Commit 621e141
committed
build-sys: Re-seal upgrade image for composefs UKI builds
The upgrade test image (localhost/bootc-upgrade) was previously a simple
one-layer addition on top of localhost/bootc that did not go through the
sealing pipeline. This meant sealed composefs builds could not properly
test upgrades, since the upgrade image lacked a signed UKI with the
correct composefs digest.
Rework Dockerfile.upgrade into a multi-stage build that mirrors the main
Dockerfile sealing flow: when boot_type=uki, it computes the composefs
digest of the upgrade rootfs, generates and optionally signs a UKI via
seal-uki, and finalizes it with finalize-uki. For non-UKI builds, the
extra stages are effectively no-ops and the image remains a simple
derived layer.
Update _build-upgrade-image in the Justfile to pass the required build
arguments (boot_type, seal_state, filesystem) and build secrets
(secureboot keys). Extra container capabilities (CAP_ALL, fuse device)
are only added for UKI builds that need composefs support.
Assisted-by: OpenCode (claude-opus-4)
Signed-off-by: Colin Walters <walters@verbum.org>1 parent eebb1fe commit 621e141
2 files changed
+81
-5
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
141 | 141 | | |
142 | 142 | | |
143 | 143 | | |
144 | | - | |
| 144 | + | |
145 | 145 | | |
146 | 146 | | |
147 | 147 | | |
| |||
362 | 362 | | |
363 | 363 | | |
364 | 364 | | |
365 | | - | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
| 368 | + | |
| 369 | + | |
| 370 | + | |
| 371 | + | |
| 372 | + | |
| 373 | + | |
| 374 | + | |
| 375 | + | |
| 376 | + | |
| 377 | + | |
| 378 | + | |
| 379 | + | |
| 380 | + | |
| 381 | + | |
| 382 | + | |
366 | 383 | | |
367 | 384 | | |
368 | 385 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | | - | |
2 | | - | |
3 | | - | |
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
0 commit comments