Support rootless bootc-image-builder#445
Merged
achilleas-k merged 2 commits intoosbuild:mainfrom Jan 29, 2026
Merged
Conversation
alexlarsson
requested review from
croissanne,
supakeen and
thozza
and removed request for
a team
Contributor
Author
|
Hmm, seems the /dev/loop workaround didn't work that way. I'll try hanging it off in-vm instead. |
maboras-rh
reviewed
Jan 28, 2026
| // Validate checks that the environment is supported (e.g. caller set up the | ||
| // container correctly) | ||
| func Validate(targetArch string) error { | ||
| func Validate(targetArch string, inVm bool) error { |
There was a problem hiding this comment.
I noticed a missing unit-test in setup_test.go. Since the Validate method declaration has changed. I think the tests should be updated to cover this change.
Contributor
Author
There was a problem hiding this comment.
There is no current test for this, but I can look at adding one.
Contributor
Author
There was a problem hiding this comment.
It may be a bit tricky though, as it relies on checking global properties of the current sandbox.
Contributor
Author
There was a problem hiding this comment.
I'm looking at this, and it doesn't really seem useful/possible to unit test this in a reasonable way. Some individual functions it uses are tested , like validateCanRunTargetArch is tested by TestValidateCanRunTargetArch*, but the remaining parts need to have a complete container image built to test.
If we're running in a virtual machine, there is no need to mount /dev in the container (it will be mounted in the vm). This is important because in a rootless container we're not allowed to mount devtmpfs.
If in vm, we don't need --privileged. Also, we can also support rootless containers.
alexlarsson
added a commit
to osbuild/bootc-image-builder
that referenced
this pull request
Jan 29, 2026
This updates to the latest image-builder-cli, adding support for rootless container use (osbuild/image-builder-cli#445). It also updates the use of related APIs to pass runInVm options where needed. With this, I was able to run a rootless bc-i-b conversion. There is one problem, which is that if you mount ~/.local/share/containers/storage on the host to /var/lib/containers/storage in the contained, podman will complain with: Error: database static dir "~/.local/share/containers/storage/libpod" does not match our static dir "/var/lib/containers/storage/libpod": database configuration mismatch Additionally, if you pass the host "/var/lib/containers/storage" into the rootless container you will get read permission errors. There are two workarounds for this. Either you can use e.g. skopeo to copy the bootc container to a separate (non-root) container storage directory and mount that, or you can cover the "db.sql" file in the storage directory to make podman not print the error. Neither of these are super clean, and we should try to figure out a better solution, but for now I was at least able to run a complete image build using: ``` $ touch /tmp/foo $ podman run --rm --security-opt label=type:unconfined_t -ti --privileged \ --network=none -v $PWD/output:/output \ -v ~/.local/share/containers/storage:/var/lib/containers/storage \ -v /tmp/foo:/var/lib/containers/storage/db.sql \ localhost/bootc-image-builder --in-vm \ --rootfs ext4 --type raw \ quay.io/fedora/fedora-bootc:43 ```
alexlarsson
added a commit
to osbuild/bootc-image-builder
that referenced
this pull request
Jan 29, 2026
This updates to the latest image-builder-cli, adding support for rootless container use (osbuild/image-builder-cli#445). It also updates the use of related APIs to pass runInVm options where needed. With this, I was able to run a rootless bc-i-b conversion. There is one problem, which is that if you mount ~/.local/share/containers/storage on the host to /var/lib/containers/storage in the contained, podman will complain with: Error: database static dir "~/.local/share/containers/storage/libpod" does not match our static dir "/var/lib/containers/storage/libpod": database configuration mismatch Additionally, if you pass the host "/var/lib/containers/storage" into the rootless container you will get read permission errors. There are two workarounds for this. Either you can use e.g. skopeo to copy the bootc container to a separate (non-root) container storage directory and mount that, or you can cover the "db.sql" file in the storage directory to make podman not print the error. Neither of these are super clean, and we should try to figure out a better solution, but for now I was at least able to run a complete image build using: ``` $ touch /tmp/foo $ podman run --rm --security-opt label=type:unconfined_t -ti --privileged \ --network=none -v $PWD/output:/output \ -v ~/.local/share/containers/storage:/var/lib/containers/storage \ -v /tmp/foo:/var/lib/containers/storage/db.sql \ localhost/bootc-image-builder --in-vm \ --rootfs ext4 --type raw \ quay.io/fedora/fedora-bootc:43 ```
alexlarsson
added a commit
to osbuild/bootc-image-builder
that referenced
this pull request
Feb 2, 2026
This updates to the latest image-builder-cli, adding support for rootless container use (osbuild/image-builder-cli#445). It also updates the use of related APIs to pass runInVm options where needed. With this, I was able to run a rootless bc-i-b conversion. There is one problem, which is that if you mount `~/.local/share/containers/storage` on the host to `/var/lib/containers/storage` in the container, podman will complain with: ``` Error: database static dir "~/.local/share/containers/storage/libpod" does not match our static dir "/var/lib/containers/storage/libpod": database configuration mismatch ``` Additionally, if you pass the host `/var/lib/containers/storage` into the rootless container you will get read permission errors. There are two workarounds for this. Either you can use e.g. skopeo to copy the bootc container to a separate (non-root) container storage directory and mount that, or you can cover the `db.sql` file in the storage directory to make podman not print the error. Neither of these are super clean, and we should try to figure out a better solution, but for now I was at least able to run a complete image build using the "cover db" apprach like this: ``` $ touch /tmp/foo $ podman run --rm --security-opt label=type:unconfined_t -ti --privileged \ --network=none -v $PWD/output:/output \ -v ~/.local/share/containers/storage:/var/lib/containers/storage \ -v /tmp/foo:/var/lib/containers/storage/db.sql \ localhost/bootc-image-builder --in-vm \ --rootfs ext4 --type raw \ quay.io/fedora/fedora-bootc:43 ```
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This MR + a bootc-image-builder with this change:
And a localhost/bootc-image-builder container built with osbuild 171 allows us to run a rootless podman container with b-c-i-b:
Its unfortunate that we have to mount over the db.sql, but if we don't, then we get this error:
I don't know how to avoid this. I tried exposing the user container store using additional image stores, but I ran into tons of issues with bc-i-b and osbuild hardcoding /var/lib/containers/storage, which means the additional image store is ignored. Maybe we can fix those, or maybe we can change podman to avoid this error. Or maybe we can do the workaround in the bootc-i-b setup code.