Various composefs enhancements

- Add build infrastructure to toplevel to seal
- Change the install logic to detect UKIs and automatically
  enable composefs

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

Cargo.lock

@@ -0,0 +1,62 @@
+# Override via --build-arg=base=<image> to use a different base
+ARG base=localhost/bootc
+# This is where we get the tools to build the UKI
+ARG buildroot=quay.io/fedora/fedora:42
+FROM $base AS base
+
+FROM $buildroot as buildroot-base
+RUN <<EORUN
+set -xeuo pipefail
+dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
+dnf clean all
+EORUN
+
+# This must be provided and computed via cfs oci compute-id
+ARG COMPOSEFS_FSVERITY
+
+FROM buildroot-base as kernel
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert \
+    --mount=type=bind,from=base,target=/target \
+     <<EOF
+    set -eux
+
+    # Inject the composefs kernel argument and specify a root with the x86_64 DPS UUID.
+    # TODO: Discoverable partition fleshed out, or drop root UUID as systemd-stub extension
+    # TODO: https://github.com/containers/composefs-rs/issues/183
+    cmdline="composefs=${COMPOSEFS_FSVERITY} root=UUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 console=ttyS0,114800n8 enforcing=0 rw"
+
+    kver=$(cd /target/usr/lib/modules && echo *)
+    ukify build \
+        --linux "/target/usr/lib/modules/$kver/vmlinuz" \
+        --initrd "/target/usr/lib/modules/$kver/initramfs.img" \
+        --uname="${kver}" \
+        --cmdline "${cmdline}" \
+        --os-release "@/target/usr/lib/os-release" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --measure \
+        --json pretty \
+        --output "/boot/$kver.efi"
+    sbsign \
+        --key "/run/secrets/key" \
+        --cert "/run/secrets/cert" \
+        "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
+        --output "/boot/systemd-bootx64.efi"
+EOF
+
+FROM base as final
+
+RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
+    kver=$(cd /usr/lib/modules && echo *)
+    mkdir -p /boot/EFI/Linux
+    # We put the UKI in /boot for now due to composefs verity not being the
+    # same due to mtime of /usr/lib/modules being changed
+    cp /run/kernel/boot/$kver.efi /boot/EFI/Linux/$kver.efi
+EOF
+
+FROM base as final-final
+COPY --from=final /boot /boot
+# Override the default
+LABEL containers.bootc=sealed

Dockerfile.cfsuki

@@ -13,12 +13,22 @@
 build *ARGS:
     podman build --jobs=4 -t localhost/bootc {{ARGS}} .
 
+build-sealed *ARGS:
+    podman build --jobs=4 -t localhost/bootc-unsealed {{ARGS}} .
+    cargo xtask build-sealed localhost/bootc-unsealed localhost/bootc
+
 # This container image has additional testing content and utilities
 build-integration-test-image *ARGS:
     cd hack && podman build --jobs=4 -t localhost/bootc-integration -f Containerfile {{ARGS}} .
     # Keep these in sync with what's used in hack/lbi
     podman pull -q --retry 5 --retry-delay 5s quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.access.redhat.com/ubi9/podman:latest
 
+# Like build-integration-test-image but sealed
+build-sealed-integration-test-image *ARGS:
+    just build {{ARGS}}
+    just build-integration-test-image
+    cargo xtask build-sealed localhost/bootc-integration localhost/bootc-integration-sealed
+
 # Only used by ci.yml right now
 build-install-test-image: build-integration-test-image
     cd hack && podman build -t localhost/bootc-integration-install -f Containerfile.drop-lbis

Justfile

@@ -1,7 +1,7 @@
-use std::ffi::OsStr;
 use std::fs::create_dir_all;
 use std::io::Write;
 use std::path::Path;
+use std::ffi::OsStr;
 
 use anyhow::{anyhow, Context, Result};
 use bootc_blockdev::find_parent_devices;
@@ -126,6 +126,23 @@ fi
     )
 }
 
+/// Returns `true` if detect the target rootfs carries a UKI.
+pub(crate) fn container_root_has_uki(root: &Dir) -> Result<bool> {
+    let Some(efi_linux) = root.open_dir_optional(EFI_LINUX)? else {
+        return Ok(false);
+    };
+    for entry in efi_linux.entries()? {
+        let entry = entry?;
+        let name = entry.file_name();
+        let name = Path::new(&name);
+        let extension = name.extension().and_then(|v| v.to_str());
+        if extension == Some("efi") {
+            return Ok(true);
+        }
+    }
+    Ok(false)
+}
+
 pub fn get_esp_partition(device: &str) -> Result<(String, Option<String>)> {
     let device_info = bootc_blockdev::partitions_of(Utf8Path::new(device))?;
     let esp = device_info

crates/lib/src/bootc_composefs/boot.rs

@@ -6,13 +6,15 @@ use std::ffi::{CString, OsStr, OsString};
 use std::io::Seek;
 use std::os::unix::process::CommandExt;
 use std::process::Command;
+use std::sync::Arc;
 
 use anyhow::{ensure, Context, Result};
-use camino::Utf8PathBuf;
+use camino::{Utf8Path, Utf8PathBuf};
 use cap_std_ext::cap_std;
 use cap_std_ext::cap_std::fs::Dir;
 use clap::Parser;
 use clap::ValueEnum;
+use composefs_boot::BootOps as _;
 use etc_merge::{compute_diff, print_diff};
 use fn_error_context::context;
 use indoc::indoc;
@@ -23,11 +25,13 @@ use ostree_ext::composefs::fsverity::FsVerityHashValue;
 use ostree_ext::composefs::splitstream::SplitStreamWriter;
 use ostree_ext::container as ostree_container;
 use ostree_ext::container_utils::ostree_booted;
+use ostree_ext::containers_image_proxy::ImageProxyConfig;
 use ostree_ext::keyfileext::KeyFileExt;
 use ostree_ext::ostree;
 use ostree_ext::sysroot::SysrootLock;
 use schemars::schema_for;
 use serde::{Deserialize, Serialize};
+use tempfile::tempdir_in;
 
 #[cfg(feature = "composefs-backend")]
 use crate::bootc_composefs::{
@@ -40,9 +44,11 @@ use crate::bootc_composefs::{
 };
 use crate::deploy::RequiredHostSpec;
 use crate::lints;
+use crate::podstorage::set_additional_image_store;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
 use crate::spec::Host;
 use crate::spec::ImageReference;
+use crate::store::ComposefsRepository;
 use crate::utils::sigpolicy_from_opt;
 
 /// Shared progress options
@@ -315,6 +321,12 @@ pub(crate) enum ContainerOpts {
         #[clap(long)]
         no_truncate: bool,
     },
+    /// Output the bootable composefs digest.
+    #[clap(hide = true)]
+    ComputeComposefsDigest {
+        /// Identifier for image; if not provided, the running image will be used.
+        image: Option<String>,
+    },
 }
 
 /// Subcommands which operate on images.
@@ -1335,6 +1347,55 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 )?;
                 Ok(())
             }
+            ContainerOpts::ComputeComposefsDigest { image } => {
+                // Allocate a tempdir
+                let td = tempdir_in("/var/tmp")?;
+                let td = td.path();
+                let td = &Dir::open_ambient_dir(td, cap_std::ambient_authority())?;
+
+                td.create_dir("repo")?;
+                let repo = td.open_dir("repo")?;
+                let mut repo =
+                    ComposefsRepository::open_path(&repo, ".").context("Init cfs repo")?;
+                // We don't need to hard require verity on the *host* system, we're just computing a checksum here
+                repo.set_insecure(true);
+                let repo = &Arc::new(repo);
+
+                let mut proxycfg = ImageProxyConfig::default();
+
+                let image = if let Some(image) = image {
+                    image
+                } else {
+                    let host_container_store = Utf8Path::new("/run/host-container-storage");
+                    // If no image is provided, assume that we're running in a container in privileged mode
+                    // with access to the container storage.
+                    let container_info = crate::containerenv::get_container_execution_info(&root)?;
+                    let iid = container_info.imageid;
+                    tracing::debug!("Computing digest of {iid}");
+
+                    if !host_container_store.try_exists()? {
+                        anyhow::bail!("Must be readonly mount of host container store: {host_container_store}");
+                    }
+                    // And ensure we're finding the image in the host storage
+                    let mut cmd = Command::new("skopeo");
+                    set_additional_image_store(&mut cmd, "/run/host-container-storage");
+                    proxycfg.skopeo_cmd = Some(cmd);
+                    iid
+                };
+
+                let imgref = format!("containers-storage:{image}");
+                let (imgid, verity) = composefs_oci::pull(repo, &imgref, None, Some(proxycfg))
+                    .await
+                    .context("Pulling image")?;
+                let imgid = hex::encode(imgid);
+                let mut fs = composefs_oci::image::create_filesystem(repo, &imgid, Some(&verity))
+                    .context("Populating fs")?;
+                fs.transform_for_boot(&repo).context("Preparing for boot")?;
+                let id = fs.compute_image_id();
+                println!("{}", id.to_hex());
+
+                Ok(())
+            }
         },
         Opt::Image(opts) => match opts {
             ImageOpts::List {

crates/lib/src/cli.rs

@@ -139,7 +139,6 @@ ExecStart=bootc internals fixup-etc-fstab\n\
 #[cfg(test)]
 mod tests {
     use camino::Utf8Path;
-    use cap_std_ext::cmdext::CapStdExtCommandExt as _;
 
     use super::*;
 

crates/lib/src/generator.rs

@@ -247,7 +247,7 @@ pub(crate) struct InstallConfigOpts {
     pub(crate) stateroot: Option<String>,
 }
 
-#[derive(Debug, Clone, clap::Parser, Serialize, Deserialize, PartialEq, Eq)]
+#[derive(Debug, Default, Clone, clap::Parser, Serialize, Deserialize, PartialEq, Eq)]
 pub(crate) struct InstallComposefsOpts {
     #[clap(long, default_value_t)]
     #[serde(default)]
@@ -438,6 +438,10 @@ pub(crate) struct State {
     pub(crate) container_root: Dir,
     pub(crate) tempdir: TempDir,
 
+    /// Set if we have determined that composefs is required
+    #[allow(dead_code)]
+    pub(crate) composefs_required: bool,
+
     // If Some, then --composefs_native is passed
     #[cfg(feature = "composefs-backend")]
     pub(crate) composefs_options: Option<InstallComposefsOpts>,
@@ -793,6 +797,7 @@ async fn install_container(
     let sepolicy = sepolicy.as_ref();
     let stateroot = state.stateroot();
 
+    // TODO factor out this
     let (src_imageref, proxy_cfg) = if !state.source.in_host_mountns {
         (state.source.imageref.clone(), None)
     } else {
@@ -1221,20 +1226,28 @@ async fn verify_target_fetch(
     Ok(())
 }
 
+fn root_has_uki(root: &Dir) -> Result<bool> {
+    #[cfg(feature = "composefs-backend")]
+    return crate::bootc_composefs::boot::container_root_has_uki(root);
+
+    #[cfg(not(feature = "composefs-backend"))]
+    Ok(false)
+}
+
 /// Preparation for an install; validates and prepares some (thereafter immutable) global state.
 async fn prepare_install(
     config_opts: InstallConfigOpts,
     source_opts: InstallSourceOpts,
     target_opts: InstallTargetOpts,
-    _composefs_opts: Option<InstallComposefsOpts>,
+    composefs_options: Option<InstallComposefsOpts>,
 ) -> Result<Arc<State>> {
     tracing::trace!("Preparing install");
     let rootfs = cap_std::fs::Dir::open_ambient_dir("/", cap_std::ambient_authority())
         .context("Opening /")?;
 
     let host_is_container = crate::containerenv::is_container(&rootfs);
     let external_source = source_opts.source_imgref.is_some();
-    let source = match source_opts.source_imgref {
+    let (source, target_rootfs) = match source_opts.source_imgref {
         None => {
             ensure!(host_is_container, "Either --source-imgref must be defined or this command must be executed inside a podman container.");
 
@@ -1259,11 +1272,13 @@ async fn prepare_install(
             };
             tracing::trace!("Read container engine info {:?}", container_info);
 
-            SourceInfo::from_container(&rootfs, &container_info)?
+            let source = SourceInfo::from_container(&rootfs, &container_info)?;
+            (source, Some(rootfs.try_clone()?))
         }
         Some(source) => {
             crate::cli::require_root(false)?;
-            SourceInfo::from_imageref(&source, &rootfs)?
+            let source = SourceInfo::from_imageref(&source, &rootfs)?;
+            (source, None)
         }
     };
 
@@ -1291,6 +1306,15 @@ async fn prepare_install(
     };
     tracing::debug!("Target image reference: {target_imgref}");
 
+    let composefs_required = if let Some(root) = target_rootfs.as_ref() {
+        root_has_uki(root)?
+    } else {
+        false
+    };
+    tracing::debug!("Composefs required: {composefs_required}");
+    let composefs_options =
+        composefs_options.or_else(|| composefs_required.then_some(InstallComposefsOpts::default()));
+
     // We need to access devices that are set up by the host udev
     bootc_mount::ensure_mirrored_host_mount("/dev")?;
     // We need to read our own container image (and any logically bound images)
@@ -1371,8 +1395,9 @@ async fn prepare_install(
         container_root: rootfs,
         tempdir,
         host_is_container,
+        composefs_required,
         #[cfg(feature = "composefs-backend")]
-        composefs_options: _composefs_opts,
+        composefs_options,
     });
 
     Ok(state)

crates/lib/src/install.rs

@@ -127,6 +127,17 @@ fn new_podman_cmd_in(storage_root: &Dir, run_root: &Dir) -> Result<Command> {
     Ok(cmd)
 }
 
+/// Adjust the provided command (skopeo or podman e.g.) to reference
+/// the provided path as an additional image store.
+pub fn set_additional_image_store<'c>(
+    cmd: &'c mut Command,
+    ais: impl AsRef<Utf8Path>,
+) -> &'c mut Command {
+    let ais = ais.as_ref();
+    let storage_opt = format!("additionalimagestore={ais}");
+    cmd.env("STORAGE_OPTS", storage_opt)
+}
+
 /// Ensure that "podman" is the first thing to touch the global storage
 /// instance. This is a workaround for https://github.com/bootc-dev/bootc/pull/1101#issuecomment-2653862974
 /// Basically podman has special upgrade logic for when it is the first thing