Update approach to handling boot resources

Drop the hidden "meta" layer approach where we try to preserve the image
without the boot resources and move to a model where we explicitly
delete the /boot directory if it exists.  This makes creating images a
lot cleaner and more natural, shown by the cleanup in the examples.

At the same time we also add support for finding resources from the
locations that they're present in bootc images: /usr/lib/modules in
versioned subdirectories with vmlinuz and initramfs.img.

Add some example "simple" writer code that can write the boot resources
to a given directory.  We deal with the /usr/lib/modules cases by
converting them into Type #1 boot entries and writing them as such.
Other consumers of this API might want to do other things, such as
producing grub entries, etc.

Overhaul the cfsctl oci prepare-boot command to use the new stuff.

Fixes #35
Fixes #21

Signed-off-by: Allison Karlitskaya <[email protected]>

Author: allisonkarlitskaya

examples/bls/Containerfile

@@ -16,9 +16,5 @@ RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     systemctl enable systemd-networkd
     passwd -d root
     mkdir /sysroot
-    mkdir /composefs-meta
-    mv /boot /composefs-meta
-    mkdir /boot
 EOF
 COPY cfsctl /usr/bin
-RUN true  # hack to get an extra layer

examples/bls/Containerfile.arch

@@ -22,9 +22,5 @@ RUN <<EOF
     systemctl enable systemd-networkd systemd-resolved sshd
     passwd -d root
     mkdir /sysroot
-    mkdir /composefs-meta
-    mv /boot /composefs-meta
-    mkdir /boot
 EOF
 COPY cfsctl /usr/bin
-RUN true

examples/bls/Containerfile.rawhide

@@ -16,9 +16,5 @@ RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     systemctl enable systemd-networkd
     passwd -d root
     mkdir /sysroot
-    mkdir /composefs-meta
-    mv /boot /composefs-meta
-    mkdir /boot
 EOF
 COPY cfsctl /usr/bin
-RUN true  # hack to get an extra layer

examples/bls/Containerfile.rhel9

@@ -23,9 +23,5 @@ RUN --mount=type=cache,target=/var/cache/dnf <<EOF
     systemctl enable tmp.mount
     passwd -d root
     mkdir /sysroot
-    mkdir /composefs-meta
-    mv /boot /composefs-meta
-    mkdir /boot
 EOF
 COPY cfsctl /usr/bin
-RUN true  # hack to get an extra layer

examples/bls/Containerfile.ubuntu

@@ -34,9 +34,5 @@ RUN <<EOF
     systemctl enable systemd-networkd systemd-resolved
     passwd -d root
     mkdir /sysroot
-    mkdir /composefs-meta
-    mv /boot /composefs-meta
-    mkdir /boot
 EOF
 COPY cfsctl /usr/bin
-RUN true

examples/bls/build

@@ -49,19 +49,9 @@ podman build \
     .
 
 BASE_ID="$(sed s/sha256:// tmp/base.iid)"
-${CFSCTL} oci pull containers-storage:${BASE_ID}
-BASE_IMAGE_FSVERITY="$(${CFSCTL} oci compute-id --bootable "${BASE_ID}")"
-${CFSCTL} oci prepare-boot "${BASE_ID}" --bootdir tmp/efi
 
-OPTIONS="console=ttyS0,115200 composefs=${BASE_IMAGE_FSVERITY} rw"
-BLE="$(echo tmp/efi/loader/entries/*.conf)"
-test -f "${BLE}"
-if grep '^options ' "${BLE}"; then
-    sed -i "s|^options .*$|\0 ${OPTIONS}|" "${BLE}"
-else
-    echo "options    ${OPTIONS}" >> "${BLE}"
-fi
-sed -i 's@ /boot/@ /@' "${BLE}"
+${CFSCTL} oci pull containers-storage:${BASE_ID}
+${CFSCTL} oci prepare-boot "${BASE_ID}" --bootdir tmp/efi --cmdline console=ttyS0,115200 --entry-id=example --cmdline rw
 
 ../common/install-systemd-boot
 ../common/make-image "${os}-bls-efi.qcow2"

examples/uki/Containerfile

@@ -52,9 +52,5 @@ RUN --mount=type=cache,target=/var/cache/libdnf5 <<EOF
     dnf --setopt keepcache=1 install -y kernel btrfs-progs systemd-boot-unsigned systemd-ukify
 EOF
 
-# This could (better?) be done from cfsctl...
 FROM base AS bootable
-COPY --from=kernel /boot /composefs-meta/boot
-# https://github.com/containers/buildah/issues/5950
-RUN --mount=type=tmpfs,target=/run \
-    rm -rf /composefs-meta
+COPY --from=kernel /boot /boot

examples/uki/Containerfile.arch

@@ -31,9 +31,5 @@ RUN <<EOF
     mkinitcpio -p linux
 EOF
 
-# This could (better?) be done from cfsctl...
 FROM base AS bootable
-COPY --from=kernel /boot /composefs-meta/boot
-# https://github.com/containers/buildah/issues/5950
-RUN --mount=type=tmpfs,target=/run \
-    rm -rf /composefs-meta
+COPY --from=kernel /boot /boot

examples/uki/build

@@ -54,10 +54,6 @@ ${PODMAN_BUILD} \
 
 FINAL_ID="$(sed s/sha256:// tmp/final.iid)"
 ${CFSCTL} oci pull containers-storage:"${FINAL_ID}"
-FINAL_IMAGE_FSVERITY="$(${CFSCTL} oci compute-id --bootable "${FINAL_ID}")"
-
-## IMPORTANT: the filesystems of the base and final images are identical
-test "${BASE_IMAGE_FSVERITY}" = "${FINAL_IMAGE_FSVERITY}"
 ${CFSCTL} oci prepare-boot "${FINAL_ID}" --bootdir tmp/efi
 
 ../common/install-systemd-boot

examples/unified-secureboot/Containerfile

@@ -44,9 +44,5 @@ RUN --mount=type=cache,target=/var/cache/libdnf5 \
     dnf --setopt keepcache=1 install -y kernel btrfs-progs systemd-boot-unsigned systemd-ukify sbsigntools
 EOF
 
-# This could (better?) be done from cfsctl...
 FROM base AS bootable
-COPY --from=kernel /boot /composefs-meta/boot
-# https://github.com/containers/buildah/issues/5950
-RUN --mount=type=tmpfs,target=/run \
-    rm -rf /composefs-meta
+COPY --from=kernel /boot /boot