packages \
build-sys: Various improvements Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild, enabling bit-for-bit reproducible RPM builds. This is useful for verification and caching. Then fix the idempotency of the default `just build` to ensure we're not incorrectly invalidating caches. Add `just check-buildsys` command that builds packages twice and verifies checksums match, confirming reproducibility. The CI package job now uses this to catch regressions. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-12-16 13:31:22 -05:00
/run/packaging/install-rpm-and-setup /run/packages
build-sys: Add tmpfs mount for /tmp, allow lint to see /tmp and /run In C9S there's something leaking files in `/tmp` so let's just enforce use of tmpfs for `/run` at build time too. But fix `RUN bootc container lint` to *not* have those mounts becuase otherwise we don't actually see the leaked content. Assisted-by: Cursor (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-20 15:21:05 +00:00
# lint: allow non-tmpfs
RUN --network=none <<EORUN
set -xeuo pipefail
# workaround for https://github.com/containers/buildah/pull/6233
rm -vrf /run/systemd
bootc container lint --fatal-warnings
EORUN
Copy Permalink