Bootc switch issues
At the bottom is a wrapper script I use to do podman build and bootc switch. Bug 1 is known, I think: we have to do chcon to solve an SELinux issue. Bug 2 is that if you try to bootc switch to a container with the same name as the current one, it does nothing (even though one may have made an edit to the container image since, etc.). I work around this by getting the sha from podman images -q, but it should be able to recognise it's not the same image as currently booted.
#!/bin/bash

main() {
  set -exu -o pipefail

  # bootc switch and chcon both need root
  if [ "$EUID" -ne 0 ]; then
    echo "Please run as root"
    return 1
  fi

  podman build -t bootc -f Containerfile-bootc

  # Bug 1, selinux issue, need to chcon
  bootc usr-overlay || true
  chcon --reference /usr/bin/rpm-ostree /usr/bin/bootc

  # Bug 2, if you try a bootc switch to a new image with the same name
  # nothing happens, use the sha from "podman images -q" to workaround it
  # (declared separately so "local" does not mask a podman failure under set -e)
  local id
  id="$(podman images -q localhost/bootc)"
  bootc switch --transport containers-storage "$id"
}

main "$@"
Once you've done the switch, you can use bootc upgrade.
bootc upgrade doesn't have a --transport option
Maybe I have a funny workflow, but I kinda like it. I just rebuild a locally maintained Containerfile when I want to update or add more software; it means I can use dnf or any other install technique I want (within reason).
Once you have done a switch, you don't need to re-specify the transport each time for upgrade.
Ah ok interesting, I'll try that
> Bug 1, selinux issue, need to chcon
Are you overriding the bootc binary in the container build somehow? What host version is this? Is it specific to having usroverlay on for you? More info please.
It's this Containerfile specifically:
FROM quay.io/fedora/fedora-kinoite:41
RUN dnf install -y alacritty black clang cmake codespell distrobox dnf4 \
    fedora-workstation-repositories gcc hyperfine keepassxc libcurl-devel \
    make nvtop podman python3-tqdm qemu-kvm the_silver_searcher vim \
    python3-flake8 bats httpd-tools docker
chcon fails without doing bootc usr-overlay first
Can you paste the output of env RUST_LOG=debug bootc upgrade say without the chcon? Also paste the output of ls -Z /usr/bin/ostree.
I'm off now but I'll do it Monday. Just for the record, this is an rpm-ostree Kinoite system converted to bootc via "bootc switch". That's the easiest way to install a Silverblue/Kinoite bare metal machine that I know of: start with an rpm-ostree .iso.
$ ls -Z /usr/bin/ostree
system_u:object_r:install_exec_t:s0 /usr/bin/ostree
env RUST_LOG=debug bootc switch --transport containers-storage e6293f73bcc3
DEBUG argv0=None
DEBUG Re-executing current process for _ostree_unshared
DEBUG argv0=Some("bootc")
DEBUG Already in a mount namespace
DEBUG Current security context is unconfined_u:system_r:install_t:s0-s0:c0.c1023
DEBUG We have install_t
DEBUG Staged: Some(Deployment { inner: TypedObjectRef { inner: 0x55b63cceb780, type: OstreeDeployment } })
DEBUG Rollback queued=false
DEBUG Wrote merge commit ccb98fdf847f7acd18ff9cb64ab8850bc0d1f6de576e743c8cd0fc73b9a48dff
DEBUG Wrote merge commit ab33953e0719791455f9a51fce1c8df2d1a572d55374b5469af7380cc08318cd
DEBUG Wrote merge commit 51f23f8b3bbe5aa316bfda603015706f3a2c0580fe63854927522c112950722e
Image specification is unchanged.
DEBUG Current security context is unconfined_u:system_r:install_t:s0-s0:c0.c1023
That looks like the working version, right? I am looking for logs from the failing scenario.
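An added example, not code from the thread or from the bootc project: a small helper that reads `ls -Z` output and reports which binaries carry a different SELinux type than a reference binary, so the label difference can be captured before `chcon --reference` overwrites it. The function names are hypothetical, and the sample is constructed: the `ostree` line is the value posted above, while the `rpm-ostree` and `bootc` lines are assumed for illustration.

```shell
#!/bin/sh
# Constructed sample in `ls -Z` format ("<context> <path>").
# Only the ostree line comes from the thread; the bootc line is a
# hypothetical mislabel used to exercise the check.
SAMPLE='system_u:object_r:install_exec_t:s0 /usr/bin/ostree
system_u:object_r:install_exec_t:s0 /usr/bin/rpm-ostree
system_u:object_r:bin_t:s0 /usr/bin/bootc'

# Print the type (third colon-separated field) of an SELinux context,
# e.g. user:role:type:level -> type.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_mismatches REFERENCE_PATH
# Reads `ls -Z` lines on stdin and prints "<path> <type>" for every path
# whose type differs from the reference path's type.
# Returns 2 if the reference path is not present in the input.
label_mismatches() {
    lm_ref=$1
    lm_input=$(cat)
    lm_ref_ctx=$(printf '%s\n' "$lm_input" |
        awk -v p="$lm_ref" '$2 == p { print $1; exit }')
    [ -n "$lm_ref_ctx" ] || return 2
    lm_ref_type=$(selinux_type "$lm_ref_ctx")

    printf '%s\n' "$lm_input" | while read -r lm_ctx lm_path; do
        [ -n "$lm_path" ] || continue
        lm_type=$(selinux_type "$lm_ctx")
        [ "$lm_type" = "$lm_ref_type" ] || printf '%s %s\n' "$lm_path" "$lm_type"
    done
}

# On a live host the input would come from ls itself, for example:
#   ls -Z /usr/bin/rpm-ostree /usr/bin/ostree /usr/bin/bootc \
#       | label_mismatches /usr/bin/rpm-ostree
```

Running it before and after `bootc usr-overlay` and `chcon` gives a before/after record of the labels to attach to a report.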