coreos/rpm-ostree

Replace `rpm-ostree compose tree` with `rpm-ostree compose {install, postprocess, commit}`

Opened this issue · 1 comment

COM8 commented

Host system details

$ rpm-ostree status
State: idle
Deployments:
● ppos:fedora/38/x86_64/photon-pony
                  Version: PhotonPonyOS 38.20231013.0 (2023-10-13T12:59:24Z)
                   Commit: 1d880ff872d229c7e3496e0dd3924eaefacb2a0eef762a89a176b4f09934b0a9

Expected vs actual behavior

I'm building my own Fedora Silverblue-based OS. Since I want to sign all relevant parts for Secure Boot (kernel, kernel modules, bootloader, etc.) during compose, I need a way to temporarily import my Secure Boot keys.
Therefore, I'm trying to split up my `rpm-ostree compose tree` command into multiple stages, as suggested by postprocess-script.

# Source
rpm-ostree compose tree --repo=repo --layer-repo=repo --cachedir=cache --unified-core --add-metadata-string="version=${variant_pretty} ${version}.${buildid}" "fedora-${variant}.yaml"

# Destination
rm -rf tmp
rpm-ostree compose install --repo=repo --cachedir=cache --unified-core --force-nocache "fedora-ppos.yaml" tmp

# Do everything that is required for signing
baseDir=tmp/rootfs  # assumed: the build root written by `compose install` above
cp .. # Copy external files to tmp build root inside /tmp/rootfs
chroot ${baseDir} /bin/bash -x << 'EOF'
# [...] Do all the signing
EOF

# Finish up the commit/os
rpm-ostree compose postprocess --unified-core tmp/rootfs "fedora-${variant}.yaml"
rpm-ostree compose commit --repo=repo --unified-core --add-metadata-string="version=${variant_pretty} ${version}.${buildid}" "fedora-${variant}.yaml" tmp/rootfs

When I then take a look at the filesystem, it has a lot of files inside /etc with the wrong ownership. They have (user:group) 1000:1000 instead of 0:0.

I guess this somehow happens since I'm executing everything with sudo and my user ID is 1000. rpm-ostree compose postprocess then does not fix those issues.

A full example is available here: https://github.com/AP-Sensing/PhotonPonyOS/blob/29b37eaf9b8536816807125ae1ca48a3ef198010/justfile#L251-L261

Expected:
Splitting up rpm-ostree compose tree should produce the same result.

Steps to reproduce it

git clone https://github.com/AP-Sensing/PhotonPonyOS.git
cd PhotonPonyOS
sudo just compose photon-pony

Would you like to work on the issue?

No. Don't know how.
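A pre-commit ownership gate for the split pipeline described in the report above, as an added example that is not part of the issue or of rpm-ostree itself. It assumes the build root written by `compose install` sits at tmp/rootfs and only uses POSIX `find`/`ls` options, so it runs the same under GNU and busybox tools.

```shell
#!/bin/sh
# Gate for the split compose pipeline: run after `compose postprocess` and
# before `compose commit`, so a rootfs whose /etc carries non-root ownership
# (e.g. 1000:1000 from a sudo-driven build) never reaches the ostree repo.
# Assumption: the rootfs from `compose install` lives at tmp/rootfs.

# $1 = rootfs, $2 = subdir, remaining args = find action (default -print).
# Matches every entry whose uid or gid is not 0; symlinks are tested
# themselves (find does not follow them), which is what ostree commits.
misowned_find() {
    _root="$1"; _sub="$2"; shift 2
    [ $# -eq 0 ] && set -- -print
    find "$_root/$_sub" \( ! -user 0 -o ! -group 0 \) "$@"
}

# List offending paths under <rootfs>/<subdir> (subdir defaults to etc).
list_misowned() {
    misowned_find "$1" "${2:-etc}" -print
}

# Count offenders; prints a single integer (tr strips BSD wc padding).
count_misowned() {
    list_misowned "$@" | wc -l | tr -d ' '
}

# Return 0 when the tree is clean, 1 otherwise, printing offenders with
# numeric owner/group (ls -n) so a 1000:1000 entry is visible at a glance.
assert_root_owned() {
    n=$(count_misowned "$@")
    if [ "$n" -ne 0 ]; then
        echo "error: $n entries under $1/${2:-etc} are not owned by 0:0" >&2
        misowned_find "$1" "${2:-etc}" -exec ls -ldn {} + >&2
        return 1
    fi
    return 0
}

# Wiring into the pipeline from the report (commented out, not executed here):
# rpm-ostree compose postprocess --unified-core tmp/rootfs "fedora-${variant}.yaml"
# assert_root_owned tmp/rootfs etc || exit 1
# rpm-ostree compose commit --repo=repo --unified-core ... tmp/rootfs
```

Running the gate as a non-root user reports every entry it created, which is exactly the condition the report describes; a clean tree returns 0 and prints nothing.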

COM8 commented

A workaround for now is to call the commands as root instead of via sudo.