Tests for unsealed composefs UKI #2146

b65888f to 2beb2eb
Code Review
This pull request introduces support for Unified Kernel Images (UKIs) within the composefs framework, including tools for sealing and finalizing UKIs and a new dumpfile_path option for the ukify command. It also adds a missing_verity_allowed flag to track and display fs-verity enforcement status in bootc status. The integration test suite is significantly updated with a new composefs garbage collection test for UKIs and a helper function to wrap container builds for UKI environments. Feedback focuses on improving maintainability by combining conditional package installations in the Dockerfile and refactoring repetitive logic in the new UKI test scripts into helper functions.
```nu
mkdir /var/tmp/efi
mount /dev/disk/by-partlabel/EFI-SYSTEM /var/tmp/efi
```
This test file has some repeated logic that could be refactored into helper functions to improve maintainability and readability.

- EFI Mount Setup: The commands to create and mount the EFI directory are repeated in `second_boot`, `third_boot`, `fourth_boot`, and `fifth_boot`.

  ```nu
  def setup_efi_mount [] {
      mkdir /var/tmp/efi
      mount /dev/disk/by-partlabel/EFI-SYSTEM /var/tmp/efi
  }
  ```

- Image Build and Switch: The logic for building a new container image and switching to it is also duplicated.

  ```nu
  def build_and_switch [name: string, content: string] {
      mut containerfile = $"
  FROM localhost/bootc as base
  ($content)
  "
      $containerfile = (tap build_uki_img $containerfile)
      echo $containerfile | podman build -t $"localhost/bootc-($name)" . -f -
      bootc switch --transport containers-storage $"localhost/bootc-($name)"
  }
  ```

By using these helpers, the boot stage functions would become much cleaner and more focused on their specific assertions.
2beb2eb to 895ba5a

Centos10 seems to be failing with

Edit: #2145 fixes this
19d13bb to 3edbb84

aac13a4 to 93fed9d
```nu
# summary: Test soft reboot with SELinux policy changes
# duration: 30m
# extra:
# fixme_skip_if_uki: true
```
Okay, since this modifies /etc and /var, it updates mtimes for both and there is a digest mismatch in the UKI vs when we pull the image in the composefs repo. The following is a reproducible example:

```dockerfile
FROM alpine AS rootfs
RUN touch /etc/new-file

FROM rootfs AS layer1
RUN stat /etc > /var/etc-stat

FROM rootfs AS layer2
COPY --from=layer1 /var/etc-stat /var/etc-stat
RUN stat /etc > /var/etc-stat-final-layer
```

This is probably an overlayfs thing and not something to do with builders; both docker and podman run into this.
This might not be correct, but the mtime might be different due to the time diff in creating these layers? The time diff here is in millis, so that's my guess.

```
/var # cat etc-stat
  File: /etc
  Size: 22        Blocks: 8          IO Block: 4096   directory
Device: 58h/88d   Inode: 10047352    Links: 1
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2026-04-17 11:12:32.773615603 +0000
Modify: 2026-04-17 11:12:33.259270681 +0000
Change: 2026-04-17 11:12:33.259270681 +0000
/var # cat etc-stat-final-layer
  File: /etc
  Size: 22        Blocks: 8          IO Block: 4096   directory
Device: 58h/88d   Inode: 10047352    Links: 1
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2026-04-17 11:12:32.773615603 +0000
Modify: 2026-04-17 11:12:33.486824455 +0000
Change: 2026-04-17 11:12:33.486824455 +0000
```

In my actual testing with a UKI image, the diff was this:

```diff
5c5
< /etc 0 40755 94 0 0 0 1776409773.0 - - - security.selinux=system_u:object_r:etc_t:s0
---
> /etc 0 40755 94 0 0 0 1776409786.0 - - - security.selinux=system_u:object_r:etc_t:s0
55015c55015
< /var 0 40755 7 0 0 0 1776409756.0 - - - security.selinux=system_u:object_r:var_t:s0
---
> /var 0 40755 7 0 0 0 1776409786.0 - - - security.selinux=system_u:object_r:var_t:s0
```

93fed9d to 4116785
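A small dumpfile differ, added here as an example (not bootc's or composefs's own code), that parses lines in the format of the diff above and reports which entries differ only in their mtime field, the failure mode the comment describes. The field names are my assumption from the positional layout of the quoted lines, and the two sample dumps are constructed from those lines.

```python
"""Diff two composefs-style dumpfiles and flag entries that differ only in mtime.
Added example, not bootc's code. Field names are an assumption taken from the
positional layout of the quoted lines: path size mode nlink uid gid rdev mtime
payload content digest, followed by xattrs."""

FIELDS = ("size", "mode", "nlink", "uid", "gid", "rdev", "mtime",
          "payload", "content", "digest")


def parse_dump_line(line: str) -> tuple:
    """Split one dump line into (path, (fields dict, xattrs tuple))."""
    parts = line.split()
    if len(parts) < 1 + len(FIELDS):
        raise ValueError(f"short dump line: {line!r}")
    attrs = dict(zip(FIELDS, parts[1:1 + len(FIELDS)]))
    return parts[0], (attrs, tuple(parts[1 + len(FIELDS):]))


def parse_dump(text: str) -> dict:
    """Map path -> (fields dict, xattrs) for every non-empty line."""
    return dict(parse_dump_line(l) for l in text.splitlines() if l.strip())


def diff_dumps(old: str, new: str) -> dict:
    """Return {path: [changed field names]}; 'missing' marks a one-sided entry."""
    a, b = parse_dump(old), parse_dump(new)
    changes = {}
    for path in sorted(set(a) | set(b)):
        if path not in a or path not in b:
            changes[path] = ["missing"]
            continue
        changed = [f for f in FIELDS if a[path][0][f] != b[path][0][f]]
        if a[path][1] != b[path][1]:
            changed.append("xattrs")
        if changed:
            changes[path] = changed
    return changes


def mtime_only(changes: dict) -> list:
    """Paths whose mismatch is explained purely by mtime drift between layers."""
    return [p for p, fields in changes.items() if fields == ["mtime"]]


# Constructed sample: the /etc and /var lines quoted above plus one unchanged file.
UKI_DUMP = """\
/etc 0 40755 94 0 0 0 1776409773.0 - - - security.selinux=system_u:object_r:etc_t:s0
/etc/hostname 6 100644 1 0 0 0 1776409700.0 - - deadbeef security.selinux=system_u:object_r:etc_t:s0
/var 0 40755 7 0 0 0 1776409756.0 - - - security.selinux=system_u:object_r:var_t:s0
"""
# The same tree as seen from the final layer: only the directory mtimes moved.
FINAL_LAYER_DUMP = (UKI_DUMP.replace("1776409773.0", "1776409786.0")
                    .replace("1776409756.0", "1776409786.0"))
```

Running `mtime_only(diff_dumps(UKI_DUMP, FINAL_LAYER_DUMP))` isolates `/etc` and `/var`, which is exactly the pair the quoted diff shows.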
Add a flag to create a dumpfile for `bootc ukify` command. This is extremely helpful for debugging.

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

For the status command for composefs backend, in verbose mode, show whether FsVerity is enforced or not. This is also helpful for us in tests for UKI as while building a UKI we'd want to know whether the current system has FsVerity enforced or not. Reading `/proc/cmdline` is an option, but a concrete API helps immensely.

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

For unsealed UKIs now we install systemd-ukify in our container images and also copy our UKI build scripts in the image to help us build UKIs in our tests. We don't yet have all tests for sealed UKIs because we don't have a proper way of passing our keys to the test VMs.

A nu shell function wraps all container image definitions and updates them to also build for UKI images.

Update tests to also work with UKIs.

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Also, fix a logic error in the BLS GC test where we were checking for the non-existence of a non-existent path.

Explicitly disable composefs gc tests for ostree.

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

We skip this test for UKI as the container image that's built has different mtime for /var and /etc which results in different digests inside the UKI (computed with stitched overlayfs) vs in the final layer:

```diff
5c5
< /etc 0 40755 94 0 0 0 1776409773.0 - - - security.selinux=system_u:object_r:etc_t:s0
---
> /etc 0 40755 94 0 0 0 1776409786.0 - - - security.selinux=system_u:object_r:etc_t:s0
55015c55015
< /var 0 40755 7 0 0 0 1776409756.0 - - - security.selinux=system_u:object_r:var_t:s0
---
> /var 0 40755 7 0 0 0 1776409786.0 - - - security.selinux=system_u:object_r:var_t:s0
```

Probably a different issue as we use "FROM scratch" but Ref: composefs/composefs-rs#132

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
4116785 to 7fa736d