build-sys: Many changes

[cgwalters]

See individual commits.

This is mainly with an eye to reworking our sealing, for which we needed to do a "scratch" build and as soon as we do that we might as well just take the step of consolidating our integration test and base image etc.

This was developed iteratively, and I did at least do a build test of each individual stage.

[gemini-code-assist]

Code Review

This pull request introduces a significant and beneficial refactoring of the build system. Key changes include moving to a 'from scratch' base image build, consolidating the integration test image into the main build flow, and streamlining the process by building packages separately before injecting them into the final image. These changes greatly improve the structure and maintainability of the build process. My review includes a couple of suggestions for further cleanup, such as removing a now-redundant Containerfile and fixing a minor style issue in a shell script.

[jeckersb]

I won't have time to test this but the eyeball test looks sane, especially grateful for breaking it up into individual commits so I can more easily follow your train of thought 👏

[henrywang]

Our bot updated bcvk version in PR #1867.

[cgwalters]

OK, fixed some more things; ended up adding an env var to shortcut things and skip package builds, it was just too fragile without that. The main thing I overlooked is that the unit/integration test depchains ended up pulling in package builds too.

[cgwalters]

Hum, not sure yet why most but not all of the cfs tests failed.

And now I see this blocks on #1225

Details

# PR #1864 CI Failure Investigation - Composefs Boot Failures

Summary

PR #1864 ("build-sys: Many changes") introduces a "from scratch" image build approach
using bootc-base-imagectl build-rootfs --manifest=standard. This causes composefs
sealed UKI boot failures on certain distros.

Test Results Pattern

Distro	ostree	composefs-sealeduki-sdboot
Fedora 42	PARTIAL (upgrade tests fail with ostree.final-diffid)	PASS
Fedora 43	PARTIAL	FAIL - SSH timeout, VM doesn't boot
Fedora 44	PARTIAL	FAIL - SSH timeout, VM doesn't boot
CentOS 9	PARTIAL	(excluded from matrix)
CentOS 10	PARTIAL	FAIL - SSH timeout, VM doesn't boot

Key observation: Fedora 42 composefs works, but Fedora 43/44 and CentOS 10 don't.

Main Branch Status

On main branch (run 20343724695), ALL composefs and ostree tests PASS.
This confirms the issue is introduced by PR #1864.

Key Changes in PR #1864

1. "From scratch" image build - Uses bootc-base-imagectl build-rootfs --manifest=standard
   instead of directly layering on top of the base image. This is to fix
   Incorrect mtime when generating EROFS from OCI image containers/composefs-rs#132

2. Cloud-init always enabled - Removed the conditional cloudinit argument from
   provision-derived.sh. Cloud-init is now always installed AND enabled via:

   ln -s ../cloud-init.target /usr/lib/systemd/system/default.target.wants

3. Dockerfile consolidation - Removed separate hack/Containerfile for integration
   tests, consolidated into main Dockerfile.

Composefs Sealed UKI Build Process

The sealed composefs image is built via Dockerfile.cfsuki:

1. Compute composefs digest: hack/compute-composefs-digest $input_image
2. Build UKI with hardcoded cmdline:

   cmdline="composefs=${COMPOSEFS_FSVERITY} console=ttyS0,115200n8 console=hvc0 enforcing=0 rw"
   

3. Sign UKI with test secureboot keys
4. Place UKI in /boot/EFI/Linux/

Note: The cmdline is hardcoded and does NOT read from /usr/lib/bootc/kargs.d/.

Failure Details

For failing distros (Fedora 43/44, CentOS 10):

• VM is created successfully by bcvk
• Installation completes ("Installation completed successfully!")
• VM starts but never becomes SSH-accessible
• SSH timeout after 60 attempts (~3 minutes of waiting)
• No kernel panic or boot error visible in logs

Potential Causes to Investigate

1. Initramfs differences - The "from scratch" build may produce different initramfs
   content that doesn't work correctly with composefs sealed boot on newer distros.

2. Cloud-init interaction - Cloud-init being enabled might interfere with bcvk's
   SSH key injection, though Fedora 42 works with the same cloud-init setup.

3. Kernel/dracut version differences - Fedora 43/44 and CentOS 10 may have different
   kernel or dracut versions that behave differently with the sealed composefs boot.

4. Missing kargs - The hardcoded cmdline in Dockerfile.cfsuki may be missing
   required kernel arguments for newer distros.

5. Network configuration - The "from scratch" build may be missing network
   configuration that the base images normally provide.

Cloud-init Version Differences

• Fedora 42: cloud-init-24.2-5.fc42 - services: cloud-init.service
• Fedora 43: cloud-init-25.2-7.fc43 - services: cloud-init-main.service (renamed!)
• CentOS 10: cloud-init-24.4-6.el10 - services: cloud-init.service

The service rename in cloud-init 25 (Fedora 43) may cause issues if something
expects the old service name, but CentOS 10 uses cloud-init 24.x and still fails.

Files to Examine

• Dockerfile - New from-scratch build logic
• Dockerfile.cfsuki - Sealed composefs UKI build
• hack/build-sealed - Script that builds sealed image
• hack/provision-derived.sh - Provisioning script (cloud-init changes)
• hack/compute-composefs-digest - Computes composefs fsverity digest

Next Steps

1. Check if main branch composefs tests use the same bcvk/test infrastructure
2. Compare initramfs contents between working (F42) and failing (F43/C10) images
3. Try to get console output from failing VMs to see where boot hangs
4. Consider reverting the cloud-init enabling change to test if that's the cause
5. Test if the "from scratch" build works correctly on failing distros for non-sealed boot

[cgwalters]

OK and then the next problem is the "from scratch" is really painful for composefs installs due to containers/composefs-rs#62

[cgwalters]

OK, I think now we're just down to the failures in those selinux-policy tests. Not sure what's up with that.