first commit

README.md

@@ -0,0 +1,224 @@
+# Debian Atomic Infrastructure Files
+
+This directory contains the missing systemd services, configuration files, and infrastructure components needed to make Debian work with OSTree and bootc-image-builder, based on our analysis of the successful Fedora Atomic system.
+
+## 📁 Directory Structure
+
+```
+debian-atomic-files/
+├── ostree-systemd/           # OSTree systemd services and configuration
+├── bootc/                    # Bootc systemd services and infrastructure
+├── apt-ostree-systemd/       # APT-OSTree systemd services and kernel hooks
+├── ostree-dracut/           # OSTree dracut module
+└── README.md                # This file
+```
+
+## 🎯 Purpose
+
+These files address the **critical missing infrastructure** that prevents Debian from working with OSTree and bootc-image-builder. Based on our analysis of the successful Fedora Atomic system, we discovered that **28+ systemd services** are required for a functional OSTree system, and Debian packages are missing most of them.
+
+## 📦 Package Structure
+
+### 1. `ostree-systemd` Package
+
+**Purpose**: Provides essential OSTree systemd services and configuration files.
+
+**Files**:
+- `systemd/system/ostree-prepare-root.service` - Handles OSTree deployment during initramfs
+- `systemd/system/ostree-remount.service` - Manages OSTree bind mounts after boot
+- `systemd/system/ostree-state-overlay@.service` - Template for OSTree state overlays
+- `systemd/system/ostree-finalize-staged.service` - Finalizes staged deployments
+- `systemd/system/ostree-finalize-staged-hold.service` - Prevents finalization conflicts
+- `systemd/system/ostree-boot-complete.service` - Completes boot process
+- `ostree/prepare-root.conf` - OSTree configuration (composefs, readonly sysroot)
+- `tmpfiles.d/ostree-tmpfiles.conf` - Runtime directory creation and cleanup
+
+**Installation Path**: `/usr/lib/systemd/system/`, `/usr/lib/ostree/`, `/usr/lib/tmpfiles.d/`
+
+### 2. `bootc` Package
+
+**Purpose**: Provides bootc infrastructure for automatic updates, filesystem growth, and cleanup.
+
+**Files**:
+- `systemd/system/bootc-fetch-apply-updates.service` - Automatic updates service
+- `systemd/system/bootc-fetch-apply-updates.timer` - Timer for automatic updates (1h after boot, then every 8h)
+- `systemd/system/bootc-generic-growpart.service` - Auto-grow root filesystem on VMs
+- `systemd/system/bootc-destructive-cleanup.service` - Cleanup after installations
+- `systemd/system/bootc-publish-rhsm-facts.service` - Publish facts to subscription manager
+- `systemd/system/bootc-status-updated.target` - Status coordination target
+- `systemd/system/bootc-status-updated-onboot.target` - Boot status target
+- `systemd/system/bootc-root-setup.service` - Bootc root setup in initramfs
+
+**Installation Path**: `/usr/lib/systemd/system/`
+
+### 3. `bootc-dracut` Package
+
+**Purpose**: Provides bootc dracut configuration for initramfs generation.
+
+**Files**:
+- `usr/lib/dracut.conf.d/10-bootc-base.conf` - Bootc dracut configuration (hostonly=no, add ostree module)
+
+**Installation Path**: `/usr/lib/dracut.conf.d/`
+
+### 4. `apt-ostree` Package (Enhanced)
+
+**Purpose**: APT-OSTree package should include all systemd services and kernel installation hooks (like rpm-ostree does).
+
+**Files**:
+- `systemd/system/apt-ostreed.service` - APT-OSTree system management daemon
+- `systemd/system/apt-ostree-bootstatus.service` - Log boot status to journal
+- `systemd/system/apt-ostree-countme.service` - Analytics reporting service
+- `systemd/system/apt-ostree-countme.timer` - Weekly analytics timer
+- `systemd/system/apt-ostree-fix-shadow-mode.service` - Fix shadow permissions
+- `systemd/system/apt-ostreed-automatic.service` - Automatic updates service
+- `systemd/system/apt-ostreed-automatic.timer` - Automatic updates timer
+- `kernel/install.d/05-aptostree.install` - Kernel installation hook for OSTree
+- `kernel/install.conf` - Kernel install configuration (layout=ostree)
+- `tmpfiles.d/apt-ostree-0-integration.conf` - APT-OSTree tmpfiles integration
+- `tmpfiles.d/apt-ostree-0-integration-opt-usrlocal.conf` - /usr/local and /opt directory setup
+- `tmpfiles.d/apt-ostree-0-integration-opt-usrlocal-compat.conf` - Backwards compatibility for /usr/local
+- `apt-ostreed.conf` - APT-OSTree daemon configuration
+- `org.debian.aptostree1.conf` - D-Bus policy configuration
+
+**Installation Path**: `/usr/lib/systemd/system/`, `/usr/lib/kernel/install.d/`, `/usr/lib/kernel/`, `/usr/lib/tmpfiles.d/`, `/etc/`, `/usr/share/dbus-1/system.d/`
+
+**Note**: These files should be bundled with the `apt-ostree` package itself, not as a separate package.
+
+### 5. `ostree-dracut` Package
+
+**Purpose**: Provides OSTree dracut module for initramfs integration.
+
+**Files**:
+- `modules.d/98ostree/module-setup.sh` - OSTree dracut module setup script
+
+**Installation Path**: `/usr/lib/dracut/modules.d/98ostree/`
+
+## 🔧 What Each File Does
+
+### OSTree Systemd Services
+
+**`ostree-prepare-root.service`**:
+- **Purpose**: Handles OSTree deployment during initramfs phase
+- **Function**: Runs `/usr/lib/ostree/ostree-prepare-root /sysroot`
+- **Timing**: After `sysroot.mount`, before `initrd-root-fs.target`
+- **Critical**: This is what makes OSTree deployment work during boot
+
+**`ostree-remount.service`**:
+- **Purpose**: Handles OSTree bind mounts after boot
+- **Function**: Runs `/usr/lib/ostree/ostree-remount` binary
+- **Timing**: After `var.mount`, before `local-fs.target`
+- **Critical**: Manages overlay filesystems for `/etc`, `/var`, etc.
+
+**`ostree-state-overlay@.service`**:
+- **Purpose**: Template service for OSTree state overlays
+- **Function**: Runs `ostree admin state-overlay %i /%I`
+- **Critical**: Enables writable overlays on read-only OSTree deployments
+
+**`ostree-finalize-staged.service`**:
+- **Purpose**: Finalizes staged deployments
+- **Function**: Runs `ostree admin finalize-staged` on service stop
+- **Timing**: After `local-fs.target`, before `basic.target`
+- **Critical**: Required for proper deployment finalization
+
+**`ostree-boot-complete.service`**:
+- **Purpose**: Completes boot process and handles soft-reboot cleanup
+- **Function**: Runs `ostree admin boot-complete`
+- **Timing**: After `sysinit.target`, before `ostree-finalize-staged.service`
+- **Critical**: Handles boot completion and cleanup
+
+### Bootc Systemd Services
+
+**`bootc-fetch-apply-updates.service` + `.timer`**:
+- **Purpose**: Automatic updates via `bootc upgrade --apply --quiet`
+- **Timer**: Runs 1h after boot, then every 8h with 2h randomization
+- **Critical**: Provides automatic update functionality
+
+**`bootc-generic-growpart.service`**:
+- **Purpose**: Automatically grow root filesystem on VMs
+- **Function**: Runs `/usr/libexec/bootc-generic-growpart`
+- **Condition**: Only runs on VMs with `/sysroot` mounted
+- **Critical**: Handles filesystem growth automatically
+
+**`bootc-destructive-cleanup.service`**:
+- **Purpose**: Cleanup after alongside installation
+- **Function**: Runs `/usr/lib/bootc/fedora-bootc-destructive-cleanup`
+- **Critical**: Cleans up after destructive operations
+
+### APT-OSTree Services
+
+**`apt-ostreed.service`**:
+- **Purpose**: APT-OSTree system management daemon
+- **Type**: DBus service (`org.debian.aptostree1`)
+- **Function**: Runs `apt-ostree start-daemon`
+- **Critical**: Provides system management API
+
+**`apt-ostree-bootstatus.service`**:
+- **Purpose**: Log booted deployment status to journal
+- **Function**: Runs `apt-ostree status -b`
+- **Critical**: Provides boot status logging
+
+### Kernel Installation Hooks
+
+**`05-aptostree.install`**:
+- **Purpose**: OSTree-aware kernel installation hook
+- **Function**: Delegates to `apt-ostree kernel-install` for OSTree systems
+- **Critical**: Ensures proper kernel installation in OSTree environment
+
+**`install.conf`**:
+- **Purpose**: Kernel install configuration
+- **Content**: `layout=ostree`
+- **Critical**: Tells kernel-install to use OSTree-specific hooks
+
+### Dracut Module
+
+**`98ostree/module-setup.sh`**:
+- **Purpose**: OSTree dracut module for initramfs
+- **Function**: Installs OSTree binaries and services into initramfs
+- **Critical**: Required for OSTree integration in initramfs
+
+## 🚀 Implementation Strategy
+
+### Phase 1: Create Debian Packages
+1. **`ostree-systemd`** - Essential OSTree services
+2. **`bootc`** - Bootc infrastructure
+3. **`ostree-dracut`** - Dracut module
+4. **`apt-ostree`** - Enhanced with systemd services and kernel hooks
+
+### Phase 2: Package Installation
+```bash
+# Install the packages
+sudo dpkg -i ostree-systemd_*.deb
+sudo dpkg -i bootc_*.deb
+sudo dpkg -i ostree-dracut_*.deb
+sudo dpkg -i apt-ostree_*.deb  # Enhanced with systemd services
+```
+
+### Phase 3: Test with bootc-image-builder
+```bash
+# Use existing bootc-image-builder with Debian container
+bootc-image-builder build --config debian-atomic.yaml
+```
+
+## 🎯 Expected Results
+
+After installing these packages, Debian should have:
+- ✅ **Complete OSTree infrastructure** (28+ systemd services)
+- ✅ **Proper kernel installation hooks** for OSTree
+- ✅ **Dracut integration** for initramfs
+- ✅ **Automatic update functionality** via bootc
+- ✅ **Filesystem growth and cleanup** capabilities
+- ✅ **Compatibility with bootc-image-builder**
+
+## 📋 Next Steps
+
+1. **Create Debian packages** from these files
+2. **Test package installation** on Debian system
+3. **Build Debian Atomic container** with apt-ostree
+4. **Test with bootc-image-builder** to create bootable image
+5. **Boot test** the resulting image
+
+## 🔍 Key Insights
+
+**The problem was not in the build process** - `bootc-image-builder` works fine. The problem was **missing package infrastructure** in Debian. These files provide the missing systemd services, configuration files, and hooks that make OSTree work properly.
+
+**This approach is much more manageable** than initially thought - we just need to package these files and install them, then use the existing proven build process.

apt-ostree-systemd/apt-ostreed.conf

@@ -0,0 +1,9 @@
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# For option meanings, see apt-ostreed.conf(5).
+
+[Daemon]
+#AutomaticUpdatePolicy=none
+#IdleExitTimeout=60
+#LockLayering=false
+#Recommends=true

apt-ostree-systemd/kernel/install.conf

@@ -0,0 +1,4 @@
+# kernel-install will not try to run dracut and allow apt-ostree to
+# take over. Apt-ostree will use this to know that it is responsible
+# to run dracut and ensure that there is only one kernel in the image
+layout=ostree

apt-ostree-systemd/kernel/install.d/05-aptostree.install

@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+# Check if install.conf is missing or does not include layout=ostree
+if [ ! -f /usr/lib/kernel/install.conf ] || ! grep -q layout=ostree /usr/lib/kernel/install.conf; then
+    exit 0
+fi
+# This is the hook that has kernel-install call into apt-ostree kernel-install
+if test -x /usr/bin/apt-ostree; then
+    exec /usr/bin/apt-ostree kernel-install "$@"
+fi

apt-ostree-systemd/org.debian.aptostree1.conf

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
+
+<!DOCTYPE busconfig PUBLIC
+  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <!-- Only root can own the service -->
+  <policy user="root">
+    <allow own="org.debian.aptostree1"/>
+    <allow send_destination="org.debian.aptostree1"/>
+  </policy>
+
+  <!-- Allow anyone to call into the service - we'll reject callers using PolicyKit -->
+  <policy context="default">
+    <deny send_destination="org.debian.aptostree1"/>
+
+    <allow send_destination="org.debian.aptostree1"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+
+    <allow send_destination="org.debian.aptostree1"
+           send_interface="org.freedesktop.DBus.ObjectManager"/>
+
+    <allow send_destination="org.debian.aptostree1"
+           send_interface="org.freedesktop.DBus.Peer"/>
+
+    <allow send_destination="org.debian.aptostree1"
+           send_interface="org.freedesktop.DBus.Properties"
+           send_member="Get"/>
+
+    <allow send_destination="org.debian.aptostree1"
+           send_interface="org.freedesktop.DBus.Properties"
+           send_member="GetAll"/>
+
+    <allow send_destination="org.debian.aptostree1"
+           send_interface="org.debian.aptostree1.OS"/>
+
+    <allow send_destination="org.debian.aptostree1"
+           send_interface="org.debian.aptostree1.Sysroot"/>
+  </policy>
+</busconfig>

apt-ostree-systemd/systemd/system/apt-ostree-bootstatus.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Log apt-ostree Booted Deployment Status To Journal
+Documentation=man:apt-ostree(1)
+ConditionPathExists=/run/ostree-booted
+
+[Service]
+Type=oneshot
+ExecStart=apt-ostree status -b
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

apt-ostree-systemd/systemd/system/apt-ostree-countme.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Weekly apt-ostree Count Me reporting
+Documentation=man:apt-ostree-countme.service(8)
+ConditionPathExists=/run/ostree-booted
+
+[Service]
+Type=oneshot
+User=apt-ostree
+DynamicUser=yes
+StateDirectory=apt-ostree-countme
+StateDirectoryMode=750
+ExecStart=apt-ostree countme

apt-ostree-systemd/systemd/system/apt-ostree-countme.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Weekly apt-ostree Count Me reporting
+Documentation=man:apt-ostree-countme.service(8)
+ConditionPathExists=/run/ostree-booted
+
+[Timer]
+OnCalendar=weekly
+RandomizedDelaySec=1d
+Persistent=true
+
+[Install]
+WantedBy=timers.target

apt-ostree-systemd/systemd/system/apt-ostree-fix-shadow-mode.service

@@ -0,0 +1,25 @@
+[Unit]
+# apt-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
+# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
+Description=Update permissions for /etc/shadow
+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
+# This new stamp file is written by the Rust code, and obsoletes
+# the old /etc/.apt-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=!/etc/.apt-ostree-shadow-mode-fixed2.stamp
+ConditionPathExists=/run/ostree-booted
+# Filter out non-traditional ostree setups (e.g. live boots)
+ConditionKernelCommandLine=ostree
+# Because we read the sysroot
+RequiresMountsFor=/boot
+# Make sure this is started before any unprivileged (interactive) user has access to the system.
+Before=systemd-user-sessions.service
+
+[Service]
+Type=oneshot
+ExecStart=apt-ostree fix-shadow-perms
+RemainAfterExit=yes
+# So we can remount /sysroot writable in our own namespace
+MountFlags=slave
+
+[Install]
+WantedBy=multi-user.target

apt-ostree-systemd/systemd/system/apt-ostreed-automatic.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=APT-OSTree Automatic Update
+Documentation=man:apt-ostree(1) man:apt-ostreed.conf(5)
+ConditionPathExists=/run/ostree-booted
+
+[Service]
+Type=simple
+ExecStart=apt-ostree upgrade --quiet --trigger-automatic-update-policy

apt-ostree-systemd/systemd/system/apt-ostreed-automatic.timer

@@ -0,0 +1,14 @@
+[Unit]
+Description=APT-OSTree Automatic Update Trigger
+Documentation=man:apt-ostree(1) man:apt-ostreed.conf(5)
+ConditionPathExists=/run/ostree-booted
+After=network-online.target
+Wants=network-online.target
+
+[Timer]
+OnBootSec=1h
+OnUnitInactiveSec=1d
+Persistent=true
+
+[Install]
+WantedBy=timers.target

apt-ostree-systemd/systemd/system/apt-ostreed.service

@@ -0,0 +1,32 @@
+[Unit]
+Description=APT-OSTree System Management Daemon
+Documentation=man:apt-ostree(1)
+ConditionPathExists=/ostree
+RequiresMountsFor=/boot
+
+[Service]
+# See similar code in apt-ostree-countme.service
+User=apt-ostree
+DynamicUser=yes
+# As of right now, our primary API is DBus.  But see also https://github.com/coreos/rpm-ostree/issues/3850
+Type=dbus
+BusName=org.debian.aptostree1
+# To use the read-only sysroot bits
+MountFlags=slave
+# We have no business accessing /var/roothome or /var/home.  In general
+# the ostree design clearly avoids touching those, but since systemd offers
+# us easy tools to toggle on protection, let's use them.  In the future
+# it'd be nice to do something like using DynamicUser=yes for the main service,
+# and have a system apt-ostreed-transaction.service that runs privileged
+# but as a subprocess.
+ProtectHome=true
+NotifyAccess=main
+# Significantly bump this timeout from the default because
+# we do a lot of stuff on daemon startup.
+TimeoutStartSec=5m
+# We start this main process with full privileges; it may spawn unprivileged processes
+# with the apt-ostree user.
+ExecStart=+apt-ostree start-daemon
+ExecReload=apt-ostree reload
+# disable/enable downloading filelists
+Environment="DOWNLOAD_FILELISTS=false"

apt-ostree-systemd/tmpfiles.d/apt-ostree-0-integration-opt-usrlocal-compat.conf

@@ -0,0 +1,5 @@
+# Traditionally, /usr/local has been a link to /var/usrlocal and /opt to /var/opt.
+# A new model now is to allow OSTree commit content in those directories. For
+# backwards compatibility, we keep the /var paths but flip the symlinks around.
+L /var/usrlocal - - - - ../usr/local
+L /var/opt - - - - ../usr/lib/opt

apt-ostree-systemd/tmpfiles.d/apt-ostree-0-integration-opt-usrlocal.conf

@@ -0,0 +1,5 @@
+# Traditionally, /usr/local has been a link to /var/usrlocal and /opt to /var/opt.
+# A new model now is to allow OSTree commit content in those directories. But
+# this dropin implements the old model.
+d /var/opt 0755 root root -
+d /var/usrlocal 0755 root root -

apt-ostree-systemd/tmpfiles.d/apt-ostree-0-integration.conf

@@ -0,0 +1,18 @@
+d /var/home 0755 root root -
+d /var/srv 0755 root root -
+d /var/roothome 0700 root root -
+d /var/mnt 0755 root root -
+d /run/media 0755 root root -
+L /var/lib/dpkg - - - - ../../usr/share/dpkg
+
+# this is normally owned by `filesystem`, but for multiple reasons, this doesn't
+# work in the apt-ostree flow
+d /usr/local/bin 0755 root root -
+d /usr/local/etc 0755 root root -
+d /usr/local/games 0755 root root -
+d /usr/local/include 0755 root root -
+d /usr/local/lib 0755 root root -
+d /usr/local/man 0755 root root -
+d /usr/local/sbin 0755 root root -
+d /usr/local/share 0755 root root -
+d /usr/local/src 0755 root root -

bootc-dracut/usr/lib/dracut.conf.d/10-bootc-base.conf

@@ -0,0 +1,7 @@
+# Typically we want want a generic image and
+# hostonly makes no sense as part of a server side build.
+# (really hostonly=no should be the default if dracut detects that
+#  it's in a container or so)
+hostonly=no
+# We require ostree in the initramfs
+add_dracutmodules+=" ostree "

bootc-systemd/systemd/system/bootc-root-setup.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=bootc setup root
+Documentation=man:bootc(1)
+DefaultDependencies=no
+# For now
+ConditionKernelCommandLine=ostree
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+After=ostree-prepare-root.service
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/bootc/initramfs-setup setup-root
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes

bootc/systemd/system/bootc-destructive-cleanup.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Cleanup previous the installation after an alongside installation
+Documentation=man:bootc(8)
+ConditionPathExists=/sysroot/etc/bootc-destructive-cleanup
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/bootc/fedora-bootc-destructive-cleanup
+PrivateMounts=true
+
+[Install]
+WantedBy=multi-user.target

bootc/systemd/system/bootc-fetch-apply-updates.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=Apply bootc updates
+Documentation=man:bootc(8)
+ConditionPathExists=/run/ostree-booted
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootc upgrade --apply --quiet

bootc/systemd/system/bootc-fetch-apply-updates.timer

@@ -0,0 +1,14 @@
+[Unit]
+Description=Apply bootc updates
+Documentation=man:bootc(8)
+ConditionPathExists=/run/ostree-booted
+
+[Timer]
+OnBootSec=1h
+# This time is relatively arbitrary and obviously expected to be overridden/changed
+OnUnitInactiveSec=8h
+# When deploying a large number of systems, it may be beneficial to increase this value to help with load on the registry.
+RandomizedDelaySec=2h
+
+[Install]
+WantedBy=timers.target

bootc/systemd/system/bootc-generic-growpart.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Bootc Fallback Root Filesystem Grow
+Documentation=https://gitlab.com/fedora/bootc/docs
+# For now we skip bare metal cases, and we also have nothing to do
+# for containers.
+ConditionVirtualization=vm
+# This helps verify that we're running in a bootc/ostree based target.
+ConditionPathIsMountPoint=/sysroot
+# For someone making a smaller image, assume they have this handled.
+ConditionPathExists=/usr/bin/growpart
+# We want to run before any e.g. large container images might be pulled.
+DefaultDependencies=no
+Requires=sysinit.target
+After=sysinit.target
+Before=basic.target
+
+[Service]
+ExecStart=/usr/libexec/bootc-generic-growpart
+# So we can temporarily remount the sysroot writable
+MountFlags=slave
+# Just to auto-cleanup our temporary files
+PrivateTmp=yes

bootc/systemd/system/bootc-publish-rhsm-facts.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Publish bootc facts to Red Hat Subscription Manager
+Documentation=man:bootc(8)
+ConditionPathExists=/etc/rhsm/facts
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootc internals publish-rhsm-facts
+
+[Install]
+WantedBy=bootc-status-updated.target
+WantedBy=bootc-status-updated-onboot.target

bootc/systemd/system/bootc-status-updated-onboot.target

@@ -0,0 +1,7 @@
+[Unit]
+Description=Target for bootc status changes on boot
+Documentation=man:bootc-status-updated.target(8)
+ConditionPathExists=/run/ostree-booted
+
+[Install]
+WantedBy=multi-user.target

bootc/systemd/system/bootc-status-updated.target

@@ -0,0 +1,5 @@
+[Unit]
+Description=Target for bootc status changes
+Documentation=man:bootc-status-updated.target(8)
+StopWhenUnneeded=true
+ConditionPathExists=/run/ostree-booted

install.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+# Debian Atomic Infrastructure Installation Script
+# This script installs the missing OSTree infrastructure files to a Debian system
+
+set -e
+
+echo "🚀 Installing Debian Atomic Infrastructure Files"
+echo "================================================"
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+    echo "❌ Please run as root (use sudo)"
+    exit 1
+fi
+
+# Create directories
+echo "📁 Creating directories..."
+mkdir -p /usr/lib/systemd/system
+mkdir -p /usr/lib/ostree
+mkdir -p /usr/lib/tmpfiles.d
+mkdir -p /usr/lib/kernel/install.d
+mkdir -p /usr/lib/dracut/modules.d/98ostree
+mkdir -p /usr/lib/dracut.conf.d
+mkdir -p /usr/share/dbus-1/system.d
+
+# Install OSTree systemd services
+echo "🔧 Installing OSTree systemd services..."
+cp ostree-systemd/systemd/system/*.service /usr/lib/systemd/system/
+cp ostree-systemd/ostree/prepare-root.conf /usr/lib/ostree/
+cp ostree-systemd/tmpfiles.d/ostree-tmpfiles.conf /usr/lib/tmpfiles.d/
+
+# Install bootc services
+echo "🔧 Installing bootc services..."
+cp bootc/systemd/system/*.service /usr/lib/systemd/system/
+cp bootc-systemd/systemd/system/*.service /usr/lib/systemd/system/
+cp bootc/systemd/system/*.timer /usr/lib/systemd/system/
+cp bootc/systemd/system/*.target /usr/lib/systemd/system/
+
+# Install bootc dracut configuration
+echo "🔧 Installing bootc dracut configuration..."
+cp bootc-dracut/usr/lib/dracut.conf.d/*.conf /usr/lib/dracut.conf.d/
+
+# Install APT-OSTree services
+echo "🔧 Installing APT-OSTree services..."
+cp apt-ostree-systemd/systemd/system/*.service /usr/lib/systemd/system/
+cp apt-ostree-systemd/systemd/system/*.timer /usr/lib/systemd/system/
+cp apt-ostree-systemd/kernel/install.d/*.install /usr/lib/kernel/install.d/
+cp apt-ostree-systemd/kernel/install.conf /usr/lib/kernel/
+cp apt-ostree-systemd/tmpfiles.d/*.conf /usr/lib/tmpfiles.d/
+cp apt-ostree-systemd/apt-ostreed.conf /etc/
+cp apt-ostree-systemd/org.debian.aptostree1.conf /usr/share/dbus-1/system.d/
+
+# Make kernel install hook executable
+chmod +x /usr/lib/kernel/install.d/05-aptostree.install
+
+# Install OSTree dracut module
+echo "🔧 Installing OSTree dracut module..."
+cp ostree-dracut/modules.d/98ostree/module-setup.sh /usr/lib/dracut/modules.d/98ostree/
+chmod +x /usr/lib/dracut/modules.d/98ostree/module-setup.sh
+
+# Reload systemd
+echo "🔄 Reloading systemd..."
+systemctl daemon-reload
+
+echo "✅ Installation complete!"
+echo ""
+echo "📋 Installed components:"
+echo "  - OSTree systemd services (6 services)"
+echo "  - Bootc systemd services (8 services + timers + targets)"
+echo "  - APT-OSTree systemd services (4 services + timer)"
+echo "  - Kernel installation hooks (1 hook + config)"
+echo "  - OSTree dracut module (1 module)"
+echo ""
+echo "🎯 Next steps:"
+echo "  1. Test with apt-ostree compose tree"
+echo "  2. Test with apt-ostree compose container-encapsulate"
+echo "  3. Test with bootc-image-builder"
+echo "  4. Boot test the resulting image"
+echo ""
+echo "🔍 To verify installation:"
+echo "  systemctl list-units --type=service | grep -E '(ostree|bootc|apt-ostree)'"
+echo "  ls -la /usr/lib/kernel/install.d/05-aptostree.install"
+echo "  ls -la /usr/lib/dracut/modules.d/98ostree/module-setup.sh"

ostree-dracut/modules.d/98ostree/module-setup.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/bash
+installkernel() {
+    instmods erofs overlay
+}
+
+check() {
+    if [[ -x $systemdutildir/systemd ]] && [[ -x /usr/lib/ostree/ostree-prepare-root ]]; then
+       return 255
+    fi
+    return 1
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    dracut_install /usr/lib/ostree/ostree-prepare-root
+    for r in /usr/lib /etc; do
+        if test -f "$r/ostree/prepare-root.conf"; then
+            inst_simple "$r/ostree/prepare-root.conf"
+        fi
+    done
+    inst_simple "${systemdsystemunitdir}/ostree-prepare-root.service"
+    mkdir -p "${initdir}${systemdsystemconfdir}/initrd-root-fs.target.wants"
+    ln_r "${systemdsystemunitdir}/ostree-prepare-root.service" \
+        "${systemdsystemconfdir}/initrd-root-fs.target.wants/ostree-prepare-root.service"
+}

ostree-systemd/ostree/prepare-root.conf

@@ -0,0 +1,4 @@
+[composefs]
+enabled = yes
+[sysroot]
+readonly = true

ostree-systemd/systemd/system/ostree-boot-complete.service

@@ -0,0 +1,39 @@
+# Copyright (C) 2022 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+Description=OSTree Complete Boot
+Documentation=man:ostree(1)
+ConditionKernelCommandLine=ostree
+# For now, this is the only condition on which we start, but it's
+# marked as a triggering condition in case in the future we want
+# to do something else.
+ConditionPathExists=|/boot/ostree/finalize-failure.stamp
+# Also run when soft-reboot cleanup is needed
+ConditionPathExists=|/run/ostree/nextroot-booted
+# We start early
+DefaultDependencies=no
+After=sysinit.target
+RequiresMountsFor=/boot
+# Ensure that we propagate the failure into the current boot before
+# any further finalization attempts.
+Before=ostree-finalize-staged.service
+
+[Service]
+Type=oneshot
+# To write to /boot while keeping it read-only
+MountFlags=slave
+RemainAfterExit=yes
+ExecStart=/usr/bin/ostree admin boot-complete

ostree-systemd/systemd/system/ostree-finalize-staged-hold.service

@@ -0,0 +1,25 @@
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+Description=OSTree Finalize Staged Hold
+Documentation=man:ostree(1)
+DefaultDependencies=no
+ConditionPathExists=/run/ostree-booted
+
+[Service]
+Type=simple
+RemainAfterExit=yes
+ExecStart=/bin/true

ostree-systemd/systemd/system/ostree-finalize-staged.service

@@ -0,0 +1,52 @@
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+# For some implementation discussion, see:
+# https://lists.freedesktop.org/archives/systemd-devel/2018-March/040557.html
+[Unit]
+Description=OSTree Finalize Staged Deployment
+Documentation=man:ostree(1)
+ConditionPathExists=/run/ostree-booted
+DefaultDependencies=no
+
+RequiresMountsFor=/sysroot /boot
+After=local-fs.target
+Before=basic.target final.target
+# We want to make sure the transaction logs are persisted to disk:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1751272
+After=systemd-journal-flush.service
+Conflicts=final.target
+
+# Start the hold unit and ensure it stays active throughout this
+# service.
+Wants=ostree-finalize-staged-hold.service
+After=ostree-finalize-staged-hold.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStop=/usr/bin/ostree admin finalize-staged
+# This is a quite long timeout intentionally; the failure mode
+# here is that people don't get an upgrade.  We need to handle
+# cases with slow rotational media, etc.
+TimeoutStopSec=5m
+# OSTree should never touch /var at all...except, we need to remove
+# the /var/.updated flag, so we can't just `InaccessiblePaths=/var` right now.
+# For now, let's at least use ProtectHome just so we have some sandboxing
+# of that.
+ProtectHome=yes
+# And we shouldn't affect the current deployment's /etc.
+ReadOnlyPaths=/etc
+# We write to /sysroot and /boot of course.

ostree-systemd/systemd/system/ostree-prepare-root.service

@@ -0,0 +1,35 @@
+# Copyright (C) 2013 Colin Walters <walters@verbum.org>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+Description=OSTree Prepare OS/
+Documentation=man:ostree(1)
+DefaultDependencies=no
+ConditionKernelCommandLine=ostree
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/ostree/ostree-prepare-root /sysroot
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes

ostree-systemd/systemd/system/ostree-remount.service

@@ -0,0 +1,40 @@
+# Copyright (C) 2013 Colin Walters <walters@verbum.org>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+Description=OSTree Remount OS/ Bind Mounts
+Documentation=man:ostree(1)
+DefaultDependencies=no
+ConditionKernelCommandLine=ostree
+OnFailure=emergency.target
+Conflicts=umount.target
+# Run after core mounts
+After=-.mount var.mount
+After=systemd-remount-fs.service
+# But we run *before* most other core bootup services that need write access to /etc and /var
+Before=local-fs.target umount.target
+Before=systemd-random-seed.service plymouth-read-write.service systemd-journal-flush.service
+Before=systemd-tmpfiles-setup.service systemd-rfkill.service systemd-rfkill.socket
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/ostree/ostree-remount
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+
+[Install]
+WantedBy=local-fs.target

ostree-systemd/systemd/system/ostree-state-overlay@.service

@@ -0,0 +1,36 @@
+# Copyright (C) 2023 Red Hat Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+Description=OSTree State Overlay On /%I
+Documentation=man:ostree(1)
+DefaultDependencies=no
+ConditionKernelCommandLine=ostree
+# run after /var is setup since that's where the upperdir is stored
+# and after boot.mount so we can load the sysroot
+After=var.mount boot.mount
+# but before local-fs.target, which we consider ourselves a part of
+Before=local-fs.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/ostree admin state-overlay %i /%I
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+
+[Install]
+WantedBy=local-fs.target

ostree-systemd/tmpfiles.d/ostree-tmpfiles.conf

@@ -0,0 +1,21 @@
+# Copyright (C) 2017 Colin Walters <walters@verbum.org>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+# ostree runtime configuration
+d /run/ostree 0755 root root -
+# https://github.com/ostreedev/ostree/issues/393
+# Note this can eventually be removed now that we
+# write to the deployment backing dir.
+R! /var/tmp/ostree-unlock-ovl.*

verify.sh

@@ -0,0 +1,147 @@
+#!/bin/bash
+# Debian Atomic Infrastructure Verification Script
+# This script verifies that all required files are installed correctly
+
+echo "🔍 Verifying Debian Atomic Infrastructure Installation"
+echo "====================================================="
+
+# Check OSTree systemd services
+echo "📋 Checking OSTree systemd services..."
+ostree_services=(
+    "ostree-prepare-root.service"
+    "ostree-remount.service"
+    "ostree-state-overlay@.service"
+    "ostree-finalize-staged.service"
+    "ostree-finalize-staged-hold.service"
+    "ostree-boot-complete.service"
+)
+
+for service in "${ostree_services[@]}"; do
+    if [ -f "/usr/lib/systemd/system/$service" ]; then
+        echo "  ✅ $service"
+    else
+        echo "  ❌ $service - MISSING"
+    fi
+done
+
+# Check bootc services
+echo "📋 Checking bootc services..."
+bootc_services=(
+    "bootc-fetch-apply-updates.service"
+    "bootc-fetch-apply-updates.timer"
+    "bootc-generic-growpart.service"
+    "bootc-destructive-cleanup.service"
+    "bootc-publish-rhsm-facts.service"
+    "bootc-status-updated.target"
+    "bootc-status-updated-onboot.target"
+    "bootc-root-setup.service"
+)
+
+for service in "${bootc_services[@]}"; do
+    if [ -f "/usr/lib/systemd/system/$service" ]; then
+        echo "  ✅ $service"
+    else
+        echo "  ❌ $service - MISSING"
+    fi
+done
+
+# Check APT-OSTree services
+echo "📋 Checking APT-OSTree services..."
+apt_ostree_services=(
+    "apt-ostreed.service"
+    "apt-ostree-bootstatus.service"
+    "apt-ostree-countme.service"
+    "apt-ostree-countme.timer"
+    "apt-ostree-fix-shadow-mode.service"
+    "apt-ostreed-automatic.service"
+    "apt-ostreed-automatic.timer"
+)
+
+for service in "${apt_ostree_services[@]}"; do
+    if [ -f "/usr/lib/systemd/system/$service" ]; then
+        echo "  ✅ $service"
+    else
+        echo "  ❌ $service - MISSING"
+    fi
+done
+
+# Check configuration files
+echo "📋 Checking configuration files..."
+config_files=(
+    "/usr/lib/ostree/prepare-root.conf"
+    "/usr/lib/tmpfiles.d/ostree-tmpfiles.conf"
+    "/usr/lib/tmpfiles.d/apt-ostree-0-integration.conf"
+    "/usr/lib/tmpfiles.d/apt-ostree-0-integration-opt-usrlocal.conf"
+    "/usr/lib/tmpfiles.d/apt-ostree-0-integration-opt-usrlocal-compat.conf"
+    "/usr/lib/kernel/install.conf"
+    "/etc/apt-ostreed.conf"
+    "/usr/share/dbus-1/system.d/org.debian.aptostree1.conf"
+    "/usr/lib/dracut.conf.d/10-bootc-base.conf"
+)
+
+for file in "${config_files[@]}"; do
+    if [ -f "$file" ]; then
+        echo "  ✅ $file"
+    else
+        echo "  ❌ $file - MISSING"
+    fi
+done
+
+# Check kernel installation hooks
+echo "📋 Checking kernel installation hooks..."
+if [ -f "/usr/lib/kernel/install.d/05-aptostree.install" ]; then
+    echo "  ✅ 05-aptostree.install"
+    if [ -x "/usr/lib/kernel/install.d/05-aptostree.install" ]; then
+        echo "  ✅ 05-aptostree.install (executable)"
+    else
+        echo "  ❌ 05-aptostree.install (not executable)"
+    fi
+else
+    echo "  ❌ 05-aptostree.install - MISSING"
+fi
+
+# Check dracut module
+echo "📋 Checking dracut module..."
+if [ -f "/usr/lib/dracut/modules.d/98ostree/module-setup.sh" ]; then
+    echo "  ✅ 98ostree/module-setup.sh"
+    if [ -x "/usr/lib/dracut/modules.d/98ostree/module-setup.sh" ]; then
+        echo "  ✅ 98ostree/module-setup.sh (executable)"
+    else
+        echo "  ❌ 98ostree/module-setup.sh (not executable)"
+    fi
+else
+    echo "  ❌ 98ostree/module-setup.sh - MISSING"
+fi
+
+# Check systemd daemon reload
+echo "📋 Checking systemd daemon status..."
+if systemctl daemon-reload >/dev/null 2>&1; then
+    echo "  ✅ systemd daemon reload successful"
+else
+    echo "  ❌ systemd daemon reload failed"
+fi
+
+# Count total services
+echo "📊 Summary:"
+ostree_count=$(ls /usr/lib/systemd/system/ostree-*.service 2>/dev/null | wc -l)
+bootc_count=$(ls /usr/lib/systemd/system/bootc-*.service 2>/dev/null | wc -l)
+apt_ostree_count=$(ls /usr/lib/systemd/system/apt-ostree*.service 2>/dev/null | wc -l)
+total_services=$((ostree_count + bootc_count + apt_ostree_count))
+
+echo "  - OSTree services: $ostree_count"
+echo "  - Bootc services: $bootc_count"
+echo "  - APT-OSTree services: $apt_ostree_count"
+echo "  - Total services: $total_services"
+
+if [ $total_services -ge 18 ]; then
+    echo "  ✅ Installation looks complete!"
+else
+    echo "  ❌ Installation appears incomplete (expected ~18+ services)"
+fi
+
+echo ""
+echo "🎯 Next steps:"
+echo "  1. Test with apt-ostree compose tree"
+echo "  2. Test with apt-ostree compose container-encapsulate"
+echo "  3. Test with bootc-image-builder"
+echo "  4. Boot test the resulting image"