Release 1.11.0

Resolves: #RHEL-134017
Resolves: #RHEL-130799
Resolves: #RHEL-131317
Signed-off-by: Xiaofeng Wang <xiaofwan@redhat.com>

.gitignore

@@ -46,3 +46,5 @@
 /bootc-1.8.0.tar.zstd
 /bootc-1.10.0.tar.zstd
 /bootc-1.10.0-vendor.tar.zstd
+/bootc-1.11.0.tar.zstd
+/bootc-1.11.0-vendor.tar.zstd

0000-test-soft-reboot-selinux-policy.patch

@@ -0,0 +1,36 @@
+diff --git i/tmt/tests/booted/test-soft-reboot-selinux-policy.nu w/tmt/tests/booted/test-soft-reboot-selinux-policy.nu
+index ca06efea..d5a057e7 100644
+--- i/tmt/tests/booted/test-soft-reboot-selinux-policy.nu
++++ w/tmt/tests/booted/test-soft-reboot-selinux-policy.nu
+@@ -32,11 +32,30 @@ def initial_build [] {
+ 
+     bootc image copy-to-storage
+ 
++    # copy-to-storage does not copy repo file
++    # but OSCI gating test needs repo to install package
++    let os = open /usr/lib/os-release
++        | lines
++        | filter {|l| $l != "" and not ($l | str starts-with "#") }
++        | parse "{key}={value}"
++        | reduce {|it, acc|
++            $acc | upsert $it.key ($it.value | str trim -c '"')
++    }
++    mut repo_copy = ""
++
++    if $os.ID == "rhel" {
++        cp /etc/yum.repos.d/rhel.repo .
++        $repo_copy = "COPY rhel.repo /etc/yum.repos.d/"
++    }
++
+     # Create a derived container that installs a custom SELinux policy module
+     # Installing a policy module will change the compiled policy checksum
+     # Following Colin's suggestion and the composefs-rs example
+     # We create a minimal policy module and install it
+-    "FROM localhost/bootc
++    $"
++FROM localhost/bootc
++($repo_copy)
++
+ # Install tools needed to build and install SELinux policy modules
+ RUN dnf install -y selinux-policy-devel checkpolicy policycoreutils
+ 

Containerfile.packit

@@ -1,53 +0,0 @@
-# Build image for system-reinstall-bootc test
-
-# Use centos-bootc:stream10 as default
-FROM quay.io/centos-bootc/centos-bootc:stream10
-
-WORKDIR /bootc-test
-
-# Save testing farm run files
-COPY ARTIFACTS /var/ARTIFACTS
-# Copy bootc repo
-COPY test-artifacts /var/share/test-artifacts
-
-ARG GATING
-RUN <<EORUN
-set -xeuo pipefail
-. /usr/lib/os-release
-if [[ $ID == "rhel" ]]; then
-    cp rhel.repo /etc/yum.repos.d/
-fi
-# OSCI uses /var/lib/tmt/scripts to save tmt-* commands
-# Fedora CI and Packit use /usr/local/bin
-if [[ -d scripts ]]; then
-    mkdir -p /var/lib/tmt
-    cp -r scripts /var/lib/tmt/
-else
-    cp -r bin /usr/local
-fi
-cp test-artifacts.repo /etc/yum.repos.d/
-dnf -y update bootc
-# Required by tmt avc checking after test
-dnf -y install audit
-./provision-derived.sh
-
-# For test-22-logically-bound-install
-cp -a lbi/usr/. /usr
-for x in curl.container curl-base.image podman.image; do
-    ln -s /usr/share/containers/systemd/$x /usr/lib/bootc/bound-images.d/$x
-done
-
-# Add some testing kargs into our dev builds
-install -D -t /usr/lib/bootc/kargs.d test-kargs/*
-# Also copy in some default install configs we use for testing
-install -D -t /usr/lib/bootc/install/ install-test-configs/*
-
-# Remove bootc repo, bootc updated already
-rm -rf /var/share/test-artifacts /etc/yum.repos.d/test-artifacts.repo
-# Clean up dnf
-dnf -y clean all
-rm -rf /var/cache /var/lib/dnf
-
-# Finally, test our own linting
-# bootc container lint --fatal-warnings
-EORUN

bootc.spec

@@ -1,4 +1,5 @@
 %bcond_without check
+%bcond_with tests
 %if 0%{?rhel} >= 9 || 0%{?fedora} > 41
     %bcond_without ostree_ext
 %else
@@ -21,7 +22,7 @@
 %endif
 
 Name:           bootc
-Version:        1.10.0
+Version:        1.11.0
 Release:        %{autorelease}
 Summary:        Bootable container system
 
@@ -38,6 +39,9 @@ URL:            https://github.com/bootc-dev/bootc
 Source0:        %{url}/releases/download/v%{version}/bootc-%{version}.tar.zstd
 Source1:        %{url}/releases/download/v%{version}/bootc-%{version}-vendor.tar.zstd
 
+# Patch for test-soft-reboot-selinux-policy
+Patch0: 0000-test-soft-reboot-selinux-policy.patch
+
 # https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval
 ExcludeArch:    %{ix86}
 
@@ -84,52 +88,73 @@ Recommends: podman
 %description -n system-reinstall-bootc
 This package provides a utility to simplify reinstalling the current system to a given bootc image.
 
+%if %{with tests}
+%package tests
+Summary: Integration tests for bootc
+Requires: %{name} = %{version}-%{release}
+
+%description tests
+This package contains the integration test suite for bootc.
+%endif
+
 %global system_reinstall_bootc_install_podman_path %{_prefix}/lib/system-reinstall-bootc/install-podman
 
+%if 0%{?container_build}
+# Source is already at /src, no subdirectory
+%global _buildsubdir .
+%endif
+
 %prep
+%if ! 0%{?container_build}
 %autosetup -p1 -a1
 # Default -v vendor config doesn't support non-crates.io deps (i.e. git)
 cp .cargo/vendor-config.toml .
 %cargo_prep -N
 cat vendor-config.toml >> .cargo/config.toml
 rm vendor-config.toml
+%else
+# Container build: source already at _builddir (/src), nothing to extract
+# RPM's %mkbuilddir creates a subdirectory; symlink it back to the source
+cd ..
+rm -rf %{name}-%{version}-build
+ln -s . %{name}-%{version}-build
+cd %{name}-%{version}-build
+%endif
 
 %build
-# Build the main bootc binary
-%if %new_cargo_macros
-    %cargo_build %{?with_rhsm:-f rhsm}
-%else
-    %cargo_build %{?with_rhsm:--features rhsm}
-%endif
-
-# Build the system reinstallation CLI binary
-%global cargo_args -p system-reinstall-bootc
 export SYSTEM_REINSTALL_BOOTC_INSTALL_PODMAN_PATH=%{system_reinstall_bootc_install_podman_path}
-%if %new_cargo_macros
-    # In cargo-rpm-macros, the cargo_build macro does flag processing,
-    # so we need to pass '--' to signify that cargo_args is not part
-    # of the macro args
-    %cargo_build -- %cargo_args
-%else
-    # Older macros from rust-toolset do *not* do flag processing, so
-    # '--' would be passed through to cargo directly, which is not
-    # what we want.
-    %cargo_build %cargo_args
-%endif
-
+# Build this first to avoid feature skew
 make manpages
 
+# Build all binaries
+%if 0%{?container_build}
+# Container build: use cargo directly with cached dependencies to avoid RPM macro overhead
+cargo build -j%{_smp_build_ncpus} --release %{?with_rhsm:--features rhsm} --bins
+%else
+# Non-container build: use RPM macros for proper dependency tracking
+%if %new_cargo_macros
+    %cargo_build %{?with_rhsm:-f rhsm} -- --bins
+%else
+    %cargo_build %{?with_rhsm:--features rhsm} -- --bins
+%endif
+%endif
+
+%if ! 0%{?container_build}
 %cargo_vendor_manifest
 # https://pagure.io/fedora-rust/rust-packaging/issue/33
 sed -i -e '/https:\/\//d' cargo-vendor.txt
 %cargo_license_summary
 %{cargo_license} > LICENSE.dependencies
+%endif
 
 %install
 %make_install INSTALL="install -p -c"
 %if %{with ostree_ext}
 make install-ostree-hooks DESTDIR=%{?buildroot}
 %endif
+%if %{with tests}
+install -D -m 0755 target/release/tests-integration %{buildroot}%{_bindir}/bootc-integration-tests
+%endif
 mkdir -p %{buildroot}/%{dirname:%{system_reinstall_bootc_install_podman_path}}
 cat >%{?buildroot}/%{system_reinstall_bootc_install_podman_path} <<EOF
 #!/bin/bash
@@ -153,12 +178,15 @@ fi
 %files -f bootcdoclist.txt
 %license LICENSE-MIT
 %license LICENSE-APACHE
+%if ! 0%{?container_build}
 %license LICENSE.dependencies
 %license cargo-vendor.txt
+%endif
 %doc README.md
 %{_bindir}/bootc
 %{_prefix}/lib/bootc/
 %{_prefix}/lib/systemd/system-generators/*
+%{_prefix}/lib/dracut/modules.d/51bootc/
 %if %{with ostree_ext}
 %{_prefix}/libexec/libostree/ext/*
 %endif
@@ -169,5 +197,10 @@ fi
 %{_bindir}/system-reinstall-bootc
 %{system_reinstall_bootc_install_podman_path}
 
+%if %{with tests}
+%files tests
+%{_bindir}/bootc-integration-tests
+%endif
+
 %changelog
 %autochangelog

os-image-map.json

@@ -0,0 +1,18 @@
+{
+  "base": {
+    "rhel-10.2": "images.paas.redhat.com/bootc/rhel-bootc:latest-10.2",
+    "rhel-9.8": "images.paas.redhat.com/bootc/rhel-bootc:latest-9.8",
+    "centos-9": "quay.io/centos-bootc/centos-bootc:stream9",
+    "centos-10": "quay.io/centos-bootc/centos-bootc:stream10",
+    "fedora-42": "quay.io/fedora/fedora-bootc:42",
+    "fedora-43": "quay.io/fedora/fedora-bootc:43",
+    "fedora-44": "quay.io/fedora/fedora-bootc:rawhide"
+  },
+  "buildroot-base": {
+    "centos-9": "quay.io/centos/centos:stream9",
+    "centos-10": "quay.io/centos/centos:stream10",
+    "fedora-42": "quay.io/fedora/fedora:42",
+    "fedora-43": "quay.io/fedora/fedora:43",
+    "fedora-44": "quay.io/fedora/fedora:rawhide"
+  }
+}

plans/all.fmf

@@ -5,7 +5,7 @@ discover:
 execute:
   how: tmt
 environment:
-    NIGHTLY_COMPOSE_SITE: download.eng.bos.redhat.com
+    NIGHTLY_COMPOSE_SITE: download.devel.redhat.com
 prepare:
   # Install image mode system on package mode system
   - how: install
@@ -24,8 +24,8 @@ prepare:
     script:
       - pwd && ls -al && ls -al /var/share/test-artifacts && mkdir -p bootc && cp /var/share/test-artifacts/*.src.rpm bootc
       - cd bootc && ls -al && rpm2cpio *.src.rpm | cpio -idmv && rm -f *-vendor.tar.zstd && zstd -d *.tar.zstd && tar -xvf *.tar -C . --strip-components=1 && ls -al
-      # Remove the "cp" line in next release
-      - cp provision-packit.sh bootc/hack && cp Containerfile.packit bootc/hack
+      # Remove the "cp" line in next release, the fix already added in bootc upstream
+      - cp os-image-map.json bootc/hack
       - cd bootc/hack && ./provision-packit.sh
   # tmt-reboot and reboot do not work in this case
   # reboot in ansible is the only way to reboot in tmt prepare
@@ -34,58 +34,67 @@ prepare:
     playbook:
       - https://github.com/bootc-dev/bootc/raw/refs/heads/main/hack/packit-reboot.yml
 
-/readonly-tests:
+/plan-01-readonly:
   summary: Execute booted readonly/nondestructive tests
   discover+:
     how: fmf
     test:
-        - /tmt/tests/test-01-readonly
+      - /tmt/tests/tests/test-01-readonly
+  extra-try_bind_storage: true
 
-/test-20-local-upgrade:
+/plan-20-image-pushpull-upgrade:
   summary: Execute local upgrade tests
   discover+:
     how: fmf
     test:
-        - /tmt/tests/test-20-local-upgrade
+      - /tmt/tests/tests/test-20-image-pushpull-upgrade
 
-/test-21-logically-bound-switch:
+/plan-21-logically-bound-switch:
   summary: Execute logically bound images tests for switching images
   discover+:
     how: fmf
     test:
-        - /tmt/tests/test-21-logically-bound-switch
+      - /tmt/tests/tests/test-21-logically-bound-switch
 
-/test-22-logically-bound-install:
-  summary: Execute logically bound images tests for switching images
+/plan-22-logically-bound-install:
+  summary: Execute logically bound images tests for installing image
   discover+:
     how: fmf
     test:
-        - /tmt/tests/test-22-logically-bound-install
+      - /tmt/tests/tests/test-22-logically-bound-install
 
-/test-23-install-outside-container:
+/plan-23-install-outside-container:
   summary: Execute tests for installing outside of a container
   discover+:
     how: fmf
     test:
-        - /tmt/tests/test-23-install-outside-container
+      - /tmt/tests/tests/test-23-install-outside-container
 
-/test-24-local-upgrade-reboot:
-  summary: Execute local upgrade tests with automated reboot
+/plan-23-usroverlay:
+  summary: Execute tests for bootc usrover
   discover+:
     how: fmf
     test:
-        - /tmt/tests/test-24-local-upgrade-reboot
+      - /tmt/tests/tests/test-23-usroverlay
 
-/test-25-soft-reboot:
-  summary: Soft reboot support
+/plan-24-image-upgrade-reboot:
+  summary: Execute local upgrade tests
   discover+:
     how: fmf
     test:
-        - /tmt/tests/test-25-soft-reboot
+      - /tmt/tests/tests/test-24-image-upgrade-reboot
+  extra-try_bind_storage: true
 
-/test-28-factory-reset:
-  summary: Factory reset
-  discover:
+/plan-25-soft-reboot:
+  summary: Execute soft reboot test
+  discover+:
     how: fmf
     test:
-        - /tmt/tests/test-28-factory-reset
+      - /tmt/tests/tests/test-25-soft-reboot
+
+/plan-29-soft-reboot-selinux-policy:
+  summary: Test soft reboot with SELinux policy changes
+  discover+:
+    how: fmf
+    test:
+      - /tmt/tests/tests/test-29-soft-reboot-selinux-policy

provision-packit.sh

@@ -1,93 +0,0 @@
-#!/bin/bash
-set -exuo pipefail
-
-# Check environment
-printenv
-
-# temp folder to save building files and folders
-BOOTC_TEMPDIR=$(mktemp -d)
-trap 'rm -rf -- "$BOOTC_TEMPDIR"' EXIT
-
-# Copy files and folders in hack to TEMPDIR
-cp -a . "$BOOTC_TEMPDIR"
-
-# Keep testing farm run folder
-cp -r /var/ARTIFACTS "$BOOTC_TEMPDIR"
-
-# Copy bootc repo
-cp -r /var/share/test-artifacts "$BOOTC_TEMPDIR"
-
-ARCH=$(uname -m)
-# Get OS info
-source /etc/os-release
-
-# Some rhts-*, rstrnt-* and tmt-* commands are in /usr/local/bin
-if [[ -d /var/lib/tmt/scripts ]]; then
-    cp -r /var/lib/tmt/scripts "$BOOTC_TEMPDIR"
-    ls -al "${BOOTC_TEMPDIR}/scripts"
-else
-    cp -r /usr/local/bin "$BOOTC_TEMPDIR"
-    ls -al "${BOOTC_TEMPDIR}/bin"
-fi
-
-# Get base image URL
-TEST_OS="${ID}-${VERSION_ID}"
-BASE=$(jq -r --arg v "$TEST_OS" '.[$v]' < os-image-map.json)
-
-if [[ "$ID" == "rhel" ]]; then
-    # OSCI gating only
-    CURRENT_COMPOSE_ID=$(skopeo inspect --no-tags --retry-times=5 --tls-verify=false "docker://${BASE}" | jq -r '.Labels."redhat.compose-id"')
-
-    if [[ -n ${CURRENT_COMPOSE_ID} ]]; then
-        if [[ ${CURRENT_COMPOSE_ID} == *-updates-* ]]; then
-            BATCH_COMPOSE="updates/"
-        else
-            BATCH_COMPOSE=""
-        fi
-    else
-        BATCH_COMPOSE="updates/"
-        CURRENT_COMPOSE_ID=latest-RHEL-$VERSION_ID
-    fi
-
-    # use latest compose if specific compose is not accessible
-    RC=$(curl -skIw '%{http_code}' -o /dev/null "http://${NIGHTLY_COMPOSE_SITE}/rhel-${VERSION_ID%%.*}/nightly/${BATCH_COMPOSE}RHEL-${VERSION_ID%%.*}/${CURRENT_COMPOSE_ID}/STATUS")
-    if [[ $RC != "200" ]]; then
-        CURRENT_COMPOSE_ID=latest-RHEL-${VERSION_ID%%}
-    fi
-
-    # generate rhel repo
-    tee "${BOOTC_TEMPDIR}/rhel.repo" >/dev/null <<REPOEOF
-[rhel-baseos]
-name=baseos
-baseurl=http://${NIGHTLY_COMPOSE_SITE}/rhel-${VERSION_ID%%.*}/nightly/${BATCH_COMPOSE}RHEL-${VERSION_ID%%.*}/${CURRENT_COMPOSE_ID}/compose/BaseOS/${ARCH}/os/
-enabled=1
-gpgcheck=0
-
-[rhel-appstream]
-name=appstream
-baseurl=http://${NIGHTLY_COMPOSE_SITE}/rhel-${VERSION_ID%%.*}/nightly/${BATCH_COMPOSE}RHEL-${VERSION_ID%%.*}/${CURRENT_COMPOSE_ID}/compose/AppStream/${ARCH}/os/
-enabled=1
-gpgcheck=0
-REPOEOF
-    cp "${BOOTC_TEMPDIR}/rhel.repo" /etc/yum.repos.d
-fi
-
-ls -al /etc/yum.repos.d
-cat /etc/yum.repos.d/test-artifacts.repo
-ls -al /var/share/test-artifacts
-
-# copy bootc rpm repo into image building root
-cp /etc/yum.repos.d/test-artifacts.repo "$BOOTC_TEMPDIR"
-
-# Let's check things in hack folder
-ls -al "$BOOTC_TEMPDIR"
-
-# Do not use just because it's only available on Fedora, not on CS and RHEL
-podman build --jobs=4 --from "$BASE" -v "$BOOTC_TEMPDIR":/bootc-test:z -t localhost/bootc-integration -f "${BOOTC_TEMPDIR}/Containerfile.packit" "$BOOTC_TEMPDIR"
-
-# Keep these in sync with what's used in hack/lbi
-podman pull -q --retry 5 --retry-delay 5s quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.access.redhat.com/ubi9/podman:latest
-
-# Run system-reinstall-bootc
-# TODO make it more scriptable instead of expect + send
-./system-reinstall-bootc.exp

sources

@@ -1,2 +1,2 @@
-SHA512 (bootc-1.10.0.tar.zstd) = bf091786d6dd68ceb4741533a95261b3035c65d0d536d3fa5e6eee2b7ebda0b25efbf6aedf651b2cade8bdd93d39490bb2f3fab2f380a9422458e23e9b918051
-SHA512 (bootc-1.10.0-vendor.tar.zstd) = 7e291d34ef83b69d801828b99a9645d98f750c90c563774f601fd4bf84c9236e2f0964dfae2d4c46243f9b1d891d21cd8a8b5418e26a8282a1ca553bb5575aa3
+SHA512 (bootc-1.11.0.tar.zstd) = f3bc4ca8d99abe5154fbccf84694bd5aebdb819d90a83ad119aee7ae4469b2e4f5313e6ce65831c007d88ddabe144bc9757793d16963a9d52ff66912057049f0
+SHA512 (bootc-1.11.0-vendor.tar.zstd) = 2198d4cf9e9e44e30f1f3e998e8d640afa5fa7d2b0904a6d1ea972ff637e2a55e37fbf2b2e18454736208cec6541b98c0bd685bc8fd959346aa2be1b4aaa1729