Build via Containerfile and derive from fedora-bootc #3348

jlebon · 2025-02-03T20:23:05Z

This builds Fedora CoreOS using a Containerfile. It uses the FROM scratch flow to do a base compose.

This is structured in a way that we can build FCOS using both podman build and cosa build. This allows us to make the cutover much smoother. So then, we could turn this on in e.g. rawhide first and let it percolate down.

All the heavy lifting is done in the build-rootfs script. The idea is that this script is shared by both FCOS and RHCOS. Random notes:

It's in Python. This is fine, because the builder image is separate from the target rootfs. The bootc-base-imagectl script itself is in Python and so can only be used from the :standard image.
Packages are extracted from the manifest, and fed to bootc-base-imagectl (see
https://gitlab.com/fedora/bootc/base-images/-/merge_requests/178) so it's part of a single compose.
We keep respecting the in-git lockfiles. In the future, how lockfiles work will change (see discussions in Build FCOS from fedora-bootc using podman build fedora-coreos-tracker#1861).
What you see overall is a lot of cosa-isms and rpm-ostree-isms being lifted and carried right into the build script. Things like overlays, versioning, postprocessing, os-release mutating, etc...

Rechunking is expected to be done as a secondary step. Once we have containers/buildah#5952, we can inline it back into the Containerfile.

Requires:

ship bootc-base-imagectl in Fedora (#44) (currently to test this, you need to build fedora-bootc locally yourself)
compose: Cache RPMs if cache dir on separate filesystem rpm-ostree#5391
Some bits of base-imagectl: support --cachedir; use in Containerfile (!180)

jlebon · 2025-02-03T20:24:37Z

This is still in the early phase. It doesn't work yet.

Also note we're using tier-1 for now since there's no tier-x image available yet (https://gitlab.com/fedora/bootc/base-images/-/issues/25).

Edit: now using a tier-x image I built myself.

jlebon · 2025-02-07T18:30:04Z

OK cool, got a successful build with this and coreos/rpm-ostree#5274 which I can even rebase to and boot successfully. We're not rebuilding the initramfs yet nor adding overlays. Those shouldn't be hard though.

jlebon · 2025-05-20T19:32:05Z

Updated this now and updated the PR description with more details! Still working on it (notably, going over preliminary diffs between a cosa-built tree and this).

cgwalters

Looks generally sane to me!

image-default.yaml

Containerfile

build-rootfs

dustymabe · 2025-05-29T21:02:10Z

build-rootfs

+    # inject live/ bits
+    target_path = os.path.join(rootfs, 'usr/share/coreos-assembler/live')
+    shutil.copytree(os.path.join(CONTEXTDIR, "live"), target_path)


I guess we could put this in a proper overlay to not have to special case this.

Yeah, true. It's trivial too to just inject it so will just do that for now to avoid the cosa churn.

manifests/fedora-coreos-base.yaml

dustymabe · 2025-05-29T21:20:56Z

manifests/fedora-coreos-base.yaml

+    set -xeuo pipefail
+    if [ -f /run/.containerenv ]; then
+      grep sudo /usr/lib/group >> /etc/group
+    fi


Should we add these three new postprocess scripts in a manifest that is shared with RHCOS/SCOS?

Maybe. For a first pass, I'm just keeping all these "postprocess moves" in the same manifest as the equivalent compose key they come from to ensure I don't mess up any inheritance in the process.

manifests/fedora-coreos.yaml

dustymabe · 2025-05-29T21:26:08Z

Havne't had a chance to test this out yet. Some comments in the mean time.

jlebon · 2025-06-04T16:58:28Z

Updated for comments!

This now requires https://gitlab.com/fedora/bootc/base-images/-/merge_requests/195.

Split prep patches in #3534.

Dropped the WIP prefix to signal this is nearing completion.

jlebon · 2025-06-04T16:59:54Z

One thing worth highlighting is that if you look at the build-rootfs script, there's only a few keys that we look at currently:

packages
ostree-layers
mutate-os-release
postprocess

Once we switch to the container-native flow, every key other than those could be nuked. At that point, manifests are just a way of organizing those keys into a useful hierarchy to make sharing across streams and across RHCOS/SCOS easier, but it does make it easier to switch to a different way of doing that if we wanted to.

We should be able to revert this soon. Mostly doing this so that we can start building it in CI as part of coreos#3348.

cgwalters · 2025-06-06T16:53:11Z

Thanks again for all of the work on this! It's a giant milestone towards the original vision I had here...been a long, long journey and many parts have been much harder than I thought. But I do believe (hope) that this will pay itself back in a lot of ways.

I mean, one thing for sure that is so much dramatically nicer is that use case of "hey I just want to drop in this one override for one package" is now just FROM <base> RUN dnf -y upgrade foo whereas before...so much bespoke tooling.

If there's anything more I (or the team) can do to help let me know!

This command takes as argument a `containers-transport(5)`-style pullspec and creates a new cosa build dir from it. It essentially bridges the gap between coreos/fedora-coreos-config#3348 and the rest of the cosa pipeline.

cgwalters · 2025-06-11T07:40:40Z

$ podman run --rm -ti quay.io/fedora/fedora-bootc:42 /usr/libexec/bootc-base-imagectl --help                                                        2 06/11/2025 09:29:50 AM
usage: bootc-base-imagectl [-h] [--args-file FILE] {build-rootfs,rechunk,list} ...

(And thank you for that!!!)

mmartinv · 2025-06-11T09:04:34Z

ah, looking at the labels on latest I see :

"Labels": {
        "architecture": "x86_64",
        "bootc.diskimage-builder": "quay.io/centos-bootc/bootc-image-builder",
        "build-date": "2025-06-04T14:01:42",
        "containers.bootc": "1",
        "io.buildah.version": "1.39.0-dev",
        "org.opencontainers.image.version": "43",
        "vcs-ref": "08254c0ba435bed9f8871a0c6b0ed806599ed41c",
        "vcs-type": "git"
}

haven't been rebuilt since june 04th

This is basically my fault: Yesterday I was trying to clean up the failed releases and I accidentally triggered some of them which, for what it seems, were quite old. This should have been fixed with the latest builds from yesterday's compose

This builds RHEL CoreOS using a Containerfile. It uses the [FROM scratch flow](https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/) to do a base compose. This is structured in a way that we can build FCOS using _both_ `podman build` _and_ `cosa build`. This allows us to make the cutover much smoother. This builds on top of coreos/fedora-coreos-config#3348. Notably, the Containerfile and build-rootfs files are shared with FCOS. See that PR message for more details on the overall approach since it applies as well here.

This command takes as argument a `containers-transport(5)`-style pullspec and creates a new cosa build dir from it. It essentially bridges the gap between coreos/fedora-coreos-config#3348 and the rest of the cosa pipeline. co-authored by: Bipin B Narayan <[email protected]>

This builds RHEL CoreOS using a Containerfile. It uses the [FROM scratch flow](https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/) to do a base compose. This is structured in a way that we can build FCOS using _both_ `podman build` _and_ `cosa build`. This allows us to make the cutover much smoother. This builds on top of coreos/fedora-coreos-config#3348. Notably, the Containerfile and build-rootfs files are shared with FCOS. See that PR message for more details on the overall approach since it applies as well here.

This command takes as argument a `containers-transport(5)`-style pullspec and creates a new cosa build dir from it. It essentially bridges the gap between coreos/fedora-coreos-config#3348 and the rest of the cosa pipeline. co-authored by: Bipin B Narayan <[email protected]>

This command takes as argument a `containers-transport(5)`-style pullspec and creates a new cosa build dir from it. It essentially bridges the gap between coreos/fedora-coreos-config#3348 and the rest of the cosa pipeline. Co-authored-by: Jonathan Lebon <[email protected]>

This builds RHEL CoreOS using a Containerfile. It uses the [FROM scratch flow](https://docs.fedoraproject.org/en-US/bootc/building-from-scratch/) to do a base compose. This is structured in a way that we can build FCOS using _both_ `podman build` _and_ `cosa build`. This allows us to make the cutover much smoother. This builds on top of coreos/fedora-coreos-config#3348. Notably, the Containerfile and build-rootfs files are shared with FCOS. See that PR message for more details on the overall approach since it applies as well here.

This command takes as argument a `containers-transport(5)`-style pullspec and creates a new cosa build dir from it. It essentially bridges the gap between coreos/fedora-coreos-config#3348 and the rest of the cosa pipeline. Co-authored-by: Jonathan Lebon <[email protected]>

jlebon force-pushed the pr/derive branch from 2076662 to 9d087ee Compare February 7, 2025 18:03

jlebon mentioned this pull request Feb 7, 2025

Add new treefile-apply experimental command coreos/rpm-ostree#5274

Merged

travier mentioned this pull request Mar 14, 2025

Build FCOS from fedora-bootc using podman build coreos/fedora-coreos-tracker#1861

Closed

jlebon force-pushed the pr/derive branch from 9d087ee to 469b300 Compare May 20, 2025 17:00

jlebon changed the base branch from rawhide to testing-devel May 20, 2025 17:00

jlebon force-pushed the pr/derive branch from 469b300 to 5f38573 Compare May 20, 2025 17:01

jlebon force-pushed the pr/derive branch 2 times, most recently from 5c5f576 to 1ee6ffd Compare May 26, 2025 19:02

cgwalters reviewed May 27, 2025

View reviewed changes

image-default.yaml Show resolved Hide resolved

dustymabe reviewed May 29, 2025

View reviewed changes

jlebon force-pushed the pr/derive branch from 1ee6ffd to 3fa943d Compare June 4, 2025 16:50

jlebon mentioned this pull request Jun 4, 2025

Prep patches for container-native path #3534

Merged

jlebon changed the title ~~WIP: Build via Containerfile and derive from fedora-bootc~~ Build via Containerfile and derive from fedora-bootc Jun 4, 2025

jlebon force-pushed the pr/derive branch 2 times, most recently from 5b02753 to 18af51d Compare June 4, 2025 19:33

jlebon added a commit to jlebon/fedora-coreos-config that referenced this pull request Jun 4, 2025

Containerfile: fast-track bootc-base-imagectl and rpm-ostree

2193c4c

We should be able to revert this soon. Mostly doing this so that we can start building it in CI as part of coreos#3348.

jlebon added a commit to jlebon/fedora-coreos-config that referenced this pull request Jun 4, 2025

Containerfile: fast-track bootc-base-imagectl and rpm-ostree

ac11d32

We should be able to revert this soon. Mostly doing this so that we can start building it in CI as part of coreos#3348.

jlebon force-pushed the pr/derive branch from 2193c4c to ac11d32 Compare June 4, 2025 20:53

manifests: delete extra backtick

24497e1

jlebon added a commit to jlebon/fedora-coreos-config that referenced this pull request Jun 5, 2025

Containerfile: fast-track bootc-base-imagectl and rpm-ostree

112a785

We should be able to revert this soon. Mostly doing this so that we can start building it in CI as part of coreos#3348.

jlebon force-pushed the pr/derive branch from ac11d32 to 112a785 Compare June 5, 2025 18:49

jlebon force-pushed the pr/derive branch from 112a785 to 1a2cb65 Compare June 6, 2025 19:06

jlebon marked this pull request as ready for review June 6, 2025 19:06

jlebon mentioned this pull request Jun 10, 2025

WIP: Add cosa import coreos/coreos-assembler#4137

Closed

jlebon mentioned this pull request Jun 20, 2025

COS-3308: Build via Containerfile and derive from rhel-bootc coreos/rhel-coreos-config#28

Merged

7 tasks

PeaceRebel mentioned this pull request Jun 25, 2025

Add cosa import coreos/coreos-assembler#4164

Merged

Build via Containerfile and derive from fedora-bootc #3348

Build via Containerfile and derive from fedora-bootc #3348

Uh oh!

Conversation

jlebon commented Feb 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jlebon commented Feb 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jlebon commented Feb 7, 2025

Uh oh!

jlebon commented May 20, 2025

Uh oh!

cgwalters left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

dustymabe May 29, 2025

Choose a reason for hiding this comment

Uh oh!

jlebon Jun 4, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

dustymabe May 29, 2025

Choose a reason for hiding this comment

Uh oh!

jlebon Jun 4, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

dustymabe commented May 29, 2025

Uh oh!

jlebon commented Jun 4, 2025

Uh oh!

jlebon commented Jun 4, 2025

Uh oh!

cgwalters commented Jun 6, 2025

Uh oh!

cgwalters commented Jun 11, 2025

Uh oh!

mmartinv commented Jun 11, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

jlebon commented Feb 3, 2025 •

edited

Loading

jlebon commented Feb 3, 2025 •

edited

Loading