wip

travier · travier · commit bb67248da330 · 2025-09-24T13:32:49.000+02:00
diff --git a/examples/.gitignore b/examples/.gitignore
@@ -3,12 +3,9 @@
 *.img
 *.qcow2
 backups
-bootc-bls/bootc
-bootc-bls/extra-fcos/usr/bin/bootc
-bootc-bls/extra-fcos/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
-bootc-bls/extra/usr/bin/bootc
-bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
+bootc
 bootc-bls/iid
 bootc-bls/secureboot
 bootc-bls/tmp
+bootc-initramfs-setup
 systemd-bootx64.efi
diff --git a/examples/bootc-bls/Containerfile b/examples/bootc-bls/Containerfile
@@ -53,15 +53,17 @@ if [[ "$(grep -c "VARIANT=\"CoreOS\"" /etc/os-release)" -eq 1 ]]; then
         /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
 
     # We don't want openh264
-    rm -f "/etc/yum.repos.d/fedora-cisco-openh264.repo"
+    rm -f '/etc/yum.repos.d/fedora-cisco-openh264.repo'
 
     # Install fsverity utils to re-enable fsverity on repo objects after
     # transposefs step when reprovisionning the root disk
     dnf install -y fsverity-utils
+    dnf clean all
 fi
-EOF
 
-# need to have bootc-initramfs-setup in the initramfs so we need this
-RUN set -x; \
-    kver=$(cd /usr/lib/modules && echo *); \
-    dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver;
+# Rebuild the initramfs to get bootc-initramfs-setup
+kver=$(cd /usr/lib/modules && echo *)
+dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver
+
+bootc container lint
+EOF
diff --git a/examples/bootc-bls/Containerfile.cocl b/examples/bootc-bls/Containerfile.cocl
@@ -0,0 +1,81 @@
+FROM quay.io/fedora/fedora-coreos:stable
+
+FROM quay.io/afrosi_rh/kbs-client-image:latest as kbc
+FROM quay.io/confidential-clusters/clevis-pin-trustee as clevis
+FROM quay.io/confidential-clusters/ignition:clevis-pin-trustee as ignition
+
+FROM quay.io/fedora/fedora-coreos:stable
+COPY . /
+
+COPY --from=kbc /usr/local/bin/kbs-client /usr/bin/trustee-attester
+COPY --from=clevis /usr/bin/clevis-pin-trustee /usr/bin/clevis-pin-trustee
+COPY --from=clevis /usr/bin/clevis-encrypt-trustee /usr/bin/clevis-encrypt-trustee
+COPY --from=clevis /usr/bin/clevis-decrypt-trustee /usr/bin/clevis-decrypt-trustee
+COPY --from=ignition /usr/bin/ignition /usr/lib/dracut/modules.d/30ignition/ignition
+
+RUN <<EOF
+set -euxo pipefail
+
+# Disable root password for debug/testing/demos
+passwd -d root
+
+if [[ "$(grep -c "VARIANT=\"CoreOS\"" /etc/os-release)" -eq 1 ]]; then
+    # Disable some units that currently don't work for us
+    sed -i 's/enable coreos-warn-invalid-mounts.service//' \
+        /usr/lib/systemd/system-preset/45-fcos.preset
+    sed -i 's/enable coreos-populate-lvmdevices.service//' \
+        /usr/lib/systemd/system-preset/45-coreos-populate-lvmdevices.preset
+
+    # Fix dependencies
+    sed -i 's|ExecStart=/usr/sbin/coreos-boot-edit|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.service
+    sed -i 's|ExecStart=/usr/bin/rdcore verify-unique-fs-label --rereadpt boot|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-unique-boot.service 
+
+    sed -i 's/ConditionKernelCommandLine=ostree/ConditionKernelCommandLine=composefs/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/*
+    sed -i 's/After=ostree-prepare-root.service/After=bootc-initramfs-setup.service/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/*
+    sed -i 's/Requires=ostree-prepare-root.service/Requires=bootc-initramfs-setup.service/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/*
+
+    sed -i '/Type=oneshot/a ExecStart=bash -c "udevadm settle; sleep 1"' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.service
+
+    sed -i 's|ExecStart=/usr/sbin/ignition-ostree-mount-var mount|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-var.service
+    sed -i 's|ExecStop=/usr/sbin/ignition-ostree-mount-var umount|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-var.service
+
+    sed -i 's|ExecStart=/usr/sbin/ignition-ostree-firstboot-uuid boot|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-boot.service
+    sed -i 's|ExecStart=/usr/sbin/ignition-ostree-firstboot-uuid root|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-root.service
+
+    sed -i 's/find/find fsverity/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
+
+    sed -i 's|chcon -v --reference "${saved_root}" /sysroot  # the root of the fs itself|chcon -v system_u:object_r:root_t:s0 /sysroot  # the root of the fs itself|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+    sed -i '/chattr +i/d' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+    sed -i '/chcon -v system_u:object_r:root_t:s0 \/sysroot  # the root of the fs itself/a echo "Enabling fs-verity again..."' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+    sed -i '/echo "Enabling fs-verity again..."/a find /sysroot/composefs/objects -type f -exec fsverity enable {} \\;' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+
+    # We don't want openh264
+    rm -f '/etc/yum.repos.d/fedora-cisco-openh264.repo'
+
+    # Install fsverity utils to re-enable fsverity on repo objects after
+    # transposefs step when reprovisionning the root disk
+    dnf install -y fsverity-utils
+    dnf clean all
+fi
+
+# Rebuild the initramfs to get bootc-initramfs-setup & our other dracut modules
+kver=$(cd /usr/lib/modules && echo *)
+dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver
+
+bootc container lint
+EOF
diff --git a/examples/bootc-bls/Containerfile.systemdboot b/examples/bootc-bls/Containerfile.systemdboot
@@ -0,0 +1,3 @@
+FROM quay.io/fedora/fedora-bootc-bls:42 AS base
+
+COPY /systemd-bootx64.efi /usr/lib/bootupd/updates/EFI/fedora/grubx64.efi
diff --git a/examples/bootc-bls/Containerfile.uki b/examples/bootc-bls/Containerfile.uki
@@ -44,11 +44,11 @@ RUN --mount=type=secret,id=key \
         --secureboot-certificate "/run/secrets/cert" \
         --output "/boot/EFI/Linux/$kver.efi.extra.d/ignition.addon.efi"
 
-    sbsign \
-        --key "/run/secrets/key" \
-        --cert "/run/secrets/cert" \
-        "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
-        --output "/boot/systemd-bootx64.efi"
+    # sbsign \
+    #     --key "/run/secrets/key" \
+    #     --cert "/run/secrets/cert" \
+    #     "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
+    #     --output "/boot/systemd-bootx64.efi"
 EOF
 
 FROM base as final
diff --git a/examples/bootc-bls/build-bootc-bls b/examples/bootc-bls/build-bootc-bls
@@ -7,6 +7,7 @@ cd "${0%/*}"
 FROM="${FROM:-quay.io/fedora/fedora-bootc:42}"
 TAG="${TAG:-quay.io/fedora/fedora-bootc-bls:42}"
 EXTRA="${EXTRA:-extra}"
+CONTAINERFILE="${CONTAINERFILE:-Containerfile}"
 
 # cargo build --release --features=composefs-backend
 
@@ -19,6 +20,6 @@ mkdir -p tmp
 podman build \
     --from "${FROM}" \
     -t "${TAG}" \
-    -f Containerfile \
+    -f "${CONTAINERFILE}" \
     --iidfile=iid \
     "${EXTRA}"
diff --git a/examples/bootc-bls/build-bootc-uki b/examples/bootc-bls/build-bootc-uki
@@ -9,17 +9,6 @@ cd "${0%/*}"
 FROM="${FROM:-quay.io/fedora/fedora-bootc-bls:42}"
 TAG="${TAG:-quay.io/fedora/fedora-bootc-uki:42}"
 
-cp ../../target/release/bootc .
-
-mount /dev/vdb3 tmp
-
-# rm -rf tmp/sysroot
-mkdir -p tmp/sysroot/composefs
-
-IMAGE_ID="$(sed s/sha256:// iid)"
-./bootc internals cfs --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}"
-COMPOSEFS_FSVERITY=$(./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}")
-
 # See: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
 # Alternative to generate keys for testing: `sbctl create-keys`
 if [[ ! -d "secureboot" ]]; then
@@ -36,9 +25,39 @@ if [[ ! -d "secureboot" ]]; then
     popd > /dev/null
 fi
 
-# For debugging, add --no-cache to podman command
+if [[ ! -f "systemd-bootx64.efi" ]]; then
+    # Sign systemd-boot once and re-use it for all builds to keep it unchanged
+    sudo podman run --rm \
+        --security-opt label=disable \
+        --secret=id=key,src=secureboot/db.key \
+        --secret=id=cert,src=secureboot/db.crt \
+        --volume "$PWD:/var/srv" \
+        --workdir "/var/srv"
+        "${FROM}" \
+        bash -c "rm -f '/etc/yum.repos.d/fedora-cisco-openh264.repo'; dnf install -y sbsigntools systemd-boot-unsigned; sbsign --key '/run/secrets/key' --cert '/run/secrets/cert' '/usr/lib/systemd/boot/efi/systemd-bootx64.efi' --output '/var/srv/systemd-bootx64.efi'"
+fi
+
+# Replace GRUB with a signed systemd-boot binary
 sudo podman build \
     --from "${FROM}" \
+    -t "${TAG}-systemdboot" \
+    -f Containerfile.systemdboot
+
+cp ../../target/release/bootc .
+
+# Workaround: Mount a filesystem where fs-verity is enabled
+mount /dev/vdb3 tmp
+
+# rm -rf tmp/sysroot
+mkdir -p tmp/sysroot/composefs
+
+IMAGE_ID="$(sed s/sha256:// iid)"
+./bootc internals cfs --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}"
+COMPOSEFS_FSVERITY=$(./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}")
+
+# For debugging, add --no-cache to podman command
+sudo podman build \
+    --from "${FROM}-systemdboot" \
     -t "${TAG}" \
     --build-arg=COMPOSEFS_FSVERITY="${COMPOSEFS_FSVERITY}" \
     -f Containerfile.uki \
diff --git a/examples/bootc-bls/build-fcos-bls b/examples/bootc-bls/build-fcos-bls
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-export FROM="quay.io/fedora/fedora-coreos:stable"
-export TAG="quay.io/fedora/fedora-coreos-bls:stable"
+export FROM="quay.io/fedora/fedora-coreos:42.20250901.3.0"
+export TAG="quay.io/fedora/fedora-coreos-bls:42.20250901.3.0"
 exec ./build-bootc-bls
diff --git a/examples/bootc-bls/build-fcos-bls-cocl b/examples/bootc-bls/build-fcos-bls-cocl
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+export FROM="quay.io/fedora/fedora-coreos:42.20250901.3.0"
+export TAG="quay.io/fedora/fedora-coreos-bls-cocl:42.20250901.3.0"
+export CONTAINERFILE="Containerfile.cocl"
+exec ./build-bootc-bls
diff --git a/examples/bootc-bls/build-fcos-uki b/examples/bootc-bls/build-fcos-uki
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-export FROM="quay.io/fedora/fedora-coreos-bls:stable"
-export TAG="quay.io/fedora/fedora-coreos-uki:stable"
+export FROM="quay.io/fedora/fedora-coreos-bls:42.20250901.3.0"
+export TAG="quay.io/fedora/fedora-coreos-uki:42.20250901.3.0"
 exec ./build-bootc-uki
diff --git a/examples/bootc-bls/build-fcos-uki-cocl b/examples/bootc-bls/build-fcos-uki-cocl
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+export FROM="quay.io/fedora/fedora-coreos-bls-cocl:42.20250901.3.0"
+export TAG="quay.io/fedora/fedora-coreos-uki-cocl:42.20250901.3.0"
+exec ./build-bootc-uki
diff --git a/examples/bootc-bls/extra-cocl/usr/lib/dracut/dracut.conf.d/50trustee.conf b/examples/bootc-bls/extra-cocl/usr/lib/dracut/dracut.conf.d/50trustee.conf
@@ -0,0 +1 @@
+force_drivers+=" sev-guest "
diff --git a/examples/bootc-bls/extra-cocl/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service b/examples/bootc-bls/extra-cocl/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service
@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters <walters@verbum.org>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootc-initramfs-setup
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes
diff --git a/examples/bootc-bls/extra-cocl/usr/lib/dracut/modules.d/37bootc/module-setup.sh b/examples/bootc-bls/extra-cocl/usr/lib/dracut/modules.d/37bootc/module-setup.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    inst \
+        "${moddir}/bootc-initramfs-setup" /usr/bin/bootc-initramfs-setup
+    inst \
+        "${moddir}/bootc-initramfs-setup.service" \
+        "${systemdsystemunitdir}/bootc-initramfs-setup.service"
+
+    $SYSTEMCTL -q --root "${initdir}" add-wants \
+        'initrd-root-fs.target' 'bootc-initramfs-setup.service'
+}
diff --git a/examples/bootc-bls/extra-cocl/usr/lib/dracut/modules.d/65clevispin/module-setup.sh b/examples/bootc-bls/extra-cocl/usr/lib/dracut/modules.d/65clevispin/module-setup.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+check() {
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+install () {
+   inst /usr/bin/trustee-attester
+	inst /usr/bin/clevis-pin-trustee
+	inst /usr/bin/clevis-encrypt-trustee
+	inst /usr/bin/clevis-decrypt-trustee
+}
diff --git a/examples/libvirt.sh b/examples/libvirt.sh
@@ -52,6 +52,11 @@ main() {
         args+=("uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no")
     fi
 
+    connect_to_console="true"
+    if [[ "${connect_to_console}" == "false" ]]; then
+        args+=('--noautoconsole')
+    fi
+
     set -x
     virt-install --connect="qemu:///system" \
         --name="${name}" \
@@ -63,7 +68,6 @@ main() {
         --network bridge=virbr0 \
         "${IGNITION_DEVICE_ARG[@]}" \
         --machine q35 \
-        --noautoconsole \
         "${args[@]}"
 }
 
diff --git a/examples/to-disk.sh b/examples/to-disk.sh
@@ -51,7 +51,7 @@ partx --update /dev/loop0
 mkdir -p efi
 mount /dev/loop0p2 efi
 
-cp systemd-bootx64.efi efi/EFI/fedora/grubx64.efi
+# cp systemd-bootx64.efi efi/EFI/fedora/grubx64.efi
 mkdir -p efi/loader
 echo "timeout 5" > efi/loader/loader.conf
 rm -rf efi/EFI/fedora/grub.cfg
diff --git a/examples/to-filesystem-uki-cocl.sh b/examples/to-filesystem-uki-cocl.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+export IMAGE="quay.io/fedora/fedora-coreos-uki-cocl:stable"
+export DISKIMAGE="${DISKIMAGE:-test-filesystem-fcos-uki-cocl.img}"
+exec ./to-filesystem-uki.sh
diff --git a/examples/to-filesystem-uki.sh b/examples/to-filesystem-uki.sh
@@ -60,8 +60,9 @@ podman run --rm --net=host --privileged --pid=host \
 # bootc uki addon enable keyboard-layout-fr
 # bootc uki addon install console-ttyS0
 
+# Manual systemd-boot installation
 mount /dev/loop0p1 ./mnt
-cp systemd-bootx64.efi ./mnt/EFI/fedora/grubx64.efi
+# cp systemd-bootx64.efi ./mnt/EFI/fedora/grubx64.efi
 mkdir -p ./mnt/loader
 echo "timeout 5" > ./mnt//loader/loader.conf
 
diff --git a/examples/to-filesystem.sh b/examples/to-filesystem.sh
@@ -53,8 +53,9 @@ podman run --rm --net=host --privileged --pid=host \
             --source-imgref "containers-storage:$IMAGE" \
             /var/mnt
 
+# Manual systemd-boot installation
 mount /dev/loop0p1 ./mnt
-cp systemd-bootx64.efi ./mnt/EFI/fedora/grubx64.efi
+# cp systemd-bootx64.efi ./mnt/EFI/fedora/grubx64.efi
 echo "timeout 5" > ./mnt//loader/loader.conf
 # ignition.firstboot ignition.platform.id=qemu
 # rd.systemd.default_debug_tty=ttyS0

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+FROM quay.io/fedora/fedora-bootc-bls:42 AS base`
	`2`	`+`
	`3`	`+COPY /systemd-bootx64.efi /usr/lib/bootupd/updates/EFI/fedora/grubx64.efi`