
install: Verify target supports fsverity early on

Open shi2wei3 opened this issue 2 months ago • 2 comments

Failed to reboot to original system (xfs) after bootc install ghcr.io/bootc-dev/dev-bootc:stream10-uki

# podman run -ti --rm --privileged --pid=host --security-opt label=type:unconfined_t -v /var/lib/containers:/var/lib/containers -v /dev:/dev -v /:/target ghcr.io/bootc-dev/dev-bootc:stream10-uki bootc install to-existing-root --composefs-backend --acknowledge-destructive
Installing image: docker://ghcr.io/bootc-dev/dev-bootc:stream10-uki
Digest: sha256:bc013b1612a470db61e6a9e45452286afd3741518f9cd3d7d43eaaa28528d7f1
Fetching config 73342bfa908c498ec230dda4eeb0a8b3af2cc29d093ceb4cfe43dedc64418ecf
...
...
...
Fetching layer d83d2c94c45599e8247985017bbcd4cd11254a6e23aadf30228f05c18c782042
error: Installing to filesystem: Unable to pull container image containers-storage:ghcr.io/bootc-dev/dev-bootc:stream10-uki: Failed to pull config Descriptor { media_type: ImageConfig, digest: Digest { algorithm: Sha256, value: "sha256:73342bfa908c498ec230dda4eeb0a8b3af2cc29d093ceb4cfe43dedc64418ecf", split: 6 }, size: 16283, urls: None, annotations: None, platform: None, artifact_type: None, data: None }: Enabling verity digest: Filesystem does not support fs-verity
# reboot

Console log after reboot

BdsDxe: failed to load Boot0002 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x4,0x0)/Scsi(0x0,0x0): Not Found

>>Start PXE over IPv4.
  PXE-E16: No valid offer received.
BdsDxe: failed to load Boot0003 "UEFI PXEv4 (MAC:525400123456)" from PciRoot(0x0)/Pci(0x2,0x0)/MAC(525400123456,0x1)/IPv4(0.0.0.0,0x0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0): Not Found

>>Start PXE over IPv6.
  PXE-E16: No valid offer received.
BdsDxe: failed to load Boot0004 "UEFI PXEv6 (MAC:525400123456)" from PciRoot(0x0)/Pci(0x2,0x0)/MAC(525400123456,0x1)/IPv6(0000:0000:0000:0000:0000:0000:0000:0000,0x0,Static,0000:0000:0000:0000:0000:0000:0000:0000,0x40,0000:0000:0000:0000:0000:0000:0000:0000): Not Found

shi2wei3 avatar Nov 24 '25 12:11 shi2wei3

This seems simple to do when we are running inside the target image as all we have to do is look at the cmdline and make sure it's of the form composefs=?abc123...

Handling this when we have a remote target image is a bit tricky.

Johan-Liebert1 avatar Nov 25 '25 11:11 Johan-Liebert1
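The cmdline check described in the comment above, as an added example that is not part of the thread and not bootc's own code: it parses `composefs=` from an image's kernel arguments and refuses to continue, before any destructive step, when the digest is mandatory and the target filesystem lacks fs-verity. Assumptions: a leading `?` marks verity as optional, digests are 64 or 128 hex characters, and `parse_composefs_karg`, `preflight` and `fs_has_verity` are hypothetical names.

```rust
// Added example, not bootc's own code. Assumption: a leading '?' on the
// composefs= value marks fs-verity as optional for that image.
#[derive(Debug, PartialEq)]
pub enum Verity { Required, Optional }

#[derive(Debug, PartialEq)]
pub enum Preflight { Proceed, Abort(&'static str) }

/// Find the first `composefs=` among whitespace-separated kernel arguments.
/// Returns the verity mode and hex digest, or None if absent or malformed.
pub fn parse_composefs_karg(cmdline: &str) -> Option<(Verity, &str)> {
    let value = cmdline
        .split_ascii_whitespace()
        .find_map(|arg| arg.strip_prefix("composefs="))?;
    let (mode, digest) = match value.strip_prefix('?') {
        Some(rest) => (Verity::Optional, rest),
        None => (Verity::Required, value),
    };
    // Assumed digest sizes: SHA-256 (64 hex chars) or SHA-512 (128 hex chars).
    let ok_len = digest.len() == 64 || digest.len() == 128;
    (ok_len && digest.bytes().all(|b| b.is_ascii_hexdigit())).then_some((mode, digest))
}

/// Decide before anything on the target is modified. `fs_has_verity` stands
/// in for a probe of the target filesystem (hypothetical input here).
pub fn preflight(cmdline: &str, fs_has_verity: bool) -> Preflight {
    match parse_composefs_karg(cmdline) {
        None => Preflight::Abort("no valid composefs= karg in image cmdline"),
        Some((Verity::Required, _)) if !fs_has_verity => {
            Preflight::Abort("image requires fs-verity but target filesystem lacks it")
        }
        Some(_) => Preflight::Proceed,
    }
}

fn main() {
    // Constructed sample cmdlines; the digest is a placeholder, not a real image.
    let d = "ab".repeat(32);
    for (cl, has_verity) in [(format!("root=UUID=x composefs={d} rw"), false),
                             (format!("root=UUID=x composefs=?{d} rw"), false)] {
        println!("{:?}", preflight(&cl, has_verity));
    }
}
```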

We should change the overall installation flow to not wipe /boot upfront, that would fix most of the issues.

cgwalters avatar Nov 25 '25 15:11 cgwalters