ukify: Allow passing custom kernel, initramfs

Johan-Liebert1 · Johan-Liebert1 · commit ce8443a7bb60 · 2026-05-15T13:36:31.000+05:30
While building a sealed UKI image we'd want to remove the original kernel + initramfs from the final image and have only the final UKI present. This was not possible before as `bootc container ukify` expected kernel + initramfs to be present in `usr/lib/modules` of container root Fixes: #2185 Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com> wip
diff --git a/crates/lib/src/cli.rs b/crates/lib/src/cli.rs
@@ -442,6 +442,19 @@ pub(crate) enum ContainerOpts {
         #[clap(long)]
         write_dumpfile_to: Option<Utf8PathBuf>,
 
+        /// The kernel version.
+        /// Required if kernel is passed
+        #[clap(long, requires = "kernel")]
+        kver: Option<String>,
+
+        /// Path to the kernel
+        #[clap(long, requires = "initramfs", requires = "kver")]
+        kernel: Option<Utf8PathBuf>,
+
+        /// Path to the initramfs
+        #[clap(long, requires = "kernel")]
+        initramfs: Option<Utf8PathBuf>,
+
         /// Additional arguments to pass to ukify (after `--`).
         #[clap(last = true)]
         args: Vec<OsString>,
@@ -1893,12 +1906,32 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 kargs,
                 allow_missing_verity,
                 write_dumpfile_to,
+                kernel,
+                kver,
+                initramfs,
                 args,
             } => {
+                let kernel = match (kernel, initramfs) {
+                    (Some(path), Some(initramfs)) => Some(crate::kernel::KernelInternal {
+                        kernel: crate::kernel::Kernel {
+                            unified: false,
+                            version: kver
+                                .ok_or_else(|| anyhow::anyhow!("Expected kver to be present"))?,
+                        },
+                        k_type: crate::kernel::KernelType::Vmlinuz { path, initramfs },
+                    }),
+
+                    (None, None) => None,
+
+                    // Shouldn't happen due to clap constraints but for sanity
+                    _ => anyhow::bail!("--kernel and --initramfs must be provided together"),
+                };
+
                 crate::ukify::build_ukify(
                     &rootfs,
                     &kargs,
                     &args,
+                    kernel,
                     allow_missing_verity,
                     write_dumpfile_to.as_deref(),
                 )
diff --git a/crates/lib/src/ukify.rs b/crates/lib/src/ukify.rs
@@ -15,6 +15,7 @@ use fn_error_context::context;
 
 use crate::bootc_composefs::digest::compute_composefs_digest;
 use crate::bootc_composefs::status::ComposefsCmdline;
+use crate::kernel::KernelInternal;
 
 /// Build a UKI from the given rootfs.
 ///
@@ -30,6 +31,7 @@ pub(crate) async fn build_ukify(
     rootfs: &Utf8Path,
     extra_kargs: &[String],
     args: &[OsString],
+    kernel: Option<KernelInternal>,
     allow_missing_fsverity: bool,
     write_dumpfile_to: Option<&Utf8Path>,
 ) -> Result<()> {
@@ -52,30 +54,46 @@ pub(crate) async fn build_ukify(
     let root = Dir::open_ambient_dir(rootfs, cap_std_ext::cap_std::ambient_authority())
         .with_context(|| format!("Opening rootfs {rootfs}"))?;
 
-    // Find the kernel
-    let kernel = crate::kernel::find_kernel(&root)?
-        .ok_or_else(|| anyhow::anyhow!("No kernel found in {rootfs}"))?;
+    let kernel_final = match kernel {
+        Some(ref kernel) => kernel,
+        None => &crate::kernel::find_kernel(&root)?
+            .ok_or_else(|| anyhow::anyhow!("No kernel found in {rootfs}"))?,
+    };
 
     // Extract vmlinuz and initramfs paths, or bail if this is already a UKI
-    let (vmlinuz_path, initramfs_path) = match kernel.k_type {
+    let (vmlinuz_path, initramfs_path) = match &kernel_final.k_type {
         crate::kernel::KernelType::Vmlinuz { path, initramfs } => (path, initramfs),
         crate::kernel::KernelType::Uki { path, .. } => {
             anyhow::bail!("Cannot build UKI: rootfs already contains a UKI at {path}");
         }
     };
 
     // Verify kernel and initramfs exist
-    if !root
-        .try_exists(&vmlinuz_path)
-        .context("Checking for vmlinuz")?
-    {
-        anyhow::bail!("Kernel not found at {vmlinuz_path}");
-    }
-    if !root
-        .try_exists(&initramfs_path)
-        .context("Checking for initramfs")?
-    {
-        anyhow::bail!("Initramfs not found at {initramfs_path}");
+    //
+    // NOTE: Not using cap_std here as the vmlinuz/initramfs path from
+    // args can be outside of "rootfs"
+    if kernel.is_some() {
+        if !vmlinuz_path.exists() {
+            anyhow::bail!("Kernel not found at {vmlinuz_path}");
+        }
+
+        if !initramfs_path.exists() {
+            anyhow::bail!("Initramfs not found at {initramfs_path}");
+        }
+    } else {
+        if !root
+            .try_exists(&vmlinuz_path)
+            .context("Checking for vmlinuz")?
+        {
+            anyhow::bail!("Kernel not found at {vmlinuz_path}");
+        }
+
+        if !root
+            .try_exists(&initramfs_path)
+            .context("Checking for initramfs")?
+        {
+            anyhow::bail!("Initramfs not found at {initramfs_path}");
+        }
     }
 
     // Compute the composefs digest
@@ -105,7 +123,7 @@ pub(crate) async fn build_ukify(
         .arg("--initrd")
         .arg(&initramfs_path)
         .arg("--uname")
-        .arg(&kernel.kernel.version)
+        .arg(&kernel_final.kernel.version)
         .arg("--cmdline")
         .arg(&cmdline_str)
         .arg("--os-release")
@@ -132,7 +150,7 @@ mod tests {
         let tempdir = tempfile::tempdir().unwrap();
         let path = Utf8Path::from_path(tempdir.path()).unwrap();
 
-        let result = build_ukify(path, &[], &[], false, None).await;
+        let result = build_ukify(path, &[], &[], None, false, None).await;
         assert!(result.is_err());
         let err = format!("{:#}", result.unwrap_err());
         assert!(
@@ -150,7 +168,7 @@ mod tests {
         fs::create_dir_all(tempdir.path().join("boot/EFI/Linux")).unwrap();
         fs::write(tempdir.path().join("boot/EFI/Linux/test.efi"), b"fake uki").unwrap();
 
-        let result = build_ukify(path, &[], &[], false, None).await;
+        let result = build_ukify(path, &[], &[], None, false, None).await;
         assert!(result.is_err());
         let err = format!("{:#}", result.unwrap_err());
         assert!(
diff --git a/docs/src/man/bootc-container-ukify.8.md b/docs/src/man/bootc-container-ukify.8.md
@@ -35,6 +35,18 @@ Any additional arguments after `--` are passed through to ukify unchanged.
 
     Write a dumpfile to this path
 
+**--kver**=*KVER*
+
+    The kernel version. Required if kernel is passed
+
+**--kernel**=*KERNEL*
+
+    Path to the kernel
+
+**--initramfs**=*INITRAMFS*
+
+    Path to the initramfs
+
 <!-- END GENERATED OPTIONS -->
 
 # EXAMPLES
