cli: Extend bootc container inspect with kernel info

The container-inspect command previously only reported kernel arguments.
Extend it to also report kernel information, including whether the image
contains a traditional kernel or a Unified Kernel Image (UKI).

This consolidates UKI detection logic previously in bootc_composefs::boot
into a new kernel module that can find kernels via either the traditional
/usr/lib/modules/<version>/vmlinuz path or UKI files in /boot/EFI/Linux/.

The ContainerInspect output now includes a "kernel" field with version
and unified (boolean) properties, enabling tooling to determine the
boot method before installation.

Assisted-by: OpenCode (Claude Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/lib/src/bootc_composefs/boot.rs

@@ -217,26 +217,6 @@ fi
     )
 }
 
-/// Returns `true` if detect the target rootfs carries a UKI.
-pub(crate) fn container_root_has_uki(root: &Dir) -> Result<bool> {
-    let Some(boot) = root.open_dir_optional(crate::install::BOOT)? else {
-        return Ok(false);
-    };
-    let Some(efi_linux) = boot.open_dir_optional(EFI_LINUX)? else {
-        return Ok(false);
-    };
-    for entry in efi_linux.entries()? {
-        let entry = entry?;
-        let name = entry.file_name();
-        let name = Path::new(&name);
-        let extension = name.extension().and_then(|v| v.to_str());
-        if extension == Some("efi") {
-            return Ok(true);
-        }
-    }
-    Ok(false)
-}
-
 pub fn get_esp_partition(device: &str) -> Result<(String, Option<String>)> {
     let device_info = bootc_blockdev::partitions_of(Utf8Path::new(device))?;
     let esp = crate::bootloader::esp_in(&device_info)?;
@@ -1295,32 +1275,6 @@ pub(crate) async fn setup_composefs_boot(
 #[cfg(test)]
 mod tests {
     use super::*;
-    use cap_std_ext::cap_std;
-
-    #[test]
-    fn test_root_has_uki() -> Result<()> {
-        // Test case 1: No boot directory
-        let tempdir = cap_std_ext::cap_tempfile::tempdir(cap_std::ambient_authority())?;
-        assert_eq!(container_root_has_uki(&tempdir)?, false);
-
-        // Test case 2: boot directory exists but no EFI/Linux
-        tempdir.create_dir(crate::install::BOOT)?;
-        assert_eq!(container_root_has_uki(&tempdir)?, false);
-
-        // Test case 3: boot/EFI/Linux exists but no .efi files
-        tempdir.create_dir_all("boot/EFI/Linux")?;
-        assert_eq!(container_root_has_uki(&tempdir)?, false);
-
-        // Test case 4: boot/EFI/Linux exists with non-.efi file
-        tempdir.atomic_write("boot/EFI/Linux/readme.txt", b"some file")?;
-        assert_eq!(container_root_has_uki(&tempdir)?, false);
-
-        // Test case 5: boot/EFI/Linux exists with .efi file
-        tempdir.atomic_write("boot/EFI/Linux/bootx64.efi", b"fake efi binary")?;
-        assert_eq!(container_root_has_uki(&tempdir)?, true);
-
-        Ok(())
-    }
 
     #[test]
     fn test_type1_filename_generation() {

crates/lib/src/cli.rs

@@ -1461,7 +1461,8 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 let root = &Dir::open_ambient_dir(&rootfs, cap_std::ambient_authority())?;
                 let kargs = crate::bootc_kargs::get_kargs_in_root(root, std::env::consts::ARCH)?;
                 let kargs: Vec<String> = kargs.iter_str().map(|s| s.to_owned()).collect();
-                let inspect = crate::spec::ContainerInspect { kargs };
+                let kernel = crate::kernel::find_kernel(root)?;
+                let inspect = crate::spec::ContainerInspect { kargs, kernel };
                 serde_json::to_writer_pretty(std::io::stdout().lock(), &inspect)?;
                 Ok(())
             }

crates/lib/src/install.rs

@@ -1341,10 +1341,6 @@ async fn verify_target_fetch(
     Ok(())
 }
 
-fn root_has_uki(root: &Dir) -> Result<bool> {
-    crate::bootc_composefs::boot::container_root_has_uki(root)
-}
-
 /// Preparation for an install; validates and prepares some (thereafter immutable) global state.
 async fn prepare_install(
     config_opts: InstallConfigOpts,
@@ -1418,7 +1414,9 @@ async fn prepare_install(
     tracing::debug!("Target image reference: {target_imgref}");
 
     let composefs_required = if let Some(root) = target_rootfs.as_ref() {
-        root_has_uki(root)?
+        crate::kernel::find_kernel(root)?
+            .map(|k| k.unified)
+            .unwrap_or(false)
     } else {
         false
     };

crates/lib/src/kernel.rs

@@ -0,0 +1,164 @@
+//! Kernel detection for container images.
+//!
+//! This module provides functionality to detect kernel information in container
+//! images, supporting both traditional kernels (with separate vmlinuz/initrd) and
+//! Unified Kernel Images (UKI).
+
+use std::path::Path;
+
+use anyhow::Result;
+use cap_std_ext::cap_std::fs::Dir;
+use cap_std_ext::dirext::CapStdExtDirExt;
+use serde::Serialize;
+
+use crate::bootc_composefs::boot::EFI_LINUX;
+
+/// Information about the kernel in a container image.
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "kebab-case")]
+pub(crate) struct Kernel {
+    /// The kernel version identifier. For traditional kernels, this is derived from the
+    /// /usr/lib/modules/<version> directory name. For UKI images, this is the UKI filename
+    /// (without the .efi extension).
+    pub(crate) version: String,
+    /// Whether the kernel is packaged as a UKI (Unified Kernel Image).
+    pub(crate) unified: bool,
+}
+
+/// Find the kernel in a container image root directory.
+///
+/// This function first attempts to find a traditional kernel layout with
+/// `/usr/lib/modules/<version>/vmlinuz`. If that doesn't exist, it falls back
+/// to looking for a UKI in `/boot/EFI/Linux/*.efi`.
+///
+/// Returns `None` if no kernel is found.
+pub(crate) fn find_kernel(root: &Dir) -> Result<Option<Kernel>> {
+    // First, try to find a traditional kernel via ostree_ext
+    if let Some(kernel_dir) = ostree_ext::bootabletree::find_kernel_dir_fs(root)? {
+        let version = kernel_dir
+            .file_name()
+            .ok_or_else(|| anyhow::anyhow!("kernel dir should have a file name: {kernel_dir}"))?
+            .to_owned();
+        return Ok(Some(Kernel {
+            version,
+            unified: false,
+        }));
+    }
+
+    // Fall back to checking for a UKI
+    if let Some(uki_filename) = find_uki_filename(root)? {
+        let version = uki_filename
+            .strip_suffix(".efi")
+            .unwrap_or(&uki_filename)
+            .to_owned();
+        return Ok(Some(Kernel {
+            version,
+            unified: true,
+        }));
+    }
+
+    Ok(None)
+}
+
+/// Returns the filename of the first UKI found in the container root, if any.
+///
+/// Looks in `/boot/EFI/Linux/*.efi`. If multiple UKIs are present, returns
+/// the first one in sorted order for determinism.
+fn find_uki_filename(root: &Dir) -> Result<Option<String>> {
+    let Some(boot) = root.open_dir_optional(crate::install::BOOT)? else {
+        return Ok(None);
+    };
+    let Some(efi_linux) = boot.open_dir_optional(EFI_LINUX)? else {
+        return Ok(None);
+    };
+
+    let mut uki_files = Vec::new();
+    for entry in efi_linux.entries()? {
+        let entry = entry?;
+        let name = entry.file_name();
+        let name_path = Path::new(&name);
+        let extension = name_path.extension().and_then(|v| v.to_str());
+        if extension == Some("efi") {
+            if let Some(name_str) = name.to_str() {
+                uki_files.push(name_str.to_owned());
+            }
+        }
+    }
+
+    // Sort for deterministic behavior when multiple UKIs are present
+    uki_files.sort();
+    Ok(uki_files.into_iter().next())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use cap_std_ext::{cap_std, cap_tempfile, dirext::CapStdExtDirExt};
+
+    #[test]
+    fn test_find_kernel_none() -> Result<()> {
+        let tempdir = cap_tempfile::tempdir(cap_std::ambient_authority())?;
+        assert!(find_kernel(&tempdir)?.is_none());
+        Ok(())
+    }
+
+    #[test]
+    fn test_find_kernel_traditional() -> Result<()> {
+        let tempdir = cap_tempfile::tempdir(cap_std::ambient_authority())?;
+        tempdir.create_dir_all("usr/lib/modules/6.12.0-100.fc41.x86_64")?;
+        tempdir.atomic_write(
+            "usr/lib/modules/6.12.0-100.fc41.x86_64/vmlinuz",
+            b"fake kernel",
+        )?;
+
+        let kernel = find_kernel(&tempdir)?.expect("should find kernel");
+        assert_eq!(kernel.version, "6.12.0-100.fc41.x86_64");
+        assert!(!kernel.unified);
+        Ok(())
+    }
+
+    #[test]
+    fn test_find_kernel_uki() -> Result<()> {
+        let tempdir = cap_tempfile::tempdir(cap_std::ambient_authority())?;
+        tempdir.create_dir_all("boot/EFI/Linux")?;
+        tempdir.atomic_write("boot/EFI/Linux/fedora-6.12.0.efi", b"fake uki")?;
+
+        let kernel = find_kernel(&tempdir)?.expect("should find kernel");
+        assert_eq!(kernel.version, "fedora-6.12.0");
+        assert!(kernel.unified);
+        Ok(())
+    }
+
+    #[test]
+    fn test_find_kernel_traditional_takes_precedence() -> Result<()> {
+        let tempdir = cap_tempfile::tempdir(cap_std::ambient_authority())?;
+        // Both traditional and UKI exist
+        tempdir.create_dir_all("usr/lib/modules/6.12.0-100.fc41.x86_64")?;
+        tempdir.atomic_write(
+            "usr/lib/modules/6.12.0-100.fc41.x86_64/vmlinuz",
+            b"fake kernel",
+        )?;
+        tempdir.create_dir_all("boot/EFI/Linux")?;
+        tempdir.atomic_write("boot/EFI/Linux/fedora-6.12.0.efi", b"fake uki")?;
+
+        let kernel = find_kernel(&tempdir)?.expect("should find kernel");
+        // Traditional kernel should take precedence
+        assert_eq!(kernel.version, "6.12.0-100.fc41.x86_64");
+        assert!(!kernel.unified);
+        Ok(())
+    }
+
+    #[test]
+    fn test_find_uki_filename_sorted() -> Result<()> {
+        let tempdir = cap_tempfile::tempdir(cap_std::ambient_authority())?;
+        tempdir.create_dir_all("boot/EFI/Linux")?;
+        tempdir.atomic_write("boot/EFI/Linux/zzz.efi", b"fake uki")?;
+        tempdir.atomic_write("boot/EFI/Linux/aaa.efi", b"fake uki")?;
+        tempdir.atomic_write("boot/EFI/Linux/mmm.efi", b"fake uki")?;
+
+        // Should return first in sorted order
+        let filename = find_uki_filename(&tempdir)?.expect("should find uki");
+        assert_eq!(filename, "aaa.efi");
+        Ok(())
+    }
+}

crates/lib/src/lib.rs

@@ -21,6 +21,7 @@ mod image;
 mod install;
 pub(crate) mod journal;
 mod k8sapitypes;
+mod kernel;
 mod lints;
 mod lsm;
 pub(crate) mod metadata;

crates/lib/src/spec.rs

@@ -303,6 +303,8 @@ pub(crate) struct DeploymentEntry<'a> {
 pub(crate) struct ContainerInspect {
     /// Kernel arguments embedded in the container image.
     pub(crate) kargs: Vec<String>,
+    /// Information about the kernel in the container image.
+    pub(crate) kernel: Option<crate::kernel::Kernel>,
 }
 
 impl Host {

crates/tests-integration/src/container.rs

@@ -32,6 +32,48 @@ pub(crate) fn test_bootc_container_inspect() -> Result<()> {
     assert!(kargs.iter().any(|arg| arg == "kargsd-othertest=2"));
     assert!(kargs.iter().any(|arg| arg == "testing-kargsd=3"));
 
+    // check kernel field
+    let kernel = inspect
+        .get("kernel")
+        .expect("kernel field should be present")
+        .as_object()
+        .expect("kernel should be an object");
+    let version = kernel
+        .get("version")
+        .expect("kernel.version should be present")
+        .as_str()
+        .expect("kernel.version should be a string");
+    // Verify version is non-empty (for traditional kernels it's uname-style, for UKI it's the filename)
+    assert!(!version.is_empty(), "kernel.version should not be empty");
+    let unified = kernel
+        .get("unified")
+        .expect("kernel.unified should be present")
+        .as_bool()
+        .expect("kernel.unified should be a boolean");
+    if let Some(variant) = std::env::var("BOOTC_variant").ok() {
+        match variant.as_str() {
+            "ostree" => {
+                assert!(!unified, "Expected unified=false for ostree variant");
+                // For traditional kernels, version should look like a uname (contains digits)
+                assert!(
+                    version.chars().any(|c| c.is_ascii_digit()),
+                    "version should contain version numbers for traditional kernel: {version}"
+                );
+            }
+            "composefs-sealeduki-sdboot" => {
+                assert!(unified, "Expected unified=true for UKI variant");
+                // For UKI, version is the filename without .efi extension (should not end with .efi)
+                assert!(
+                    !version.ends_with(".efi"),
+                    "version should not include .efi extension: {version}"
+                );
+                // Version should be non-empty after stripping extension
+                assert!(!version.is_empty(), "version should not be empty for UKI");
+            }
+            o => eprintln!("notice: Unhandled variant for kernel check: {o}"),
+        }
+    }
+
     Ok(())
 }
 

docs/src/man/bootc-container-inspect.8.md

@@ -8,7 +8,16 @@ bootc container inspect
 
 # DESCRIPTION
 
-Output JSON to stdout containing the container image metadata
+Output JSON to stdout containing the container image metadata.
+
+# OUTPUT
+
+The command outputs a JSON object with the following fields:
+
+- `kargs`: An array of kernel arguments embedded in the container image.
+- `kernel`: An object containing kernel information (or `null` if no kernel is found):
+  - `version`: The kernel version identifier. For traditional kernels, this is derived from the `/usr/lib/modules/<version>` directory name (equivalent to `uname -r`). For UKI images, this is is the UKI filename without the `.efi` extension - which should usually be the same as the uname.
+  - `unified`: A boolean indicating whether the kernel is packaged as a UKI (Unified Kernel Image).
 
 # OPTIONS
 
@@ -27,6 +36,33 @@ Inspect container image metadata:
 
     bootc container inspect
 
+Example output (traditional kernel):
+
+```json
+{
+  "kargs": [
+    "console=ttyS0",
+    "quiet"
+  ],
+  "kernel": {
+    "version": "6.12.0-0.rc6.51.fc42.x86_64",
+    "unified": false
+  }
+}
+```
+
+Example output (UKI):
+
+```json
+{
+  "kargs": [],
+  "kernel": {
+    "version": "7e11ac46e3e022053e7226a20104ac656bf72d1a",
+    "unified": true
+  }
+}
+```
+
 # SEE ALSO
 
 **bootc**(8)