@@ -140,25 +140,72 @@ then you can `cargo b --release` directly in a Fedora 42 container
140140or even on your host system, and then directly run e.g. ` ./target/release/bootc upgrade `
141141etc.
142142
143- ### Testing with composefs (sealed images)
143+ ### Building and testing with the composefs backend
144144
145- To build and test with the experimental composefs backend:
145+ bootc has two storage backends: ` ostree ` (default, production) and ` composefs `
146+ (experimental). The composefs backend has several axes of configuration:
147+
148+ | Variable | Values | Notes |
149+ | ---| ---| ---|
150+ | ` variant ` | ` ostree ` , ` composefs ` | Storage backend |
151+ | ` bootloader ` | ` grub ` , ` systemd ` | systemd-boot required for UKI |
152+ | ` boot_type ` | ` bls ` , ` uki ` | UKI embeds the composefs digest |
153+ | ` seal_state ` | ` unsealed ` , ` sealed ` | Sealed signs the UKI for Secure Boot |
154+ | ` filesystem ` | ` ext4 ` , ` btrfs ` , ` xfs ` | xfs lacks fsverity, incompatible with sealed |
155+
156+ These are controlled via ` BOOTC_ ` -prefixed environment variables.
157+ Using environment variables (rather than ` just ` command-line overrides)
158+ is recommended because they persist across commands in the same shell
159+ session — so ` just build ` followed by ` just test-tmt ` will use the
160+ same configuration:
146161
147162``` bash
148- # Build a sealed image with auto-generated test Secure Boot keys
163+ # Set up a composefs development session
164+ export BOOTC_variant=composefs
165+ export BOOTC_bootloader=systemd
166+ # Now all just targets use these settings:
167+ just build
168+ just test-tmt readonly
169+ just test-container
170+ ```
171+
172+ The constraints are:
173+
174+ - ` sealed ` requires ` boot_type=uki ` (the digest lives in the UKI cmdline)
175+ - ` sealed ` requires ` filesystem ` with fsverity support (` ext4 ` or ` btrfs ` )
176+ - ` uki ` requires ` bootloader=systemd `
177+
178+ Common workflows:
179+
180+ ``` bash
181+ # Simplest composefs build (unsealed, grub, BLS, ext4)
182+ export BOOTC_variant=composefs
183+ just build
184+
185+ # Composefs with systemd-boot
186+ export BOOTC_variant=composefs BOOTC_bootloader=systemd
187+ just build
188+
189+ # Fully sealed image (systemd-boot + signed UKI + Secure Boot)
190+ # This is the most common composefs dev workflow:
149191just build-sealed
150192
151- # Run composefs-specific tests
152- just test-composefs
193+ # Run composefs integration tests (all four params are required)
194+ just test-composefs systemd ext4 bls unsealed
195+
196+ # Run sealed UKI tests
197+ just test-composefs systemd ext4 uki sealed
153198
154- # Validate that composefs digests match between build and install views
199+ # Validate composefs digests match between build and install views
155200# (useful for debugging mtime/metadata issues)
156201just validate-composefs-digest
157202```
158203
159- The ` build-sealed ` target generates test Secure Boot keys in ` target/test-secureboot/ `
160- and builds a complete sealed image with UKI. See [ experimental-composefs.md] ( docs/src/experimental-composefs.md )
161- for more information on sealed images.
204+ The ` build-sealed ` target generates test Secure Boot keys in
205+ ` target/test-secureboot/ ` and builds a complete sealed image with all
206+ the sealed composefs settings. See
207+ [ experimental-composefs.md] ( docs/src/experimental-composefs.md ) for
208+ more information on sealed images.
162209
163210
164211### Debugging via lldb
0 commit comments