examples: Add initial examples for bls & uki, bootc & FCOS

Co-Authored-By: Pragyan Poudyal <[email protected]>
Co-Authored-By: John Eckersberg <[email protected]>
Signed-off-by: Timothée Ravier <[email protected]>

Author: 3 people

examples/.gitignore

@@ -0,0 +1,11 @@
+*.addon.efi
+*.ign
+*.img
+*.qcow2
+backups
+bootc
+bootc-bls/iid
+bootc-bls/secureboot
+bootc-bls/tmp
+bootc-initramfs-setup
+systemd-bootx64.efi

examples/bootc-bls/Containerfile

@@ -0,0 +1,71 @@
+FROM quay.io/fedora/fedora-bootc:42
+COPY . /
+
+RUN <<EOF
+set -euxo pipefail
+
+# Disable root password for debug/testing/demos
+passwd -d root
+
+if [[ "$(grep -c "VARIANT=\"CoreOS\"" /etc/os-release)" -eq 1 ]]; then
+    # Disable some units that currently don't work for us
+    sed -i 's/enable coreos-warn-invalid-mounts.service//' \
+        /usr/lib/systemd/system-preset/45-fcos.preset
+    sed -i 's/enable coreos-populate-lvmdevices.service//' \
+        /usr/lib/systemd/system-preset/45-coreos-populate-lvmdevices.preset
+    sed -i 's/enable coreos-oci-migration-motd.service//' \
+        /usr/lib/systemd/system-preset/35-oci-migration.preset
+
+    # Fix dependencies
+    sed -i 's|ExecStart=/usr/sbin/coreos-boot-edit|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.service
+    sed -i 's|ExecStart=/usr/bin/rdcore verify-unique-fs-label --rereadpt boot|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-unique-boot.service 
+
+    sed -i 's/ConditionKernelCommandLine=ostree/ConditionKernelCommandLine=composefs/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/*
+    sed -i 's/After=ostree-prepare-root.service/After=bootc-initramfs-setup.service/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/*
+    sed -i 's/Requires=ostree-prepare-root.service/Requires=bootc-initramfs-setup.service/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/*
+
+    sed -i '/Type=oneshot/a ExecStart=bash -c "udevadm settle; sleep 1"' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.service
+
+    sed -i 's|ExecStart=/usr/sbin/ignition-ostree-mount-var mount|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-var.service
+    sed -i 's|ExecStop=/usr/sbin/ignition-ostree-mount-var umount|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-var.service
+
+    sed -i 's|ExecStart=/usr/sbin/ignition-ostree-firstboot-uuid boot|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-boot.service
+    sed -i 's|ExecStart=/usr/sbin/ignition-ostree-firstboot-uuid root|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-root.service
+
+    sed -i 's/find/find fsverity/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
+
+    sed -i 's|chcon -v --reference "${saved_root}" /sysroot  # the root of the fs itself|chcon -v system_u:object_r:root_t:s0 /sysroot  # the root of the fs itself|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+    sed -i '/chattr +i/d' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+    sed -i '/chcon -v system_u:object_r:root_t:s0 \/sysroot  # the root of the fs itself/a echo "Enabling fs-verity again..."' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+    sed -i '/echo "Enabling fs-verity again..."/a find /sysroot/composefs/objects -type f -exec fsverity enable {} \\;' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+
+    # We don't want openh264
+    rm -f '/etc/yum.repos.d/fedora-cisco-openh264.repo'
+
+    # Install fsverity utils to re-enable fsverity on repo objects after
+    # transposefs step when reprovisionning the root disk
+    dnf install -y fsverity-utils
+    dnf clean all
+fi
+
+# Rebuild the initramfs to get bootc-initramfs-setup
+kver=$(cd /usr/lib/modules && echo *)
+dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver
+
+bootc container lint
+EOF

examples/bootc-bls/Containerfile.cocl

@@ -0,0 +1,87 @@
+ARG BASE
+FROM $BASE
+
+FROM quay.io/afrosi_rh/kbs-client-image:latest as kbc
+FROM quay.io/confidential-clusters/clevis-pin-trustee as clevis
+FROM quay.io/confidential-clusters/ignition:clevis-pin-trustee as ignition
+
+FROM $BASE
+COPY . /
+
+COPY --from=kbc /usr/local/bin/kbs-client /usr/bin/trustee-attester
+COPY --from=clevis /usr/bin/clevis-pin-trustee /usr/bin/clevis-pin-trustee
+COPY --from=clevis /usr/bin/clevis-encrypt-trustee /usr/bin/clevis-encrypt-trustee
+COPY --from=clevis /usr/bin/clevis-decrypt-trustee /usr/bin/clevis-decrypt-trustee
+COPY --from=ignition /usr/bin/ignition /usr/lib/dracut/modules.d/30ignition/ignition
+
+RUN <<EOF
+set -euxo pipefail
+
+# Disable root password for debug/testing/demos
+passwd -d root
+
+if [[ "$(grep -c "VARIANT=\"CoreOS\"" /etc/os-release)" -eq 1 ]]; then
+    # Disable some units that currently don't work for us
+    sed -i 's/enable coreos-warn-invalid-mounts.service//' \
+        /usr/lib/systemd/system-preset/45-fcos.preset
+    sed -i 's/enable coreos-populate-lvmdevices.service//' \
+        /usr/lib/systemd/system-preset/45-coreos-populate-lvmdevices.preset
+    sed -i 's/enable coreos-oci-migration-motd.service//' \
+        /usr/lib/systemd/system-preset/35-oci-migration.preset
+
+    # Fix dependencies
+    sed -i 's|ExecStart=/usr/sbin/coreos-boot-edit|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.service
+    sed -i 's|ExecStart=/usr/bin/rdcore verify-unique-fs-label --rereadpt boot|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-unique-boot.service 
+
+    sed -i 's/ConditionKernelCommandLine=ostree/ConditionKernelCommandLine=composefs/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/*
+    sed -i 's/After=ostree-prepare-root.service/After=bootc-initramfs-setup.service/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/*
+    sed -i 's/Requires=ostree-prepare-root.service/Requires=bootc-initramfs-setup.service/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/*
+
+    sed -i '/Type=oneshot/a ExecStart=bash -c "udevadm settle; sleep 1"' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.service
+
+    sed -i 's|ExecStart=/usr/sbin/ignition-ostree-mount-var mount|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-var.service
+    sed -i 's|ExecStop=/usr/sbin/ignition-ostree-mount-var umount|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-var.service
+
+    sed -i 's|ExecStart=/usr/sbin/ignition-ostree-firstboot-uuid boot|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-boot.service
+    sed -i 's|ExecStart=/usr/sbin/ignition-ostree-firstboot-uuid root|ExecStart=true|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-root.service
+
+    sed -i 's/find/find fsverity/' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
+
+    sed -i 's|chcon -v --reference "${saved_root}" /sysroot  # the root of the fs itself|chcon -v system_u:object_r:root_t:s0 /sysroot  # the root of the fs itself|' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+    sed -i '/chattr +i/d' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+    sed -i '/chcon -v system_u:object_r:root_t:s0 \/sysroot  # the root of the fs itself/a echo "Enabling fs-verity again..."' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+    sed -i '/echo "Enabling fs-verity again..."/a find /sysroot/composefs/objects -type f -exec fsverity enable {} \\;' \
+        /usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh
+
+    # We don't want openh264
+    rm -f '/etc/yum.repos.d/fedora-cisco-openh264.repo'
+
+    # Install fsverity utils to re-enable fsverity on repo objects after
+    # transposefs step when reprovisionning the root disk
+    dnf install -y fsverity-utils
+    dnf clean all
+fi
+
+# Rebuild the initramfs to get bootc-initramfs-setup & our other dracut modules
+kver=$(cd /usr/lib/modules && echo *)
+dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver
+
+bootc container lint
+EOF
+
+# RUN sed -i "s/42.20250901.3.0/42.20250901.3.1/g" /usr/lib/os-release
+# LABEL org.opencontainers.image.version=42.20250901.3.0

examples/bootc-bls/Containerfile.systemdboot

@@ -0,0 +1,3 @@
+FROM quay.io/fedora/fedora-bootc-bls:42 AS base
+
+COPY /systemd-bootx64.efi /usr/lib/bootupd/updates/EFI/fedora/grubx64.efi

examples/bootc-bls/Containerfile.uki

@@ -0,0 +1,65 @@
+FROM quay.io/fedora/fedora-bootc-bls:42 AS base
+
+FROM base as kernel
+
+ARG COMPOSEFS_FSVERITY
+
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert <<EOF
+    set -eux
+
+    mkdir -p /etc/kernel /etc/dracut.conf.d
+    {
+    printf "composefs=${COMPOSEFS_FSVERITY} root=UUID=910678ff-f77e-4a7d-8d53-86f2ac47a823 rw"
+    printf " selinux=1 enforcing=0 audit=0"
+    # printf " console=tty0 console=ttyS0,115000n"
+    printf " console=ttyS0,115000n rd.systemd.debug_shell=1 rd.systemd.default_debug_tty=tty0"
+    printf "\n"
+    } > /etc/kernel/cmdline
+
+    rm -f "/etc/yum.repos.d/fedora-cisco-openh264.repo"
+    dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
+
+    kver=$(cd /usr/lib/modules && echo *)
+    mkdir -p "/boot/EFI/Linux"
+    mkdir -p "/boot/EFI/Linux/$kver.efi.extra.d"
+
+    ukify build \
+        --linux "/usr/lib/modules/$kver/vmlinuz" \
+        --initrd "/usr/lib/modules/$kver/initramfs.img" \
+        --uname="${kver}" \
+        --cmdline "@/etc/kernel/cmdline" \
+        --os-release "@/etc/os-release" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --measure \
+        --json pretty \
+        --output "/boot/EFI/Linux/$kver.efi"
+
+    ukify build \
+        --cmdline "ignition.firstboot ignition.platform.id=qemu" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --output "/boot/EFI/Linux/$kver.efi.extra.d/ignition.addon.efi"
+
+    # sbsign \
+    #     --key "/run/secrets/key" \
+    #     --cert "/run/secrets/cert" \
+    #     "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
+    #     --output "/boot/systemd-bootx64.efi"
+EOF
+
+FROM base as final
+
+RUN --mount=type=bind,from=kernel,target=/_mount/kernel <<EOF
+    kver=$(cd /usr/lib/modules && echo *)
+    mkdir -p /boot/EFI/Linux
+    # We put the UKI in /boot for now due to composefs verity not being the
+    # same due to mtime of /usr/lib/modules being changed
+    cp -r /_mount/kernel/boot/* /boot/
+EOF
+
+FROM base as final-final
+COPY --from=final /boot /boot

examples/bootc-bls/build-bootc-bls

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+FROM="${FROM:-quay.io/fedora/fedora-bootc:42}"
+TAG="${TAG:-quay.io/fedora/fedora-bootc-bls:42}"
+EXTRA="${EXTRA:-extra}"
+CONTAINERFILE="${CONTAINERFILE:-Containerfile}"
+
+# cargo build --release --features=composefs-backend
+
+mkdir -p "${EXTRA}/usr/bin/"
+cp ../../target/release/bootc "${EXTRA}/usr/bin/"
+cp ../../target/release/bootc-initramfs-setup "${EXTRA}/usr/lib/dracut/modules.d/37bootc/"
+
+mkdir -p tmp
+
+podman build \
+    --from "${FROM}" \
+    --build-arg BASE="${FROM}" \
+    -t "${TAG}" \
+    -f "${CONTAINERFILE}" \
+    --iidfile=iid \
+    "${EXTRA}"

examples/bootc-bls/build-bootc-uki

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+# cargo build --release --features=composefs-backend
+
+FROM="${FROM:-quay.io/fedora/fedora-bootc-bls:42}"
+TAG="${TAG:-quay.io/fedora/fedora-bootc-uki:42}"
+
+# See: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
+# Alternative to generate keys for testing: `sbctl create-keys`
+if [[ ! -d "secureboot" ]]; then
+    echo "Generating test Secure Boot keys"
+    mkdir secureboot
+    pushd secureboot > /dev/null
+    uuidgen --random > GUID.txt
+    openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Platform Key/" -out PK.crt
+    openssl x509 -outform DER -in PK.crt -out PK.cer
+    openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Key Exchange Key/" -out KEK.crt
+    openssl x509 -outform DER -in KEK.crt -out KEK.cer
+    openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Signature Database key/" -out db.crt
+    openssl x509 -outform DER -in db.crt -out db.cer
+    popd > /dev/null
+fi
+
+if [[ ! -f "systemd-bootx64.efi" ]]; then
+    # Sign systemd-boot once and re-use it for all builds to keep it unchanged
+    sudo podman run --rm \
+        --security-opt label=disable \
+        --volume "$PWD/secureboot/db.key:/run/secrets/key" \
+        --volume "$PWD/secureboot/db.crt:/run/secrets/cert" \
+        --volume "$PWD:/var/srv" \
+        --workdir "/var/srv" \
+        "${FROM}" \
+        bash -c "rm -f '/etc/yum.repos.d/fedora-cisco-openh264.repo'; dnf install -y sbsigntools systemd-boot-unsigned; sbsign --key '/run/secrets/key' --cert '/run/secrets/cert' '/usr/lib/systemd/boot/efi/systemd-bootx64.efi' --output '/var/srv/systemd-bootx64.efi'"
+fi
+
+# Replace GRUB with a signed systemd-boot binary
+sudo podman build \
+    --from "${FROM}" \
+    -t "${FROM}-systemdboot" \
+    --iidfile=iid \
+    -f Containerfile.systemdboot
+
+cp ../../target/release/bootc .
+
+# Workaround: Mount a filesystem where fs-verity is enabled
+mount /dev/vdb3 tmp
+
+# rm -rf tmp/sysroot
+mkdir -p tmp/sysroot/composefs
+
+IMAGE_ID="$(sed s/sha256:// iid)"
+./bootc internals cfs --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}"
+COMPOSEFS_FSVERITY=$(./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}")
+
+# For debugging, add --no-cache to podman command
+sudo podman build \
+    --from "${FROM}-systemdboot" \
+    -t "${TAG}" \
+    --build-arg=COMPOSEFS_FSVERITY="${COMPOSEFS_FSVERITY}" \
+    -f Containerfile.uki \
+    --secret=id=key,src=secureboot/db.key \
+    --secret=id=cert,src=secureboot/db.crt
+
+# rm -rf tmp/efi
+# mkdir -p tmp/efi
+# ./bootc internals cfs --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}"
+# ./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}"
+# ./bootc internals cfs --repo tmp/sysroot/composefs oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi
+
+umount tmp

examples/bootc-bls/build-fcos-bls

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+export FROM="quay.io/fedora/fedora-coreos:42.20250901.3.0"
+export TAG="quay.io/fedora/fedora-coreos-bls:42.20250901.3.0"
+exec ./build-bootc-bls

examples/bootc-bls/build-fcos-bls-cocl

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+export FROM="quay.io/fedora/fedora-coreos:42.20250901.3.0"
+export TAG="quay.io/fedora/fedora-coreos-bls-cocl:42.20250901.3.0"
+# export TAG="quay.io/fedora/fedora-coreos-bls-cocl:42.20250901.3.1"
+export CONTAINERFILE="Containerfile.cocl"
+export EXTRA="extra-cocl"
+exec ./build-bootc-bls

examples/bootc-bls/build-fcos-uki

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+export FROM="quay.io/fedora/fedora-coreos-bls:42.20250901.3.0"
+export TAG="quay.io/fedora/fedora-coreos-uki:42.20250901.3.0"
+exec ./build-bootc-uki