From 3ad21af367c3fe7c29fbda2979153017438d3c62 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 16 Jan 2026 14:03:49 -0500 Subject: [PATCH 1/3] build-sys: Enable CentOS Stream compose repos to avoid version skew The base image may be built from a compose that has newer packages than what's available on the public mirrors. This causes version skew where packages like bootupd have different versions between the base image and our built image. For example, bootupd 0.2.32 changed the EFI file layout from /usr/lib/bootupd/updates/EFI/ to /usr/lib/efi/, and if we build with an older bootupd from mirrors while the target image has the newer layout, bootloader installation fails. Enable the CentOS Stream compose repos with higher priority to ensure we get matching versions. xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174 Signed-off-by: Colin Walters Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters --- Dockerfile | 5 ++++ contrib/packaging/enable-compose-repos | 33 ++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100755 contrib/packaging/enable-compose-repos diff --git a/Dockerfile b/Dockerfile index 11ca9ab5c..ac0c8f0b7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -47,6 +47,11 @@ RUN --mount=type=tmpfs,target=/run /src/contrib/packaging/configure-systemdboot # local sources. We'll override it later. # NOTE: All your base belong to me. FROM $base as target-base +# Handle version skew between base image and mirrors for CentOS Stream +# xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174 +RUN --mount=type=tmpfs,target=/run \ + --mount=type=bind,from=packaging,src=/,target=/run/packaging \ + /run/packaging/enable-compose-repos RUN --mount=type=tmpfs,target=/run /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs FROM scratch as base 
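Review bot: The repo file that enable-compose-repos writes stays enabled in the target-base stage after the new `RUN`, and this hunk does not show whether `bootc-base-imagectl build-rootfs` carries /etc/yum.repos.d into /target-rootfs; if it does, the shipped image keeps a priority=1 repo pointing at the moving latest-CentOS-Stream compose, which is not what someone running dnf inside the resulting container would expect. Either confirm the file is confined to the build stage or remove it from /target-rootfs right after build-rootfs, and record the intent above the new RUN with a comment such as `# Compose repos are build-time only; they must not end up in /target-rootfs`.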
diff --git a/contrib/packaging/enable-compose-repos b/contrib/packaging/enable-compose-repos
new file mode 100755
index 000000000..41b10c9bb
--- /dev/null
+++ b/contrib/packaging/enable-compose-repos
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Enable compose repos to avoid version skew between base image and mirrors
+# xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
+set -euo pipefail
+
+. /usr/lib/os-release
+
+case "${ID}" in
+ centos)
+ # The base image may have been built from a compose that has newer packages
+ # than what's available on the public mirrors. Enable the compose repos
+ # with higher priority to ensure we get matching versions.
+ cat > /etc/yum.repos.d/centos-compose.repo << 'EOF'
+[compose-baseos]
+name=CentOS Stream $releasever Compose BaseOS
+baseurl=https://composes.stream.centos.org/stream-$releasever/production/latest-CentOS-Stream/compose/BaseOS/$basearch/os/
+gpgcheck=0
+enabled=1
+priority=1
+
+[compose-appstream]
+name=CentOS Stream $releasever Compose AppStream
+baseurl=https://composes.stream.centos.org/stream-$releasever/production/latest-CentOS-Stream/compose/AppStream/$basearch/os/
+gpgcheck=0
+enabled=1
+priority=1
+EOF
+ echo "Enabled CentOS Stream compose repos"
+ ;;
+ *)
+ # No compose repo needed for other distros
+ ;;
+esac
From f168dbeec813ef459672b15ce254513b44602e83 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 16 Jan 2026 14:41:44 -0500 Subject: [PATCH 2/3] build-sys: Enable GPG checking for CentOS compose repos Use gpgcheck=1 and reference the official CentOS GPG key instead of disabling signature verification. This ensures package integrity during builds while still using compose repos to avoid version skew. Assisted-by: OpenCode (Claude Sonnet 4) Signed-off-by: Colin Walters --- contrib/packaging/enable-compose-repos | 27 ++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-)
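Review bot: Both baseurl lines in the new enable-compose-repos script point at `latest-CentOS-Stream`, a pointer that moves with every compose, so nothing is pinned to the compose the base image was actually built from and builds are not reproducible over time; when the base image lags the latest compose, the built rootfs ends up newer than the base, which is the same bootupd layout mismatch the script exists to avoid, only reversed. If the base image records its compose identifier anywhere, deriving the URL from that would be more robust; failing that, a comment above the heredoc such as `# latest-CentOS-Stream is a moving pointer: it matches the base image only while the base is the current compose` would state the assumption. The gpgcheck=0 lines are already addressed by the next patch in this series.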
diff --git a/contrib/packaging/enable-compose-repos b/contrib/packaging/enable-compose-repos index 41b10c9bb..20b5ba30d 100755 --- a/contrib/packaging/enable-compose-repos +++ b/contrib/packaging/enable-compose-repos @@ -10,22 +10,33 @@ case "${ID}" in # The base image may have been built from a compose that has newer packages # than what's available on the public mirrors. Enable the compose repos # with higher priority to ensure we get matching versions. - cat > /etc/yum.repos.d/centos-compose.repo << 'EOF' + + # Extract the gpgkey from the existing centos.repo - c9s uses + # RPM-GPG-KEY-centosofficial while c10s uses RPM-GPG-KEY-centosofficial-SHA256 + gpgkey=$(grep -m1 '^gpgkey=' /etc/yum.repos.d/centos.repo | cut -d= -f2) + if [[ -z "${gpgkey}" ]]; then + echo "Error: Could not find gpgkey in /etc/yum.repos.d/centos.repo" >&2 + exit 1 + fi + + cat > /etc/yum.repos.d/centos-compose.repo << EOF [compose-baseos] -name=CentOS Stream $releasever Compose BaseOS -baseurl=https://composes.stream.centos.org/stream-$releasever/production/latest-CentOS-Stream/compose/BaseOS/$basearch/os/ -gpgcheck=0 +name=CentOS Stream \$releasever Compose BaseOS +baseurl=https://composes.stream.centos.org/stream-\$releasever/production/latest-CentOS-Stream/compose/BaseOS/\$basearch/os/ +gpgcheck=1 enabled=1 priority=1 +gpgkey=${gpgkey} [compose-appstream] -name=CentOS Stream $releasever Compose AppStream -baseurl=https://composes.stream.centos.org/stream-$releasever/production/latest-CentOS-Stream/compose/AppStream/$basearch/os/ -gpgcheck=0 +name=CentOS Stream \$releasever Compose AppStream +baseurl=https://composes.stream.centos.org/stream-\$releasever/production/latest-CentOS-Stream/compose/AppStream/\$basearch/os/ +gpgcheck=1 enabled=1 priority=1 +gpgkey=${gpgkey} EOF - echo "Enabled CentOS Stream compose repos" + echo "Enabled CentOS Stream compose repos (gpgkey: ${gpgkey})" ;; *) # No compose repo needed for other distros 
From 0ade2c3bc2ee96a82b705376eb46d6dc504e4c93 Mon Sep 17 00:00:00 2001 From: ckyrouac Date: Fri, 16 Jan 2026 15:24:16 -0500 Subject: [PATCH 3/3] tmt: Fix var-mount test to use booted container image Use copy-to-storage to add the booted container to podman storage instead of pulling a remote image. This matches the pattern used by other TMT tests and ensures we test the actual bootc under test. Changes: - Use localhost/bootc from copy-to-storage instead of remote image - Disable LBIs via bind mount of /usr/share/empty - Remove unnecessary host modifications (usr-overlay, dnf install, etc.) - Use 100%FREE for root LV to ensure sufficient space for deployment Assisted-by: OpenCode (Opus 4.5) Signed-off-by: ckyrouac Signed-off-by: Colin Walters --- .../test-install-to-filesystem-var-mount.sh | 33 +++++++------------ 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/tmt/tests/booted/test-install-to-filesystem-var-mount.sh b/tmt/tests/booted/test-install-to-filesystem-var-mount.sh index be9dd1d7b..5fe76d8a6 100644 --- a/tmt/tests/booted/test-install-to-filesystem-var-mount.sh +++ b/tmt/tests/booted/test-install-to-filesystem-var-mount.sh 
@@ -16,28 +16,20 @@ set -xeuo pipefail -# Use a generic target image to test skew between the bootc binary doing -# the install and the target image -TARGET_IMAGE="docker://quay.io/centos-bootc/centos-bootc:stream10" +# Build a derived image with LBIs removed for installation +TARGET_IMAGE="localhost/bootc-install" echo "Testing bootc install to-filesystem with separate /var mount" -# Disable SELinux enforcement for the install -setenforce 0 +# Copy the currently booted image to container storage for podman to use +bootc image copy-to-storage -# Enable usr-overlay to allow modifications -bootc usr-overlay - -# Install required packages (bootc images are immutable, so we need to install -# after usr-overlay is enabled) -dnf install -y parted lvm2 dosfstools e2fsprogs - -# Mask off conflicting ostree state -if test -d /sysroot/ostree; then - mount --bind /usr/share/empty /sysroot/ostree -fi -rm -vrf /usr/lib/bootupd/updates -rm -vrf /usr/lib/bootc/bound-images.d +# Build a derived image that removes LBIs +cat > /tmp/Containerfile.drop-lbis <<'EOF' +FROM localhost/bootc +RUN rm -rf /usr/lib/bootc/bound-images.d/* +EOF +podman build -t "$TARGET_IMAGE" -f /tmp/Containerfile.drop-lbis # Create a 12GB sparse disk image in /var/tmp (not /tmp which may be tmpfs) DISK_IMG=/var/tmp/disk-var-mount-test.img @@ -91,7 +83,7 @@ vgcreate BL "$LVM_PART" # Create logical volumes lvcreate -L 4G -n var02 BL -lvcreate -L 5G -n root02 BL +lvcreate -l 100%FREE -n root02 BL # Create filesystems on logical volumes mkfs.ext4 -F /dev/BL/var02 @@ -122,8 +114,7 @@ echo "Filesystem layout:" mount | grep /var/mnt/target || true df -h /var/mnt/target /var/mnt/target/boot /var/mnt/target/boot/efi /var/mnt/target/var -# Run bootc install to-filesystem -# This should succeed and handle the separate /var mount correctly +# Run bootc install to-filesystem from within the container image under test podman run \ --rm --privileged \ -v /var/mnt/target:/target \
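Review bot: The Containerfile is written to the fixed path /tmp/Containerfile.drop-lbis and the derived image localhost/bootc-install is never removed, so a rerun on the same host rebuilds on top of stale state and leaves an image behind; `containerfile=$(mktemp /tmp/Containerfile.drop-lbis.XXXXXX)` for the heredoc target and `podman rmi -f "$TARGET_IMAGE" || true` at teardown (folded into the script's EXIT trap if it already has one outside this hunk) would keep the test self-contained. The commit message says LBIs are disabled "via bind mount of /usr/share/empty", while the hunk instead builds a derived image that deletes /usr/lib/bootc/bound-images.d/*; one of the two should be updated to match. The heredoc's `FROM localhost/bootc` assumes copy-to-storage publishes the booted image under exactly that name, which is not visible here and is worth a comment on that line.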