From 6edd1f538424ee727b15a792cb9d6946deb1fb8e Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Wed, 17 Dec 2025 13:19:24 -0500 Subject: [PATCH] build-sys: Always build a "from scratch" image This changes things so we always run through https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ in our default builds, which helps work around https://github.com/containers/composefs-rs/issues/132 But it will also help clean up our image building in general a bit. Signed-off-by: Colin Walters --- Dockerfile | 31 +++++++++++++++++++++---- Justfile | 6 ++++- crates/tests-integration/src/install.rs | 2 +- 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 48232c76..410b06e5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,14 +15,10 @@ COPY . /src FROM scratch as packaging COPY contrib/packaging / -FROM $base as base -# Mark this as a test image (moved from --label build flag to fix layer caching) -LABEL bootc.testimage="1" - # This image installs build deps, pulls in our source code, and installs updated # bootc binaries in /out. The intention is that the target rootfs is extracted from /out # back into a final stage (without the build deps etc) below. -FROM base as buildroot +FROM $base as buildroot # Flip this off to disable initramfs code ARG initramfs=1 # This installs our buildroot, and we want to cache it independently of the rest. 
@@ -40,6 +36,31 @@ FROM buildroot as sdboot-content # Writes to /out RUN /src/contrib/packaging/configure-systemdboot download +# We always do a "from scratch" build +# https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ +# because this fixes https://github.com/containers/composefs-rs/issues/132 +# NOTE: Until we have https://gitlab.com/fedora/bootc/base-images/-/merge_requests/317 +# this stage will end up capturing whatever RPMs we find at this time. +# NOTE: This is using the *stock* bootc binary, not the one we want to build from +# local sources. We'll override it later. +# NOTE: All your base belong to me. +FROM $base as target-base +RUN /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs + +FROM scratch as base +COPY --from=target-base /target-rootfs/ / +# Note we don't do any customization here yet +# Mark this as a test image +LABEL bootc.testimage="1" +# Otherwise standard metadata +LABEL containers.bootc 1 +LABEL ostree.bootable 1 +# https://pagure.io/fedora-kiwi-descriptions/pull-request/52 +ENV container=oci +# Optional labels that only apply when running this image as a container. These keep the default entry point running under systemd. +STOPSIGNAL SIGRTMIN+3 +CMD ["/sbin/init"] + # NOTE: Every RUN instruction past this point should use `--network=none`; we want to ensure # all external dependencies are clearly delineated. diff --git a/Justfile b/Justfile index 2dab9990..0085e057 100644 --- a/Justfile +++ b/Justfile 
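Review bot: The two new metadata labels use the legacy whitespace form (`LABEL containers.bootc 1`, `LABEL ostree.bootable 1`) while the line above them uses `LABEL bootc.testimage="1"`; the `key=value` form is the documented one and keeps the stage consistent, i.e. `LABEL containers.bootc=1` and `LABEL ostree.bootable=1`. The comment `# Optional labels that only apply when running this image as a container` sits above `STOPSIGNAL` and `CMD`, which are not labels; `# Runtime defaults that only matter when the image is run as a container` would match what follows. The old `# Mark this as a test image (moved from --label build flag to fix layer caching)` rationale is dropped in the move to the new `base` stage; keeping it on the new `LABEL bootc.testimage="1"` line tells the next reader why the label is not passed at build time. The `build-rootfs` RUN in `target-base` presumably needs network access (it sits before the `--network=none` note and captures RPMs) and, per the Justfile change in this commit, elevated build privileges; a one-line comment on that stage saying so makes the failure mode clear when the image is built outside `just`.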
@@ -43,7 +43,11 @@ lbi_images := "quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.a generic_buildargs := "" # Args for package building (no secrets needed, just builds RPMs) base_buildargs := generic_buildargs + " --build-arg=base=" + base + " --build-arg=variant=" + variant -buildargs := base_buildargs + " --secret=id=secureboot_key,src=target/test-secureboot/db.key --secret=id=secureboot_cert,src=target/test-secureboot/db.crt" +# - scratch builds need extra perms per https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/ +# - we do secure boot signing here, so provide the keys +buildargs := base_buildargs \ + + " --cap-add=all --security-opt=label=type:container_runtime_t --device /dev/fuse" \ + + " --secret=id=secureboot_key,src=target/test-secureboot/db.key --secret=id=secureboot_cert,src=target/test-secureboot/db.crt" # Args for build-sealed (no base arg, it sets that itself) sealed_buildargs := "--build-arg=variant=" + variant + " --secret=id=secureboot_key,src=target/test-secureboot/db.key --secret=id=secureboot_cert,src=target/test-secureboot/db.crt" diff --git a/crates/tests-integration/src/install.rs b/crates/tests-integration/src/install.rs index 8487c035..66db08bc 100644 --- a/crates/tests-integration/src/install.rs +++ b/crates/tests-integration/src/install.rs @@ -38,7 +38,7 @@ fn delete_ostree_deployments(sh: &Shell, image: &str) -> Result<(), anyhow::Erro if !Path::new("/ostree/deploy/").exists() { return Ok(()); } - let mounts = &["-v", "/ostree:/ostree", "-v", "/boot:/boot"]; + let mounts = &["-v", "/ostree:/sysroot/ostree", "-v", "/boot:/boot"]; cmd!( sh, "sudo {BASE_ARGS...} {mounts...} {image} bootc state wipe-ostree"
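Review bot: `--cap-add=all --security-opt=label=type:container_runtime_t --device /dev/fuse` are appended to `buildargs`, so they apply to the whole Dockerfile build rather than only to the `target-base` stage that the from-scratch rootfs build needs them for; every other RUN, including the buildroot stage that installs build deps with network access, now executes with all capabilities and the runtime SELinux type. That is a wider privilege surface than the one stage requires and is easy to mistake for a per-stage setting, so it is worth stating in the comment, e.g. `# - NOTE: these perms apply to every stage of the build, not only the rootfs stage`; if the privileged step can be isolated into its own build whose output is consumed as a base, the remaining stages can stay confined. `sealed_buildargs` on the next line is not given the same flags; if build-sealed runs through the same Dockerfile stages it will presumably hit the same permission failure, and if it does not, a comment saying why would help.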
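Review bot: The reason the host repo is now mounted at `/sysroot/ostree` instead of `/ostree` is not recorded, and the early return two lines above still keys off the host path `/ostree/deploy/`, so a reader may take the two paths for a mismatch; a comment such as `// bootc resolves the host's ostree repo under /sysroot inside the container, so mount it there` (confirm against the `state wipe-ostree` code path) would prevent that. `/boot` is still mounted at `/boot` rather than `/sysroot/boot`; if `wipe-ostree` resolves boot relative to the sysroot as well, that mount may need the same treatment — worth confirming. `delete_ostree_deployments` continues past the end of the hunk.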