particle-os/debian-bootc-base-images
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial debian support

Browse source
This commit is contained in:
robojerk 2025-08-30 12:36:18 -07:00
parent 4c5a458148
commit 904a1d01ba
36 changed files with 986 additions and 372 deletions
Download patch file Download diff file Expand all files Collapse all files

57
minimal/basic-fixes.yaml
View file

@ -1,35 +1,30 @@
# Fix general bugs
# Basic fixes for Debian minimal base images
postprocess:
# See also https://github.com/openshift/os/blob/f6cde963ee140c02364674db378b2bc4ac42675b/common.yaml#L156
# This one is undoes the effect of
# # RHEL-only: Disable /tmp on tmpfs.
#Wants=tmp.mount
# in /usr/lib/systemd/system/basic.target
# We absolutely must have tmpfs-on-tmp for multiple reasons,
# but the biggest is that when we have composefs for / it's read-only,
# and for units with ProtectSystem=full systemd clones / but needs
# a writable place.
# Fix common issues and set up essential configuration
- |
#!/usr/bin/env bash
set -xeuo pipefail
mkdir -p /usr/lib/systemd/system/local-fs.target.wants
if test '!' -f /usr/lib/systemd/system/local-fs.target.wants/tmp.mount; then
ln -sf ../tmp.mount /usr/lib/systemd/system/local-fs.target.wants
fi
# See https://github.com/containers/bootc/issues/358
# basically systemd-tmpfiles doesn't follow symlinks; ordinarily our
# tmpfiles.d unit for `/var/roothome` is fine, but this actually doesn't
# work if we want to use tmpfiles.d to write to `/root/.ssh` because
# tmpfiles gives up on that before getting to `/var/roothome`.
#
# Redirect stdout to /dev/null because of some weird stdout issue
# with newer rpm-ostree: https://github.com/coreos/rpm-ostree/pull/5388#issuecomment-2971623787
sed -i -e 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf > /dev/null
# Because /var/roothome is also defined in rpm-ostree-0-integration.conf
# we need to delete /var/roothome
#
# Redirect stdout to /dev/null because of some weird stdout issue
# with newer rpm-ostree: https://github.com/coreos/rpm-ostree/pull/5388#issuecomment-2971623787
sed -i -e '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf > /dev/null
# Fix locale issues
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
echo "LANG=en_US.UTF-8" > /etc/default/locale
# Set up timezone
echo "UTC" > /etc/timezone
# Fix permissions on essential files
chmod 644 /etc/default/locale
chmod 644 /etc/timezone
# Ensure proper hostname configuration
echo "debian-atomic" > /etc/hostname
# Set up basic networking
cat > /etc/network/interfaces << 'EOF'
auto lo
iface lo inet loopback
EOF
# Fix systemd configuration
systemctl enable systemd-networkd
systemctl enable systemd-resolved

23
minimal/bootc.yaml
View file

@ -1,13 +1,14 @@
# The bootc components.
# Bootc configuration for Debian minimal base images
packages:
- systemd
- bootc
# Required by bootc install, sgdisk has been replaced by Rust crate
# in bootc https://github.com/containers/bootc/pull/775
- xfsprogs e2fsprogs dosfstools
# Bootc core components
- bootc
- bootc-ostree
exclude-packages:
# Exclude kernel-debug-core to make sure that it doesn't somehow get
# chosen as the package to satisfy the `kernel-core` dependency from
# the kernel package.
- kernel-debug-core
# Bootc configuration
bootc:
# Enable bootc functionality
- enable=true
# OSTree integration
- ostree-support=true
# Container runtime support
- container-support=true

50
minimal/bootupd.yaml
View file

@ -1,41 +1,15 @@
# Integration with https://github.com/coreos/bootupd and bootloader logic
# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
# Bootupd configuration for Debian minimal base images
packages:
# Bootupd for bootloader management
- bootupd
# bootloader
packages-aarch64:
- grub2-efi-aa64 efibootmgr shim
packages-ppc64le:
- grub2 ostree-grub2
packages-riscv64:
- grub2-efi-riscv64 efibootmgr
# Don't specify just `shim` for now because riscv isn't built in
# main koji instance yet and thus isn't signed. Here we specify
# the path to the provided file so when we do switch to the signed
# `shim` package it will transparently happen and we can clean up
# this packagelist entry later.
- /boot/efi/EFI/fedora/shimriscv64.efi
packages-s390x:
# For zipl
- s390utils-core
packages-x86_64:
- grub2 grub2-efi-x64 efibootmgr shim
- microcode_ctl
conditional-include:
- if: basearch != "s390x"
# And remove some cruft from grub2
include: grub2-removals.yaml
postprocess:
- |
#!/bin/bash
set -xeuo pipefail
# Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
/usr/bin/bootupctl backend generate-update-metadata
- |
#!/bin/bash
# Workaround for https://issues.redhat.com/browse/RHEL-78104
set -xeuo pipefail
rm -vrf /usr/lib/ostree-boot/loader
# Bootupd configuration
bootupd:
# Enable bootupd functionality
- enable=true
# OSTree integration
- ostree-support=true
# Bootloader configuration
- bootloader: grub
# EFI support
- efi-support: true

45
minimal/initramfs.yaml
View file

@ -1,28 +1,17 @@
# Configuration for the initramfs
postprocess:
- |
#!/usr/bin/env bash
set -xeuo pipefail
mkdir -p /usr/lib/dracut/dracut.conf.d
cat > /usr/lib/dracut/dracut.conf.d/20-bootc-base.conf << 'EOF'
# We want a generic image; hostonly makes no sense as part of a server side build
hostonly=no
# Dracut will always fail to set security.selinux xattrs at build time
# https://github.com/dracut-ng/dracut-ng/issues/1561
export DRACUT_NO_XATTR=1
add_dracutmodules+=" kernel-modules dracut-systemd systemd-initrd base ostree "
EOF
cat > /usr/lib/dracut/dracut.conf.d/22-bootc-generic.conf << 'EOF'
# Extra modules that we want by default that are known to exist in the kernel
add_dracutmodules+=" virtiofs "
EOF
cat > /usr/lib/dracut/dracut.conf.d/49-bootc-tpm2-tss.conf << 'EOF'
# We want this for systemd-cryptsetup tpm2 locking
add_dracutmodules+=" tpm2-tss "
EOF
cat > /usr/lib/dracut/dracut.conf.d/59-altfiles.conf << 'EOF'
# https://issues.redhat.com/browse/RHEL-49590
# On image mode systems we use nss-altfiles for passwd and group,
# this makes sure dracut uses them which also fixes kdump writing to NFS.
install_items+=" /usr/lib/passwd /usr/lib/group "
EOF
# Initramfs configuration for Debian minimal base images
packages:
# Initramfs tools
- initramfs-tools
- initramfs-tools-core
# Initramfs configuration
initramfs:
# Enable initramfs generation
- enable=true
# Include essential modules
- modules:
- ext4
- xfs
- btrfs
- overlay
- ostree

42
minimal/kernel-install.yaml
View file

@ -1,25 +1,19 @@
# Configuration to enable kernel-install integration
postprocess:
- |
#!/usr/bin/env bash
set -xeuo pipefail
source /usr/lib/os-release
echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
# take over. Rpm-ostree will use this to know that it is responsible\n\
# to run dracut and ensure that there is only one kernel in the image\n\
layout=ostree" | tee /usr/lib/kernel/install.conf > /dev/null
# By default dnf keeps multiple versions of the kernel, with this
# configuration we tell dnf to treat the kernel as everything else.
# https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
# Let's add the config to a distribution configuration file if dnf5
# is used, we append to /etc/dnf/dnf.conf if not.
# Also set protect_running_kernel=False, dnf/yum pre-dates Containers and
# uses uname to protect the running kernel even on Container builds.
if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
echo -e "[main]\nprotect_running_kernel=False" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-protect_running_kernel.conf
else
echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
echo "protect_running_kernel=False" >> /etc/dnf/dnf.conf
fi
# Kernel install configuration for Debian minimal base images
packages:
# Kernel installation tools
- linux-base
- linux-image-amd64
# Kernel install configuration
kernel-install:
# Enable kernel installation
- enable=true
# Use systemd-boot for UEFI systems
- bootloader: systemd-boot
# Kernel install directory
- install-dir: /boot/ostree
# Initramfs configuration
- initramfs: true
# Kernel command line
- cmdline: "ro root=LABEL=ROOT ostree=/ostree/boot.1/debian/14/x86_64/minimal/0"

20
minimal/kernel.yaml
View file

@ -1,6 +1,18 @@
# Enable the Linux kernel; see also kernel-rt.
# Debian kernel configuration for minimal base images
packages:
- kernel
# Essential kernel packages - let apt resolve the version
- linux-image-amd64
- linux-headers-amd64
# Only specify specific version if absolutely necessary for compatibility
# - linux-image-6.1.0-13-amd64 # Commented out - let apt resolve
exclude-packages:
- kernel-debug
# Kernel configuration
kernel:
# Ensure kernel supports essential features
- CONFIG_DEVTMPFS=y
- CONFIG_CGROUPS=y
- CONFIG_NAMESPACES=y
- CONFIG_SECCOMP=y
- CONFIG_BLK_DEV_INITRD=y
- CONFIG_EFI_STUB=y
- CONFIG_EFI=y

34
minimal/manifest.yaml
View file

@ -1,5 +1,5 @@
metadata:
summary: Effectively just bootc, systemd, kernel, and dnf as a starting point.
summary: Minimal Debian bootc base image with essential boot infrastructure.
edition: "2024"
@ -9,7 +9,7 @@ variables:
# Be minimal
recommends: false
# Default to `bash` in our container, the same as other containers we ship.
# Default to systemd init in our container
container-cmd:
- /sbin/init
@ -31,18 +31,28 @@ include:
- basic-fixes.yaml
- kernel-install.yaml
- systemd-presets.yaml
- partitioning.yaml
packages:
# this is implied by dependencies but let's make it explicit
# Essential system utilities
- coreutils
# We need dnf for building derived container images. In Fedora, this pulls
# in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
# just `dnf` once the `dnf` package is retired from Fedora.
- /usr/bin/dnf
# Even in minimal, we have this. If you don't want SELinux today, you'll need
# to build a custom image.
- selinux-policy-targeted
# And we want container-selinux because trying to layer it on later currently causes issues.
# Package management - we need apt for building derived container images
- apt
- apt-utils
# System initialization
- systemd
- systemd-sysv
# Kernel and boot infrastructure
- linux-image-amd64
- initramfs-tools
# OSTree support
- ostree
# Basic networking
- netbase
- ifupdown
# Security (optional - can be removed if not needed)
- selinux-policy-default
# Container support
- container-selinux
# Needed for tpm2 bound luks
# TPM support for LUKS encryption
- tpm2-tools

26
minimal/ostree.yaml
View file

@ -1,15 +1,15 @@
# OSTree configuration for Debian minimal base images
packages:
- ostree nss-altfiles
# OSTree core packages
- ostree
- ostree-utils
- libostree-1-1
postprocess:
# Set up default root config
- |
#!/usr/bin/env bash
set -xeuo pipefail
mkdir -p /usr/lib/ostree
cat > /usr/lib/ostree/prepare-root.conf << EOF
[composefs]
enabled = yes
[sysroot]
readonly = true
EOF
# OSTree configuration
ostree:
# Enable OSTree functionality
- enable=true
# Repository configuration
- repo-path=/ostree/repo
# Boot configuration
- boot-path=/boot/ostree

38
minimal/partitioning.yaml Normal file
View file

@ -0,0 +1,38 @@
# Partitioning configuration for Debian minimal base images
# Following Fedora's proven partition scheme:
# /boot/efi (ESP) - EFI System Partition
# /boot - Boot partition (separate from root)
# / (root) - Root filesystem (read-only for atomic systems)
partitions:
# EFI System Partition (ESP)
efi:
size: 512M
filesystem: vfat
mountpoint: /boot/efi
flags: [esp, boot]
label: EFI-SYSTEM
# Boot partition (separate from root)
boot:
size: 1G
filesystem: ext4
mountpoint: /boot
label: BOOT
# Root filesystem
root:
size: 100% # Use remaining space
filesystem: ext4
mountpoint: /
label: ROOT
# Partition table
partition_table: gpt
# Bootloader configuration
bootloader:
type: grub
target: both # UEFI and BIOS
efi_directory: /boot/efi
boot_directory: /boot

66
minimal/postprocess-conf.yaml
View file

@ -1,37 +1,29 @@
# This file configures things relevant to `rpm-ostree compose postprocess`.
# We want content lifecycled with the image
opt-usrlocal: "root"
# https://github.com/CentOS/centos-bootc/issues/167
machineid-compat: true
rpmdb: target
# We never want rpmdb.sqlite-shm as it's unreproducible
rpmdb-normalize: true
ignore-removed-users:
- root
ignore-removed-groups:
- root
# By default users and groups are injected to nss-altfiles
# which is immutable. This list moves a selected set
# to /etc/group instead, which is mutable per system
# and allows local users to become part of these groups.
etc-group-members:
- wheel
- systemd-journal
- tss # https://issues.redhat.com/browse/BIFROST-618
- adm
conditional-include:
- if: passwd_mode == "full"
include: check-passwd.yaml
- if: passwd_mode == "nobody"
include: check-passwd-nobody.yaml
- if: passwd_mode == "none"
include:
check-passwd:
type: "none"
check-groups:
type: "none"
# Post-processing configuration for Debian minimal base images
postprocess:
# Set up essential system configuration
- |
#!/usr/bin/env bash
set -xeuo pipefail
# Create essential directories
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/systemd/system
mkdir -p /etc/ostree
# Configure APT for minimal system
cat > /etc/apt/apt.conf.d/99-minimal << 'EOF'
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Assume-Yes "true";
EOF
# Set up OSTree configuration
cat > /etc/ostree/ostree.conf << 'EOF'
[core]
repo_mode=bare
EOF
# Ensure proper permissions
chmod 755 /etc/apt/apt.conf.d
chmod 644 /etc/apt/apt.conf.d/99-minimal
chmod 644 /etc/ostree/ostree.conf

50
minimal/systemd-presets.yaml
View file

@ -1,30 +1,20 @@
# Postprocessing relating to systemd presets on the system.
postprocess:
- |
#!/bin/bash
set -xeuo pipefail
# Override some of the default presets.
cat <<EOF > usr/lib/systemd/system-preset/85-bootc.preset
# Disable dnf-makecache.timer on bootc/image mode systems
# https://github.com/coreos/fedora-coreos-tracker/issues/1896#issuecomment-2848251507
disable dnf-makecache.timer
EOF
# Enable bootloader-update.service on F43+.
# https://github.com/coreos/fedora-coreos-tracker/issues/1468#issuecomment-2996654547
# https://fedoraproject.org/wiki/Changes/AutomaticBootloaderUpdatesBootc
- |
#!/bin/bash
set -xeuo pipefail
source /usr/lib/os-release
if [ $ID == "fedora" ] && [ ${VERSION_ID} -ge 43 ]; then
echo "enable bootloader-update.service" >> /usr/lib/systemd/system-preset/85-bootc.preset
fi
# Undo RPM scripts enabling units; we want the presets to be canonical
# https://github.com/projectatomic/rpm-ostree/issues/1803
- |
#!/bin/bash
set -xeuo pipefail
rm -rf /etc/systemd/system/*
systemctl preset-all
rm -rf /etc/systemd/user/*
systemctl --user --global preset-all
# Systemd presets for Debian minimal base images
systemd-presets:
# Enable essential systemd services
enable:
- systemd-networkd
- systemd-resolved
- systemd-timesyncd
- systemd-udevd
- systemd-logind
# Disable unnecessary services
disable:
- systemd-firstboot
- systemd-hwdb-update
- systemd-machine-id-commit
- systemd-pstore
- systemd-random-seed
- systemd-sysctl
- systemd-user-sessions
- systemd-vconsole-setup

31
minimal/tmpfiles.yaml
View file

@ -1,8 +1,25 @@
postprocess:
# Tmpfiles configuration for Debian minimal base images
tmpfiles:
# Essential system directories
- |
#!/bin/bash
set -xeuo pipefail
cat >/usr/lib/tmpfiles.d/bootc-base-rpmstate.conf <<'EOF'
# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=771713
d /var/lib/rpm-state 0755 - - -
EOF
# Create essential directories with proper permissions
d /var/log 0755 root root -
d /var/cache 0755 root root -
d /var/tmp 1777 root root -
d /tmp 1777 root root -
d /run 0755 root root -
# OSTree specific directories
d /ostree 0755 root root -
d /sysroot 0755 root root -
# Boot directories
d /boot/ostree 0755 root root -
# Systemd directories
d /etc/systemd/system 0755 root root -
d /etc/systemd/user 0755 root root -
# APT directories
d /var/lib/apt 0755 root root -
d /var/cache/apt 0755 root root -