dockerfile/uki: Rework to remove kernel + initrd

Now that we can pass kernel and initrd paths to `bootc ukify`, rework
our UKI Dockerfile to remove kernel + initrd from the final layer
and only keep the UKI

This still will not *remove* the kernel + initrd from the tarball but
have whiteout instead

See #2027 (comment)

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Author: Johan-Liebert1

Dockerfile

@@ -83,7 +83,7 @@ RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     # Install systemd-ukify and systemd-boot for UKIs
     # This also installs systemd-boot for the grub UKI case which is not ideal...
     if [[ "${boot_type}" == "uki" ]]; then
-        pkgs_to_install+=(systemd-ukify)
+        pkgs_to_install+=(systemd-ukify binutils)
     fi
 
     if [[ ${#pkgs_to_install[@]} -gt 0 ]]; then
@@ -135,7 +135,12 @@ ARG pkgversion
 ARG SOURCE_DATE_EPOCH
 ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
 # Build RPM directly from source, using cached target directory
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
+RUN --network=none \
+    --mount=type=tmpfs,target=/run \
+    --mount=type=tmpfs,target=/tmp \
+    --mount=type=cache,target=/src/target \
+    --mount=type=cache,target=/var/roothome \
+    RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
 
 # Build a systemd-sysext containing just the bootc binary.
 # Skips RPM machinery entirely for fast incremental rebuilds.
@@ -218,7 +223,7 @@ COPY --from=update-generated-from-code /src/docs/src/*.schema.json /docs/src/
 # ----
 
 # Perform all filesystem transformations except generating the sealed UKI (if configured)
-FROM base as base-penultimate
+FROM base as base-penultimate-source
 ARG variant
 ARG bootloader
 ARG boot_type
@@ -234,6 +239,7 @@ if [[ "${bootloader}" == "systemd" ]]; then
 fi
 
 if [[ "${boot_type}" == "uki" ]]; then
+    bootc container inspect --rootfs / --json | jq -r '.kernel.version' > /var/kernel_ver
     cp /run/packaging/seal-uki /usr/bin/seal-uki
     cp /run/packaging/finalize-uki /usr/bin/finalize-uki
     cp /run/packaging/initialize-sealing-tools /usr/bin/initialize-sealing-tools
@@ -246,6 +252,10 @@ rm -rf /var/cache
 rm -rf /run/rhsm
 
 EORUN
+
+FROM base-penultimate-source as base-penultimate
+ARG boot_type
+
 # Configure the rootfs
 ARG rootfs=""
 RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
@@ -260,9 +270,19 @@ RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp
 COPY --from=packaging /usr-extras/ /usr/
 # Clean up package manager caches
 RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
-    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    --mount=type=bind,from=base-penultimate-source,src=/,target=/run/base-penultimate-src \
+    --mount=type=bind,from=packaging,src=/,target=/run/packaging <<EORUN
     /run/packaging/cleanup
 
+    # Remove kernel + initrd if UKI
+    if [[ "${boot_type}" == "uki" ]]; then
+        kver=$(cat /run/base-penultimate-src/var/kernel_ver)
+
+        rm -v "/usr/lib/modules/$kver/vmlinuz"
+        rm -v "/usr/lib/modules/$kver/initramfs.img"
+    fi
+EORUN
+
 # Generate the sealed UKI in a separate stage
 # This computes the composefs digest from base-penultimate and creates a signed UKI
 # We need our newly-built bootc for the compute-composefs-digest command
@@ -278,18 +298,29 @@ RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp
 RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=secret,id=secureboot_key \
     --mount=type=secret,id=secureboot_cert \
+    --mount=type=bind,from=base-penultimate-source,src=/,target=/run/base-penultimate-src \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     --mount=type=bind,from=base-penultimate,src=/,target=/run/target <<EORUN
 set -xeuo pipefail
 
-allow_missing_verity=false
+allow_missing_verity=()
 
 if [[ $filesystem == "xfs" ]]; then
-    allow_missing_verity=true
+    allow_missing_verity=(--allow-missing-verity)
 fi
 
 if test "${boot_type}" = "uki"; then
-  /run/packaging/seal-uki /run/target /out /run/secrets $allow_missing_verity $seal_state
+  kver=$(cat "/run/base-penultimate-src/var/kernel_ver")
+
+  /run/packaging/seal-uki \
+      --target /run/target \
+      --output /out \
+      --secrets /run/secrets \
+      "${allow_missing_verity[@]}" \
+      --kernel "/run/base-penultimate-src/usr/lib/modules/$kver/vmlinuz" \
+      --kver "$kver" \
+      --initramfs "/run/base-penultimate-src/usr/lib/modules/$kver/initramfs.img" \
+      --seal-state $seal_state
 fi
 EORUN
 
@@ -299,11 +330,13 @@ ARG variant
 ARG boot_type
 # Copy the sealed UKI and finalize the image (remove raw kernel, create symlinks)
 RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=bind,from=base-penultimate-source,src=/,target=/run/base-penultimate-src \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     --mount=type=bind,from=sealed-uki,src=/,target=/run/sealed-uki <<EORUN
 set -xeuo pipefail
 if test "${boot_type}" = "uki"; then
-  /run/packaging/finalize-uki /run/sealed-uki/out
+  kver=$(cat "/run/base-penultimate-src/var/kernel_ver")
+  /run/packaging/finalize-uki /run/sealed-uki/out "$kver"
 fi
 EORUN
 # And finally, test our linting

contrib/packaging/finalize-uki

@@ -20,13 +20,8 @@ set -xeuo pipefail
 # Path to directory containing the generated UKI
 uki_src=$1
 shift
-
-# Find the kernel version from the current system
-kver=$(bootc container inspect --json | jq -r '.kernel.version')
-if [ -z "$kver" ] || [ "$kver" = "null" ]; then
-  echo "Error: No kernel found" >&2
-  exit 1
-fi
+kver=$1
+shift
 
 # Create the EFI directory structure
 mkdir -p /boot/EFI/Linux
@@ -36,12 +31,6 @@ mkdir -p /boot/EFI/Linux
 target=/boot/EFI/Linux/${kver}.efi
 cp "${uki_src}/${kver}.efi" "${target}"
 
-# Remove the raw kernel and initramfs since we're using a UKI now.
-# NOTE: We intentionally keep these for now until bcvk is updated to extract
-# kernel/initramfs from UKIs in subdirectories. Once bcvk PR #144 is fixed
-# to look for .efi files in /usr/lib/modules/<kver>/, we can uncomment this.
-# rm -v "/usr/lib/modules/${kver}/vmlinuz" "/usr/lib/modules/${kver}/initramfs.img"
-
 # NOTE: We used to create a symlink from /usr/lib/modules/${kver}/${kver}.efi to the UKI
 # for tooling compatibility. However, composefs-boot's find_uki_components() doesn't
 # handle symlinks correctly and fails with "is not a regular file". The UKI is already

contrib/packaging/seal-uki

@@ -2,32 +2,82 @@
 # Generate a sealed UKI with embedded composefs digest
 set -xeuo pipefail
 
-# Path to the desired root filesystem
-target=$1
-shift
-# Write to this directory
-output=$1
-shift
-# Path to secrets directory
-secrets=$1
-shift
-allow_missing_verity=$1
-shift
-seal_state=$1
-shift
-
-if [[ $seal_state == "sealed" && $allow_missing_verity == "true" ]]; then
+missing_verity=()
+
+while [ ! -z "${1:-}" ]; do
+    case "$1" in
+        # Path to the desired root filesystem
+        "--target")
+            target="$2"
+            shift
+            shift
+        ;;
+
+        # Write to this directory
+        "--output")
+            output="$2"
+            shift
+            shift
+        ;;
+
+        # Path to secrets directory
+        "--secrets")
+            secrets="$2"
+            shift
+            shift
+        ;;
+
+        "--allow-missing-verity")
+            missing_verity=(--allow-missing-verity)
+            shift
+        ;;
+
+        "--seal-state")
+            seal_state="$2"
+            shift
+            shift
+        ;;
+
+        # The kernel version
+        "--kver")
+            kver="$2"
+            shift
+            shift
+        ;;
+
+        # Path to the kernel
+        "--kernel")
+            kernel="$2"
+            shift
+            shift
+        ;;
+
+        # Path to the initrd
+        "--initramfs")
+            initramfs="$2"
+            shift
+            shift
+        ;;
+
+        * )
+            echo "Argument $1 not understood"
+            exit 1
+        ;;
+    esac
+done
+
+if [[ $seal_state == "sealed" && ${#missing_verity[@]} -gt 0 ]]; then
     echo "Cannot have missing verity with sealed UKI" >&2
     exit 1
 fi
 
-# Find the kernel version (needed for output filename)
-kver=$(bootc container inspect --rootfs "${target}" --json | jq -r '.kernel.version')
-if [ -z "$kver" ] || [ "$kver" = "null" ]; then
-  echo "Error: No kernel found" >&2
-  exit 1
+if [[ -z $kernel || -z $initramfs || -z $kver ]]; then
+    echo "kernel, initramfs and kver are required" >&2
+    exit 1
 fi
 
+kernel_params=(--kernel "$kernel" --initramfs "$initramfs" --kver "$kver")
+
 mkdir -p "${output}"
 
 # Baseline ukify options
@@ -45,12 +95,6 @@ fi
 # Baseline container ukify options
 containerukifyargs=(--rootfs "${target}")
 
-missing_verity=()
-
-if [[ $allow_missing_verity == "true" ]]; then
-    missing_verity+=(--allow-missing-verity)
-fi
-
 # Build the UKI using bootc container ukify
 # This computes the composefs digest, reads kargs from kargs.d, and invokes ukify
-bootc container ukify "${containerukifyargs[@]}" "${missing_verity[@]}" -- "${ukifyargs[@]}"
+bootc container ukify "${containerukifyargs[@]}" "${kernel_params[@]}" "${missing_verity[@]}" -- "${ukifyargs[@]}"

crates/tests-integration/src/container.rs

@@ -51,6 +51,8 @@ pub(crate) fn test_bootc_container_inspect() -> Result<()> {
         .as_bool()
         .expect("kernel.unified should be a boolean");
 
+    println!("kernel: {kernel:#?}");
+
     let is_uki = std::env::var("BOOTC_boot_type").is_ok_and(|var| var == "uki");
 
     if let Some(variant) = std::env::var("BOOTC_variant").ok() {

tmt/tests/Dockerfile.upgrade

@@ -13,6 +13,16 @@ ARG filesystem=ext4
 FROM scratch AS packaging
 COPY contrib/packaging /
 
+# Get kernel + initrd from the UKI
+FROM localhost/bootc as kernel
+RUN <<-EOF
+    kver=$(bootc container inspect --rootfs / --json | jq -r '.kernel.version')
+    echo $kver > /var/kernel_ver
+
+    objcopy -O binary --only-section=.initrd /boot/EFI/Linux/*.efi /boot/initramfs.img
+    objcopy -O binary --only-section=.linux /boot/EFI/Linux/*.efi /boot/vmlinuz
+EOF
+
 # Create the upgrade content (a simple marker file).
 # For UKI builds, we also remove the existing UKI so that seal-uki can
 # regenerate it with the correct composefs digest for this derived image.
@@ -36,16 +46,28 @@ RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp
     --mount=type=secret,id=secureboot_key \
     --mount=type=secret,id=secureboot_cert \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    --mount=type=bind,from=kernel,src=/,target=/run/kernel \
     --mount=type=bind,from=upgrade-base,src=/,target=/run/target <<EORUN
 set -xeuo pipefail
 
-allow_missing_verity=false
-if [ "${filesystem}" = "xfs" ]; then
-    allow_missing_verity=true
+allow_missing_verity=()
+
+if [[ $filesystem == "xfs" ]]; then
+    allow_missing_verity=(--allow-missing-verity)
 fi
 
 if test "${boot_type}" = "uki"; then
-  /run/packaging/seal-uki /run/target /out /run/secrets "${allow_missing_verity}" "${seal_state}"
+  kver=$(cat /run/kernel/var/kernel_ver)
+
+  /run/packaging/seal-uki \
+      --target /run/target \
+      --output /out \
+      --secrets /run/secrets \
+      "${allow_missing_verity[@]}" \
+      --kernel "/run/kernel/boot/vmlinuz" \
+      --kver "$kver" \
+      --initramfs "/run/kernel/boot/initramfs.img" \
+      --seal-state $seal_state
 fi
 EORUN
 

tmt/tests/booted/tap.nu

@@ -89,26 +89,49 @@ export def make_uki_containerfile [containerfile: string] {
         return $containerfile
     }
 
-    let allow_missing_verity = $st.status.booted.composefs.missingVerityAllowed
+    let allow_missing_verity = if $st.status.booted.composefs.missingVerityAllowed {
+        "--allow-missing-verity"
+    } else {
+        ""
+    }
+
     # TODO: Handle sealed UKI
     let seal_state = "unsealed"
 
     let uki_stuff = $"
+        FROM base as kernel
+        RUN <<-EOF
+            kver=$\(bootc container inspect --rootfs / --json | jq -r '.kernel.version'\)
+            echo $kver > /var/kernel_ver
+
+            objcopy -O binary --only-section=.initrd /boot/EFI/Linux/*.efi /boot/initramfs.img
+            objcopy -O binary --only-section=.linux /boot/EFI/Linux/*.efi /boot/vmlinuz
+        EOF
+
         FROM base as base-final
         RUN rm -rf /boot/EFI/Linux/*.efi
 
         FROM base as sealed-uki
         RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \\
             --mount=type=bind,from=base-final,src=/,target=/run/target \\
-            /usr/bin/seal-uki /run/target /out /run/secrets ($allow_missing_verity) ($seal_state)
+            --mount=type=bind,from=kernel,src=/,target=/run/kernel \\
+              /usr/bin/seal-uki \\
+                  --target /run/target \\
+                  --output /out \\
+                  --secrets /run/secrets ($allow_missing_verity) \\
+                  --kernel /run/kernel/boot/vmlinuz \\
+                  --kver $\(cat /run/kernel/var/kernel_ver\) \\
+                  --initramfs /run/kernel/boot/initramfs.img \\
+                  --seal-state ($seal_state)
 
         FROM base-final
 
         # Copy the sealed UKI and finalize the image remove raw kernel, create symlinks
         RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \\
             --mount=type=bind,from=sealed-uki,src=/,target=/run/sealed-uki \\
-            /usr/bin/finalize-uki /run/sealed-uki/out
-    "
+            --mount=type=bind,from=kernel,src=/,target=/run/kernel \\
+            /usr/bin/finalize-uki /run/sealed-uki/out $\(cat /run/kernel/var/kernel_ver\)
+    " | lines | each { str trim } | str join "\n"
 
     return $"($containerfile)\n($uki_stuff)"
 }