examples: clean up UKI Containerfiles

This is a similar logic to the previous commit doing the same for bls/
but we make an additional change by installing the kernel up-front.
This helps caching, of course, but it also eliminates the "missing
modules" problem that required us to force the modules we needed to be
present in the initramfs.  This is going to be important when we start
using more modules like vsock support.

Signed-off-by: Allison Karlitskaya <[email protected]>

Author: allisonkarlitskaya

examples/uki/Containerfile

@@ -14,42 +14,50 @@
 #    be baked into the UKI.
 
 FROM fedora:42 AS base
-COPY extra /
 RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     set -eux
 
-    # we should install kernel-modules here, but can't
-    # because it'll pull in the entire kernel with it
-    # it seems to work fine for now....
+    mkdir -p /etc/dracut.conf.d
+    echo export DRACUT_NO_XATTR=1 > /etc/dracut.conf.d/no-xattr.conf
+
     dnf --setopt keepcache=1 install --allowerasing -y \
+        btrfs-progs \
         composefs \
         dosfstools \
+        kernel \
         openssh-server \
         policycoreutils-python-utils \
         selinux-policy-targeted \
         skopeo \
         strace \
         systemd \
+        systemd-boot-unsigned \
+        systemd-ukify \
         util-linux
+EOF
+
+# --- Everything above this line should hopefully stay cached ---
+
+COPY cfsctl /usr/bin
+COPY extra /
+RUN <<EOF
+    set -eux
 
     systemctl enable systemd-networkd
     semanage permissive -a systemd_gpt_generator_t  # for volatile-root workaround
     passwd -d root
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin
 
 FROM base AS kernel
 ARG COMPOSEFS_FSVERITY
 RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     set -eux
+
     mkdir -p /etc/kernel /etc/dracut.conf.d
     echo "console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} rw" > /etc/kernel/cmdline
 
-    # systemd-boot-unsigned: ditto
-    # btrfs-progs: dracut wants to include this in the initramfs
-    # ukify: dracut doesn't want to take our cmdline args?
-    dnf --setopt keepcache=1 install -y kernel btrfs-progs systemd-boot-unsigned systemd-ukify
+    kernel-install add-all
 EOF
 
 FROM base AS bootable

examples/uki/Containerfile.arch

@@ -1,33 +1,39 @@
 FROM archlinux AS base
-COPY extra /
-RUN <<EOF
+RUN --mount=type=cache,target=/var/cache/pacman/pkg \
+    --mount=type=cache,target=/var/lib/pacman/sync <<EOF
     set -eux
 
-    touch /etc/machine-id
-    mkdir -p boot/EFI/Linux
-
     pacman -Syu --noconfirm
     pacman -Sy --noconfirm \
         composefs \
         dosfstools \
         linux \
         openssh \
         strace \
-        skopeo
+        skopeo \
+        systemd-ukify
+EOF
+
+# --- Everything above this line should hopefully stay cached ---
+
+COPY cfsctl /usr/bin
+COPY extra /
+RUN <<EOF
+    set -eux
+
+    touch /etc/machine-id
+    mkdir -p boot/EFI/Linux
 
     systemctl enable systemd-networkd systemd-resolved sshd
     passwd -d root
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin
 
 FROM base AS kernel
 ARG COMPOSEFS_FSVERITY
 RUN <<EOF
     set -eux
-    # systemd-boot-unsigned: ditto
     echo "root=/dev/vda2 console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} rw" > /etc/kernel/cmdline
-    pacman -Sy --noconfirm systemd-ukify
     mkinitcpio -p linux
 EOF
 

examples/uki/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf

@@ -1,6 +1,2 @@
 # we want to make sure the virtio disk drivers get included
 hostonly=no
-
-# we need to force these in via the initramfs because we don't have modules in
-# the base image
-force_drivers+=" virtio_net vfat "

examples/unified-secureboot/Containerfile

@@ -1,29 +1,37 @@
 FROM fedora:42 AS base
-COPY extra /
 RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     set -eux
 
-    # we should install kernel-modules here, but can't
-    # because it'll pull in the entire kernel with it
-    # it seems to work fine for now....
     dnf --setopt keepcache=1 install -y \
+        btrfs-progs \
         composefs \
         dosfstools \
+        kernel \
         mokutil \
         openssh-server \
         policycoreutils-python-utils \
+        sbsigntools \
         selinux-policy-targeted \
         skopeo \
         strace \
         systemd \
+        systemd-boot-unsigned \
+        systemd-ukify \
         util-linux
+EOF
+
+# --- Everything above this line should hopefully stay cached ---
+
+COPY cfsctl /usr/bin
+COPY extra /
+RUN <<EOF
+    set -eux
 
     systemctl enable systemd-networkd
     semanage permissive -a systemd_gpt_generator_t  # for volatile-root workaround
     passwd -d root
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin
 
 FROM base AS kernel
 RUN --mount=type=bind,from=base,target=/mnt/base <<EOF
@@ -38,10 +46,7 @@ EOF
 RUN --mount=type=cache,target=/var/cache/libdnf5 \
     --mount=type=secret,id=key \
     --mount=type=secret,id=cert <<EOF
-    # systemd-boot-unsigned: ditto
-    # btrfs-progs: dracut wants to include this in the initramfs
-    # ukify: dracut doesn't want to take our cmdline args?
-    dnf --setopt keepcache=1 install -y kernel btrfs-progs systemd-boot-unsigned systemd-ukify sbsigntools
+    kernel-install add-all
 EOF
 
 FROM base AS bootable

examples/unified-secureboot/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf

@@ -1,6 +1,2 @@
 # we want to make sure the virtio disk drivers get included
 hostonly=no
-
-# we need to force these in via the initramfs because we don't have modules in
-# the base image
-force_drivers+=" virtio_net vfat "

examples/unified/Containerfile

@@ -1,28 +1,35 @@
 FROM fedora:42 AS base
-COPY extra /
 RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     set -eux
 
-    # we should install kernel-modules here, but can't
-    # because it'll pull in the entire kernel with it
-    # it seems to work fine for now....
     dnf --setopt keepcache=1 install --allowerasing -y \
+        btrfs-progs \
         composefs \
         dosfstools \
+        kernel \
         policycoreutils-python-utils \
         openssh-server \
         selinux-policy-targeted \
         skopeo \
         strace \
         systemd \
+        systemd-boot-unsigned \
+        systemd-ukify \
         util-linux
+EOF
+
+# --- Everything above this line should hopefully stay cached ---
+
+COPY cfsctl /usr/bin
+COPY extra /
+RUN <<EOF
+    set -eux
 
     systemctl enable systemd-networkd
     semanage permissive -a systemd_gpt_generator_t  # for volatile-root workaround
     passwd -d root
     mkdir /sysroot
 EOF
-COPY cfsctl /usr/bin
 
 FROM base AS kernel
 RUN --mount=type=bind,from=base,target=/mnt/base <<EOF
@@ -33,12 +40,7 @@ RUN --mount=type=bind,from=base,target=/mnt/base <<EOF
 
     mkdir -p /etc/kernel /etc/dracut.conf.d
     echo "console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} rw" > /etc/kernel/cmdline
-EOF
-RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
-    # systemd-boot-unsigned: ditto
-    # btrfs-progs: dracut wants to include this in the initramfs
-    # ukify: dracut doesn't want to take our cmdline args?
-    dnf --setopt keepcache=1 install -y kernel btrfs-progs systemd-boot-unsigned systemd-ukify
+    kernel-install add-all
 EOF
 
 FROM base AS bootable

examples/unified/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf

@@ -1,6 +1,2 @@
 # we want to make sure the virtio disk drivers get included
 hostonly=no
-
-# we need to force these in via the initramfs because we don't have modules in
-# the base image
-force_drivers+=" virtio_net vfat "