examples: Add bootc UKI & BLS examples

Dockerfile

@@ -39,8 +39,8 @@ EORUN
 # bootc binaries in /out. The intention is that the target rootfs is extracted from /out
 # back into a final stae (without the build deps etc) below.
 FROM base as build
-# Flip this on to enable initramfs code
-ARG initramfs=0
+# Flip this off to disable initramfs code
+ARG initramfs=1
 # This installs our package dependencies, and we want to cache it independently of the rest.
 # Basically we don't want changing a .rs file to blow out the cache of packages. So we only
 # copy files necessary

tests/build.sh

@@ -45,7 +45,7 @@ DISK=target/bootc-integration-test.qcow2
 rm -vf "${DISK}"
 # testcloud barfs on .raw
 if test -n "${bcvk}"; then
-  bcvk to-disk --format=qcow2 --disk-size "${SIZE}" localhost/bootc-integration "${DISK}"
+  bcvk to-disk --format=qcow2 --disk-size "${SIZE}" --filesystem ext4 localhost/bootc-integration "${DISK}"
 else
   TMPDISK=target/bootc-integration-test.raw
   truncate -s "${SIZE}" "${TMPDISK}"
@@ -59,7 +59,7 @@ else
     -v $(pwd)/target:/target \
     localhost/bootc-integration \
     bootc install to-disk \
-    --filesystem "xfs" \
+    --filesystem "ext4" \
     --karg=console=ttyS0,115200n8 \
     --generic-image \
     --via-loopback \

tmt/plans/integration.fmf

@@ -53,3 +53,10 @@ execute:
     how: fmf
     test:
         - /tmt/tests/test-25-soft-reboot
+
+/test-26-examples-build:
+  summary: Test bootc examples build scripts
+  discover:
+    how: fmf
+    test:
+        - /tmt/tests/test-26-examples-build

tmt/tests/booted/readonly/051-test-initramfs.nu

@@ -8,6 +8,11 @@ if (not ("/usr/lib/bootc/initramfs-setup" | path exists)) {
     exit 0
 }
 
+if (not (open /proc/cmdline | str contains composefs)) {
+    print "No composefs in cmdline"
+    exit 0
+}
+
 journalctl -b -t bootc-root-setup.service --grep=OK
 
 tap ok

tmt/tests/examples/bootc-bls/Containerfile

@@ -0,0 +1,10 @@
+FROM quay.io/fedora/fedora-bootc:42
+COPY extra /
+COPY bootc /usr/bin
+
+RUN passwd -d root
+
+# need to have bootc-initramfs-setup in the initramfs so we need this
+RUN set -x; \
+    kver=$(cd /usr/lib/modules && echo *); \
+    dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver;

tmt/tests/examples/bootc-bls/build

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+cp /usr/bin/bootc .
+cp /usr/lib/bootc/initramfs-setup extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
+
+mkdir -p tmp
+
+podman build \
+    -t quay.io/fedora/fedora-bootc-bls:42 \
+    -f Containerfile \
+    --iidfile=tmp/iid \
+    .

tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf

@@ -0,0 +1,3 @@
+# we need to force these in via the initramfs because we don't have modules in
+# the base image
+force_drivers+=" virtio_net vfat "

tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service

@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters <[email protected]>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootc-initramfs-setup
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes

tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    inst \
+        "${moddir}/bootc-initramfs-setup" /usr/bin/bootc-initramfs-setup
+    inst \
+        "${moddir}/bootc-initramfs-setup.service" \
+        "${systemdsystemunitdir}/bootc-initramfs-setup.service"
+
+    $SYSTEMCTL -q --root "${initdir}" add-wants \
+        'initrd-root-fs.target' 'bootc-initramfs-setup.service'
+}

tmt/tests/examples/bootc-uki/Containerfile.stage1

@@ -0,0 +1,10 @@
+FROM quay.io/fedora/fedora-bootc:42
+COPY extra /
+COPY bootc /usr/bin
+
+RUN passwd -d root
+
+# need to have composefs setup root in the initramfs so we need this
+RUN set -x; \
+    kver=$(cd /usr/lib/modules && echo *); \
+    dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver;

tmt/tests/examples/bootc-uki/Containerfile.stage2

@@ -0,0 +1,46 @@
+FROM quay.io/fedora/fedora-bootc-base-uki:42 AS base
+
+FROM base as kernel
+
+ARG COMPOSEFS_FSVERITY
+
+RUN --mount=type=secret,id=key \
+    --mount=type=secret,id=cert <<EOF
+    set -eux
+
+    mkdir -p /etc/kernel /etc/dracut.conf.d
+    echo "console=ttyS0,115200 composefs=${COMPOSEFS_FSVERITY} selinux=1 enforcing=0 systemd.debug_shell=1 root=UUID=6523f8ae-3eb1-4e2a-a05a-18b695ae656f rw" > /etc/kernel/cmdline
+
+    dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
+    kver=$(cd /usr/lib/modules && echo *)
+    ukify build \
+        --linux "/usr/lib/modules/$kver/vmlinuz" \
+        --initrd "/usr/lib/modules/$kver/initramfs.img" \
+        --uname="${kver}" \
+        --cmdline "@/etc/kernel/cmdline" \
+        --os-release "@/etc/os-release" \
+        --signtool sbsign \
+        --secureboot-private-key "/run/secrets/key" \
+        --secureboot-certificate "/run/secrets/cert" \
+        --measure \
+        --json pretty \
+        --output "/boot/$kver.efi"
+    sbsign \
+        --key "/run/secrets/key" \
+        --cert "/run/secrets/cert" \
+        "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \
+        --output "/boot/systemd-bootx64.efi"
+EOF
+
+FROM base as final
+
+RUN --mount=type=bind,from=kernel,target=/_mount/kernel <<EOF
+    kver=$(cd /usr/lib/modules && echo *)
+    mkdir -p /boot/EFI/Linux
+    # We put the UKI in /boot for now due to composefs verity not being the
+    # same due to mtime of /usr/lib/modules being changed
+    cp /_mount/kernel/boot/$kver.efi /boot/EFI/Linux/$kver.efi
+EOF
+
+FROM base as final-final
+COPY --from=final /boot /boot

tmt/tests/examples/bootc-uki/build.base

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+cp /usr/bin/bootc .
+cp /usr/lib/bootc/initramfs-setup extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
+
+mkdir -p tmp
+
+podman build \
+    -t quay.io/fedora/fedora-bootc-base-uki:42 \
+    -f Containerfile.stage1 \
+    --iidfile=tmp/iid \
+    .

tmt/tests/examples/bootc-uki/build.final

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+cp /usr/bin/bootc .
+
+rm -rf tmp/sysroot
+mkdir -p tmp/sysroot/composefs
+
+IMAGE_ID="$(sed s/sha256:// tmp/iid)"
+./bootc internals cfs --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}"
+COMPOSEFS_FSVERITY="$(./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}")"
+
+# See: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
+# Alternative to generate keys for testing: `sbctl create-keys`
+if [[ ! -d "secureboot" ]]; then
+    echo "Generating test Secure Boot keys"
+    mkdir secureboot
+    pushd secureboot > /dev/null
+    uuidgen --random > GUID.txt
+    openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Platform Key/" -out PK.crt
+    openssl x509 -outform DER -in PK.crt -out PK.cer
+    openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Key Exchange Key/" -out KEK.crt
+    openssl x509 -outform DER -in KEK.crt -out KEK.cer
+    openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Signature Database key/" -out db.crt
+    openssl x509 -outform DER -in db.crt -out db.cer
+    popd > /dev/null
+fi
+
+# For debugging, add --no-cache to podman command
+sudo podman build \
+    -t quay.io/fedora/fedora-bootc-uki:42 \
+    --build-arg=COMPOSEFS_FSVERITY="${COMPOSEFS_FSVERITY}" \
+    -f Containerfile.stage2 \
+    --secret=id=key,src=secureboot/db.key \
+    --secret=id=cert,src=secureboot/db.crt \
+    --iidfile=tmp/iid2
+
+rm -rf tmp/efi
+mkdir -p tmp/efi
+./bootc internals cfs --repo tmp/sysroot/composefs oci pull containers-storage:"${IMAGE_ID}"
+./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}"
+./bootc internals cfs --repo tmp/sysroot/composefs oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi

tmt/tests/examples/bootc-uki/build_vars

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+if [[ ! -d "secureboot" ]]; then
+    echo "fail"
+    exit 1
+fi
+
+# See: https://github.com/rhuefi/qemu-ovmf-secureboot
+# $ dnf install -y python3-virt-firmware
+GUID=$(cat secureboot/GUID.txt)
+virt-fw-vars --input "/usr/share/edk2/ovmf/OVMF_VARS_4M.secboot.qcow2" \
+    --secure-boot  \
+    --set-pk  $GUID "secureboot/PK.crt" \
+    --add-kek $GUID "secureboot/KEK.crt" \
+    --add-db  $GUID "secureboot/db.crt" \
+    -o "VARS_CUSTOM.secboot.qcow2.template"

tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf

@@ -0,0 +1,3 @@
+# we need to force these in via the initramfs because we don't have modules in
+# the base image
+force_drivers+=" virtio_net vfat "

tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service

@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters <[email protected]>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootc-initramfs-setup
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes

tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    inst \
+        "${moddir}/bootc-initramfs-setup" /usr/bin/bootc-initramfs-setup
+    inst \
+        "${moddir}/bootc-initramfs-setup.service" \
+        "${systemdsystemunitdir}/bootc-initramfs-setup.service"
+
+    $SYSTEMCTL -q --root "${initdir}" add-wants \
+        'initrd-root-fs.target' 'bootc-initramfs-setup.service'
+}

tmt/tests/examples/bootc-uki/install-grub.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eux
+
+curl http://192.168.122.1:8000/bootc -o bootc
+chmod +x bootc
+
+IMAGE=quay.io/fedora/fedora-bootc-uki:42
+
+#    --env RUST_LOG=debug \
+#    --env RUST_BACKTRACE=1 \
+podman run \
+    --rm --privileged \
+    --pid=host \
+    -v /dev:/dev \
+    -v /var/lib/containers:/var/lib/containers \
+    -v /srv/bootc:/usr/bin/bootc:ro,Z \
+    -v /var/tmp:/var/tmp \
+    --security-opt label=type:unconfined_t \
+    "${IMAGE}" \
+    bootc install to-disk \
+        --composefs-native \
+        --boot=uki \
+        --source-imgref="containers-storage:${IMAGE}" \
+        --target-imgref="${IMAGE}" \
+        --target-transport="docker" \
+        /dev/vdb \
+        --filesystem=ext4 \
+        --wipe