Skip to content

Composefs-native backend #1314

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 21 commits into
base: main
Choose a base branch
from
Draft

Composefs-native backend #1314

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
6cfb4be
cli/install: Add `composefs` option to `InstallToDiskOpts`
Johan-Liebert1 May 7, 2025
d03feb2
cli: Handle compatibility with latest composefs-rs
Johan-Liebert1 May 7, 2025
6be5560
install: Pull composefs repository
Johan-Liebert1 May 7, 2025
b3d1952
install/composefs: Write boot entries
Johan-Liebert1 May 13, 2025
83227f5
Grub wip
Johan-Liebert1 May 16, 2025
97b902c
Use discoverable partition specification for rootfs UUID
Johan-Liebert1 May 20, 2025
151963e
Bump composefs-rs
Johan-Liebert1 May 20, 2025
200d669
install/composefs: Update composefs install options
Johan-Liebert1 Jun 11, 2025
dbcce3f
install/composefs: Introduce flag for bls/uki boot
Johan-Liebert1 Jun 11, 2025
79f3957
install/composefs: Get image and transport `source_imgref`
Johan-Liebert1 Jun 11, 2025
42632ce
install/composefs: Return result from opts.validate
Johan-Liebert1 Jun 17, 2025
eac8e4d
install/composefs: Handle kargs for BLS
Johan-Liebert1 Jun 17, 2025
edcf721
install/composefs: Put UKI in the ESP
Johan-Liebert1 Jun 17, 2025
af8fa4e
cli/composefs: Implement `status` cmd for compoesfs booted system
Johan-Liebert1 Jun 20, 2025
770a57b
install/composefs: Create origin file
Johan-Liebert1 Jun 24, 2025
8e68e45
install/composefs: Move state to `/state/deploy/<image_id>`
Johan-Liebert1 Jun 26, 2025
8d9b923
cli: Implement `bootc status` for composefs native booted system
Johan-Liebert1 Jun 26, 2025
4383a35
install/composefs: Implement `bootc upgrade`
Johan-Liebert1 Jun 30, 2025
3c7a2e6
cli/composefs: Show staged/rollback deployments
Johan-Liebert1 Jul 1, 2025
ab8cdc9
composefs/install: Write entries as staged
Johan-Liebert1 Jul 2, 2025
6098379
cli/composefs: Implement `bootc switch`
Johan-Liebert1 Jul 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions lib/src/cli.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ use fn_error_context::context;
use indoc::indoc;
use ostree::gio;
use ostree_container::store::PrepareResult;
use ostree_ext::composefs::fsverity;
use ostree_ext::composefs::fsverity::{self, FsVerityHashValue};
use ostree_ext::container as ostree_container;
use ostree_ext::container_utils::ostree_booted;
use ostree_ext::keyfileext::KeyFileExt;
Expand Down Expand Up @@ -1199,7 +1199,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
let fd =
std::fs::File::open(&path).with_context(|| format!("Reading {path}"))?;
let digest: fsverity::Sha256HashValue = fsverity::measure_verity(&fd)?;
let digest = hex::encode(digest);
let digest = digest.to_hex();
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be squashed with the previous commit, and it may make sense to have a "bump composefs-rs" prep PR split out right?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, that makes sense. I'll put this in a separate PR

println!("{digest}");
Ok(())
}
Expand Down
99 changes: 72 additions & 27 deletions lib/src/install.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,12 +38,20 @@ use chrono::prelude::*;
use clap::ValueEnum;
use fn_error_context::context;
use ostree::gio;
use ostree_ext::composefs::{
fsverity::{FsVerityHashValue, Sha256HashValue},
oci::pull as composefs_oci_pull,
repository::Repository as ComposefsRepository,
util::Sha256Digest,
};
use ostree_ext::oci_spec;
use ostree_ext::ostree;
use ostree_ext::ostree_prepareroot::{ComposefsState, Tristate};
use ostree_ext::prelude::Cast;
use ostree_ext::sysroot::SysrootLock;
use ostree_ext::{container as ostree_container, ostree_prepareroot};
use ostree_ext::{
container as ostree_container, container::ImageReference as OstreeExtImgRef, ostree_prepareroot,
};
#[cfg(feature = "install-to-disk")]
use rustix::fs::FileTypeExt;
use rustix::fs::MetadataExt as _;
Expand Down Expand Up @@ -241,6 +249,9 @@ pub(crate) struct InstallToDiskOpts {
#[clap(long)]
#[serde(default)]
pub(crate) via_loopback: bool,

#[clap(long)]
pub(crate) composefs: bool,
}

#[derive(ValueEnum, Debug, Copy, Clone, PartialEq, Eq, Serialize, Deserialize)]
Expand Down Expand Up @@ -363,6 +374,7 @@ pub(crate) struct SourceInfo {
}

// Shared read-only global state
#[derive(Debug)]
pub(crate) struct State {
pub(crate) source: SourceInfo,
/// Force SELinux off in target system
Expand Down Expand Up @@ -1425,10 +1437,32 @@ impl BoundImages {
}
}

async fn initialize_composefs_repository(
state: &State,
root_setup: &RootSetup,
) -> Result<(Sha256Digest, impl FsVerityHashValue)> {
let rootfs_dir = &root_setup.physical_root;

rootfs_dir
.create_dir_all("composefs")
.context("Creating dir 'composefs'")?;

tracing::warn!("STATE: {state:#?}");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd recommend dbg! for this type of stuff; it will build locally but not pass CI so it can't be accidentally merged.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I intend to remove all these logs. They were only for debugging purposes

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep that makes sense, what I meant is that use dbg! locally. (Or use tracing::debug! and keep the tracing in there and just use the tracing selector to ensure you see what you want...we are really chatty with a big env RUST_LOG=debug unfortunately today, mostly in container fetches)


let repo: ComposefsRepository<Sha256HashValue> =
ComposefsRepository::open_path(rootfs_dir, "composefs").expect("failed to open_path");

let OstreeExtImgRef { transport, name } = &state.target_imgref.imgref;

// transport's display is already of type "<transport_type>:"
composefs_oci_pull(&Arc::new(repo), &format!("{transport}{name}",), None).await
}

async fn install_to_filesystem_impl(
state: &State,
rootfs: &mut RootSetup,
cleanup: Cleanup,
composefs: bool,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this would make sense as part of state

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was conflicted on where to put this. Thanks for the review. I'll add this to State

) -> Result<()> {
if matches!(state.selinux_state, SELinuxFinalState::ForceTargetDisabled) {
rootfs.kargs.push("selinux=0".to_string());
Expand Down Expand Up @@ -1457,34 +1491,45 @@ async fn install_to_filesystem_impl(

let bound_images = BoundImages::from_state(state).await?;

// Initialize the ostree sysroot (repo, stateroot, etc.)
if composefs {
// Load a fd for the mounted target physical root
let (id, verity) = initialize_composefs_repository(state, rootfs).await?;

{
let (sysroot, has_ostree, imgstore) = initialize_ostree_root(state, rootfs).await?;

install_with_sysroot(
state,
rootfs,
&sysroot,
&boot_uuid,
bound_images,
has_ostree,
&imgstore,
)
.await?;
tracing::warn!(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment re dbg! or this one could also make sense as a tracing::debug! that gets left in right?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, yes. We can keep this one as debug

"id = {id}, verity = {verity}",
id = hex::encode(id),
verity = verity.to_hex()
);
} else {
// Initialize the ostree sysroot (repo, stateroot, etc.)

{
let (sysroot, has_ostree, imgstore) = initialize_ostree_root(state, rootfs).await?;

install_with_sysroot(
state,
rootfs,
&sysroot,
&boot_uuid,
bound_images,
has_ostree,
&imgstore,
)
.await?;

if matches!(cleanup, Cleanup::TriggerOnNextBoot) {
let sysroot_dir = crate::utils::sysroot_dir(&sysroot)?;
tracing::debug!("Writing {DESTRUCTIVE_CLEANUP}");
sysroot_dir.atomic_write(format!("etc/{}", DESTRUCTIVE_CLEANUP), b"")?;
}
if matches!(cleanup, Cleanup::TriggerOnNextBoot) {
let sysroot_dir = crate::utils::sysroot_dir(&sysroot)?;
tracing::debug!("Writing {DESTRUCTIVE_CLEANUP}");
sysroot_dir.atomic_write(format!("etc/{}", DESTRUCTIVE_CLEANUP), b"")?;
}

// We must drop the sysroot here in order to close any open file
// descriptors.
};
// We must drop the sysroot here in order to close any open file
// descriptors.
};

// Run this on every install as the penultimate step
install_finalize(&rootfs.physical_root_path).await?;
// Run this on every install as the penultimate step
install_finalize(&rootfs.physical_root_path).await?;
}

// Finalize mounted filesystems
if !rootfs.skip_finalize {
Expand Down Expand Up @@ -1547,7 +1592,7 @@ pub(crate) async fn install_to_disk(mut opts: InstallToDiskOpts) -> Result<()> {
(rootfs, loopback_dev)
};

install_to_filesystem_impl(&state, &mut rootfs, Cleanup::Skip).await?;
install_to_filesystem_impl(&state, &mut rootfs, Cleanup::Skip, opts.composefs).await?;

// Drop all data about the root except the bits we need to ensure any file descriptors etc. are closed.
let (root_path, luksdev) = rootfs.into_storage();
Expand Down Expand Up @@ -1933,7 +1978,7 @@ pub(crate) async fn install_to_filesystem(
skip_finalize,
};

install_to_filesystem_impl(&state, &mut rootfs, cleanup).await?;
install_to_filesystem_impl(&state, &mut rootfs, cleanup, false).await?;

// Drop all data about the root except the path to ensure any file descriptors etc. are closed.
drop(rootfs);
Expand Down
4 changes: 2 additions & 2 deletions ostree-ext/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,15 @@ version = "0.15.3"
# Note that we re-export the oci-spec types
# that are exported by this crate, so when bumping
# semver here you must also bump our semver.
containers-image-proxy = "0.7.0"
containers-image-proxy = "0.7.1"
# We re-export this library too.
ostree = { features = ["v2025_1"], version = "0.20.0" }

# Private dependencies
anyhow = { workspace = true }
bootc-utils = { path = "../utils" }
camino = { workspace = true, features = ["serde1"] }
composefs = { git = "https://github.com/containers/composefs-rs", rev = "821eeae93e48f1ee381c49b8cd4d22fda92d27a2" }
composefs = { git = "https://github.com/containers/composefs-rs", rev = "b1bd9c1d253c9b15bbf8e04068ad96edd974ccd0" }
chrono = { workspace = true }
olpc-cjson = "0.1.1"
clap = { workspace = true, features = ["derive","cargo"] }
Expand Down