WIP: to-disk test flow & fixes

Author: travier

examples/.gitignore

@@ -0,0 +1,9 @@
+test.img
+backups
+bootc-bls/bootc
+bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
+bootc-uki/VARS_CUSTOM.secboot.qcow2.template
+bootc-uki/bootc
+bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
+bootc-uki/secureboot/
+systemd-bootx64.efi

examples/bootc-bls/build

@@ -4,15 +4,12 @@ set -eux
 
 cd "${0%/*}"
 
-cargo build --release --bin bootc --bin bootc-initramfs-setup
+# cargo build --release --features=composefs-backend
 
 cp ../../target/release/bootc .
 cp ../../target/release/bootc-initramfs-setup extra/usr/lib/dracut/modules.d/37bootc/
 
-mkdir -p tmp
-
 podman build \
     -t quay.io/fedora/fedora-bootc-bls:42 \
     -f Containerfile \
-    --iidfile=tmp/iid \
     .

examples/bootc-uki/Containerfile.stage1

@@ -4,7 +4,7 @@ COPY bootc /usr/bin
 
 RUN passwd -d root
 
-# need to have composefs setup root in the initramfs so we need this
+# need to have bootc-initramfs-setup in the initramfs so we need this
 RUN set -x; \
     kver=$(cd /usr/lib/modules && echo *); \
     dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver;

examples/bootc-uki/Containerfile.stage2

@@ -9,10 +9,12 @@ RUN --mount=type=secret,id=key \
     set -eux
 
     mkdir -p /etc/kernel /etc/dracut.conf.d
-    echo "console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} selinux=1 enforcing=0 systemd.debug_shell=1 root=UUID=6523f8ae-3eb1-4e2a-a05a-18b695ae656f rw" > /etc/kernel/cmdline
+    echo "console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} selinux=1 enforcing=0 audit=0 systemd.debug_shell=1 root=UUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 rw" > /etc/kernel/cmdline
 
+    rm "/etc/yum.repos.d/fedora-cisco-openh264.repo"
     dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
     kver=$(cd /usr/lib/modules && echo *)
+    mkdir -p "/boot/EFI/Linux"
     ukify build \
         --linux "/usr/lib/modules/$kver/vmlinuz" \
         --initrd "/usr/lib/modules/$kver/initramfs.img" \
@@ -24,7 +26,7 @@ RUN --mount=type=secret,id=key \
         --secureboot-certificate "/run/secrets/cert" \
         --measure \
         --json pretty \
-        --output "/boot/$kver.efi"
+        --output "/boot/EFI/Linux/$kver.efi"
     sbsign \
         --key "/run/secrets/key" \
         --cert "/run/secrets/cert" \
@@ -39,7 +41,7 @@ RUN --mount=type=bind,from=kernel,target=/_mount/kernel <<EOF
     mkdir -p /boot/EFI/Linux
     # We put the UKI in /boot for now due to composefs verity not being the
     # same due to mtime of /usr/lib/modules being changed
-    cp /_mount/kernel/boot/$kver.efi /boot/EFI/Linux/$kver.efi
+    cp -r /_mount/kernel/boot/* /boot/
 EOF
 
 FROM base as final-final

examples/bootc-uki/build.base

@@ -4,15 +4,17 @@ set -eux
 
 cd "${0%/*}"
 
-cargo build --release --bin bootc --bin bootc-initramfs-setup
+# cargo build --release --features=composefs-backend
+
+IMAGE="quay.io/fedora/fedora-bootc-base-uki:42"
 
 cp ../../target/release/bootc .
 cp ../../target/release/bootc-initramfs-setup extra/usr/lib/dracut/modules.d/37bootc/
 
 mkdir -p tmp
 
 podman build \
-    -t quay.io/fedora/fedora-bootc-base-uki:42 \
+    -t "$IMAGE" \
     -f Containerfile.stage1 \
     --iidfile=tmp/iid \
     .

examples/bootc-uki/build.final

@@ -4,11 +4,15 @@ set -eux
 
 cd "${0%/*}"
 
-cargo build --release --bin bootc
+# cargo build --release --features=composefs-backend
+
+IMAGE="quay.io/fedora/fedora-bootc-base-uki:42"
 
 cp ../../target/release/bootc .
 
-rm -rf tmp/sysroot
+mount /dev/vdb3 tmp
+
+# rm -rf tmp/sysroot
 mkdir -p tmp/sysroot/composefs
 
 IMAGE_ID="$(sed s/sha256:// tmp/iid)"
@@ -37,11 +41,12 @@ sudo podman build \
     --build-arg=COMPOSEFS_FSVERITY="${COMPOSEFS_FSVERITY}" \
     -f Containerfile.stage2 \
     --secret=id=key,src=secureboot/db.key \
-    --secret=id=cert,src=secureboot/db.crt \
-    --iidfile=tmp/iid2
+    --secret=id=cert,src=secureboot/db.crt
 
 rm -rf tmp/efi
 mkdir -p tmp/efi
 ./bootc internals cfs --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}"
 ./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}"
 ./bootc internals cfs --repo tmp/sysroot/composefs oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi
+
+umount tmp

examples/bootc-uki/install-grub.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+bootc_project="/srv/bootc"
+IMAGE="quay.io/fedora/fedora-bootc-bls:42"
+
+if [[ "$PWD" != "$bootc_project/examples" ]]; then
+    echo "Run this command from $bootc_project/examples"
+    exit 1
+fi
+
+if [[ ! -f systemd-bootx64.efi ]]; then
+    echo "Needs /srv/bootc/examples/systemd-bootx64.efi to exists for now"
+    exit 1
+fi
+
+rm -rf ./test.img
+rm -rf ./test.img
+truncate -s 15G test.img
+
+#    --env RUST_LOG=debug \
+#    --env RUST_BACKTRACE=1 \
+# -v /srv/bootc/target/release/bootc:/usr/bin/bootc:ro,Z \
+podman run \
+    --rm --privileged \
+    --pid=host \
+    -v /dev:/dev \
+    -v /var/lib/containers:/var/lib/containers \
+    -v /var/tmp:/var/tmp \
+    -v $PWD:/output \
+    --security-opt label=type:unconfined_t \
+    "${IMAGE}" \
+    bootc install to-disk \
+        --composefs-native \
+        --bootloader=systemd \
+        --source-imgref "containers-storage:$IMAGE" \
+        --target-imgref="$IMAGE" \
+        --target-transport="docker" \
+        --filesystem=ext4 \
+        --wipe \
+        --generic-image \
+        --via-loopback \
+        --karg "selinux=1" \
+        --karg "enforcing=0" \
+        --karg "audit=0" \
+        /output/test.img
+
+# Manual systemd-boot installation
+losetup /dev/loop0 test.img
+partx --update /dev/loop0
+mkdir -p efi
+mount /dev/loop0p2 efi
+
+cp systemd-bootx64.efi efi/EFI/fedora/grubx64.efi
+mkdir -p efi/loader
+echo "timeout 5" > efi/loader/loader.conf
+rm -rf efi/EFI/fedora/grub.cfg
+
+umount efi
+losetup -d /dev/loop0