install: mount esp part before clean_boot_directories()

- On existing ostree OS like FCOS, esp is not mounted after booted,
need to find esp and mount before clean, or the /boot/efi will be
removed.

- Add test to verify bootc install to-existing working on FCOS.

Signed-off-by: Huijing Hei <hhei@redhat.com>

Author: HuijingHei

.github/workflows/ci.yml

@@ -106,6 +106,7 @@ jobs:
           sudo find /ostree/repo/objects -name '*.file' -type f | while read f; do
             sudo fsverity measure $f >/dev/null
           done
+
   # Test that we can build documentation
   docs:
     runs-on: ubuntu-24.04
@@ -197,12 +198,20 @@ jobs:
       - name: Unit and container integration tests
         run: just test-container
 
-      - name: Run TMT tests
+      - name: Run TMT integration tests
         run: |
           if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
             just test-composefs
           else
-            just test-tmt
+            just test-tmt integration
+          fi
+      - name: Run TMT test about bootc install on coreos
+        run: |
+          # Only test fedora-43 on fedora-coreos:testing-devel
+          if [ "${{ matrix.test_os }}" = "fedora-43" ] && [ "${{ matrix.variant }}" = "ostree" ]; then
+            just test-tmt-on-coreos plan-bootc-install-on-coreos
+          else
+            echo "skipped"
           fi
 
       - name: Archive TMT logs

Justfile

@@ -43,6 +43,9 @@ buildargs := base_buildargs + " --secret=id=secureboot_key,src=target/test-secur
 # Args for build-sealed (no base arg, it sets that itself)
 sealed_buildargs := "--build-arg=variant=" + variant + " --secret=id=secureboot_key,src=target/test-secureboot/db.key --secret=id=secureboot_cert,src=target/test-secureboot/db.crt"
 
+# Needed by bootc install on ostree
+fedora-coreos := "quay.io/fedora/fedora-coreos:testing-devel"
+
 # The default target: build the container image from current sources.
 # Note commonly you might want to override the base image via e.g.
 # `just build --build-arg=base=quay.io/fedora/fedora-bootc:42`
@@ -161,6 +164,13 @@ _build-upgrade-image:
 test-tmt-nobuild *ARGS:
     cargo xtask run-tmt --env=BOOTC_variant={{variant}} --upgrade-image={{integration_upgrade_img}} {{integration_img}} {{ARGS}}
 
+# Test bootc install on coreos (FCOS)
+# Assume the localhost/bootc-integration image is up to date, and just run tests.
+# BOOTC_target is the bootc-integration, that will be used for bootc install
+test-tmt-on-coreos *ARGS:
+    @if ! podman image exists {{integration_img}}; then just build-integration-test-image; fi
+    cargo xtask run-tmt --env=BOOTC_variant={{variant}} --env=BOOTC_target={{integration_img}}:latest {{fedora-coreos}} {{ARGS}}
+
 # Cleanup all test VMs created by tmt tests
 tmt-vm-cleanup:
     bcvk libvirt rm --stop --force --label bootc.test=1
@@ -175,6 +185,7 @@ test-container: build-units build-integration-test-image
 clean-local-images:
     podman images --filter "label={{testimage_label}}"
     podman images --filter "label={{testimage_label}}" --format "{{{{.ID}}" | xargs -r podman rmi -f
+    podman rmi {{fedora-coreos}} -f
 
 # Print the container image reference for a given short $ID-VERSION_ID for NAME
 # and 'base' or 'buildroot-base' for TYPE (base image type)

crates/lib/src/bootloader.rs

@@ -4,12 +4,13 @@ use anyhow::{anyhow, bail, Context, Result};
 use bootc_utils::CommandRunExt;
 use camino::Utf8Path;
 use cap_std_ext::cap_std::fs::Dir;
+use cap_std_ext::dirext::CapStdExtDirExt;
 use fn_error_context::context;
 
 use bootc_blockdev::{Partition, PartitionTable};
 use bootc_mount as mount;
 
-use crate::bootc_composefs::boot::mount_esp;
+use crate::bootc_composefs::boot::{get_sysroot_parent_dev, mount_esp};
 use crate::{discoverable_partition_specification, utils};
 
 /// The name of the mountpoint for efi (as a subdirectory of /boot, or at the toplevel)
@@ -26,6 +27,36 @@ pub(crate) fn esp_in(device: &PartitionTable) -> Result<&Partition> {
         .ok_or(anyhow::anyhow!("ESP not found in partition table"))
 }
 
+/// Get esp partition node based on the root dir
+pub(crate) fn get_esp_partition_node(root: &Dir) -> Result<Option<String>> {
+    let device = get_sysroot_parent_dev(&root)?;
+    let base_partitions = bootc_blockdev::partitions_of(Utf8Path::new(&device))?;
+    let esp = base_partitions.find_partition_of_esp()?;
+    if let Some(esp) = esp {
+        return Ok(Some(esp.node.clone()));
+    };
+    Ok(None)
+}
+
+// Mount esp part at /boot/efi
+pub(crate) fn mount_esp_part(root: &Dir, root_path: &Utf8Path, physical_root: &Dir) -> Result<()> {
+    let efi_path = Utf8Path::new("boot").join(crate::bootloader::EFI_DIR);
+    if let Some(esp_fd) = root
+        .open_dir_optional(&efi_path)
+        .context("Opening /boot/efi")?
+    {
+        if let Some(false) = esp_fd.is_mountpoint(".")? {
+            tracing::debug!("Not a mountpoint: /boot/efi");
+            // On ostree env, should use /target/sysroot because of composefs
+            if let Some(esp_part) = get_esp_partition_node(&physical_root)? {
+                bootc_mount::mount(&esp_part, &root_path.join(&efi_path))?;
+                tracing::debug!("Mounted {esp_part} at /boot/efi");
+            }
+        }
+    }
+    Ok(())
+}
+
 /// Determine if the invoking environment contains bootupd, and if there are bootupd-based
 /// updates in the target root.
 #[context("Querying for bootupd")]

crates/lib/src/install.rs

@@ -2168,6 +2168,15 @@ pub(crate) async fn install_to_filesystem(
                 .await??;
         }
         Some(ReplaceMode::Alongside) => {
+            // On existing ostree OS like FCOS, esp is not mounted after booted,
+            // need to find esp and mount before clean
+            if ARCH_USES_EFI {
+                crate::bootloader::mount_esp_part(
+                    &target_rootfs_fd,
+                    &target_root_path,
+                    &rootfs_fd,
+                )?;
+            }
             clean_boot_directories(&target_rootfs_fd, is_already_ostree)?
         }
         None => require_empty_rootdir(&rootfs_fd)?,

crates/xtask/src/tmt.rs

@@ -137,6 +137,25 @@ fn build_firmware_args(sh: &Shell, image: &str) -> Result<Vec<String>> {
     Ok(r)
 }
 
+/// Detect VARIANT_ID from container image by reading os-release
+/// Returns string like "coreos" or empty
+#[context("Detecting distro from image")]
+fn detect_variantid_from_image(sh: &Shell, image: &str) -> Result<Option<String>> {
+    let variant_id = cmd!(
+        sh,
+        "podman run --rm {image} bash -c '. /usr/lib/os-release && echo $VARIANT_ID'"
+    )
+    .read()
+    .context("Failed to run image as container to detect distro")?;
+
+    let variant_id = variant_id.trim();
+    if variant_id.is_empty() {
+        return Ok(None);
+    }
+
+    Ok(Some(variant_id.to_string()))
+}
+
 /// Check if a distro supports --bind-storage-ro
 /// CentOS 9 lacks systemd.extra-unit.* support required for bind-storage-ro
 fn distro_supports_bind_storage_ro(distro: &str) -> bool {
@@ -269,18 +288,25 @@ pub(crate) fn run_tmt(sh: &Shell, args: &RunTmtArgs) -> Result<()> {
 
     // Detect distro from the image
     let distro = detect_distro_from_image(sh, image)?;
+    // Detect VARIANT_ID from the image
+    // As this can not be empty value in context, use "unknown" instead
+    let variant_id = detect_variantid_from_image(sh, image)?.unwrap_or("unknown".to_string());
 
     let context = args
         .context
         .iter()
         .map(|v| format!("--context={}", v))
         .chain(std::iter::once(format!("--context=running_env=image_mode")))
         .chain(std::iter::once(format!("--context=distro={}", distro)))
+        .chain(std::iter::once(format!(
+            "--context=VARIANT_ID={variant_id}"
+        )))
         .collect::<Vec<_>>();
     let preserve_vm = args.preserve_vm;
 
     println!("Using bcvk image: {}", image);
     println!("Detected distro: {}", distro);
+    println!("Detected VARIANT_ID: {variant_id}");
 
     let firmware_args = build_firmware_args(sh, image)?;
 
@@ -387,7 +413,16 @@ pub(crate) fn run_tmt(sh: &Shell, args: &RunTmtArgs) -> Result<()> {
                     distro
                 );
             }
-
+            // Add --filesystem=xfs by default on fedora-coreos
+            // Add --bind-storage-ro if supported
+            if variant_id == "coreos" {
+                if distro.starts_with("fedora") {
+                    opts.push("--filesystem=xfs".to_string());
+                }
+                if supports_bind_storage_ro {
+                    opts.push(BCVK_OPT_BIND_STORAGE_RO.to_string());
+                }
+            }
             opts
         };
 

tmt/plans/tests-install.fmf

@@ -0,0 +1,28 @@
+discover:
+  how: fmf
+execute:
+  how: tmt
+# Because of the two issues, run tmt on github runner directly failed
+# - selinux disabled on ubuntu (https://github.com/teemtee/tmt/issues/3364)
+# - uefi firmware is not supported (https://github.com/teemtee/tmt/issues/4203)
+provision:
+  how: virtual
+  hardware:
+    boot:
+      method: uefi
+  image: fedora-coreos-next
+  user: root
+  memory: 4096
+  disk: 20
+
+/plan-bootc-install-on-coreos:
+  summary: Execute bootc install on ostree OS
+  adjust:
+  - when: VARIANT_ID != coreos
+    enabled: false
+    because: this needs to start an ostree OS firstly
+  discover:
+    how: fmf
+    test:
+      - /tmt/tests/install/test-bootc-install-on-coreos
+  extra-try_bind_storage: true

tmt/tests/examples/test-on-ostree/test-install-on-ostree.sh

@@ -0,0 +1,56 @@
+# number: 50
+# extra:
+#   try_bind_storage: true
+# tmt:
+#   summary: Test bootc install on ostree OS
+#   duration: 30m
+#   adjust:
+#     - when: VARIANT_ID != coreos
+#       enabled: false
+#       because: this needs to start an ostree OS firstly
+#
+#!/bin/bash
+set -eux
+
+echo "Testing bootc install on ostree"
+
+# BOOTC_target is integration image
+[ -n "$BOOTC_target" ]
+
+if [ "$TMT_REBOOT_COUNT" -eq 0 ]; then
+    echo "Running before first reboot"
+    pwd
+    ls -l
+    # Verify testing on ostree OS
+    if [ ! -f "/run/ostree-booted" ]; then
+        echo "Should be ostree OS"
+        exit 1
+    fi
+    podman image exists ${BOOTC_target}
+    # Run bootc install using the same stateroot for shared /var
+    stateroot=$(bootc status --json | jq -r .status.booted.ostree.stateroot)
+
+    # Need bind mount for /run/host-container-storage
+    podman run --rm --privileged \
+        -v /dev:/dev \
+        -v /run/host-container-storage:/run/host-container-storage:ro \
+        -v /:/target \
+        --pid=host \
+        --security-opt label=type:unconfined_t \
+        ${BOOTC_target} \
+            env BOOTC_BOOTLOADER_DEBUG=1 STORAGE_OPTS=additionalimagestore=/run/host-container-storage \
+            bootc install to-existing-root \
+            --stateroot=${stateroot} \
+            --skip-fetch-check \
+            --acknowledge-destructive \
+            --karg=console=ttyS0,115200n8
+
+    bootc status
+    tmt-reboot
+elif [ "$TMT_REBOOT_COUNT" -eq 1 ]; then
+    echo 'After the reboot'
+    booted=$(bootc status --json | jq -r .status.booted.image.image.image)
+    [ ${booted} == ${BOOTC_target} ]
+fi
+
+echo "Run bootc install on ostree OS successfully"

tmt/tests/install.fmf

@@ -0,0 +1,8 @@
+/test-bootc-install-on-coreos:
+  summary: Test bootc install on coreos
+  duration: 30m
+  adjust:
+  - when: VARIANT_ID != coreos
+    enabled: false
+    because: this needs to start an ostree OS firstly
+  test: bash examples/test-on-ostree/test-install-on-ostree.sh