Tests for unsealed composefs UKI #2146
b65888f to 2beb2eb
Code Review
This pull request introduces support for Unified Kernel Images (UKIs) within the composefs framework, including tools for sealing and finalizing UKIs and a new dumpfile_path option for the ukify command. It also adds a missing_verity_allowed flag to track and display fs-verity enforcement status in bootc status. The integration test suite is significantly updated with a new composefs garbage collection test for UKIs and a helper function to wrap container builds for UKI environments. Feedback focuses on improving maintainability by combining conditional package installations in the Dockerfile and refactoring repetitive logic in the new UKI test scripts into helper functions.
| mkdir /var/tmp/efi | ||
| mount /dev/disk/by-partlabel/EFI-SYSTEM /var/tmp/efi |
This test file has some repeated logic that could be refactored into helper functions to improve maintainability and readability.

- EFI Mount Setup: The commands to create and mount the EFI directory are repeated in `second_boot`, `third_boot`, `fourth_boot`, and `fifth_boot`.

```nu
def setup_efi_mount [] {
    mkdir /var/tmp/efi
    mount /dev/disk/by-partlabel/EFI-SYSTEM /var/tmp/efi
}
```

- Image Build and Switch: The logic for building a new container image and switching to it is also duplicated.

```nu
def build_and_switch [name: string, content: string] {
    mut containerfile = $"
    FROM localhost/bootc as base
    ($content)
    "
    $containerfile = (tap build_uki_img $containerfile)
    echo $containerfile | podman build -t $"localhost/bootc-($name)" . -f -
    bootc switch --transport containers-storage $"localhost/bootc-($name)"
}
```

By using these helpers, the boot stage functions would become much cleaner and more focused on their specific assertions.
2beb2eb to 895ba5a
Centos10 seems to be failing with

Edit: #2145 fixes this
895ba5a to bf66218
Add a flag to create a dumpfile for `bootc ukify` command. This is extremely helpful for debugging

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

For the status command for composefs backend, in verbose mode, show whether FsVerity is enforced or not. This is also helpful for us in tests for UKI as while building a UKI we'd want to know whether the current system has FsVerity enforced or not. Reading `/proc/cmdline` is an option, but a concrete API helps immensely

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

For unsealed UKIs now we install systemd-ukify in our container images and also copy our UKI build scripts in the image to help us build UKIs in our tests. We don't yet have all tests for sealed UKIs because we don't have a proper way of passing our keys to the test VMs

A nu shell function wraps all container image definitions and updates them to also build for UKI images

Update tests to also work with UKIs

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Also, fix a logic error in the BLS GC test where we were checking for the non-existence of a non-existent path

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>
bf66218 to 19d13bb