Skip to content
This repository has been archived by the owner on Nov 7, 2024. It is now read-only.

store: Support importing images without /ostree #674

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

cgwalters
Copy link
Member

A sticking point keeping ostree in the picture here for
containers was SELinux handling. When we started this
effort I'd feared rewriting.

But recently we changed things such that we label derived images
using the policy from the final root.

This is a relatively small change in code size and complexity,
that allows us to import images that don't have "ostree stuff"
in them at all, i.e. there's no /ostree/repo/objects.

The advantage here is that this significantly simplifies
constructing base images.

The main disadvantage today for people who build images
this way is that we end up re-labeling and re-checksumming all objects.

But, the real fix for that in the future will be for us to
rework things such that we support security.selinux for example
as native xattrs in the tar stream.

cgwalters added a commit to cgwalters/bootc that referenced this pull request Oct 24, 2024
Pairs with ostreedev/ostree-rs-ext#674
to enable consuming containers that don't have `/ostree`.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this pull request Oct 24, 2024
Pairs with ostreedev/ostree-rs-ext#674
to enable consuming containers that don't have `/ostree`.

Signed-off-by: Colin Walters <[email protected]>
Copy link
Collaborator

@djach7 djach7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like the same testing failure as #673 but apart from that it builds and tests for me. LGTM but I'm going to keep reading and digging in because there's a lot here that I'm not familiar with.

cgwalters added a commit to cgwalters/bootc that referenced this pull request Oct 24, 2024
Pairs with ostreedev/ostree-rs-ext#674
to enable consuming containers that don't have `/ostree`.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this pull request Oct 24, 2024
Pairs with ostreedev/ostree-rs-ext#674
to enable consuming containers that don't have `/ostree`.

Signed-off-by: Colin Walters <[email protected]>
@cgwalters
Copy link
Member Author

I'm picking this one back up, fixing conflicts and adding tests

A sticking point keeping ostree in the picture here for
containers was SELinux handling. When we started this
effort I'd feared rewriting.

But recently we changed things such that we label derived images
using the policy from the final root.

This is a relatively small change in code size and complexity,
that allows us to import images that don't have "ostree stuff"
in them at all, i.e. there's no `/ostree/repo/objects`.

The advantage here is that this significantly simplifies
constructing base images.

The main disadvantage today for people who build images
this way is that we end up re-labeling and re-checksumming all objects.

But, the real fix for that in the future will be for us to
rework things such that we support `security.selinux` for example
as native xattrs in the tar stream.

Signed-off-by: Colin Walters <[email protected]>
@cgwalters
Copy link
Member Author

OK rebased 🏄 and now with tests!

However, something kind of left open here is basically nailing down things like:

  • Do we require ostree/ and sysroot to be in the image, or do we just...make them if they don't exist?

cgwalters added a commit to cgwalters/bootc that referenced this pull request Nov 1, 2024
Pairs with ostreedev/ostree-rs-ext#674
to enable consuming containers that don't have `/ostree`.

Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters marked this pull request as ready for review November 1, 2024 18:42
@cgwalters
Copy link
Member Author

OK for reference, this gets to running with bootc install and almost to booting for me with this patch (and containers/bootc#844 ).

FROM quay.io/fedora/fedora:41
RUN <<EORUN

set -xeuo pipefail
dnf -y install rpm-ostree kernel systemd bootc bootupd ostree xfsprogs dosfstools \
               grub2 grub2-efi-x64 efibootmgr shim microcode_ctl \
               NetworkManager openssh nss-altfiles
dnf clean all

kver=$(cd /usr/lib/modules && echo *)
echo "kver=$kver"
# The kernel is duplicated in /boot, and the initramfs needs regenerating
rm -vf /boot/vmlinuz* /boot/initramfs*
dracut --no-hostonly /usr/lib/modules/$kver/initramfs.img "$kver"
mkdir -p /usr/lib/ostree-boot
mv /boot/* /usr/lib/ostree-boot
# FIXME drop this requirement for bootupd
ln -sr /usr/lib/sysimage/rpm /usr/share/rpm
bootupctl -vvvv backend generate-update-metadata
mkdir /sysroot
ln -s sysroot/ostree .
EORUN
LABEL containers.bootc=1

So we can use this as an optimization target.

@cgwalters cgwalters marked this pull request as draft November 1, 2024 18:50
@cgwalters
Copy link
Member Author

Although moving back to draft as this technically breaks semver, and I'd like to do another release with other fixes before we do this one.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants