osbuild: use bootc install to deploy the container

[jbtrystram]

Instead of deploying the container to the tree then copy all the contents to the disk image, use bootc to directly manage the installation to the target filesystems.

Right now this requires to use the image as the buildroot so this requires python (for osbuild). This is tracked in [1].

[1] bootc-dev/bootc#1410 Requires osbuild/osbuild#2149

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[gemini-code-assist]

Code Review

The pull request introduces changes to use bootc install to deploy the container, which simplifies the image build process. There are a few critical issues in the YAML manifest related to copy-paste errors that lead to incorrect configurations for the 4k image builds and missing options for loopback devices. These issues need to be addressed.

[dustymabe]

I switched the CI on this to run against rawhide (contains python) so we could actually test the change.

[dustymabe]

A few diffs picked up by cosa diff --metal from #4226

cosa-diff-metal.txt

We should probably profile each diff (maybe in coreos/fedora-coreos-tracker#1827) and evaluate whether it's a change we want to make or not.

[dustymabe]

I can't get a built qemu image to boot. I suspect probably the root= and boot= UUIDs added on the kernel command line?

[jbtrystram]

I can't get a built qemu image to boot. I suspect probably the root= and boot= UUIDs added on the kernel command line?

do you mind sharing more logs ? What I am getting locally is ignition failing on coreos/fedora-coreos-tracker#1250

[dustymabe]

Ahh. I see that too now:

[    4.726843] ignition[875]: Ignition failed: failed to create users/groups: failed to configure users: failed to create user "core": exit status 10: Cmd: "useradd" "--root" "/sysroot" "--create-home" "--password" "*" "--comment" "CoreOS Admin" "--groups" "adm,sudo,systemd-journal,wheel" "core" Stdout: "" Stderr: "useradd: cannot lock /etc/group; try again later.\n"

[jbtrystram]

I can't get a built qemu image to boot. I suspect probably the root= and boot= UUIDs added on the kernel command line?

looks like removing those make the boot process go further (ignition completes), and out of the initramfs but fail to mount the boot partition.

[jbtrystram]

Blocked on bootc-dev/bootc#1441

[jbtrystram]

ok this works with the following PRs :

• install: ommit mountspec kargs when --root-mount-spec is empty  bootc-dev/bootc#1451
• stages/bootc.install-to-filesystem: add more knobs osbuild/osbuild#2152
• stages/ignition: parametrize the path to boot osbuild/osbuild#2149

for the bootc PR, it can be built then added into the image through overrides/rootfs. Make sure to build rawhide.

[jbtrystram]

follow-up : either find a way to get the boot components inside cosa, or change the bootc code to call bootupd from the deployed root . I think the latter is preferable.
I filed bootc-dev/bootc#1455

[jbtrystram]

follow-up : either find a way to get the boot components inside cosa, or change the bootc code to call bootupd from the deployed root . I think the latter is preferable. I filed bootc-dev/bootc#1455

Made bootc-dev/bootc#1460
With this, we no longer require to use the container as the buildroot, cosa works, so we could do that on all streams.

[jbtrystram]

Alright, marking this as ready for review as all the bits are in place.
I guess i need to update the osbuild manifest or the other arches as well, but I'll do that after a review to reduce the amount of back and forth.

This will need a release of bootc.

[dustymabe]

Some comments.

I think there are a few things we need to iron out before we can really move forward with this:

1. supporting both old and new paths at the same time

Do we need to? Usually when we make a change this large we roll it out slowly, which means we have to support both ways for some time.

This PR is ignoring that fact, but TBH looking at OSBuild configs that support both would be pretty intimidating, so I'm not excited about trying to do that either. I'd be interested in @jlebon or @travier's thoughts.

2. We need to make sure any/every diff that exists between images generated this way and the old way are considered and acknowleged as acceptable before we'd make this change.

[dustymabe]

Thank you for your patience here JB. I don't see anything too alarming in the patch set here. Mostly small stuff.

I do want to spend some time with this change testing it out locally and poking around the built images. I'll try to do so tomorrow.

[dustymabe]

A couple of things:

1. Trying to build the live media failed with:

Verifying that repacked image matches digest                                                                                                                                                                                                                                  
Packing successful!                                                                                                                                                                                                                                                           
Kernel binary linked: /run/osbuild/tree/tmp_1cwx4nh/tmp-rootfs-dir/boot/vmlinuz-6.17.0-0.rc7.250924gcec1e6e5d1ab3.58.fc44.x86_64                                                                                                                                              
Kernel HMAC linked: /run/osbuild/tree/tmp_1cwx4nh/tmp-rootfs-dir/boot/.vmlinuz-6.17.0-0.rc7.250924gcec1e6e5d1ab3.58.fc44.x86_64.hmac                                                                                                                                          
Creating erofs with -zlzma,level=6 -Eall-fragments,fragdedupe=inode -C1048576 --quiet                                                  
Traceback (most recent call last):                                                                                                     
  File "/run/osbuild/bin/org.osbuild.coreos.live-artifacts.mono", line 967, in <module>                                                
    r = main(workdir=tmdir,                                                                                                            
             tree=args["tree"],                                                                                                        
             inputs=args["inputs"],                                                                                                    
             options=args["options"],                                                                                                  
             loop_client=remoteloop.LoopClient("/run/osbuild/api/remoteloop"))                                                         
  File "/run/osbuild/bin/org.osbuild.coreos.live-artifacts.mono", line 929, in main                                                    
    blsentry_kargs, osname = mkrootfs_metal(paths, workdir, img_metal, fstype, fsoptions, loop_client)                                 
                             ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                 
  File "/run/osbuild/bin/org.osbuild.coreos.live-artifacts.mono", line 638, in mkrootfs_metal                                          
    with open(os.path.join(tmp_rootfs_dir, ALEPH_FILENAME), encoding='utf8') as f:                                                     
         ~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                                           
FileNotFoundError: [Errno 2] No such file or directory: '/run/osbuild/tree/tmp_1cwx4nh/tmp-rootfs-dir/.aleph-version.json'

2. The metal diff did show some differences (attached from-metal-ls-diff.txt and to-metal-ls-diff.txt).

• ./.aleph-version.json and the corresponding ./.coreos-aleph-version.json symlink are now just ./.bootc-aleph.json.
• There are ./boot/efi/EFI/fedora/bootuuid.cfg and ./boot/grub2/bootuuid.cfg that I think in the past we generate on first boot for CoreOS, is that right?
• ./boot/grub2/locale is missing a bunch of files that were there before (not sure if this is important).
• A bunch of new files in ./ostree/bootc/storage/
• The ref for the container seems to now include more information (i.e. about the pullspec) ./ostree/repo/refs/heads/ostree/container/image/docker_3A__2F__2F_quay_2E_io -> ./ostree/repo/refs/heads/ostree/container/image/docker_3A__2F__2F_ostree-image-signed_3A_docker_3A__2F__2F_quay_2E_io

from-metal-ls-diff.txt
to-metal-ls-diff.txt

[jbtrystram]

A couple of things:
....

Thank you so much for looking into this Dusty ! another set of eyes is really helpful.
I'll try to address these this week

[jbtrystram]

There are ./boot/efi/EFI/fedora/bootuuid.cfg and ./boot/grub2/bootuuid.cfg that I think in the past we generate on first boot for CoreOS, is that right?

See #4224 (comment)

./.aleph-version.json and the corresponding ./.coreos-aleph-version.json symlink are now just ./.bootc-aleph.json

We'll have to re-add this symlink in a postprocess I guess. I can change stages/org.osbuild.ostree.aleph to have it take an argument that only does the symlink if the aleph already exist. Note that this aleph is generated by bootc and have different content than ours.
I guess I need to dig into what we use this for

A bunch of new files in ./ostree/bootc/storage/

Looks like this is a leaked overlay mount, see this todo

[jbtrystram]

Added a commit that fixes the missing aleph file symlink. This also fixes the live artifact build

Requires osbuild/osbuild#2226

[jbtrystram]

@dustymabe : Rebased and updated. I included a manifest knob and a env var to make use of the bootc manifest.

* `./boot/grub2/locale` is missing a bunch of files that were there before (not sure if this is important).

It looks like those come from running grub-mkconfig but our boot partition should be populated with bootupd, so I don't understand how that differ. I could not find any lead in the bootupd code.

* The `ref` for the container seems to now include more information (i.e. about the pullspec) `./ostree/repo/refs/heads/ostree/container/image/docker_3A__2F__2F_quay_2E_io` -> `./ostree/repo/refs/heads/ostree/container/image/docker_3A__2F__2F_ostree-image-signed_3A_docker_3A__2F__2F_quay_2E_io`

Do you know any code that rely on the output of ostree refs ? A quick search didn't yield much

[jbtrystram]

It looks like those come from running grub-mkconfig but our boot partition should be populated with bootupd, so I don't understand how that differ. I could not find any lead in the bootupd code.

OK i dug more on this and it's another instance of bootc-dev/bootc#1559
In the previous manifest we were using a chroot before calling bootupd which made sure bootupd (and by extension grub2) would pull content from the target root. I fixed the missing grub static config in bootupd by manually pulling them when --src-root is passed, but the locale aren't present in the build root so they are not copied.

It would be nicer to have bootc actually chroot before calling bootupd, because it would have the added benefit to use the bootupd (and other) binaries that will ship on the image rather than what is in the buildroot.

Another way would be to use our image as the buildroot, but once again, we don't ship python.

[jbtrystram]

Ok I cleaned up the commits and addressed everything.
I started a full test run with a COSA image containing this PR and the manifest config knob in the staging pipeline

[jbtrystram]

Ok I cleaned up the commits and addressed everything. I started a full test run with a COSA image containing this PR and the manifest config knob in the staging pipeline

a few tests are failing, i'll look into it tomorrow

[jbtrystram]

Next up is bootc-dev/bootc#1710 ( we want to set sysroot.bls-append-except-default in the ostree repo config) and also /sysroot is not labeled correctly

[jbtrystram]

Fixed the labels issue in the last commit

[jbtrystram]

Failing tests :

ext.config.kdump.crash
ext.config.butane.grub-users
ext.config.ignition.remote
 kdump.crash.ssh
ext.config.networking.ifname-karg.everyboot-systemd-link-file
 kdump.crash.nfs
 ext.config.networking.rd-net-timeout-carrier
multipath.day1
ext.config.ignition.kargs

Except ext.config.butane.grub-users which is due to a missing ostree repo config, all of these failing tests are failing due to the /boot/grub2/bootuuid.cfg :

From what I understand, during the boot, coreos-gpt-setup.service assigns a new UUID to the partition, and coreos-boot-edit.service writes that new uuid to /boot/grub2/bootuuid.cfg.
However, when ignition needs to reboot (e.g. for applying a karg), the reboot happens between the two. So the UUID that bootc had written is no longer valid, preventing the reboot.

This does not happen in the non-bootc case because that bootuuid.cfg does not exist at first boot, trigerring grub to look for the boot label and not the partition uuid.

[jbtrystram]

Failing tests :

ext.config.kdump.crash
ext.config.butane.grub-users
ext.config.ignition.remote
 kdump.crash.ssh
ext.config.networking.ifname-karg.everyboot-systemd-link-file
 kdump.crash.nfs
 ext.config.networking.rd-net-timeout-carrier
multipath.day1
ext.config.ignition.kargs

Except ext.config.butane.grub-users which is due to a missing ostree repo config, all of these failing tests are failing due to the /boot/grub2/bootuuid.cfg :

From what I understand, during the boot, coreos-gpt-setup.service assigns a new UUID to the partition, and coreos-boot-edit.service writes that new uuid to /boot/grub2/bootuuid.cfg. However, when ignition needs to reboot (e.g. for applying a karg), the reboot happens between the two. So the UUID that bootc had written is no longer valid, preventing the reboot.

This does not happen in the non-bootc case because that bootuuid.cfg does not exist at first boot, trigerring grub to look for the boot label and not the partition uuid.

alright I was able to work around this with the following changes in our initrd services in FCOS :

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.service
index 629bb60f..f2d9c134 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.service
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.service
@@ -28,3 +28,6 @@ OnFailureJobMode=isolate
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/sbin/coreos-gpt-setup /dev/disk/by-label/boot
+# MountFlags=slave is so the umount of /boot is guaranteed to happen.
+# /boot will only be mounted for the lifetime of the unit.
+MountFlags=slave
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.sh
index 11cebd34..8042b735 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.sh
@@ -26,6 +26,19 @@ if [ "${PTUUID:-}" != "$UNINITIALIZED_GUID" ]; then
     exit 0
 fi
 
+
+# Mount /boot. Note that we mount /boot but we don't unmount it because we
+# are run in a systemd unit with MountFlags=slave so it is unmounted for us.
+bootmnt=/mnt/boot_partition/
+bootdev=/dev/disk/by-label/boot
+mount -o rw ${bootdev} ${bootmnt}
+# Make sure we delete any pre-existing bootuuid.cfg
+# bootc install stamps it during the disk image creation
+# since we are changing the uuid here we want to remove this file
+# otherwise it will prevent a reboot
+rm -f ${bootmnt}/grub2/bootuuid.cfg
+
+
 echo "Randomizing disk GUID"
 sgdisk --disk-guid=R --move-second-header "$PKNAME"
 udevadm settle || :

I'll push a container and start the test suite

[jbtrystram]

hmmm ok 1 last test failure : ext.config.boot.grub2-install
Which would be solved if bootc was chrooting before the bootupd invocation.

Pipeline run : https://jenkins-fedora-coreos-pipeline.apps.ocp.stg.fedoraproject.org/blue/organizations/jenkins/jbtrystram-build/detail/jbtrystram-build/8/pipeline