UKI Cleanup#2200
Conversation
Johan-Liebert1
added
the
ci/merge
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors the UKI (Unified Kernel Image) build process to support passing explicit kernel and initramfs paths via CLI arguments, reducing reliance on auto-discovery within the rootfs. Key changes include updating the seal-uki and finalize-uki scripts to use named arguments, modifying Dockerfile stages to extract and clean up kernel components, and extending the Rust library and CLI to handle the new parameters. Review feedback identified a potential path resolution bug in the Rust file existence checks, a filename mismatch in the upgrade test Dockerfile, and suggested improvements for error handling and validation in the seal-uki script.
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
cb42d78 to
8a3ed64
Compare
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
7 times, most recently
from
66dc0e3 to
3a9dc2b
Compare
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
3a9dc2b to
8e581d4
Compare
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
8e581d4 to
503b07a
Compare
|
I think we should have the kernel and initrd as required arguments and thus only support the case where they are not in the rootfs anymore as I don't see a use case where someone would want a sealed image with both a UKI and split out kernel and initrd. Edit: That would break the current |
|
Hmm. I kind of lean towards not breaking it at least right away, it seems really easy to continue to support what we have now too. We could mark it deprecated though. |
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
503b07a to
8a5c7ae
Compare
|
Failures are transient & volatile related. Maybe from #2201? |
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
8a5c7ae to
cc8a2d8
Compare
github-actions
Bot
added
area/install
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
f2c3424 to
667a0fd
Compare
Don't know if clap has a way to do this, if it does I couldn't find it. We just print our custom warning if |
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
2 times, most recently
from
4d6bed6 to
20e2fed
Compare
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
3e9a91e to
135915e
Compare
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
4 times, most recently
from
866acdc to
c41bdc8
Compare
|
Converting to draft. Still needs a bit more work |
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
4 times, most recently
from
f5c48ad to
e2b3c1d
Compare
Now that we can pass kernel and initrd paths to `bootc ukify`, rework our UKI Dockerfile to remove kernel + initrd from the final layer and only keep the UKI This still will not *remove* the kernel + initrd from the tarball but have whiteout instead See bootc-dev#2027 (comment) Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
vmlinuz and intrd should not be present in UKI images; add test for the same Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
So we can just use bootc to extract the `.linux` and `.initrd` sections from the UKI and not have to use objcopy Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
e2b3c1d to
4df1993
Compare
|
This one's also ready for review |
|
|
||
| rootfs=${1:-/} | ||
|
|
||
| # Temporary: downgrade kernel to last 6.x when 7.0 or 7.1 is present. |
There was a problem hiding this comment.
This can probably be dropped
There was a problem hiding this comment.
f44 still seems to ship with 7.0
There was a problem hiding this comment.
Yes, but the kernel should include the fix now. Anyways we can look at this later.
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
4 times, most recently
from
d7e40d7 to
3538344
Compare
cgwalters
left a comment
cgwalters
left a comment
There was a problem hiding this comment.
Thanks, this is looking closer!
|
|
||
| rootfs=${1:-/} | ||
|
|
||
| # Temporary: downgrade kernel to last 6.x when 7.0 or 7.1 is present. |
There was a problem hiding this comment.
Yes, but the kernel should include the fix now. Anyways we can look at this later.
| # Install the RPM package | ||
| # Use rpm -Uvh with --oldpackage to allow replacing with dev version | ||
| rpm -Uvh --replacepkgs --oldpackage --nosignature "${RPM_DIR}"/*.rpm | ||
| rpm -Uvh --root "${INSTALL_ROOT}" --nodeps --replacepkgs --oldpackage --nosignature "${RPM_DIR}"/*.rpm |
There was a problem hiding this comment.
The problem is that rpm --root doesn't do important things like set up /proc etc in the target root. See e.g. rpm-software-management/dnf5#2270
I also don't like --nodeps - why did you add that?
I think the cleanest, albeit slightly more work is to do:
- Download additional deps early
- Install them after we've constructed the "from scratch" root
- Alternatively, just pass
--installfor all the deps we want
There was a problem hiding this comment.
I also don't like --nodeps - why did you add that?
Without --nodeps the command fails with
error: Failed dependencies:
/usr/bin/bash is needed by bootc-202606220627.g4df1993369-1.fc44.x86_64
/usr/bin/chcon is needed by bootc-202606220627.g4df1993369-1.fc44.x86_64
composefs is needed by bootc-202606220627.g4df1993369-1.fc44.x86_64
ld-linux-x86-64.so.2()(64bit) is needed by bootc-202606220627.g4df1993369-1.fc44.x86_64
ld-linux-x86-64.so.2(GLIBC_2.3)(64bit) is needed by bootc-202606220627.g4df1993369-1.fc44.x86_64
libc.so.6()(64bit) is needed by bootc-202606220627.g4df1993369-1.fc44.x86_64
libc.so.6(GLIBC_2.14)(64bit) is needed by bootc-202606220627.g4df1993369-1.fc44.x86_64
[...]
Possibly because it searches for rpm db which we don't have in the target rootfs?
Installing these in /target-rootfs (after it's generated) works without --nodeps but we need bootc-initramfs-setup in the initrd :/
Install them after we've constructed the "from scratch" root
We need bootc-intramfs-setup in the initrd which is why we have to install these rpms before calling bootc-base-imagectl
There was a problem hiding this comment.
Checking in bootc-base-imagtctl, there does seem to be an --install option, but my guess is that it doesn't expect an arbitrary .rpm file
There was a problem hiding this comment.
Checking in bootc-base-imagtctl, there does seem to be an --install option, but my guess is that it doesn't expect an arbitrary .rpm file
Yes, we'll need to use createrepo and generate a repo file and also ensure it has higher priority. We could enhance base-imagectl for this.
We need bootc-intramfs-setup in the initrd which is why we have to install these rpms before calling bootc-base-imagectl
Right OK. (It's more subtle in that if we kept installing bootc afterwards we would silently be testing the shipped one right? Would be nasty)
But this links with the above, if we just install it as part of the rootfs generation, we don't need --nodeps.
So in a nutshell let's either:
- Set up a (dnf) repo with our built content
- Use
--no-initramfsfor base-imagectl, overlay our content after, and then regenerate the initramfs
? I'm fine with either.
There was a problem hiding this comment.
Probably will have to go with option 1. With Option 2 we can't really "split" the root and kernel unless either we go with extremely mess chroot option or fallback to "mv"
This command is equivalent to
`mv /target-root/usr/lib/modules/$kver/{vmlinuz,initramfs.img} /out/$kver`
We could just use `mv`, but having an actual bootc cmd is cleaner
Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Since we do not want kernel + initrd in the final UKI dockerfile, we now build the initrd inside the `target-rootfs` generated by `bootc-base-imagectl`. Instead of rebuilding the initrd ourselves, now we add `/var/usr` directory to the target-rootfs with `--add-dir` cli option to bootc-base-imagectl. This directory contains our rpms and other configs required for building the initramfs After that's done we split the rootfs and vmlinuz + initrd into /target-rootfs and /kernel/$kver respectively Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Now since we need to build our initramfs before the `fetch` build stage, we need packages built first as we need `bootc` and `bootc-initramfs-setup` binaries Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
Johan-Liebert1
force-pushed
the
uki-cleanup
branch
from
3538344 to
2417fcf
Compare
3 participants
ukify: Allow passing custom kernel, initramfs
While building a sealed UKI image we'd want to remove the original
kernel + initramfs from the final image and have only the final UKI
present. This was not possible before as
bootc container ukifyexpected kernel + initramfs to be present in
usr/lib/modulesofcontainer root
Fixes: #2185
dockerfile/uki: Rework to remove kernel + initrd
Now that we can pass kernel and initrd paths to
bootc ukify, reworkour UKI Dockerfile to remove kernel + initrd from the final layer
and only keep the UKI
This still will not remove the kernel + initrd from the tarball but
have whiteout instead
See #2027 (comment)
test/integration: Test vmlinuz non-existence with UKI
vmlinuz and intrd should not be present in UKI images; add test for the
same