feat: Add bootc container ukify command
#1960
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a new bootc container ukify command, which is a great addition for simplifying the creation of Unified Kernel Images. The new command correctly encapsulates the logic for finding kernel artifacts and constructing kernel arguments, which was previously handled in a shell script. The seal-uki script is now much cleaner and more maintainable by using this new command. The implementation in Rust is solid, and the associated configuration and documentation changes are appropriate. I have a couple of suggestions to improve the API design in the new Rust code.
jeckersb
force-pushed
the
container-ukify
branch
from
245a08e to
463c094
Compare
| @@ -0,0 +1,3 @@ | |||
| # WORKAROUND: SELinux must be permissive for sealed UKI boot | |||
| # See https://github.com/bootc-dev/bootc/issues/1826 | |||
| kargs = ["enforcing=0"] | |||
There was a problem hiding this comment.
But this will now be set for the ostree tests too...I don't think we want that.
There was a problem hiding this comment.
So how about for now let's keep this in seal-uki ?
There was a problem hiding this comment.
This will mean that container ukify will need to take arbitrary cmdline args for now. I guess we'll just mark it as hidden, don't mention in the docs, and print a big scary warning that it will eventually be removed when we fix the enforcing thing?
There was a problem hiding this comment.
Leaving this unresolved until we agree that the current approach of hidden --karg with scary warning is ok for now.
crates/lib/src/ukify.rs
Outdated
| // Compute paths for kernel and initrd | ||
| let modules_dir = format!("usr/lib/modules/{kver}"); | ||
| let vmlinuz_path = rootfs.join(&modules_dir).join("vmlinuz"); | ||
| let initramfs_path = rootfs.join(&modules_dir).join("initramfs.img"); |
There was a problem hiding this comment.
Hmm another copy of this code is pretty unfortunate, let's have find_kernel return it?
There was a problem hiding this comment.
I updated Kernel to keep track of modules_dir and then vmlinuz and initramfs are derived from that. One TODO here is that means modules_dir ends up being serialized with container inspect --json (but not in human-readable). So from here we either (a) hide serialization of modules_dir, or (b) add modules_dir to human-readable output.
There was a problem hiding this comment.
I was thinking we have a different internal only struct with more data that has impl Into the type we serialize for now
There was a problem hiding this comment.
Ok find_kernel now returns a KernelInternal wrapper that also tracks the paths for vmlinuz and initramfs. The ergonomics aren't great in a few places but it works. Let me know what you think.
| --os-release "@${target}/usr/lib/os-release" \ | ||
| # Build the UKI using bootc container ukify | ||
| # This computes the composefs digest, reads kargs from kargs.d, and invokes ukify | ||
| bootc container ukify --rootfs "${target}" \ |
There was a problem hiding this comment.
This definitely looks nicer!
jeckersb
force-pushed
the
container-ukify
branch
from
463c094 to
e437c63
Compare
jeckersb
force-pushed
the
container-ukify
branch
from
e437c63 to
0e6f4a8
Compare
Add a new subcommand that builds a Unified Kernel Image (UKI) by computing the necessary arguments from a container image and invoking ukify. This simplifies the sealed image build workflow by having bootc internally compute: - The composefs digest (via existing compute-composefs-digest logic) - Kernel arguments from /usr/lib/bootc/kargs.d/*.toml files - Paths to kernel, initrd, and os-release Any additional arguments are passed through to ukify unchanged, allowing full control over signing, output paths, and other ukify options. The seal-uki script is updated to use this new command instead of manually computing these values and invoking ukify directly. Also adds kargs.d configuration files for the sealed UKI workflow: - 10-rootfs-rw.toml: Mount root filesystem read-write - 21-console-hvc0.toml: Console configuration for QEMU/virtio Closes: bootc-dev#1955 Assisted-by: OpenCode (Opus 4.5) Signed-off-by: John Eckersberg <[email protected]>
jeckersb
force-pushed
the
container-ukify
branch
from
0e6f4a8 to
dc7e71a
Compare
2 participants
Add a new subcommand that builds a Unified Kernel Image (UKI) by
computing the necessary arguments from a container image and invoking
ukify. This simplifies the sealed image build workflow by having bootc
internally compute:
Any additional arguments are passed through to ukify unchanged, allowing
full control over signing, output paths, and other ukify options.
The seal-uki script is updated to use this new command instead of
manually computing these values and invoking ukify directly.
Also adds kargs.d configuration files for the sealed UKI workflow:
Closes: #1955
Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: John Eckersberg [email protected]