container: Add export --format=tar command

Some people want to use container build tools, but for compatibility
with older systems export a tar format of the OS state e.g.
Anaconda liveimg expects this.

Basically this is only *slightly* more than just `tar cf`; we need
to handle SELinux labeling and move the kernel.

Ref: #1957

Assisted-by: OpenCode (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

.github/workflows/ci.yml

@@ -304,10 +304,45 @@ jobs:
           name: tmt-log-PR-${{ github.event.number }}-fedora-43-coreos-${{ env.ARCH }}
           path: /var/tmp/tmt
 
+  # Test the container export -> Anaconda liveimg install path.
+  # Builds localhost/bootc, exports as tarball, installs via Anaconda in QEMU,
+  # and verifies the resulting disk boots.
+  test-container-export:
+    needs: package
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Bootc Ubuntu Setup
+        uses: bootc-dev/actions/bootc-ubuntu-setup@main
+        with:
+          libvirt: true
+
+      - name: Setup env
+        run: |
+          echo "BOOTC_base=quay.io/centos-bootc/centos-bootc:stream10" >> $GITHUB_ENV
+
+      - name: Download package artifacts
+        uses: actions/download-artifact@v7
+        with:
+          name: packages-centos-10
+          path: target/packages/
+
+      - name: Build and run container export test
+        run: |
+          BOOTC_SKIP_PACKAGE=1 just test-container-export
+
+      - name: Archive test logs
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: container-export-test-${{ env.ARCH }}
+          path: target/anaconda-test/*.log
+
   # Sentinel job for required checks - configure this job name in repository settings
   required-checks:
     if: always()
-    needs: [cargo-deny, validate, package, test-integration, test-coreos]
+    needs: [cargo-deny, validate, package, test-integration, test-coreos, test-container-export]
     runs-on: ubuntu-latest
     steps:
       - run: exit 1
@@ -316,4 +351,5 @@ jobs:
           needs.validate.result != 'success' ||
           needs.package.result != 'success' ||
           needs.test-integration.result != 'success' ||
-          needs.test-coreos.result != 'success'
+          needs.test-coreos.result != 'success' ||
+          needs.test-container-export.result != 'success'

Cargo.lock

@@ -108,7 +108,7 @@ test-tmt *ARGS: build
 [group('core')]
 test-container: build build-units
     podman run --rm --read-only localhost/bootc-units /usr/bin/bootc-units
-    podman run --rm --env=BOOTC_variant={{variant}} --env=BOOTC_base={{base}} {{base_img}} bootc-integration-tests container
+    podman run --rm --env=BOOTC_variant={{variant}} --env=BOOTC_base={{base}} --mount=type=image,source={{base_img}},target=/run/target {{base_img}} bootc-integration-tests container
 
 # Build and test sealed composefs images
 [group('core')]
@@ -138,6 +138,28 @@ test-composefs-grub filesystem:
 validate:
     podman build {{base_buildargs}} --target validate .
 
+# Test container export via Anaconda liveimg install in a QEMU VM
+[group('testing')]
+test-container-export: build
+    #!/bin/bash
+    set -xeuo pipefail
+    iso=target/anaconda-test/boot.iso
+    if [ ! -f "$iso" ]; then
+        # Determine the ISO download URL from the base image's os-release
+        eval $(podman run --rm {{base_img}} bash -c '. /etc/os-release && echo "ID=$ID VERSION_ID=$VERSION_ID"')
+        case "${ID}-${VERSION_ID}" in
+            centos-10)
+                url="https://mirror.stream.centos.org/10-stream/BaseOS/x86_64/iso/CentOS-Stream-10-latest-x86_64-boot.iso" ;;
+            fedora-*)
+                url="https://download.fedoraproject.org/pub/fedora/linux/releases/${VERSION_ID}/Everything/x86_64/iso/Fedora-Everything-netinst-x86_64-${VERSION_ID}-1.1.iso" ;;
+            *)
+                echo "Unsupported OS: ${ID}-${VERSION_ID}" >&2; exit 1 ;;
+        esac
+        mkdir -p target/anaconda-test
+        curl -L --retry 3 --progress-bar -o "$iso" "$url"
+    fi
+    cargo xtask anaconda-test --iso "$iso" {{base_img}}
+
 # ============================================================================
 # Testing variants and utilities
 # ============================================================================

Justfile

@@ -419,6 +419,41 @@ pub(crate) enum ContainerOpts {
         #[clap(last = true)]
         args: Vec<OsString>,
     },
+    /// Export container filesystem as a tar archive.
+    ///
+    /// This command exports the container filesystem in a bootable format with proper
+    /// SELinux labeling. The output is written to stdout by default or to a specified file.
+    ///
+    /// Example:
+    ///   bootc container export /target > output.tar
+    #[clap(hide = true)]
+    Export {
+        /// Format for export output
+        #[clap(long, default_value = "tar")]
+        format: ExportFormat,
+
+        /// Output file (defaults to stdout)
+        #[clap(long, short = 'o')]
+        output: Option<Utf8PathBuf>,
+
+        /// Copy kernel and initramfs from /usr/lib/modules to /boot for legacy compatibility.
+        /// This is useful for installers that expect the kernel in /boot.
+        #[clap(long)]
+        kernel_in_boot: bool,
+
+        /// Disable SELinux labeling in the exported archive.
+        #[clap(long)]
+        disable_selinux: bool,
+
+        /// Path to the container filesystem root
+        target: Utf8PathBuf,
+    },
+}
+
+#[derive(Debug, Clone, ValueEnum, PartialEq, Eq)]
+pub(crate) enum ExportFormat {
+    /// Export as tar archive
+    Tar,
 }
 
 /// Subcommands which operate on images.
@@ -1631,6 +1666,22 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 allow_missing_verity,
                 args,
             } => crate::ukify::build_ukify(&rootfs, &kargs, &args, allow_missing_verity),
+            ContainerOpts::Export {
+                format,
+                target,
+                output,
+                kernel_in_boot,
+                disable_selinux,
+            } => {
+                crate::container_export::export(
+                    &format,
+                    &target,
+                    output.as_deref(),
+                    kernel_in_boot,
+                    disable_selinux,
+                )
+                .await
+            }
         },
         Opt::Completion { shell } => {
             use clap_complete::aot::generate;