Skip to content

Comments

Make Debian the official base?#11

Closed
JohnMertz wants to merge 12 commits intomainfrom
debian
Closed

Make Debian the official base?#11
JohnMertz wants to merge 12 commits intomainfrom
debian

Conversation

@JohnMertz
Copy link
Member

@JohnMertz JohnMertz commented Nov 7, 2025
edited
Loading

Images from this branch are now successfully building. We need a few things before we can be confident in this path over CentOS:

[x] - Successfully build images
[x] - Successfully test images
[x] - Successfully build disks
[x] - Successfully convert disks to all VM formats
[ ] - Boot the VM image in KVM.
[ ] - Successfully build iso
[ ] - Boot the iso image in KVM and install.
[ ] - Successfully test an upgrade.

A bare-metal deployment may be more difficult, but this hadn't even been tested with CentOS yet, so we can handle that down the road.

@JohnMertz
Nearly building
16a3b0e 
Just getting an SELinux error in the finalize step.

However, I'm getting fairly confident that Debian just isn't ready for
stable Bootc images yet. I'm going to abandon this branch for now, but
keep it around to look at later.
@JohnMertz
Change version to stable (13) add Exim version
724d251
@JohnMertz
Add Exim build stage
7191010 
Largely cloned from `st-exim`. This will supersede the need for that distinct project.
@JohnMertz
Major change to file structure
7b5ad79
@JohnMertz
Working build + clean up additional files
9b1c674 
`just build` now produces a Debian artifact!

Add stub files for SpamTagger builds.

Update README.md for Debian

Move ARCH definition to Justfile since it is now used for both Exim and
DCC.
@JohnMertz
No need to build Perl in Debian
3e867c7 
It comes with significantly fewer dependencies than in CentOS and is depended upon by other packages, so it is much simpler to just use Debian's version.
@JohnMertz
Copy cosign key instead of downloading
eb3927e 
Also move signing configuration to finalize stage.
@JohnMertz
Add SpamTagger and Zend repositories
ec86a44 
Also re-organize many elements to where they make more sense. 
Move any packages which will be common to both SpamTagger and SpamTagger plus to the main package script.
Prepare for per-variant package cleanup.
Fix Apt (broken by missing directories) since it is required for Distrobox.
@JohnMertz
Fix errors from distrobox-init
0aed943 
Now able to create and enter distrobox.
I'll be using this to run the Perl tests, since they are failing in CI.
@JohnMertz
Add missing Perl packages
4230d0c 
Tests should now pass in CI
@JohnMertz
Copy link
Member Author

JohnMertz commented Nov 8, 2025

As of the latest commit, the CI builds now work.

Currently just build-disk dies with the error:

error: Installing to filesystem: Creating ostree deployment: Preparing import: Fetching manifest: failed to invoke method OpenImage: invalid policy in "/etc/containers/policy.json": invalid character 'c' looking for beginning of value
Traceback (most recent call last):
File "/run/osbuild/bin/org.osbuild.bootc.install-to-filesystem", line 73, in <module>
    r = main(args["options"], args["inputs"], args["paths"])
  File "/run/osbuild/bin/org.osbuild.bootc.install-to-filesystem", line 68, in main
    subprocess.run(pargs, env=env, check=True)
    ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/subprocess.py", line 577, in run
    raise CalledProcessError(retcode, process.args,
                             output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['bootc', 'install', 'to-filesystem', '--source-imgref', 'containers-storage:[overlay@/run/osbuild/containers/storage+/run/containers/storage]257db3e53af57dcc4339aaf7a3dbb6ee428bc2b437181812ce44325dd1979b4d', '--skip-fetch-check', '--generic-image', '--karg', 'rw', '--karg', 'console=tty0', '--karg', 'console=ttyS0', '--target-imgref', 'localhost/spamtagger-bootc:spamtagger-plus-13', '/run/osbuild/mounts']' returned non-zero exit status 1.

It looks like it is a JSON parse error. It's not entirely clear if this is caused by the policy.json created in container/build_files/finalize. That file appears to be valid and even if it is removed (or never created) the error seems to still be identical. This output comes from bootc-image-builder, so I'll probably have to look there for more info.

@JohnMertz
Change build-disk method
fda46b9 
I was having trouble actually getting bootc-image-builder to work. It
appears to be fairly tightly integrated with RPM tools, so a different
(simpler) method will have to do.

This change just creates a virtual disk image, mounts it to a new
container and uses Bootc on that container to write to the virtual disk.

This works insofar as it builds seems to copy the appropriate bytes to
the image and then that image can be converted to VM disk formats. It
does not work insofar as the disk images are not bootable. I think this
is an issue in `build-container` not `build-disk`. We probably don't
have the bootloader configured properly. To be investigated next.
@JohnMertz
Copy link
Member Author

JohnMertz commented Nov 8, 2025

As noted in last commit, disk images are now buildable using a new method. However, the images fail to boot in KVM, so I'm not sure if bootc-image-builder isn't worth another look.

I do get very close to booting if I click to customize the installation, force it to use UEFI, then enter the EFI firmware settings and disable secureboot. At that point it starts to initialize with systemd-boot, but fails at initrd-switch-root.service.

Continuing with this method means that I'll definitely need to fix secureboot. Also, BIOS boot works for Cayo, so ideally I'll get this to work as well.

Also a few notes on the disk image before I finish for the day:

  • Mounting the disk in guestfish shows that 3 filesystems do exist:
><fs> list-filesystems
/dev/sda1: unknown
/dev/sda2: vfat
/dev/sda3: ext4

/dev/sda1 is a BIOS boot partition. /dev/sda2 is the EFI partition. /dev/sda3 contains the rootfs, with only boot, composefs, and state directories. Presumably the EFI partition, if mounted correctly should be able to mount the roofs. The EFI partition contains:

><fs> cat /boot/loader/entries/bootc-composefs-1.conf
title Debian GNU/Linux 13 (trixie)
version 13
linux /EFI/Linux/e646214cd8a4186c7cfa2a348625fb71ff3e10a8dea76b321ad33793c960a4e4138c8283db06b5957fa8f7118766d66f4a932d52113cea2bb9760996aaae3df6/vmlinuz
initrd /EFI/Linux/e646214cd8a4186c7cfa2a348625fb71ff3e10a8dea76b321ad33793c960a4e4138c8283db06b5957fa8f7118766d66f4a932d52113cea2bb9760996aaae3df6/initrd
options root=UUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 rw composefs=e646214cd8a4186c7cfa2a348625fb71ff3e10a8dea76b321ad33793c960a4e4138c8283db06b5957fa8f7118766d66f4a932d52113cea2bb9760996aaae3df6
sort-key 1

Those initrd and vmlinuz files exist at that path. The UUID matches get-e2uuid /dev/sda3. And the composefs image exists in /composefs/images/.

So, everything seems fine there. The problem appears to be within the BootC configuration.

Another note is that my workstation seems to be out-of-date with the latest BootC. Attempting to build bootcrew/debian-bootc to compare to that project fails because I don't have composefs-backend as an installation option. I may need to spend the weekend actually getting my dogwood project fully up-to-speed so that I'm on the latest Fedora 43.

@JohnMertz
Big overhaul!
a11863c 
Added a few stages to build process:

* bootc-base - This copies everything built by bootc-builder and will be
  re-used by spamtagger-base and bundler
* bundler - Mounts the product of spamtagger-base as /rootfs, then
  creates a composefs-compatible filesystem
* final - Mounts the composfs filesystem from bundler as the final image
  and runs the bootc lint on that

Changed back to using the bootc-image-builder method for building disk
images. I haven't tested this part yet, but it would be too annoying to
cut out.

Everything up to the bundler stage is working. I want to make sure that
I capture the state here before I break something.
@JohnMertz JohnMertz closed this Jan 8, 2026
@JohnMertz JohnMertz mentioned this pull request Jan 8, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JohnMertz