tests: Add sealed composefs case for upgrades

cgwalters · cgwalters · commit 0cfbed769d98 · 2026-03-23T13:31:45.000Z
The goal is ensuring we have upgrade coverage also for sealed UKIs;
most of the other update code paths (because tmt doesn't make it easy
to have a registry) do on-machine synthetic updates.

Assisted-by: OpenCode (claude-opus-4)
Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/Justfile b/Justfile
@@ -141,7 +141,7 @@ test-composefs bootloader filesystem boot_type seal_state *ARGS:
                 --seal-state={{seal_state}} \
                 --boot-type={{boot_type}} \
                 {{ARGS}} \
-                $(if [ "{{boot_type}}" = "uki" ]; then echo "readonly composefs-upgrade"; else echo "integration"; fi)
+                $(if [ "{{boot_type}}" = "uki" ]; then echo "readonly image-upgrade-reboot"; else echo "integration"; fi)
 
 # Run upgrade test: boot VM from published base image (with tmt deps added),
 # upgrade to locally-built image, reboot, then run readonly tests to verify.
diff --git a/tmt/tests/booted/test-image-upgrade-reboot.nu b/tmt/tests/booted/test-image-upgrade-reboot.nu
@@ -11,6 +11,10 @@
 # bootc switch <into that image> --apply
 # Verify we boot into the new image
 #
+# For composefs builds, it additionally verifies that composefs is
+# still active after upgrade.  For sealed UKI builds, it checks that
+# both the original and upgrade UKIs exist on the ESP.
+#
 use std assert
 use tap.nu
 
@@ -21,6 +25,7 @@ journalctl --list-boots
 
 let st = bootc status --json | from json
 let booted = $st.status.booted.image
+let is_composefs = (tap is_composefs)
 
 # Parse the kernel commandline into a list.
 # This is not a proper parser, but good enough
@@ -50,6 +55,12 @@ RUN touch /usr/share/testing-bootc-upgrade-apply
         podman build -t $imgsrc .
     }
 
+    # For composefs, save state so we can verify it's preserved after upgrade.
+    if $is_composefs {
+        "true" | save /var/was-composefs
+        $st.status.booted.composefs.verity | save /var/original-verity
+    }
+
     # Now, switch into the new image
     print $"Applying ($imgsrc)"
     bootc switch --transport containers-storage ($imgsrc)
@@ -63,7 +74,47 @@ def second_boot [] {
     assert equal $booted.image.image $"(imgsrc)"
 
     # Verify the new file exists
-    "/usr/share/testing-bootc-upgrade-apply" | path exists
+    assert ("/usr/share/testing-bootc-upgrade-apply" | path exists) "upgrade marker file should exist"
+
+    # If the previous boot was composefs, verify composefs survived the upgrade
+    let was_composefs = ("/var/was-composefs" | path exists)
+    if $was_composefs {
+        assert $is_composefs "composefs should still be active after upgrade"
+
+        let composefs_info = $st.status.booted.composefs
+        print $"composefs info: ($composefs_info)"
+
+        assert (($composefs_info.verity | str length) > 0) "composefs verity digest should be present"
+
+        # For UKI boot type, verify both the original and upgrade UKIs exist on the ESP
+        if ($composefs_info.bootType | str downcase) == "uki" {
+            let bootloader = ($composefs_info.bootloader | str downcase)
+
+            let boot_dir = if $bootloader == "systemd" {
+                mkdir /var/tmp/efi
+                mount /dev/disk/by-partlabel/EFI-SYSTEM /var/tmp/efi
+                "/var/tmp/efi/EFI/Linux/bootc"
+            } else {
+                "/sysroot/boot/EFI/Linux/bootc"
+            }
+
+            let original_verity = (open /var/original-verity | str trim)
+            let upgrade_verity = $composefs_info.verity
+
+            print $"boot_dir: ($boot_dir)"
+            print $"original verity: ($original_verity)"
+            print $"upgrade verity: ($upgrade_verity)"
+
+            # The two verities must differ since the upgrade image has different content
+            assert ($original_verity != $upgrade_verity) "upgrade should produce a different verity digest"
+
+            # There should be two .efi UKI files on the ESP: one for the booted
+            # deployment (upgrade) and one for the rollback (original)
+            let efi_files = (glob $"($boot_dir)/*.efi")
+            print $"EFI files: ($efi_files)"
+            assert (($efi_files | length) >= 2) $"expected at least 2 UKIs on ESP, found ($efi_files | length)"
+        }
+    }
 
     tap ok
 }
