bootc-dev · cgwalters · Nov 19, 2025 · Nov 16, 2025 · Nov 16, 2025 · Nov 16, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -8,6 +8,9 @@
 # Toplevel build bits
 !Makefile
 !Cargo.*
+# License and doc files needed for RPM
+!LICENSE-*
+!README.md
 # We do build manpages from markdown
 !docs/
 # We use the spec file

diff --git a/Dockerfile b/Dockerfile
@@ -10,50 +10,37 @@ ARG base=quay.io/centos-bootc/centos-bootc:stream10
 FROM scratch as src
 COPY . /src
 
+# And this image only captures contrib/packaging separately
+# to ensure we have more precise cache hits.
+FROM scratch as packaging
+COPY contrib/packaging /
+
 FROM $base as base
-# We could inject other content here
+# Mark this as a test image (moved from --label build flag to fix layer caching)
+LABEL bootc.testimage="1"
 
 # This image installs build deps, pulls in our source code, and installs updated
 # bootc binaries in /out. The intention is that the target rootfs is extracted from /out
 # back into a final stage (without the build deps etc) below.
-FROM base as build
+FROM base as buildroot
 # Flip this off to disable initramfs code
 ARG initramfs=1
-# This installs our package dependencies, and we want to cache it independently of the rest.
-# Basically we don't want changing a .rs file to blow out the cache of packages. So we only
-# copy files necessary
-COPY contrib/packaging /tmp/packaging
-RUN <<EORUN
-set -xeuo pipefail
-. /usr/lib/os-release
-case $ID in
-  centos|rhel) dnf config-manager --set-enabled crb;;
-  fedora) dnf -y install dnf-utils 'dnf5-command(builddep)';;
-esac
-# Handle version skew, xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
-dnf -y distro-sync ostree{,-libs} systemd
-# Install base build requirements
-dnf -y builddep /tmp/packaging/bootc.spec
-# And extra packages
-grep -Ev -e '^#' /tmp/packaging/fedora-extra.txt | xargs dnf -y install
-rm /tmp/packaging -rf
-EORUN
+# Version for RPM build (optional, computed from git in Justfile)
+ARG pkgversion=
+# This installs our buildroot, and we want to cache it independently of the rest.
+# Basically we don't want changing a .rs file to blow out the cache of packages.
+RUN --mount=type=bind,from=packaging,target=/run/packaging /run/packaging/install-buildroot
 # Now copy the rest of the source
 COPY --from=src /src /src
 WORKDIR /src
 # See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
 # We aren't using the full recommendations there, just the simple bits.
 # First we download all of our Rust dependencies
 RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
-# Then on general principle all the stuff from the Makefile runs with no network
-RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none <<EORUN
-set -xeuo pipefail
-make
-make install-all DESTDIR=/out
-if test "${initramfs:-}" = 1; then
-  make install-initramfs-dracut DESTDIR=/out
-fi
-EORUN
+
+FROM buildroot as build
+# Build RPM directly from source, using cached target directory
+RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none RPM_VERSION=${pkgversion} /src/contrib/packaging/build-rpm
 
 # This "build" includes our unit tests
 FROM build as units
@@ -70,76 +57,14 @@ RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothom
 FROM base
 # See the Justfile for possible variants
 ARG variant
-RUN <<EORUN
-set -xeuo pipefail
-case "${variant}" in
-  *-sdboot)
-    dnf -y install systemd-boot-unsigned
-    # And uninstall bootupd
-    rpm -e bootupd
-    rm /usr/lib/bootupd/updates -rf
-    dnf clean all
-    rm -rf /var/cache /var/lib/{dnf,rhsm} /var/log/*
-  ;;
-esac
-EORUN
+RUN --mount=type=bind,from=packaging,target=/run/packaging /run/packaging/configure-variant "${variant}"
 # Support overriding the rootfs at build time conveniently
 ARG rootfs=
-RUN <<EORUN
-set -xeuo pipefail
-# Do we have an explicit build-time override? Then write it.
-if test -n "$rootfs"; then
-  cat > /usr/lib/bootc/install/80-rootfs-override.toml <<EOF
-[install.filesystem.root]
-type = "$rootfs"
-EOF
-else
-  # Query the default rootfs
-  base_rootfs=$(bootc install print-configuration | jq -r '.filesystem.root.type // ""')
-  # No filesystem override set. If we're doing composefs, we need a FS that
-  # supports fsverity. If btrfs is available we'll pick that, otherwise ext4.
-  fs=
-  case "${variant}" in
-    composefs*)
-      btrfs=$(grep -qEe '^CONFIG_BTRFS_FS' /usr/lib/modules/*/config && echo btrfs || true)
-      fs=${btrfs:-ext4}
-      ;;
-    *)
-      # No explicit filesystem set and we're not using composefs. Default to xfs
-      # with the rationale that we're trying to get filesystem coverage across
-      # all the cases in general.
-      if test -z "${base_rootfs}"; then
-        fs=xfs
-      fi 
-      ;;
-  esac
-  if test -n "$fs"; then
-    cat > /usr/lib/bootc/install/80-ext4-composefs.toml <<EOF
-[install.filesystem.root]
-type = "${fs}"
-EOF
-  fi
-fi
-
-# Ensure we've flushed out prior state (i.e. files no longer shipped from the old version);
-# and yes, we may need to go to building an RPM in this Dockerfile by default.
-(set +x; rpm -ql bootc | while read line; do if test -f $line; then rm -v $line; fi; done)
-EORUN
-# Create a layer that is our new binaries
-COPY --from=build /out/ /
-# We have code in the initramfs so we always need to regenerate it
-RUN --network=none <<EORUN
-set -xeuo pipefail
-if test -x /usr/lib/bootc/initramfs-setup; then
-   kver=$(cd /usr/lib/modules && echo *);
-   env DRACUT_NO_XATTR=1 dracut -vf /usr/lib/modules/$kver/initramfs.img $kver
-fi
-# Only in this containerfile, inject a file which signifies
-# this comes from this development image. This can be used in
-# tests to know we're doing upstream CI.
-touch /usr/lib/.bootc-dev-stamp
-# And test our own linting
-## Workaround for https://github.com/bootc-dev/bootc/issues/1546
-rm -rf /root/buildinfo
-bootc container lint --fatal-warnings
-EORUN
+RUN --mount=type=bind,from=packaging,target=/run/packaging /run/packaging/configure-rootfs "${variant}" "${rootfs}"
+# Install the RPM built in the build stage
+# This replaces the manual file deletion hack and COPY, ensuring proper package management
+# Use rpm -Uvh with --oldpackage to allow replacing with dev version
+COPY --from=build /out/*.rpm /tmp/
+RUN --mount=type=bind,from=packaging,target=/run/packaging --network=none /run/packaging/install-rpm-and-setup /tmp
+# Finally, testour own linting
+RUN bootc container lint --fatal-warnings
diff --git a/Justfile b/Justfile
@@ -17,7 +17,16 @@ variant := env("BOOTC_variant", "ostree")
 base := env("BOOTC_base", "quay.io/centos-bootc/centos-bootc:stream10")
 
 testimage_label := "bootc.testimage=1"
-base_buildargs := "--jobs 4 --label=" + testimage_label
+# We used to have --jobs=4 here but sometimes that'd hit this
+# ```
+#   [2/3] STEP 2/2: RUN --mount=type=bind,from=context,target=/run/context <<EORUN (set -xeuo pipefail...)
+#   --> Using cache b068d42ac7491067cf5fafcaaf2f09d348e32bb752a22c85bbb87f266409554d
+#   --> b068d42ac749
+#   + cd /run/context/
+#   /bin/sh: line 3: cd: /run/context/: Permission denied
+# ```
+# TODO: Gather more info and file a buildah bug
+base_buildargs := ""
 buildargs := "--build-arg=base=" + base + " --build-arg=variant=" + variant
 
 # Build the container image from current sources.
@@ -27,9 +36,33 @@ build:
     podman build {{base_buildargs}} -t localhost/bootc-bin {{buildargs}} .
     ./tests/build-sealed {{variant}} localhost/bootc-bin localhost/bootc
 
+# Build packages (e.g. RPM) using a container buildroot
+_packagecontainer:
+    #!/bin/bash
+    set -xeuo pipefail
+    # Compute version from git (matching xtask.rs gitrev logic)
+    if VERSION=$(git describe --tags --exact-match 2>/dev/null); then
+        VERSION="${VERSION#v}"
+        VERSION="${VERSION//-/.}"
+    else
+        COMMIT=$(git rev-parse HEAD | cut -c1-10)
+        COMMIT_TS=$(git show -s --format=%ct)
+        TIMESTAMP=$(date -u -d @${COMMIT_TS} +%Y%m%d%H%M)
+        VERSION="${TIMESTAMP}.g${COMMIT}"
+    fi
+    echo "Building RPM with version: ${VERSION}"
+    podman build {{base_buildargs}} {{buildargs}} --build-arg=pkgversion=${VERSION} -t localhost/bootc-pkg --target=build .
+
+# Build a packages (e.g. RPM) into target/
+# Any old packages will be removed.
+package: _packagecontainer
+    mkdir -p target
+    rm -vf target/*.rpm
+    podman run --rm localhost/bootc-pkg tar -C /out/ -cf - . | tar -C target/ -xvf -
+
 # This container image has additional testing content and utilities
 build-integration-test-image: build
-    cd hack && podman build {{base_buildargs}} -t localhost/bootc-integration-bin {{buildargs}} -f Containerfile .
+    cd hack && podman build {{base_buildargs}} -t localhost/bootc-integration-bin -f Containerfile .
     ./tests/build-sealed {{variant}} localhost/bootc-integration-bin localhost/bootc-integration
     # Keep these in sync with what's used in hack/lbi
     podman pull -q --retry 5 --retry-delay 5s quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.access.redhat.com/ubi9/podman:latest

diff --git a/Makefile b/Makefile
@@ -25,10 +25,6 @@
 
 prefix ?= /usr
 
-SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)
-# https://reproducible-builds.org/docs/archives/
-TAR_REPRODUCIBLE = tar --mtime="@${SOURCE_DATE_EPOCH}" --sort=name --owner=0 --group=0 --numeric-owner --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime
-
 # Enable rhsm if we detect the build environment is RHEL-like.
 # We may in the future also want to include Fedora+derivatives as
 # the code is really tiny.
@@ -71,6 +67,9 @@ install:
 	if [ "$$ID" = "fedora" ] || [[ "$$ID_LIKE" == *"fedora"* ]]; then \
 	install -D -m 0755 -t $(DESTDIR)/$(prefix)/lib/bootc contrib/scripts/fedora-bootc-destructive-cleanup; \
 	fi
+	install -D -m 0644 -t $(DESTDIR)/usr/lib/systemd/system crates/initramfs/*.service
+	install -D -m 0755 target/release/bootc-initramfs-setup $(DESTDIR)/usr/lib/bootc/initramfs-setup
+	install -D -m 0755 -t $(DESTDIR)/usr/lib/dracut/modules.d/51bootc crates/initramfs/dracut/module-setup.sh
 
 # Run this to also take over the functionality of `ostree container` for example.
 # Only needed for OS/distros that have callers invoking `ostree container` and not bootc.
@@ -80,23 +79,10 @@ install-ostree-hooks:
 	  ln -sf ../../../bin/bootc $(DESTDIR)$(prefix)/libexec/libostree/ext/$$x; \
 	done
 
-# Install code in the initramfs, off by default except in builds from git main right now
-# Also the systemd unit hardcodes /usr so we give up the farce of supporting $(prefix)
-install-initramfs:
-	install -D -m 0644 -t $(DESTDIR)/usr/lib/systemd/system crates/initramfs/*.service
-	install -D -m 0755 target/release/bootc-initramfs-setup $(DESTDIR)/usr/lib/bootc/initramfs-setup
-
-# Install initramfs files, including dracut module
-install-initramfs-dracut: install-initramfs
-	install -D -m 0755 -t $(DESTDIR)/usr/lib/dracut/modules.d/51bootc crates/initramfs/dracut/module-setup.sh
-
 # Install the main binary, the ostree hooks, and the integration test suite.
 install-all: install install-ostree-hooks
 	install -D -m 0755 target/release/tests-integration $(DESTDIR)$(prefix)/bin/bootc-integration-tests
 
-bin-archive: all
-	$(MAKE) install DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf
-
 build-unit-tests:
 	cargo t --no-run
 

diff --git a/baseimage/dracut/usr/lib/dracut.conf.d/10-bootc-base.conf b/baseimage/dracut/usr/lib/dracut.conf.d/10-bootc-base.conf
@@ -3,5 +3,5 @@
 # (really hostonly=no should be the default if dracut detects that
 #  it's in a container or so)
 hostonly=no
-# We require ostree in the initramfs
-add_dracutmodules+=" ostree "
+# We require ostree and our own module in the initramfs
+add_dracutmodules+=" ostree bootc "
diff --git a/ci/Dockerfile.fcos b/ci/Dockerfile.fcos