UKI Cleanup#2200
Conversation
Johan-Liebert1
added
the
ci/merge
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors the UKI (Unified Kernel Image) build process to support passing explicit kernel and initramfs paths via CLI arguments, reducing reliance on auto-discovery within the rootfs. Key changes include updating the seal-uki and finalize-uki scripts to use named arguments, modifying Dockerfile stages to extract and clean up kernel components, and extending the Rust library and CLI to handle the new parameters. Review feedback identified a potential path resolution bug in the Rust file existence checks, a filename mismatch in the upgrade test Dockerfile, and suggested improvements for error handling and validation in the seal-uki script.
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
cb42d78 to
8a3ed64
Compare
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
7 times, most recently
from
66dc0e3 to
3a9dc2b
Compare
| cat >> /tmp/Containerfile.drop-lbis <<-EOF | ||
| FROM base as kernel | ||
| RUN <<-RUNEOF | ||
| objcopy -O binary --only-section=.initrd /boot/EFI/Linux/*.efi /boot/initramfs.img |
There was a problem hiding this comment.
We were discussing maybe having this in bootc - bootc internals uki extract?
| how: fmf | ||
| test: | ||
| - /tmt/tests/tests/test-37-install-no-boot-dir | ||
| extra-fixme_skip_if_composefs: true |
There was a problem hiding this comment.
How is this related?
From live chat - we probably want to test at a basic level that composefs tests actually install that way
There was a problem hiding this comment.
Oh, this is failing for another reason. I kinda lumped it with the bootloader=none one
There was a problem hiding this comment.
Actually this is failing for composefs because bootloader=none is not supported for composefs and this test fails when trying to install bootloader for composefs. For ostree, the bootloader installation is simply skipped with bootloader=none
I did end up fixing a containers-storage permission issue while debugging this
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
3a9dc2b to
8e581d4
Compare
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
8e581d4 to
503b07a
Compare
| ) -> Result<ImgConfigManifest> { | ||
| use containers_image_proxy::{ImageProxy, ImageReference, Transport}; | ||
|
|
||
| let imgref = ImageReference::from_str(&imgref) |
There was a problem hiding this comment.
In the caller we convert it to a string, here we convert back...
There was a problem hiding this comment.
The problem is they're two different types. In the caller we have ostree_container::ImageReference and ImageProxy::open_image_ref asks for containers_image_proxy::ImageReference
There was a problem hiding this comment.
We can convert it to string in Proxy::open_image. I also got confused by the two ImageReference in the codebase with one having Transport as an enum and the other one having it as a string, and we're using both...
There was a problem hiding this comment.
I ended up doing #2204, which does require bootc-dev/containers-image-proxy-rs#138 first
| ostree_ext::container::merge_default_container_proxy_opts(&mut config)?; | ||
| let proxy = containers_image_proxy::ImageProxy::new_with_config(config).await?; | ||
|
|
||
| if imgref.transport == Transport::ContainerStorage { |
There was a problem hiding this comment.
I think this would be the second copy of this, probably worth deduplicating
| RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \ | ||
| --mount=type=bind,from=sealed-uki,src=/,target=/run/sealed-uki \ | ||
| /usr/bin/finalize-uki /run/sealed-uki/out | ||
| cat >> /tmp/Containerfile.drop-lbis <<-EOF |
There was a problem hiding this comment.
This isn't about dropping lbis?
There was a problem hiding this comment.
This is kinda confusing but the original Dockerfile is for removing lbis and we just append UKI stuff to it
| kver=$(bootc container inspect --rootfs /run/base-penultimate-src --json | jq -r '.kernel.version') | ||
|
|
||
| rm -v "/usr/lib/modules/$kver/vmlinuz" | ||
| rm -v "/usr/lib/modules/$kver/initramfs.img" | ||
| fi |
There was a problem hiding this comment.
Since this one would end up being closer to user-facing, I would prefer to streamline this more.
I think what would work best is to have our "base" build process be a stage that generates a single intermediate image with /rootfs and /kernel or so. This could be part of bootc-base-imagectl, or we could have it be part of something more like bootc container split-root-and-uki?
There was a problem hiding this comment.
sgtm. By the "base" build process, are you referring to the Dockerfile (in bootc) or is it about something else?
|
I think we should have the kernel and initrd as required arguments and thus only support the case where they are not in the rootfs anymore as I don't see a use case where someone would want a sealed image with both a UKI and split out kernel and initrd. Edit: That would break the current |
|
Hmm. I kind of lean towards not breaking it at least right away, it seems really easy to continue to support what we have now too. We could mark it deprecated though. |
While building a sealed UKI image we'd want to remove the original kernel + initramfs from the final image and have only the final UKI present. This was not possible before as `bootc container ukify` expected kernel + initramfs to be present in `usr/lib/modules` of container root Fixes: bootc-dev#2185 Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com> wip
Now that we can pass kernel and initrd paths to `bootc ukify`, rework our UKI Dockerfile to remove kernel + initrd from the final layer and only keep the UKI This still will not *remove* the kernel + initrd from the tarball but have whiteout instead See bootc-dev#2027 (comment) Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
vmlinuz and intrd should not be present in UKI images; add test for the same Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Bootloader set to none is not supported with the composefs backend so we skip tests with this option for composefs backend Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
We were defaulting to unprivileged user "nobody" when pulling an image, but pulling from containers-storage was failing as it requires extra privileges. Default to the current user, usually root, when pulling from containers-storage Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
503b07a to
8a5c7ae
Compare
|
Failures are transient & volatile related. Maybe from #2201? |
3 participants
ukify: Allow passing custom kernel, initramfs
While building a sealed UKI image we'd want to remove the original
kernel + initramfs from the final image and have only the final UKI
present. This was not possible before as
bootc container ukifyexpected kernel + initramfs to be present in
usr/lib/modulesofcontainer root
Fixes: #2185
dockerfile/uki: Rework to remove kernel + initrd
Now that we can pass kernel and initrd paths to
bootc ukify, reworkour UKI Dockerfile to remove kernel + initrd from the final layer
and only keep the UKI
This still will not remove the kernel + initrd from the tarball but
have whiteout instead
See #2027 (comment)
test/integration: Test vmlinuz non-existence with UKI
vmlinuz and intrd should not be present in UKI images; add test for the
same