diff --git a/Dockerfile b/Dockerfile index 3fe6785b8..66f97342f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -39,8 +39,8 @@ EORUN # bootc binaries in /out. The intention is that the target rootfs is extracted from /out # back into a final stae (without the build deps etc) below. FROM base as build -# Flip this on to enable initramfs code -ARG initramfs=0 +# Flip this off to disable initramfs code +ARG initramfs=1 # This installs our package dependencies, and we want to cache it independently of the rest. # Basically we don't want changing a .rs file to blow out the cache of packages. So we only # copy files necessary diff --git a/tests/build.sh b/tests/build.sh index 642d0601d..ae0d5cd13 100755 --- a/tests/build.sh +++ b/tests/build.sh @@ -45,7 +45,7 @@ DISK=target/bootc-integration-test.qcow2 rm -vf "${DISK}" # testcloud barfs on .raw if test -n "${bcvk}"; then - bcvk to-disk --format=qcow2 --disk-size "${SIZE}" localhost/bootc-integration "${DISK}" + bcvk to-disk --format=qcow2 --disk-size "${SIZE}" --filesystem ext4 localhost/bootc-integration "${DISK}" else TMPDISK=target/bootc-integration-test.raw truncate -s "${SIZE}" "${TMPDISK}" @@ -59,7 +59,7 @@ else -v $(pwd)/target:/target \ localhost/bootc-integration \ bootc install to-disk \ - --filesystem "xfs" \ + --filesystem "ext4" \ --karg=console=ttyS0,115200n8 \ --generic-image \ --via-loopback \ diff --git a/tmt/plans/integration.fmf b/tmt/plans/integration.fmf index 34ad9416e..40d0facc6 100644 --- a/tmt/plans/integration.fmf +++ b/tmt/plans/integration.fmf @@ -53,3 +53,10 @@ execute: how: fmf test: - /tmt/tests/test-25-soft-reboot + +/test-26-examples-build: + summary: Test bootc examples build scripts + discover: + how: fmf + test: + - /tmt/tests/test-26-examples-build diff --git a/tmt/tests/booted/readonly/051-test-initramfs.nu b/tmt/tests/booted/readonly/051-test-initramfs.nu index 150054eee..0af5f3941 100644 --- a/tmt/tests/booted/readonly/051-test-initramfs.nu 
+++ b/tmt/tests/booted/readonly/051-test-initramfs.nu @@ -8,6 +8,11 @@ if (not ("/usr/lib/bootc/initramfs-setup" | path exists)) { exit 0 } +if (not (open /proc/cmdline | str contains composefs)) { + print "No composefs in cmdline" + exit 0 +} + journalctl -b -t bootc-root-setup.service --grep=OK tap ok diff --git a/tmt/tests/examples/bootc-bls/Containerfile b/tmt/tests/examples/bootc-bls/Containerfile new file mode 100644 index 000000000..73f114730 --- /dev/null +++ b/tmt/tests/examples/bootc-bls/Containerfile @@ -0,0 +1,10 @@ +FROM quay.io/fedora/fedora-bootc:42 +COPY extra / +COPY bootc /usr/bin + +RUN passwd -d root + +# need to have bootc-initramfs-setup in the initramfs so we need this +RUN set -x; \ + kver=$(cd /usr/lib/modules && echo *); \ + dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver; diff --git a/tmt/tests/examples/bootc-bls/build b/tmt/tests/examples/bootc-bls/build new file mode 100755 index 000000000..38e45edbd --- /dev/null +++ b/tmt/tests/examples/bootc-bls/build @@ -0,0 +1,16 @@ +#!/bin/bash + +set -eux + +cd "${0%/*}" + +cp /usr/bin/bootc . +cp /usr/lib/bootc/initramfs-setup extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup + +mkdir -p tmp + +podman build \ + -t quay.io/fedora/fedora-bootc-bls:42 \ + -f Containerfile \ + --iidfile=tmp/iid \ + . diff --git a/tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf b/tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf new file mode 100644 index 000000000..d1adac96f --- /dev/null +++ b/tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf @@ -0,0 +1,3 @@ +# we need to force these in via the initramfs because we don't have modules in +# the base image +force_drivers+=" virtio_net vfat " 
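Review bot: `RUN passwd -d root` leaves the image with an empty root password, and the build script next to it tags the result `quay.io/fedora/fedora-bootc-bls:42`, a name that reads like a published image. A comment above the line should say this is for the test VM only, e.g. `# test-only: passwordless root for console login; never push this image`, and a `localhost/` tag would keep the image from being pushed by accident. The same line is added in tmt/tests/examples/bootc-uki/Containerfile.stage1. The base `FROM quay.io/fedora/fedora-bootc:42` is a floating tag, so pinning it by digest would make the test build reproducible.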
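Review bot: `cd "${0%/*}"` fails when the script is started without a slash in `$0` (for example `bash build`), because the expansion then yields `build` rather than a directory; `cd "$(dirname "$0")"` handles both cases. build_vars in the bootc-uki example uses the same line. `cp /usr/bin/bootc .` also copies whatever bootc the host has into the build context, so a comment stating that this must be the binary under test would help readers.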
diff --git a/tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service b/tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service
new file mode 100644
index 000000000..15fdc5801
--- /dev/null
+++ b/tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service
@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see .
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootc-initramfs-setup
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes
diff --git a/tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh b/tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh
new file mode 100755
index 000000000..b1c56206f
--- /dev/null
+++ b/tmt/tests/examples/bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh
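Review bot: The `[Unit]` section has no `Description=`, and `OnFailure=emergency.target` with `OnFailureJobMode=isolate` sends any failure of `bootc-initramfs-setup` to the initrd emergency target. In the bootc-uki example the identical unit ends up inside a signed UKI, so a comment should state whether an emergency shell is intended on that path or whether the kernel command line is expected to turn it off (dracut's `rd.shell=0`); the command line written in Containerfile.stage2 is not visible on this page. A line such as `Description=bootc initramfs root setup` would make journal entries for the unit easier to identify. The same file is added under tmt/tests/examples/bootc-uki/.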
@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+ return 0
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ inst \
+ "${moddir}/bootc-initramfs-setup" /usr/bin/bootc-initramfs-setup
+ inst \
+ "${moddir}/bootc-initramfs-setup.service" \
+ "${systemdsystemunitdir}/bootc-initramfs-setup.service"
+
+ $SYSTEMCTL -q --root "${initdir}" add-wants \
+ 'initrd-root-fs.target' 'bootc-initramfs-setup.service'
+}
diff --git a/tmt/tests/examples/bootc-uki/Containerfile.stage1 b/tmt/tests/examples/bootc-uki/Containerfile.stage1
new file mode 100644
index 000000000..175f3e253
--- /dev/null
+++ b/tmt/tests/examples/bootc-uki/Containerfile.stage1
@@ -0,0 +1,10 @@
+FROM quay.io/fedora/fedora-bootc:42
+COPY extra /
+COPY bootc /usr/bin
+
+RUN passwd -d root
+
+# need to have composefs setup root in the initramfs so we need this
+RUN set -x; \
+ kver=$(cd /usr/lib/modules && echo *); \
+ dracut -vf --install "/etc/passwd /etc/group" /usr/lib/modules/$kver/initramfs.img $kver;
diff --git a/tmt/tests/examples/bootc-uki/Containerfile.stage2 b/tmt/tests/examples/bootc-uki/Containerfile.stage2
new file mode 100644
index 000000000..964a6f2ae
--- /dev/null
+++ b/tmt/tests/examples/bootc-uki/Containerfile.stage2
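Review bot: `check()` in module-setup.sh returns 0 unconditionally, so dracut pulls the module in even when `${moddir}/bootc-initramfs-setup` was never copied there by the build script; the initramfs would then presumably be built without the binary the unit starts. A guard at the top of `check()`, `[[ -x "${moddir}/bootc-initramfs-setup" ]] || return 1`, makes that case visible at build time. `$SYSTEMCTL` in `install()` is expanded unquoted; that follows dracut convention, but a `# shellcheck disable=SC2086` comment would mark it as deliberate. The same file is added under tmt/tests/examples/bootc-uki/.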
@@ -0,0 +1,46 @@ +FROM quay.io/fedora/fedora-bootc-base-uki:42 AS base + +FROM base as kernel + +ARG COMPOSEFS_FSVERITY + +RUN --mount=type=secret,id=key \ + --mount=type=secret,id=cert < /etc/kernel/cmdline + + dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned + kver=$(cd /usr/lib/modules && echo *) + ukify build \ + --linux "/usr/lib/modules/$kver/vmlinuz" \ + --initrd "/usr/lib/modules/$kver/initramfs.img" \ + --uname="${kver}" \ + --cmdline "@/etc/kernel/cmdline" \ + --os-release "@/etc/os-release" \ + --signtool sbsign \ + --secureboot-private-key "/run/secrets/key" \ + --secureboot-certificate "/run/secrets/cert" \ + --measure \ + --json pretty \ + --output "/boot/$kver.efi" + sbsign \ + --key "/run/secrets/key" \ + --cert "/run/secrets/cert" \ + "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" \ + --output "/boot/systemd-bootx64.efi" +EOF + +FROM base as final + +RUN --mount=type=bind,from=kernel,target=/_mount/kernel < /dev/null + uuidgen --random > GUID.txt + openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Platform Key/" -out PK.crt + openssl x509 -outform DER -in PK.crt -out PK.cer + openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Key Exchange Key/" -out KEK.crt + openssl x509 -outform DER -in KEK.crt -out KEK.cer + openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Test Signature Database key/" -out db.crt + openssl x509 -outform DER -in db.crt -out db.cer + popd > /dev/null +fi + +# For debugging, add --no-cache to podman command +sudo podman build \ + -t quay.io/fedora/fedora-bootc-uki:42 \ + --build-arg=COMPOSEFS_FSVERITY="${COMPOSEFS_FSVERITY}" \ + -f Containerfile.stage2 \ + --secret=id=key,src=secureboot/db.key \ + --secret=id=cert,src=secureboot/db.crt \ + --iidfile=tmp/iid2 + +rm -rf tmp/efi +mkdir -p tmp/efi +./bootc internals cfs --repo tmp/sysroot/composefs oci pull 
containers-storage:"${IMAGE_ID}"
+./bootc internals cfs --repo tmp/sysroot/composefs oci compute-id --bootable "${IMAGE_ID}"
+./bootc internals cfs --repo tmp/sysroot/composefs oci prepare-boot "${IMAGE_ID}" --bootdir tmp/efi
diff --git a/tmt/tests/examples/bootc-uki/build_vars b/tmt/tests/examples/bootc-uki/build_vars
new file mode 100755
index 000000000..8008414b4
--- /dev/null
+++ b/tmt/tests/examples/bootc-uki/build_vars
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -eux
+
+cd "${0%/*}"
+
+if [[ ! -d "secureboot" ]]; then
+ echo "fail"
+ exit 1
+fi
+
+# See: https://github.com/rhuefi/qemu-ovmf-secureboot
+# $ dnf install -y python3-virt-firmware
+GUID=$(cat secureboot/GUID.txt)
+virt-fw-vars --input "/usr/share/edk2/ovmf/OVMF_VARS_4M.secboot.qcow2" \
+ --secure-boot \
+ --set-pk $GUID "secureboot/PK.crt" \
+ --add-kek $GUID "secureboot/KEK.crt" \
+ --add-db $GUID "secureboot/db.crt" \
+ -o "VARS_CUSTOM.secboot.qcow2.template"
diff --git a/tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf b/tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf
new file mode 100644
index 000000000..d1adac96f
--- /dev/null
+++ b/tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/dracut.conf.d/37composefs.conf
@@ -0,0 +1,3 @@
+# we need to force these in via the initramfs because we don't have modules in
+# the base image
+force_drivers+=" virtio_net vfat "
diff --git a/tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service b/tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service
new file mode 100644
index 000000000..15fdc5801
--- /dev/null
+++ b/tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service
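Review bot: `$GUID` is expanded unquoted in the three `virt-fw-vars` arguments of build_vars and comes straight from `secureboot/GUID.txt`, so an empty or multi-word file changes the argument list without any error from the script itself. Quote it, `--set-pk "$GUID" "secureboot/PK.crt"`, and check it first with `: "${GUID:?secureboot/GUID.txt is empty}"`. The missing-directory branch prints only `fail` on stdout; a message on stderr that names `secureboot/` and the script that creates it would tell the user what to run.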
@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see .
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootc-initramfs-setup
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes
diff --git a/tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh b/tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh
new file mode 100755
index 000000000..b1c56206f
--- /dev/null
+++ b/tmt/tests/examples/bootc-uki/extra/usr/lib/dracut/modules.d/37bootc/module-setup.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+ return 0
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ inst \
+ "${moddir}/bootc-initramfs-setup" /usr/bin/bootc-initramfs-setup
+ inst \
+ "${moddir}/bootc-initramfs-setup.service" \
+ "${systemdsystemunitdir}/bootc-initramfs-setup.service"
+
+ $SYSTEMCTL -q --root "${initdir}" add-wants \
+ 'initrd-root-fs.target' 'bootc-initramfs-setup.service'
+}
diff --git a/tmt/tests/examples/bootc-uki/install-grub.sh b/tmt/tests/examples/bootc-uki/install-grub.sh
new file mode 100755
index 000000000..885826046
--- /dev/null
+++ b/tmt/tests/examples/bootc-uki/install-grub.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eux
+
+curl http://192.168.122.1:8000/bootc -o bootc
+chmod +x bootc
+
+IMAGE=quay.io/fedora/fedora-bootc-uki:42
+
+# --env RUST_LOG=debug \
+# --env RUST_BACKTRACE=1 \
+podman run \
+ --rm --privileged \
+ --pid=host \
+ -v /dev:/dev \
+ -v /var/lib/containers:/var/lib/containers \
+ -v /srv/bootc:/usr/bin/bootc:ro,Z \
+ -v /var/tmp:/var/tmp \
+ --security-opt label=type:unconfined_t \
+ "${IMAGE}" \
+ bootc install to-disk \
+ --composefs-native \
+ --boot=uki \
+ --source-imgref="containers-storage:${IMAGE}" \
+ --target-imgref="${IMAGE}" \
+ --target-transport="docker" \
+ /dev/vdb \
+ --filesystem=ext4 \
+ --wipe
diff --git a/tmt/tests/examples/bootc-uki/install-systemd-boot.sh b/tmt/tests/examples/bootc-uki/install-systemd-boot.sh
new file mode 100755
index 000000000..08e92107b
--- /dev/null
+++ b/tmt/tests/examples/bootc-uki/install-systemd-boot.sh
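Review bot: `curl http://192.168.122.1:8000/bootc -o bootc` in install-grub.sh fetches an executable over plain HTTP with no integrity check and without `--fail`, so an HTTP error page would be saved and marked executable. The binary is then bind-mounted as `/srv/bootc` (which assumes the script runs from /srv) into a `--privileged --pid=host` container that wipes `/dev/vdb`. Use `curl --fail --silent --show-error` and compare a SHA-256 against a value supplied by the test harness before `chmod +x bootc`. A header comment should state that the script is meant for a disposable test VM only. install-systemd-boot.sh opens with the same two lines.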
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -eux
+
+curl http://192.168.122.1:8000/bootc -o bootc
+chmod +x bootc
+
+IMAGE=quay.io/fedora/fedora-bootc-uki:42
+
+if [[ ! -f /srv/systemd-bootx64.efi ]]; then
+ echo "Needs /srv/systemd-bootx64.efi to exists for now"
+ exit 1
+fi
+
+# --env RUST_LOG=debug \
+# --env RUST_BACKTRACE=1 \
+podman run \
+ --rm --privileged \
+ --pid=host \
+ -v /dev:/dev \
+ -v /var/lib/containers:/var/lib/containers \
+ -v /srv/bootc:/usr/bin/bootc:ro,Z \
+ -v /var/tmp:/var/tmp \
+ --security-opt label=type:unconfined_t \
+ "${IMAGE}" \
+ bootc install to-disk \
+ --composefs-native \
+ --boot=uki \
+ --source-imgref="containers-storage:${IMAGE}" \
+ --target-imgref="${IMAGE}" \
+ --target-transport="docker" \
+ /dev/vdb \
+ --filesystem=ext4 \
+ --wipe
+
+mkdir -p efi
+mount /dev/vdb2 /srv/efi
+
+# Manual systemd-boot installation
+cp /srv/systemd-bootx64.efi /srv/efi/EFI/fedora/grubx64.efi
+mkdir -p /srv/efi/loader
+echo "timeout 5" > /srv/efi/loader/loader.conf
+rm -rf /srv/efi/EFI/fedora/grub.cfg
+
+umount efi
diff --git a/tmt/tests/test-26-examples-build.fmf b/tmt/tests/test-26-examples-build.fmf
new file mode 100644
index 000000000..7c556d74a
--- /dev/null
+++ b/tmt/tests/test-26-examples-build.fmf
@@ -0,0 +1,18 @@
+summary: Test bootc examples build scripts
+test: |
+ #!/bin/bash
+ set -eux
+
+ # Test bootc-bls example
+ echo "Testing bootc-bls example..."
+ cd examples/bootc-bls
+ ./build
+
+ # Test bootc-uki example
+ echo "Testing bootc-uki example..."
+ cd ../bootc-uki
+ ./build.base
+ ./build.final
+
+ echo "All example builds completed successfully"
+duration: 45m
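Review bot: In install-systemd-boot.sh the mount point is created as the relative `efi`, mounted as `/srv/efi`, and unmounted as `efi`, which only lines up when the script is run from /srv. Use one path throughout, `mkdir -p /srv/efi` and `umount /srv/efi`, and consider replacing the final `umount` with `trap 'umount /srv/efi' EXIT` placed right after the mount, so a failing `cp` under `set -e` does not leave `/dev/vdb2` mounted. The step overwrites `EFI/fedora/grubx64.efi` with whatever is at `/srv/systemd-bootx64.efi`; a comment should say that this is expected to be the copy signed in Containerfile.stage2, otherwise the Secure Boot test does not exercise the signed loader.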