xtask: Add Anaconda liveimg installation test

Add 'cargo xtask anaconda' command that validates bootc containers can
be installed via Anaconda's liveimg kickstart directive. This is an
end-to-end integration test that:

- Exports a bootc container to tar format using 'bootc container export'
- Downloads and caches Anaconda installer ISOs (CentOS Stream 10, Fedora)
- Generates kickstart files with liveimg --url=file:// directive
- Uses virtiofs to share the tar with the VM (avoids HTTP server complexity)
- Boots VM in UEFI mode with proper BLS boot entry generation
- Monitors installation via Anaconda's virtio serial progress channel
- Verifies installation using bcvk (disk inspection) and optionally SSH

The test handles several tricky aspects of bootc + Anaconda integration:

1. BLS entry generation: bootc tar exports don't include Boot Loader
   Specification entries (they need root partition UUID). We generate
   these in the kickstart %post script.

2. SSH in chroot: The %post script runs in a chroot where services
   can't be started, only enabled. We configure sshd to start on
   first boot rather than trying to start it during installation.

3. Bootloader installation: Uses bootupctl to install the bootloader
   in the Anaconda %post environment.

Usage:
  cargo xtask anaconda [--ssh] [--installer-type=centos-stream-10] \
    <container-image> <output-disk>

Assisted-by: OpenCode (Claude Sonnet 4)

Author: cgwalters

.github/workflows/ci.yml

@@ -267,10 +267,49 @@ jobs:
           name: tmt-log-PR-${{ github.event.number }}-fedora-43-coreos-${{ env.ARCH }}
           path: /var/tmp/tmt
 
+  # Test Anaconda installation with SSH verification
+  # Tests the complete Anaconda workflow including SSH access to installed systems
+  test-anaconda:
+    needs: package
+    runs-on: ubuntu-24.04
+
+    strategy:
+      fail-fast: false
+      matrix:
+        test_os: [fedora-43, centos-9]
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Bootc Ubuntu Setup
+        uses: bootc-dev/actions/bootc-ubuntu-setup@main
+        with:
+          libvirt: true
+
+      - name: Setup env
+        run: |
+          BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
+          echo "BOOTC_base=${BASE}" >> $GITHUB_ENV
+          echo "BOOTC_variant=ostree" >> $GITHUB_ENV
+
+      - name: Download package artifacts
+        uses: actions/download-artifact@v7
+        with:
+          name: packages-${{ matrix.test_os }}
+          path: target/packages/
+
+      - name: Build container and run Anaconda SSH test
+        run: |
+          BOOTC_SKIP_PACKAGE=1 just build
+          # Run Anaconda test with SSH verification directly
+          just test-anaconda localhost/bootc /tmp/bootc-anaconda-${{ matrix.test_os }}.raw --ssh -- bootc status
+          just clean-local-images
+
+
+
   # Sentinel job for required checks - configure this job name in repository settings
   required-checks:
     if: always()
-    needs: [cargo-deny, validate, package, test-integration, test-coreos]
+    needs: [cargo-deny, validate, package, test-integration, test-coreos, test-anaconda]
     runs-on: ubuntu-latest
     steps:
       - run: exit 1
@@ -279,4 +318,5 @@ jobs:
           needs.validate.result != 'success' ||
           needs.package.result != 'success' ||
           needs.test-integration.result != 'success' ||
-          needs.test-coreos.result != 'success'
+          needs.test-coreos.result != 'success' ||
+          needs.test-anaconda.result != 'success'

Cargo.lock

@@ -132,6 +132,21 @@ test-tmt-on-coreos *ARGS:
 run-container-external-tests:
    ./tests/container/run {{base_img}}
 
+# Run end-to-end Anaconda installation test
+[group('testing')]
+test-anaconda IMAGE=base_img OUTPUT="test-disk.raw" *ARGS:
+    cargo xtask anaconda {{IMAGE}} {{OUTPUT}} {{ARGS}}
+
+# Test with auto-detected installer
+[group('testing')]
+test-anaconda-auto IMAGE=base_img OUTPUT="test-disk.raw" *ARGS:
+    cargo xtask anaconda --installer-type auto {{IMAGE}} {{OUTPUT}} {{ARGS}}
+
+# Test with CentOS Stream installer
+[group('testing')]
+test-anaconda-centos IMAGE=base_img OUTPUT="test-disk.raw" *ARGS:
+    cargo xtask anaconda --installer-type centos-stream {{IMAGE}} {{OUTPUT}} {{ARGS}}
+
 # Remove all test VMs created by tmt tests
 [group('testing')]
 tmt-vm-cleanup:

Justfile

@@ -421,8 +421,13 @@ pub(crate) enum ContainerOpts {
     /// SELinux labeling. The output is written to stdout by default or to a specified file.
     ///
     /// Example:
-    ///   bootc container export /target > output.tar
+    ///   bootc container export --experimental /target > output.tar
+    #[clap(hide = true)]
     Export {
+        /// Acknowledge that this is an experimental command that may change or be removed.
+        #[clap(long)]
+        experimental: bool,
+
         /// Format for export output
         #[clap(long, default_value = "tar")]
         format: ExportFormat,
@@ -1661,12 +1666,16 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 args,
             } => crate::ukify::build_ukify(&rootfs, &kargs, &args),
             ContainerOpts::Export {
+                experimental,
                 format,
                 target,
                 output,
                 kernel_in_boot,
                 disable_selinux,
             } => {
+                if !experimental {
+                    anyhow::bail!("This command requires --experimental");
+                }
                 crate::container_export::export(
                     &format,
                     &target,

crates/lib/src/cli.rs

@@ -28,11 +28,13 @@ xshell = { workspace = true }
 
 # Crate-specific dependencies
 cargo_metadata = "0.23"
+tokio = { version = "1", features = ["process", "time", "rt-multi-thread", "macros", "io-util", "net"] }
 mandown = "1.1.0"
 rand = "0.9"
 serde_yaml = "0.9"
 tar = "0.4"
 itertools = "0.14.0"
+shlex = { workspace = true }
 
 [lints]
 workspace = true