From aae17241d8963666834ac02af32f81a2df0c3608 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 30 Jan 2025 17:23:20 -0500
Subject: [PATCH 1/4] Rework to stop using removed buildah feature

We can't rely on https://github.com/containers/buildah/issues/5952
anymore.

Signed-off-by: Colin Walters <walters@verbum.org>
---
 .gitlab-ci.yml     | 13 ++++++++++---
 Containerfile      | 19 +------------------
 Containerfile.base | 22 +++++++---------------
 3 files changed, 18 insertions(+), 36 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ef4c96e..54c9329 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,12 +6,19 @@ variables:
 
 .build-image:
   stage: build
-  image: quay.io/buildah/stable:v1.38.0
+  # For newer rpm-ostree
+  image: registry.gitlab.com/fedora/bootc/base-images-dev/fedora-bootc-dev:rawhide
   needs: []
 
 build:
   extends: .build-image
   stage: build
   script: |
-    buildah bud -f Containerfile.base --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base .
-    buildah bud -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard .
+    # Necessary for nested containerization
+    export BUILDAH_ISOLATION=chroot
+    podman build -f Containerfile.base --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base:tmp .
+    rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
+           --from=${IMAGE_PREFIX}-base:tmp --output containers-storage:${IMAGE_PREFIX}-base
+    podman build -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard:tmp .
+    rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
+           --from=${IMAGE_PREFIX}-standard:tmp --output containers-storage:${IMAGE_PREFIX}-standard
diff --git a/Containerfile b/Containerfile
index f21a91e..49bd956 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,7 +1,7 @@
 # This generates the default base image.
 
 # This is a local reference by default because we haven't shipped this image yet.
-FROM localhost/fedora-bootc:base as rootfs
+FROM localhost/fedora-bootc:base
 # Drop our package sets into /usr/share/doc, so that other things can parse it
 COPY packages*.txt /usr/share/doc/fedora-bootc/
 # Overlay our defaults
@@ -40,20 +40,3 @@ dnf clean all
 rm -vrf /var/log /var/cache /var/lib/dnf
 bootc container lint
 EORUN
-
-# This image just needs rpm-ostree in the end that has
-# https://github.com/coreos/rpm-ostree/issues/5221
-FROM registry.gitlab.com/fedora/bootc/base-images-dev/fedora-bootc-dev:rawhide as builder
-RUN --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-    --mount=from=rootfs,dst=/rootfs <<EORUN
-set -xeuo pipefail
-rm /buildcontext/out.oci -rf
-rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
-           --rootfs=/rootfs --output /buildcontext/out.oci
-EORUN
-
-FROM oci:./out.oci
-# Need to reference builder here to force ordering. But since we have to run
-# something anyway, we might as well cleanup after ourselves.
-RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.oci -rf
diff --git a/Containerfile.base b/Containerfile.base
index 689976a..c29b1ec 100644
--- a/Containerfile.base
+++ b/Containerfile.base
@@ -10,15 +10,12 @@
 FROM quay.io/fedora/fedora:rawhide as repos
 
 # BOOTSTRAPPING: This can be any image that has the following packages.
-FROM quay.io/fedora/fedora:rawhide as builder
+FROM registry.gitlab.com/fedora/bootc/base-images-dev/fedora-bootc-dev:rawhide as builder
 RUN dnf -y install rpm-ostree selinux-policy-targeted sqlite
 # Copy in our source code.
 COPY . /src
 WORKDIR /src
-RUN --mount=type=cache,target=/workdir \
-    --mount=type=bind,from=repos,target=/repos \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-    --mount=type=bind,from=repos,src=/,dst=/repos <<EORUN
+RUN --mount=type=bind,from=repos,src=/,dst=/repos <<EORUN
 set -xeuo pipefail
 # Synchronize the dnf/rpm configs from the repos container.
 for x in etc/dnf etc/yum.repos.d etc/pki/rpm-gpg; do
@@ -26,13 +23,12 @@ for x in etc/dnf etc/yum.repos.d etc/pki/rpm-gpg; do
 done
 # And copy to the workdir; TODO fix this in rpm-ostree
 cp /etc/yum.repos.d/*.repo base
-rpm-ostree compose image \
-    --cachedir=/workdir --format=ociarchive --initialize base/manifest.yaml \
-    --source-root=/repos /buildcontext/out.ociarchive
+env RUST_LOG=debug rpm-ostree experimental compose rootfs --source-root=/repos base/manifest.yaml /target-rootfs
 EORUN
 
-# This pulls in the OCI archive generated in the previous step.
-FROM oci-archive:./out.ociarchive
+# This pulls in the rootfs generated in the previous step
+FROM scratch
+COPY --from=builder /target-rootfs/ /
 LABEL containers.bootc 1
 # This is an ad-hoc way for us to reference bootc-image-builder in
 # a way that in theory client tooling can inspect and find. Today
@@ -43,8 +39,4 @@ ENV container=oci
 # Make systemd the default
 STOPSIGNAL SIGRTMIN+3
 CMD ["/sbin/init"]
-# Need to reference builder here to force ordering. But since we have to run
-# something anyway, we might as well cleanup after ourselves.
-RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-      rm /buildcontext/out.ociarchive
+

From 468b4134816070695f0e5d60370f7231de6b3797 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 7 Feb 2025 13:19:45 -0500
Subject: [PATCH 2/4] Containerfile.base: Work around rpmdb location

This took me an unreasonably long time to figure out.
See https://github.com/coreos/rpm-ostree/issues/3397

Signed-off-by: Colin Walters <walters@verbum.org>
---
 Containerfile.base | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Containerfile.base b/Containerfile.base
index c29b1ec..250c98a 100644
--- a/Containerfile.base
+++ b/Containerfile.base
@@ -8,6 +8,8 @@
 # If you want to configure the input rpm-md repositories, just override this
 # container image.
 FROM quay.io/fedora/fedora:rawhide as repos
+# See https://github.com/coreos/rpm-ostree/issues/3397
+RUN ln -sr /usr/lib/sysimage/rpm /usr/share/rpm
 
 # BOOTSTRAPPING: This can be any image that has the following packages.
 FROM registry.gitlab.com/fedora/bootc/base-images-dev/fedora-bootc-dev:rawhide as builder

From 9415176fdbab64594b745e7b8381a4b0b6e3ed1c Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 7 Feb 2025 13:35:00 -0500
Subject: [PATCH 3/4] base: Embed config in image

The idea here is this can be reused by later builds.

Signed-off-by: Colin Walters <walters@verbum.org>
---
 Containerfile.base | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Containerfile.base b/Containerfile.base
index 250c98a..1b4a796 100644
--- a/Containerfile.base
+++ b/Containerfile.base
@@ -25,7 +25,9 @@ for x in etc/dnf etc/yum.repos.d etc/pki/rpm-gpg; do
 done
 # And copy to the workdir; TODO fix this in rpm-ostree
 cp /etc/yum.repos.d/*.repo base
-env RUST_LOG=debug rpm-ostree experimental compose rootfs --source-root=/repos base/manifest.yaml /target-rootfs
+rpm-ostree experimental compose rootfs --source-root=/repos base/manifest.yaml /target-rootfs
+# Embed the configuration in the image itself, so that it can be used by later builds as well
+cp -a base /target-rootfs/usr/lib/sysimage/base-image-manifests
 EORUN
 
 # This pulls in the rootfs generated in the previous step

From 2de6c663456b7765b40cc29c2e3b307509c4007b Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 6 Feb 2025 21:01:20 -0500
Subject: [PATCH 4/4] ci: Test

Signed-off-by: Colin Walters <walters@verbum.org>
---
 .gitlab-ci.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 54c9329..52bb706 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,19 +6,18 @@ variables:
 
 .build-image:
   stage: build
-  # For newer rpm-ostree
-  image: registry.gitlab.com/fedora/bootc/base-images-dev/fedora-bootc-dev:rawhide
+  image: quay.io/buildah/stable:v1.38.1
   needs: []
 
 build:
   extends: .build-image
   stage: build
   script: |
-    # Necessary for nested containerization
-    export BUILDAH_ISOLATION=chroot
-    podman build -f Containerfile.base --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base:tmp .
+    set -xeuo pipefail
+    curl -L --fail -o /etc/yum.repos.d/coreos-continuous.repo https://copr.fedorainfracloud.org/coprs/g/CoreOS/continuous/repo/fedora-42/group_CoreOS-continuous-fedora-42.repo
+    dnf -y install rpm-ostree
+    buildah build "${hostbuildopts[@]}" -f Containerfile.base --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base:tmp .
+    # Rechunk
     rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
            --from=${IMAGE_PREFIX}-base:tmp --output containers-storage:${IMAGE_PREFIX}-base
-    podman build -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard:tmp .
-    rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
-           --from=${IMAGE_PREFIX}-standard:tmp --output containers-storage:${IMAGE_PREFIX}-standard
+    buildah build "${hostbuildopts[@]}" -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard:tmp .