install/aleph: include the image labels in aleph#2043
install/aleph: include the image labels in aleph#2043jbtrystram wants to merge 1 commit intobootc-dev:mainfrom
Conversation
github-actions
bot
added
area/install
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request enhances the installation provenance data stored in .bootc-aleph.json. It adds the manifest digest, target image reference, and OCI labels of the installed image, providing more useful information about the image's origin. It also intelligently skips serializing the source image reference when it appears to be a temporary local path, which is common in build environments like osbuild. The changes are well-implemented, with corresponding updates to the data structures and documentation. The code looks correct and improves the utility of the provenance file.
Note: Security Review did not run due to the size of the PR.
cgwalters
left a comment
cgwalters
left a comment
There was a problem hiding this comment.
Looks OK, just one nit. Could also use a test in the tmt readonly tests.
|
Missing DCO |
jbtrystram
force-pushed
the
aleph-labels
branch
from
ac5ce03 to
9078370
Compare
Added a test and signed-off the commit |
Until we get bootc-dev/bootc#2043 released let's use the osbuild aleph stage to get the data we want in the aleph. We can remove that stage entirely when bootc create a nicer aleph. See bootc-dev/bootc#2038
Until we get bootc-dev/bootc#2043 released let's use the osbuild aleph stage to get the data we want in the aleph. We can remove that stage entirely when bootc create a nicer aleph. See bootc-dev/bootc#2038
|
@jbtrystram failing tests |
jbtrystram
force-pushed
the
aleph-labels
branch
from
9078370 to
dd132be
Compare
Thanks for the ping @cgwalters . Fixed. But the remaining test failures highlight that in the composefs path, bootc does not write an aleph file. Is it an oversignt or intended ? |
Had a chat about this. We don't write one currently, but we should. For now I think we can put |
|
The more I think about the more I feel the aleph file is a legacy and we should actually be aiming to drop it. Like, among the CoreOS team, has anyone ever used it for anything that we know of recently? Maybe it's better to just intentionally not write it with composefs. |
jbtrystram
force-pushed
the
aleph-labels
branch
3 times, most recently
from
dca7f35 to
a8a3648
Compare
|
Ok so the two upgrade tests are failing because the base disk image is built with the published bootc base image, which don't contain the changes in this PR. So that base image will have an incomplete aleph in regard to the test added here. That will fix itself once this PR merges and a new base image will be published with theses changes. Not sure how to handle that. |
|
Yes this is an interesting corner case. Any time we introduce a change which only happens at install time and add a readonly test, the upgrade tests will by design not see that change. I think the simplest thing here is - skip those tests if (Although of course it's quite subtle because eventually of course we will have this change in the source base images right now...but per previous discussion I'd like to eventually have the upgrade tests be fixed to a version by default) |
Include the container labels in the aleph file, since they often contain
useful information about the image provenance, such as the source
commit the image was build from.
Also we skip serializing the source image reference if it start with
`/tmp` since this is a good signal it was source from a local copy
of an image, e.g. in an osbuild environnement.
Whith this, a build of Fedora CoreOS through osbuild goes from:
```
{
"image": "/tmp/tmpb29j6pi3/image",
"kernel": "6.18.12-200.fc43.x86_64",
"selinux": "disabled",
"timestamp": null,
"version": "43.20260301.20.dev1"
}
```
to
```
{
"digest": "sha256:07bf537cc4e4d208eb0b978f76e5046e55529ce6192b982d8c1a41fa1d61b95a",
"kernel": "6.18.13-200.fc43.x86_64",
"labels": {
"com.coreos.inputhash": "fe9883169714c593d98058606e886b9747710ed15ab1b9cdbd7fa538fb435b3c",
"com.coreos.osname": "fedora-coreos",
"com.coreos.stream": "testing-devel",
"containers.bootc": "1",
"io.buildah.version": "1.42.2",
"org.opencontainers.image.description": "Fedora CoreOS testing-devel",
"org.opencontainers.image.revision": "233fe18749c7d2749581e4307c4cac60967acde4",
"org.opencontainers.image.source": "git@github.com:jbtrystram/fedora-coreos-config.git",
"org.opencontainers.image.title": "Fedora CoreOS testing-devel",
"org.opencontainers.image.version": "43.20260301.20.dev1",
"ostree.bootable": "1",
"ostree.commit": "89635f7cba9de932fc60d71a6bded65ad0db06a35c9d016da03ca7ade9ba4736",
"ostree.final-diffid": "sha256:12787d84fa137cd5649a9005efe98ec9d05ea46245fdc50aecb7dd007f2035b1"
},
"selinux": "disabled",
"target-image": "ostree-image-signed:docker://quay.io/fedora/fedora-coreos:testing-devel",
"timestamp": null,
"version": "43.20260301.20.dev1"
}
```
which is way more useful.
We skip the test for composefs (no aleph) and for upgrade tests since
the original alpeh is written by an older bootc version. See [1]
Ref bootc-dev#2038
[1] bootc-dev#2043 (comment)
Assisted-by: OpenCode(Opus 4.6)
Signed-off-by: jbtrystram <jbtrystram@redhat.com>
jbtrystram
force-pushed
the
aleph-labels
branch
from
a8a3648 to
1150624
Compare
3 participants
Include the container labels in the aleph file, since they often contain useful information about the image provenance, such as the source commit the image was build from.
Also we skip serializing the source image reference if it start with
/tmpsince this is a good signal it was source from a local copy of an image, e.g. in an osbuild environnement.Whith this, a build of Fedora CoreOS through osbuild goes from:
to
which is way more useful.
See #2038
Assisted-by: OpenCode(Opus 4.6)