Various composefs enhancements

- Change the install logic to detect UKIs and automatically
  enable composefs
- Move sealing bits to the toplevel
- Add Justfile entrypoints
- Add basic end-to-end CI coverage (install + run) using
  our integration tests
- Change lints to ignore `/boot/EFI`

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

.github/actions/bootc-ubuntu-setup/action.yml

@@ -25,22 +25,22 @@ runs:
     - name: Free up disk space on runner
       shell: bash
       run: |
+        set -xeuo pipefail
         sudo df -h
         unwanted=('^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*'
                   azure-cli google-chrome-stable firefox mono-devel)
         for x in ${unwanted[@]}; do
-          sudo apt-get remove -y $x > /dev/null
+          sudo apt-get remove -y $x
         done
         # Start other removal operations in parallel
-        sudo docker image prune --all --force > /dev/null &
-        sudo rm -rf /usr/share/dotnet /opt/ghc /usr/local/lib/android &
-        # Wait for all background processes to complete
-        wait
+        sudo docker image prune --all --force
+        sudo rm -rf /usr/share/dotnet /opt/ghc /usr/local/lib/android
         sudo df -h
     # This is the default on e.g. Fedora derivatives, but not Debian
     - name: Enable unprivileged /dev/kvm access
       shell: bash
       run: |
+        set -xeuo pipefail
         echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
         sudo udevadm control --reload-rules
         sudo udevadm trigger --name-match=kvm
@@ -65,5 +65,17 @@ runs:
       if: ${{ inputs.libvirt == 'true' }}
       shell: bash
       run: |
-        set -eux
-        sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm qemu-utils libvirt-daemon-system
+        set -xeuo pipefail
+        sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system
+        # Something in the stack is overriding this, but we want session right now for bcvk
+        echo LIBVIRT_DEFAULT_URI=qemu:///session >> $GITHUB_ENV
+        td=$(mktemp -d)
+        cd $td
+        # Install bcvk
+        curl -LO https://github.com/bootc-dev/bcvk/releases/download/v0.5.1/bcvk-x86_64-unknown-linux-gnu.tar.gz
+        echo '1c9bb9e2b1e39d64c93b847350dd028832da27e7f7b0296b14ebfc2fb66b5c2c  bcvk-x86_64-unknown-linux-gnu.tar.gz' > sums
+        sha256sum -c sums
+        tar zxvf bcvk*.tar.gz
+        sudo install -T bcvk-$(arch)-*linux-gnu /usr/bin/bcvk
+        cd -
+        rm -rf "$td"

.github/workflows/ci.yml

@@ -19,6 +19,9 @@ on:
 
 env:
   CARGO_TERM_COLOR: always
+  # Something seems to be setting this in the default GHA runners, which breaks bcvk
+  # as the default runner user doesn't have access
+  LIBVIRT_DEFAULT_URI: "qemu:///session"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -189,3 +192,29 @@ jobs:
         with:
           name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ env.ARCH }}-${{ matrix.tmt_plan }}
           path: /var/tmp/tmt
+  # This variant does composefs testing
+  test-integration-cfs:
+    strategy:
+      fail-fast: false
+      matrix:
+        test_os: [centos-10]
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bootc Ubuntu Setup
+        uses: ./.github/actions/bootc-ubuntu-setup
+        with:
+          libvirt: true
+
+      - name: Build container
+        run: just build-sealed
+
+      - name: Setup upterm session
+        uses: owenthereal/action-upterm@v1
+        with:
+          limit-access-to-users: cgwalters
+
+      - name: Test
+        run: just test-composefs

Cargo.lock

@@ -0,0 +1,70 @@
+# Override via --build-arg=base=<image> to use a different base
+ARG base=localhost/bootc
+# This is where we get the tools to build the UKI
+ARG buildroot=quay.io/fedora/fedora:42
+FROM $base AS base
+
+FROM $buildroot as buildroot-base
+RUN <<EORUN
+set -xeuo pipefail
+dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
+dnf clean all
+EORUN
+
+FROM buildroot-base as kernel
+# Must be passed
+ARG COMPOSEFS_FSVERITY
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert \
+    --mount=type=bind,from=base,target=/target \
+     <<EOF
+    set -eux
+
+    # Should be generated externally
+    test -n "${COMPOSEFS_FSVERITY}"
+
+    # Inject the composefs kernel argument and specify a root with the x86_64 DPS UUID.
+    # TODO: Discoverable partition fleshed out, or drop root UUID as systemd-stub extension
+    # TODO: https://github.com/containers/composefs-rs/issues/183
+    cmdline="composefs=${COMPOSEFS_FSVERITY} root=UUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 console=ttyS0,114800n8 enforcing=0 rw"
+
+    kver=$(cd /target/usr/lib/modules && echo *)
+    ukify build \
+        --linux "/target/usr/lib/modules/$kver/vmlinuz" \
+        --initrd "/target/usr/lib/modules/$kver/initramfs.img" \
+        --uname="${kver}" \
+        --cmdline "${cmdline}" \
+        --os-release "@/target/usr/lib/os-release" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --measure \
+        --json pretty \
+        --output "/boot/$kver.efi"
+    sbsign \
+        --key "/run/secrets/key" \
+        --cert "/run/secrets/cert" \
+        "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
+        --output "/boot/systemd-bootx64.efi"
+EOF
+
+FROM base as final
+
+RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
+    kver=$(cd /usr/lib/modules && echo *)
+    mkdir -p /boot/EFI/Linux
+    # We put the UKI in /boot for now due to composefs verity not being the
+    # same due to mtime of /usr/lib/modules being changed
+    target=/boot/EFI/Linux/$kver.efi
+    cp /run/kernel/boot/$kver.efi $target
+    # And remove the defaults
+    rm -v /usr/lib/modules/${kver}/{vmlinuz,initramfs.img}
+    # Symlink into the /usr/lib/modules location
+    ln -sr $target /usr/lib/modules/${kver}/$(basename $kver.efi)
+    bootc container lint --fatal-warnings
+EOF
+
+FROM base as final-final
+COPY --from=final /boot /boot
+# Override the default
+LABEL containers.bootc=sealed

Dockerfile.cfsuki

@@ -13,12 +13,21 @@
 build *ARGS:
     podman build --jobs=4 -t localhost/bootc {{ARGS}} .
 
+# Build a sealed image from current sources. This will default to
+# generating Secure Boot keys in target/test-secureboot.
+build-sealed *ARGS:
+    podman build --jobs=4 -t localhost/bootc-unsealed {{ARGS}} .
+    ./tests/build-sealed localhost/bootc-unsealed localhost/bootc
+
 # This container image has additional testing content and utilities
 build-integration-test-image *ARGS:
     cd hack && podman build --jobs=4 -t localhost/bootc-integration -f Containerfile {{ARGS}} .
     # Keep these in sync with what's used in hack/lbi
     podman pull -q --retry 5 --retry-delay 5s quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.access.redhat.com/ubi9/podman:latest
 
+test-composefs: build-sealed
+    cargo run --release -p tests-integration -- composefs-bcvk localhost/bootc
+
 # Only used by ci.yml right now
 build-install-test-image: build-integration-test-image
     cd hack && podman build -t localhost/bootc-integration-install -f Containerfile.drop-lbis

Justfile

@@ -51,7 +51,7 @@ use crate::install::{RootSetup, State};
 /// Contains the EFP's filesystem UUID. Used by grub
 pub(crate) const EFI_UUID_FILE: &str = "efiuuid.cfg";
 /// The EFI Linux directory
-const EFI_LINUX: &str = "EFI/Linux";
+pub(crate) const EFI_LINUX: &str = "EFI/Linux";
 
 /// Timeout for systemd-boot bootloader menu
 const SYSTEMD_TIMEOUT: &str = "timeout 5";
@@ -126,6 +126,26 @@ fi
     )
 }
 
+/// Returns `true` if detect the target rootfs carries a UKI.
+pub(crate) fn container_root_has_uki(root: &Dir) -> Result<bool> {
+    let Some(boot) = root.open_dir_optional(crate::install::BOOT)? else {
+        return Ok(false);
+    };
+    let Some(efi_linux) = boot.open_dir_optional(EFI_LINUX)? else {
+        return Ok(false);
+    };
+    for entry in efi_linux.entries()? {
+        let entry = entry?;
+        let name = entry.file_name();
+        let name = Path::new(&name);
+        let extension = name.extension().and_then(|v| v.to_str());
+        if extension == Some("efi") {
+            return Ok(true);
+        }
+    }
+    Ok(false)
+}
+
 pub fn get_esp_partition(device: &str) -> Result<(String, Option<String>)> {
     let device_info = bootc_blockdev::partitions_of(Utf8Path::new(device))?;
     let esp = device_info
@@ -1001,3 +1021,34 @@ pub(crate) fn setup_composefs_boot(
 
     Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use cap_std_ext::cap_std;
+
+    #[test]
+    fn test_root_has_uki() -> Result<()> {
+        // Test case 1: No boot directory
+        let tempdir = cap_std_ext::cap_tempfile::tempdir(cap_std::ambient_authority())?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 2: boot directory exists but no EFI/Linux
+        tempdir.create_dir(crate::install::BOOT)?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 3: boot/EFI/Linux exists but no .efi files
+        tempdir.create_dir_all("boot/EFI/Linux")?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 4: boot/EFI/Linux exists with non-.efi file
+        tempdir.atomic_write("boot/EFI/Linux/readme.txt", b"some file")?;
+        assert_eq!(container_root_has_uki(&tempdir)?, false);
+
+        // Test case 5: boot/EFI/Linux exists with .efi file
+        tempdir.atomic_write("boot/EFI/Linux/bootx64.efi", b"fake efi binary")?;
+        assert_eq!(container_root_has_uki(&tempdir)?, true);
+
+        Ok(())
+    }
+}

crates/lib/src/bootc_composefs/boot.rs

@@ -6,13 +6,15 @@ use std::ffi::{CString, OsStr, OsString};
 use std::io::Seek;
 use std::os::unix::process::CommandExt;
 use std::process::Command;
+use std::sync::Arc;
 
 use anyhow::{ensure, Context, Result};
-use camino::Utf8PathBuf;
+use camino::{Utf8Path, Utf8PathBuf};
 use cap_std_ext::cap_std;
 use cap_std_ext::cap_std::fs::Dir;
 use clap::Parser;
 use clap::ValueEnum;
+use composefs_boot::BootOps as _;
 use etc_merge::{compute_diff, print_diff};
 use fn_error_context::context;
 use indoc::indoc;
@@ -23,11 +25,13 @@ use ostree_ext::composefs::fsverity::FsVerityHashValue;
 use ostree_ext::composefs::splitstream::SplitStreamWriter;
 use ostree_ext::container as ostree_container;
 use ostree_ext::container_utils::ostree_booted;
+use ostree_ext::containers_image_proxy::ImageProxyConfig;
 use ostree_ext::keyfileext::KeyFileExt;
 use ostree_ext::ostree;
 use ostree_ext::sysroot::SysrootLock;
 use schemars::schema_for;
 use serde::{Deserialize, Serialize};
+use tempfile::tempdir_in;
 
 #[cfg(feature = "composefs-backend")]
 use crate::bootc_composefs::{
@@ -40,9 +44,11 @@ use crate::bootc_composefs::{
 };
 use crate::deploy::RequiredHostSpec;
 use crate::lints;
+use crate::podstorage::set_additional_image_store;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
 use crate::spec::Host;
 use crate::spec::ImageReference;
+use crate::store::ComposefsRepository;
 use crate::utils::sigpolicy_from_opt;
 
 /// Shared progress options
@@ -315,6 +321,12 @@ pub(crate) enum ContainerOpts {
         #[clap(long)]
         no_truncate: bool,
     },
+    /// Output the bootable composefs digest.
+    #[clap(hide = true)]
+    ComputeComposefsDigest {
+        /// Identifier for image; if not provided, the running image will be used.
+        image: Option<String>,
+    },
 }
 
 /// Subcommands which operate on images.
@@ -1335,6 +1347,55 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 )?;
                 Ok(())
             }
+            ContainerOpts::ComputeComposefsDigest { image } => {
+                // Allocate a tempdir
+                let td = tempdir_in("/var/tmp")?;
+                let td = td.path();
+                let td = &Dir::open_ambient_dir(td, cap_std::ambient_authority())?;
+
+                td.create_dir("repo")?;
+                let repo = td.open_dir("repo")?;
+                let mut repo =
+                    ComposefsRepository::open_path(&repo, ".").context("Init cfs repo")?;
+                // We don't need to hard require verity on the *host* system, we're just computing a checksum here
+                repo.set_insecure(true);
+                let repo = &Arc::new(repo);
+
+                let mut proxycfg = ImageProxyConfig::default();
+
+                let image = if let Some(image) = image {
+                    image
+                } else {
+                    let host_container_store = Utf8Path::new("/run/host-container-storage");
+                    // If no image is provided, assume that we're running in a container in privileged mode
+                    // with access to the container storage.
+                    let container_info = crate::containerenv::get_container_execution_info(&root)?;
+                    let iid = container_info.imageid;
+                    tracing::debug!("Computing digest of {iid}");
+
+                    if !host_container_store.try_exists()? {
+                        anyhow::bail!("Must be readonly mount of host container store: {host_container_store}");
+                    }
+                    // And ensure we're finding the image in the host storage
+                    let mut cmd = Command::new("skopeo");
+                    set_additional_image_store(&mut cmd, "/run/host-container-storage");
+                    proxycfg.skopeo_cmd = Some(cmd);
+                    iid
+                };
+
+                let imgref = format!("containers-storage:{image}");
+                let (imgid, verity) = composefs_oci::pull(repo, &imgref, None, Some(proxycfg))
+                    .await
+                    .context("Pulling image")?;
+                let imgid = hex::encode(imgid);
+                let mut fs = composefs_oci::image::create_filesystem(repo, &imgid, Some(&verity))
+                    .context("Populating fs")?;
+                fs.transform_for_boot(&repo).context("Preparing for boot")?;
+                let id = fs.compute_image_id();
+                println!("{}", id.to_hex());
+
+                Ok(())
+            }
         },
         Opt::Image(opts) => match opts {
             ImageOpts::List {

crates/lib/src/cli.rs

@@ -139,7 +139,6 @@ ExecStart=bootc internals fixup-etc-fstab\n\
 #[cfg(test)]
 mod tests {
     use camino::Utf8Path;
-    use cap_std_ext::cmdext::CapStdExtCommandExt as _;
 
     use super::*;