Add boot test infrastructure using osbuild/images library (HMS-10336)#85
Draft
thozza wants to merge 22 commits into
Draft
Add boot test infrastructure using osbuild/images library (HMS-10336)#85thozza wants to merge 22 commits into
osbuild/images library (HMS-10336)#85thozza wants to merge 22 commits into
Conversation
thozza
force-pushed
the
HMS-10336
branch
7 times, most recently
from
5d7a38c to
8f820e5
Compare
lzap
reviewed
May 7, 2026
thozza
force-pushed
the
HMS-10336
branch
4 times, most recently
from
aad6cfc to
b9c4d06
Compare
lzap
reviewed
May 13, 2026
| "aarch64": "arm64", | ||
| } | ||
|
|
||
| COPY_RE = re.compile(r"^COPY\s+(\S+)\s+(\S+)") |
Collaborator
There was a problem hiding this comment.
COPY verb supports various arguments, this is not captured here which is fine - we do not use it AFAIK. However, this will silently ignore them which is dangerous.
Member
Author
There was a problem hiding this comment.
Thanks. I've added a detection logic to the generator and it produces hard failure.
lzap
reviewed
May 13, 2026
| rules.extend(copy_dirs) | ||
| rules.append("test/**/*") | ||
| rules.append("Schutzfile") | ||
| return rules |
Collaborator
There was a problem hiding this comment.
Why this only cares about directories and not files? Like COPY file1 /file1.
This is very fragile, if there is a bug here or we add something that is not covered, this will be painful to figure out.
Member
Author
There was a problem hiding this comment.
The generator now handles files and directories. The original version was handling only the bare minimum currently used by the Containerfiles in this repo.
Collaborator
|
Tests makes assumptions we can possibly break in the future making tests to pass incorrectly. If we are doing this, let's write some validator/linter that will enforce these, for example:
|
thozza
force-pushed
the
HMS-10336
branch
3 times, most recently
from
4e9a536 to
ed4d03b
Compare
The Schutzfile pins the images library commit that the boot test infrastructure uses. The update script fetches the latest commit from GitHub and updates the ref, mirroring the pattern from the images library's update-schutzfile-osbuild. Assisted-by: Claude Code Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Clone the images library at the Schutzfile-pinned ref, then delegate to its setup-osbuild-repo (which auto-detects the host distro and reads the per-distro osbuild commit from the images library's own Schutzfile) and install-dependencies scripts. The images repo URL is overridable via IMAGES_REPO_URL for cross-testing with draft PRs in the images library. Assisted-by: Claude Code Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Build a container from a Containerfile into local podman storage
at quay.io/redhat-services-prod/insights-management-tenant/image-builder-bootc-foundry/${CONTAINERFILE}:latest,
which is consistent with the location for prod container images. Using
the same tag is important to make the installer images work out of the
box.
This script is isolated from build.sh so the container source can be
swapped to a registry pull without changing the build logic.
Assisted-by: Claude Code
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
thozza
changed the title
osbuild/images library (HMS-10336)
Build a disk image using the images library's cmd/build tool. Create the build config JSON (with optional installer payload ref), invoke cmd/build with the bootc container ref, and write info.json into the output directory for boot-image to consume. Assisted-by: Claude Code Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Discover the build output directory and config, then delegate to the images library's boot-image script. boot-image reads info.json to determine the boot method (QEMU, ISO, cloud) and runs check-host-config for post-boot validation. Assisted-by: Claude Code Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Add scripts that update GitHub PR with the GitLab CI pipeline status and unregister a RHEL host. Also add the file with terraform ref and also team SSH keys, which get configured as trusted on the CI runner. These files were taken from the osbuild/images and osbuild/osbuild-composer repositories and amended for the use in this repo. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Parse COPY directives from Containerfiles to extract source paths
for CI change detection rules. Validate each source against the
filesystem to classify it as a directory (producing glob patterns)
or a plain file. Support single-source and multi-source COPY commands
(e.g. COPY src1 src2 /dest/). Handle ${TARGETARCH} substitution,
skip heredoc COPYs, and reject COPY with options (--chmod, --from,
etc.).
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Build change rules from parsed COPY directives, compose CI job dictionaries with runner tags and script sections, and assemble the full GitLab CI config. Installer entries with a payload containerfile get extra container build steps and expanded change detection rules. Assisted-by: Claude Code Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Wire up main() to read config, parse all referenced Containerfiles, generate CI jobs, and emit YAML to stdout. Assisted-by: Claude Code Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Allow individual containerfile entries in config.yml to specify a runner, overriding the distro-level default. This is needed for image types like installers that require nested virtualization for boot tests. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Building RHEL derived bootc container images needs accessing RHEL repositories to install additional packages. Add a subscription-needed flag support to the test config, propagate it as a CI variable, and register the system with subscription-manager when the flag is set. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Allow authenticating podman with registry.redhat.io when the rh-registry-login-needed flag is set in the test config. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Define the central test matrix for boot tests. Each distro maps to a list of Containerfiles with their target image type and supported architectures. The generator reads this to produce the GitLab CI configuration. The osbuild/images CI runs only on Fedora. As a consequence, it uses packages for boot-testing, which are not available on RHEL or CentOS Stream. To not complicate the setup in this repository, let's use Fedora runner as well for all distros. For the purpose of boot-testing the disk images built from derived containers, there is no downside in doing it all on Fedora. Use rhos-01 runner for boot-testing image types which require nested virtualization. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Generated from test/config.yml by test/generate_ci.py. This file is committed so it is reviewable in PRs. Regenerate with 'python3 test/generate_ci.py > .gitlab-ci.yml' after changing the config or generator. Update .yamllint.yaml to use consistent 2-space indentation for sequences, matching PyYAML's default output format. This ensures the generated .gitlab-ci.yml passes yamllint validation. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Regenerate .gitlab-ci.yml on every PR to 'main', and fail if the result differs from what is committed. This catches forgotten regeneration after config or generator changes. Assisted-by: Claude Code Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Automatically fetch the latest images library main branch commit, update the Schutzfile ref, and open a PR. The resulting PR triggers the normal GitLab CI pipeline so the updated images library version is boot-tested before merging. Assisted-by: Claude Code Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Add 'make test' to run the generator unit tests and 'make generate-ci' to regenerate .gitlab-ci.yml from the test config. Assisted-by: Claude Code Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Switch the bootc kickstart source from pulling the upstream centos-bootc image via registry to using the foundry-built stream10-qcow2 image from containers-storage, and drop the now-unnecessary --target-imgref. This is consistent with the rhel-10-installer. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
When the booted Anaconda installer deploys the bootc payload from containers-storage, the container runtime attempts to use overlayfs on a filesystem that is already overlay-backed, which the kernel does not support. Adding fuse-overlayfs provides a userspace overlay implementation that avoids this limitation. This aligns with the rhel-10-installer which already includes fuse-overlayfs. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Fix the ostreecontainer --url to include the :latest tag and correct the commented-out bootc --source-imgref to use containers-storage: transport, consistent with stream10-installer. The previous local-storage:// transport does not exist. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Marked as draft until osbuild/images#2335 is merged.
Add end-to-end boot testing for derived bootc container images by reusing the existing test tooling from the
osbuild/imagesrepository. Instead of building custom test infrastructure, the pipeline clones the images library at a pinned commit, builds disk images using itscmd/buildtool, and validates them with itsboot-imagescript. A Python-based CI generator produces the GitLab CI configuration from a declarative test matrix, keeping job definitions maintainable as new image types and distros are added.Note that the images library does not yet support boot-testing all image types - notably
qcow2onaarch64andGCPimages. For those, the pipeline still builds the container and disk images (validating the build succeeds), but skips the boot validation step. Once the images library gains boot-test support for these types, it will be automatically picked up when theSchutzfileref is updated.Architectural Changes
The test pipeline is split into four composable shell scripts (
setup.sh→get-container.sh→build.sh→boot.sh), each handling one stage of the build-and-boot flow. This separation allows swapping the container source (e.g., from a local build to a registry pull) without touching the build or boot logic.The GitLab CI configuration is generated from
test/config.ymlbytest/generate_ci.pyrather than hand-maintained. The generator parsesContainerfileCOPYdirectives to produce per-job change detection rules, so CI jobs only run when relevant files change. A GitHub Actions staleness check enforces that the committed.gitlab-ci.ymlstays in sync with the generator output.Key Changes
Schutzfileand delegate setup, dependency installation, and boot validation to its scriptsget-container.sh(podman build),build.sh(disk image viacmd/build+ info.json for boot-image),boot.sh(delegates toboot-image)test/config.yml, parses Containerfile COPY sources for change detection rules, and emits.gitlab-ci.ymlSchutzfileref update with auto-PRstream10-installerandrhel-10-installerto usecontainers-storagetransport for the bootc payload, and addfuse-overlayfsfor overlay-on-overlay supportBreaking Changes
This PR is fully backward compatible.
Testing
${TARGETARCH}substitution, error cases), change rule construction, job building, and end-to-end config generation.gitlab-ci.ymlon every PR tomainand fails if the committed file diverges from the generator output