For the use case of updating Konflux lockfiles we want
to be able to easily render the manifests to a tempdir without
installing to `/`.
Move the install of the build script to the main container
build so `install-manifests` only touches manifests.
Signed-off-by: Colin Walters <walters@verbum.org>
Make it possible to set the repos image with a build argument, e.g.:
    --build-arg=REPOS_IMAGE=quay.io/fedora/fedora:42
Currently it's only possible to use the --from argument, e.g.:
    --from=quay.io/fedora/fedora:42
Signed-off-by: Miguel Martín <mmartinv@redhat.com>
There's a crazy history around this; what we really want is
to have this reliably generated by tmpfiles.d, the handling
for which I want to move to bootc. For now let's wedge this
into finalize.d alongside the few others here.
Signed-off-by: Colin Walters <walters@verbum.org>
This fronts the functionality currently implemented in rpm-ostree,
for the same reason as we have `build-rootfs`; the functionality
may move elsewhere in the future.
Signed-off-by: Colin Walters <walters@verbum.org>
Motivated by trimming the package set of minimal to be smaller
to match its name.
But more generally, I think the solution most of the time we hit a
"multiple things have a provides" isn't to hardcode what we want,
but to exclude what we don't want.
Ideally, of course, there'd be something like
`ProvidesDisfavored: iptables` that `iptables-legacy` could
use.
Signed-off-by: Colin Walters <walters@verbum.org>
I just saw the sqlite-shm corruption in
https://gitlab.com/redhat/centos-stream/containers/bootc/-/merge_requests/437#note_2372766792
so let's just go ahead and turn on rpmdb_normalize which
also aids the reproducibility of the rpmdb.
While we're here let's also add a long overdue "unit test" for
the rootfs. This operates as a container build that mounts
the container-under-test as part of a multi-stage build.
Signed-off-by: Colin Walters <walters@verbum.org>
While "cross builds" and using a separate repos container can
feel very clean (instead of mutating the builder container)
it's actually much closer to our default intention to support building
a new version of the base image from the image itself.
So make the source root optional (i.e. it defaults to `/`).
This will improve the default UX, but also more specifically
will fix the issue that cachi2 breaks the separate source root flow.
Signed-off-by: Colin Walters <walters@verbum.org>
As part of all of this we're de-emphasizing "tier-x" and focusing
on making it ergonomic to either build up from minimal, or down+up
from standard.
Second, also add a CI test for our derived image.
Signed-off-by: Colin Walters <walters@verbum.org>
- Embed the manifests into the container image
- Add bootc-base-imagectl which is a tightly controlled frontend
to execute on those manifests.
For now, we don't attempt to rework how we build the standard
image to actually look like `dnf install`, but we show that
it can work.
Signed-off-by: Colin Walters <walters@verbum.org>
I want to make it clearer which manifests are actually
"toplevels" versus which are just for inclusion.
Move fedora-generic to its own subdirectory for this reason.
Signed-off-by: Colin Walters <walters@verbum.org>
Followup to the naming standardization. Now `fedora-bootc.yaml`
is effectively a deprecated alias only used by the legacy pungi configs.
Signed-off-by: Colin Walters <walters@verbum.org>
This is generally useful for the same reason dpkg/rpm packages
have descriptions. But it's also specifically preparation
for the base image builder having a list operation to show
available configurations.
Signed-off-by: Colin Walters <walters@verbum.org>
We have a legacy of trying to support using e.g. kernel-rt. But
it adds complexity in the inheritance because minimal/manifest.yaml
isn't standalone, it also needs a kernel.
As part of custom base images I want to simplify this.
In order to use kernel-rt, we'll just say that you build a
minimal base, and then swap to kernel-rt as a secondary step
for now.
Signed-off-by: Colin Walters <walters@verbum.org>
The "tiers" nomenclature ended up being unhelpful since
we introduced "tier-x" which is between tier-0 and tier-1.
We also never exposed the tier naming outside of our source
code. In preparation for doing so, rename tier-0 to
"minimal" which is a bit more descriptive.
Renaming the other images will follow.
Signed-off-by: Colin Walters <walters@verbum.org>
The platform-engineering include is using a truly ancient buildah
image. Stop including that and bump to the latest.
Signed-off-by: Colin Walters <walters@verbum.org>
This takes some of the logic from what's currently in the custom base image branch
and applies it here for the main branch.
We need this in order to not depend on the logic that was
removed in https://github.com/containers/buildah/issues/5952
Note that with the latest rpm-ostree v2025.5 `--source-root`
is significantly improved and we don't need to manually copy
dnf variables or gpg keys.
This is only used by Fedora CoreOS derivatives, and
we don't include the corresponding sudo rule.
The motivation here is that this group in particular has
no corresponding systemd sysusers.d, and a future bootc
is going to check for that.
Closes: https://gitlab.com/fedora/bootc/base-images/-/issues/41
Signed-off-by: Colin Walters <walters@verbum.org>
It's not desired by default in RHEL 10 or below yet, ref
https://issues.redhat.com/browse/RHEL-77077
AFAICS, it's already explicitly specified in the fedora-coreos manifest,
so dropping it here shouldn't affect FCOS.
Of course I think what we *really* want here is distribution
conditionals.
Signed-off-by: Colin Walters <walters@verbum.org>
This empty directory is required by some RPM scripts. Historically
rpm-ostree's script invocations made this by default, but that
doesn't happen with direct rpm or dnf.
Signed-off-by: Colin Walters <walters@verbum.org>
This MR adds two configurations to enable kernel-install integration;
this will enable using dnf or rpm to install kernels.
- /usr/lib/kernel/install.conf: enables the hook that tells kernel-install
to defer the logic to rpm-ostree; this is currently only on f42
- dnf.conf: ensures dnf only keeps one kernel package