Merge pull request #4671 from ggiguash/bootc-use-read-only-storage-preloaded

openshift-merge-bot[bot] · web-flow · commit 3da083c534e3 · 2025-03-14T09:34:38.000Z
OCPBUGS-52420: Bootc images to use the /usr read-only storage for preloaded container images
diff --git a/docs/config/Containerfile.bootc-embedded-rhel9 b/docs/config/Containerfile.bootc-embedded-rhel9
@@ -2,50 +2,15 @@ ARG USHIFT_BASE_IMAGE_NAME
 ARG USHIFT_BASE_IMAGE_TAG
 FROM $USHIFT_BASE_IMAGE_NAME:$USHIFT_BASE_IMAGE_TAG
 
-# Pull the container image dependencies into /var/lib/containers/storage-preloaded
+# Pull the container image dependencies into /usr/lib/containers/storage
 RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
     images=$(jq -r '.images | .[]' "/usr/share/microshift/release/release-$(uname -m).json") ; \
     for i in ${images} ; do \
         podman pull \
             --authfile /run/secrets/pull-secret.json \
-            --root /var/lib/containers/storage-preloaded \
+            --root /usr/lib/containers/storage \
             "docker://${i}" ; \
     done
 
 # Edit the container storage configuration file to include the new path
-RUN sed -i '/^additionalimagestores.*/a\   "/var/lib/containers/storage-preloaded",' /etc/containers/storage.conf
-
-# Apply a workaround to set the SELinux context on the new storage directory and
-# also restore 'NET_BIND_SERVICE' capability that is currently lost when including
-# images in the container.
-#
-# Note: This requires setting the additional image stores path to a read-write
-# location on the file system. The images will still be treated as read-only by
-# the container subsystem.
-# See https://github.com/ostreedev/ostree-rs-ext/issues/654
-#
-# hadolint ignore=DL3059
-RUN cat > /usr/bin/microshift-imagestore-config <<'EOF'
-#!/bin/bash
-set -euxo pipefail
-DEF_IMGPATH="$1"
-NEW_IMGPATH="$2"
-semanage fcontext -a -e "${DEF_IMGPATH}" "${NEW_IMGPATH}"
-restorecon -R "${NEW_IMGPATH}"
-find "${NEW_IMGPATH}" -type f -path "*/usr/sbin/haproxy" -exec setcap "cap_net_bind_service=+ep" {} \;
-EOF
-
-# hadolint ignore=DL3059
-RUN cat > /etc/systemd/system/microshift-imagestore-config.service <<'EOF'
-[Unit]
-Description=Configure the image store directory for MicroShift
-Before=microshift.service
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/microshift-imagestore-config /var/lib/containers/storage /var/lib/containers/storage-preloaded
-[Install]
-WantedBy=multi-user.target
-EOF
-
-RUN chmod 755 /usr/bin/microshift-imagestore-config && \
-    systemctl enable microshift-imagestore-config.service
+RUN sed -i '/^additionalimagestores.*/a\   "/usr/lib/containers/storage",' /etc/containers/storage.conf
diff --git a/docs/config/Containerfile.bootc-rhel9 b/docs/config/Containerfile.bootc-rhel9
@@ -1,6 +1,6 @@
-FROM registry.redhat.io/rhel9-eus/rhel-9.4-bootc:9.4
+FROM registry.redhat.io/rhel9-eus/rhel-9.6-bootc:9.6
 
-ARG USHIFT_VER=4.18
+ARG USHIFT_VER=4.19
 # hadolint ignore=SC1091
 RUN . /etc/os-release && dnf upgrade -y --releasever="${VERSION_ID}" && \
     dnf config-manager \
diff --git a/test/image-blueprints-bootc/layer2-source/group2/microshift-imagestore-config.service.template b/test/image-blueprints-bootc/layer2-source/group2/microshift-imagestore-config.service.template
diff --git a/test/image-blueprints-bootc/layer2-source/group2/microshift-imagestore-config.sh.template b/test/image-blueprints-bootc/layer2-source/group2/microshift-imagestore-config.sh.template
diff --git a/test/image-blueprints-bootc/layer2-source/group2/rhel96-bootc-source-ai-model-serving.containerfile b/test/image-blueprints-bootc/layer2-source/group2/rhel96-bootc-source-ai-model-serving.containerfile
@@ -54,7 +54,7 @@ RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
         for i in 1 2 3; do \
             GOMAXPROCS=8 podman pull \
                 --authfile /run/secrets/pull-secret.json \
-                --root /var/lib/containers/storage-preloaded \
+                --root /usr/lib/containers/storage \
                 "docker://${img}" && break; \
             if [ $i -eq 3 ] ; then \
                 echo "ERROR: Failed to pull ${img} image after 3 attempts"; \
@@ -79,7 +79,7 @@ RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
         for i in 1 2 3; do \
             GOMAXPROCS=8 podman pull \
                 --authfile /run/secrets/pull-secret.json \
-                --root /var/lib/containers/storage-preloaded \
+                --root /usr/lib/containers/storage \
                 "docker://${img}" && break; \
             if [ $i -eq 3 ] ; then \
                 echo "ERROR: Failed to pull ${img} image after 3 attempts"; \
@@ -91,19 +91,7 @@ RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
 
 
 # Edit the container storage configuration file to include the new path
-RUN sed -i '/^additionalimagestores.*/a\   "/var/lib/containers/storage-preloaded",' /etc/containers/storage.conf
-
-# Apply a workaround to set the SELinux context on the new storage directory and
-# also restore 'NET_BIND_SERVICE' capability that is currently lost when including
-# images in the container.
-#
-# Note: This requires setting the additional image stores path to a read-write
-# location on the file system. The images will still be treated as read-only by
-# the container subsystem.
-# See https://github.com/ostreedev/ostree-rs-ext/issues/654
-COPY --chmod=755 ./bootc-images/microshift-imagestore-config.sh /usr/bin/microshift-imagestore-config
-COPY --chmod=644 ./bootc-images/microshift-imagestore-config.service /etc/systemd/system/microshift-imagestore-config.service
-RUN systemctl enable microshift-imagestore-config.service
+RUN sed -i '/^additionalimagestores.*/a\   "/usr/lib/containers/storage",' /etc/containers/storage.conf
 
 # Create test data
 COPY --chmod=755 ./bootc-images/ai-model-serving-test-data.sh /tmp/ai-model-serving-test-data.sh
diff --git a/test/image-blueprints-bootc/layer2-source/group2/rhel96-bootc-source-isolated.containerfile b/test/image-blueprints-bootc/layer2-source/group2/rhel96-bootc-source-isolated.containerfile
@@ -32,7 +32,7 @@ RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
     for i in 1 2 3; do \
         GOMAXPROCS=8 podman pull \
             --authfile /run/secrets/pull-secret.json \
-            --root /var/lib/containers/storage-preloaded \
+            --root /usr/lib/containers/storage \
             "docker://{{ . }}" && break; \
         if [ $i -eq 3 ] ; then \
             echo "ERROR: Failed to pull {{ . }} image after 3 attempts"; \
@@ -43,16 +43,4 @@ RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
 # {{ end }}
 
 # Edit the container storage configuration file to include the new path
-RUN sed -i '/^additionalimagestores.*/a\   "/var/lib/containers/storage-preloaded",' /etc/containers/storage.conf
-
-# Apply a workaround to set the SELinux context on the new storage directory and
-# also restore 'NET_BIND_SERVICE' capability that is currently lost when including
-# images in the container.
-#
-# Note: This requires setting the additional image stores path to a read-write
-# location on the file system. The images will still be treated as read-only by
-# the container subsystem.
-# See https://github.com/ostreedev/ostree-rs-ext/issues/654
-COPY --chmod=755 ./bootc-images/microshift-imagestore-config.sh /usr/bin/microshift-imagestore-config
-COPY --chmod=644 ./bootc-images/microshift-imagestore-config.service /etc/systemd/system/microshift-imagestore-config.service
-RUN systemctl enable microshift-imagestore-config.service
+RUN sed -i '/^additionalimagestores.*/a\   "/usr/lib/containers/storage",' /etc/containers/storage.conf
diff --git a/test/image-blueprints-bootc/layer2-source/group3/cos9-bootc-source-isolated.containerfile b/test/image-blueprints-bootc/layer2-source/group3/cos9-bootc-source-isolated.containerfile
@@ -12,7 +12,7 @@ RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
     for i in 1 2 3; do \
         GOMAXPROCS=8 podman pull \
             --authfile /run/secrets/pull-secret.json \
-            --root /var/lib/containers/storage-preloaded \
+            --root /usr/lib/containers/storage \
             "docker://{{ . }}" && break; \
         if [ $i -eq 3 ] ; then \
             echo "ERROR: Failed to pull {{ . }} image after 3 attempts"; \
@@ -23,23 +23,4 @@ RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
 # {{ end }}
 
 # Edit the container storage configuration file to include the new path
-RUN sed -i '/^additionalimagestores.*/a\   "/var/lib/containers/storage-preloaded",' /etc/containers/storage.conf
-
-# Apply a workaround to set the SELinux context on the new storage directory and
-# also restore 'NET_BIND_SERVICE' capability that is currently lost when including
-# images in the container.
-#
-# Note: This requires setting the additional image stores path to a read-write
-# location on the file system. The images will still be treated as read-only by
-# the container subsystem.
-# See https://github.com/ostreedev/ostree-rs-ext/issues/654
-COPY --chmod=755 ./bootc-images/microshift-imagestore-config.sh /usr/bin/microshift-imagestore-config
-RUN printf '[Unit]\n\
-Description=Configure the image store directory for MicroShift\n\
-Before=microshift.service\n\
-[Service]\n\
-Type=oneshot\n\
-ExecStart=/usr/bin/microshift-imagestore-config /var/lib/containers/storage /var/lib/containers/storage-preloaded\n\
-[Install]\n\
-WantedBy=multi-user.target\n' > /etc/systemd/system/microshift-imagestore-config.service && \
-    systemctl enable microshift-imagestore-config.service
+RUN sed -i '/^additionalimagestores.*/a\   "/usr/lib/containers/storage",' /etc/containers/storage.conf
