cfs: Hard error on external kargs with UKIs

I thought about this with the cloud-init disablement for now
with bcvk. It already works to just not enable `cloud-init.target`
which we were already doing.

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

crates/lib/src/bootc_composefs/boot.rs

@@ -856,11 +856,7 @@ pub(crate) fn setup_composefs_uki_boot(
 ) -> Result<()> {
     let (root_path, esp_device, bootloader, is_insecure_from_opts, uki_addons) = match setup_type {
         BootSetupType::Setup((root_setup, state, ..)) => {
-            if let Some(v) = &state.config_opts.karg {
-                if v.len() > 0 {
-                    tracing::warn!("kargs passed for UKI will be ignored");
-                }
-            }
+            state.require_no_kargs_for_uki()?;
 
             let esp_part = esp_in(&root_setup.device_info)?;
 

crates/lib/src/install.rs

@@ -523,6 +523,20 @@ impl State {
         Ok(())
     }
 
+    /// Return an error if kernel arguments are provided, intended to be used for UKI paths
+    pub(crate) fn require_no_kargs_for_uki(&self) -> Result<()> {
+        if self
+            .config_opts
+            .karg
+            .as_ref()
+            .map(|v| !v.is_empty())
+            .unwrap_or_default()
+        {
+            anyhow::bail!("Cannot use externally specified kernel arguments with UKI");
+        }
+        Ok(())
+    }
+
     fn stateroot(&self) -> &str {
         self.config_opts
             .stateroot

crates/xtask/src/xtask.rs

@@ -531,9 +531,6 @@ fn check_dependencies(sh: &Shell) -> Result<()> {
 }
 
 const COMMON_INST_ARGS: &[&str] = &[
-    // We don't use cloud-init with bcvk right now, but it needs to be there for
-    // testing-farm+tmt
-    "--karg=ds=iid-datasource-none",
     // TODO: Pass down the Secure Boot keys for tests if present
     "--firmware=uefi-insecure",
     "--label=bootc.test=1",

hack/Containerfile

@@ -9,13 +9,11 @@ COPY . /
 
 # An intermediate layer which caches the extended RPMS
 FROM localhost/bootc as extended
-# We support e.g. adding cloud-init
-ARG variant=
 # And this layer has additional stuff for testing, such as nushell etc.
 RUN --mount=type=bind,from=context,target=/run/context <<EORUN
 set -xeuo pipefail
 cd /run/context/
-./provision-derived.sh "$variant"
+./provision-derived.sh
 EORUN
 
 # And the configs

hack/Containerfile.packit

@@ -29,7 +29,7 @@ cp test-artifacts.repo /etc/yum.repos.d/
 dnf -y update bootc
 # Required by tmt avc checking after test
 dnf -y install audit
-./provision-derived.sh
+./provision-derived.sh cloudinit
 
 # For test-22-logically-bound-install
 cp -a lbi/usr/. /usr

hack/provision-derived.sh

@@ -4,6 +4,13 @@ set -xeu
 # using it in our test suite because it's better than bash. First,
 # enable EPEL to get it.
 
+cloudinit=0
+case ${1:-} in
+  cloudinit) cloudinit=1 ;;
+  "") ;;
+  *) echo "Unhandled flag: ${1:-}" 1>&2; exit 1 ;;
+esac
+
 # Ensure this is pre-created
 mkdir -p -m 0700 /var/roothome
 mkdir -p ~/.config/nushell
@@ -39,25 +46,23 @@ esac
 
 # Extra packages we install
 grep -Ev -e '^#' packages.txt | xargs dnf -y install
-dnf clean all
 
 # Cloud bits
 cat <<KARGEOF >> /usr/lib/bootc/kargs.d/20-console.toml
 kargs = ["console=ttyS0,115200n8"]
 KARGEOF
-# And cloud-init stuff, unless we're doing a UKI which is always
-# tested with bcvk
-if test '!' -d /boot/EFI; then
+if test $cloudinit = 1; then
+  dnf -y install cloud-init
   ln -s ../cloud-init.target /usr/lib/systemd/system/default.target.wants
-fi
-
-# Allow root SSH login for testing with bcvk/tmt
+  # Allow root SSH login for testing with bcvk/tmt
 mkdir -p /etc/cloud/cloud.cfg.d
 cat > /etc/cloud/cloud.cfg.d/80-enable-root.cfg <<'CLOUDEOF'
 # Enable root login for testing
 disable_root: false
 CLOUDEOF
+fi
 
+dnf clean all
 # Stock extra cleaning of logs and caches in general (mostly dnf)
 rm /var/log/* /var/cache /var/lib/{dnf,rpm-state,rhsm} -rf
 # And clean root's homedir