The current custom base image flow of rebuilding a "built-in" image with
custom repos and then adding your own content separate is reasonable,
but it would be nice if one could augment the list of packages to
install in that initial build rather than as a separate transaction.
Then, you don't have to cleanup after dnf and `/var` content, re-inject
repo definitions, and refetch repo metadata. It also allows building
container images with additional packages without `dnf` necessarily
being in the package set.
We don't want to leak rpm-ostree implementation details, nor do we want
to invent a new format. So just add support for a `--install` arg and a
generic `--args-file` to pass arguments via a file.
We then generate a new treefile on the fly to extend the `packages`
list.
I'm sure there is a reason for why it is the way it is, which I will
learn about, but the way it is currently set up makes it hard to run
commands in the target system (like `rpm -q`) without doing a chroot
and doing a chroot requires some setup to happen.
I guess the nice thing about the way it is prior is we get to the look
at the filesystem untouched by the container runtime; which can
definitely be useful for tests.
This works around two issues:
- First, rpm switched to reading users/groups directly for
its implementation of systemd-sysusers, which meant
it no longer reads via nss, which breaks nss-altfiles.
xref: https://github.com/rpm-software-management/rpm/pull/2503#issuecomment-1536435351
and below.
- Second, even if that was fixed, `keylime` wants to add
its user to the group, which can't be done when it's a system
uid.
Since nothing in the OS content is owned by this group, we can
move underneath `/etc` by default.
Signed-off-by: Colin Walters <walters@verbum.org>
I just saw the sqlite-shm corruption in
https://gitlab.com/redhat/centos-stream/containers/bootc/-/merge_requests/437#note_2372766792
so let's just go ahead and turn on rpmdb_normalize which
also aids the reproducibility of the rpmdb.
While we're here let's also add a long overdue "unit test" for
the rootfs. This operates as a container build that mounts
the container-under-test as part of a multi-stage build.
Signed-off-by: Colin Walters <walters@verbum.org>
As part of all of this we're de-emphasizing "tier-x" and focusing
on making it ergonomic to either build up from minimal, or down+up
from standard.
Second, also add a CI test for our derived image.
Signed-off-by: Colin Walters <walters@verbum.org>
- Embed the manifests into the container image
- Add bootc-base-imagectl which is a tightly controlled frontend
to execute on those manifests.
For now, we don't attempt to rework how we build the standard
image to actually look like `dnf install`, but we show that
it can work.
Signed-off-by: Colin Walters <walters@verbum.org>
