install: Run outside of a container

[cgwalters]

We're working on having Anaconda indirectly run bootc install to-filesystem when ostreecontainer is in use. The current plan is to require bootc be present on the install ISO, which will happen automatically as part of https://src.fedoraproject.org/rpms/rpm-ostree/c/e31f656abc0d451f0ffdd2a3afd60944796c2246?branch=rawhide propagating.

Now...here's the thing, there's a grab bag of stuff we've accumulated in bootc install that assumes its source root == target root. For example:

• Detecting whether SELinux is enabled
• Kernel arguments

The core issue today is that there's some circular dependencies forced by ostree because ostree container image deploy is doing two things:

• Fetching the target container image
• Setting up a bootloader entry for it (including kernel arguments that are input to that)

We will need to more carefully split up "fetch" from "deploy". Also today, ostree does not directly offer an opinionated way to temporarily "mount" the merged root...we don't make a composefs for example until the deploy phase. But we can bypass that by invoking e.g. ostree checkout --composefs and mounting that say.

In general this is going to take some careful auditing of the code, but the good part is that if we do this right, we can just make "invoked from source container" as a special case of "fetch source rootfs".

---

Background:

anaconda and bootc

REF docs https://docs.fedoraproject.org/en-US/bootc/bare-metal/

Original suggestion:

• Build a base image with LBIs for testing use (could be anything)
• Hack on a patch to https://github.com/ostreedev/ostree-rs-ext/ that checks if the input container image has the containers.bootc label (see also Import generic prep ostreedev/ostree-rs-ext#673 which extended our usage of that), and if present and /usr/bin/bootc is present, then we switch to doing bootc install to-filesystem instead.

It's actually quite possible here though that we need to make bootc install to-filesystem here actually not care that it's not being run in a container image, but it's just picking up ambient host tooling.

Restate problem set A: PXE boot scenario

Stock ISO does not have customer container content; today the ostreecontainer verb is pointed at the generic filesystem (and block storage) that Anaconda created

Prerequisite to distinguish

Detect containers.bootc label in target image OR do this unconditionally and backtrack if we actually break something.

Prerequisite: #860

Need to teach bootc to fetch LBIs.

Path A:

(Instruct customer to...)?

%pre
podman pull quay.io/example/someos:latest
%end

Then ostree container image deploy could redirect to podman run <image> bootc install to-filesystem.

Path B:

Require bootc be part of the ISO (through rpm-ostree dependency) (or worst case, curl/rpm -Uvh in %pre).

In this flow, we need to bootc install to-filesystem to have something like --pull which it doesn't do by default now.

Problem: bootc install to-filesystem expects to be run from container

Unlike ostree container image deploy. Now we do have --source-imageref which I think turns off some of the container checks.

Solution: Change bootc to detect when it's not in a container and unconditionally pull the target image. We will need to document how authfiles work in this path etc.