Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

"bootc compatible" images

It is a toplevel goal of this project to tightly integrate with the OCI ecosystem and make booting containers a normal activity.

However, there are a number of basic requirements and integration points, some of which have distribution-specific variants.

Generic requirements (composefs or ostree backends)

/sysroot

Your container image must have a /sysroot directory - this is where the "physical root" will be mounted. The permissions (mode) should generally be the same as /usr i.e. 0755 or similar.

LABEL containers.bootc=1

The rationale for this required label is that many higher level tools which expect to operate only on bootc-compatible OCI images will want to be able to present only compatible images.

Kernel (split)

The Linux kernel (and optionally initramfs) is embedded in the container image; the canonical location is /usr/lib/modules/$kver/vmlinuz, and the initramfs should be in initramfs.img in that directory. You should not include any content in /boot in your container image. Bootc will take care of copying the kernel/initramfs as needed from the container image to /boot.

Kernel (sealed UKI)

For the composefs backend, the UKI must be located at /boot/EFI/Linux/$kver.efi.

This is a bug: currently a /ostree -> /sysroot/ostree symlink is required just for bootc container lint to pass, even though it's not required for /sysroot/ostree to exist.

composefs backend

There are no strict additional basic filesystem/layout requirements for images which plan to deploy with composefs. However, see also bootloaders.

ostree backend

prepare-root.conf

The upstream ostree builds today do not default to composefs. You must enable this via a prepare-root.conf:

[composefs]
enabled = true

This is checked by bootc container lint.

Historical usage of /ostree

Some images include a /ostree directory. A requirement for this was dropped in bootc 1.1.3, and it is recommended that new images do not include it.

Suggested image content

The bootc project provides a baseimage reference set of configuration files for base images. In particular at the current time the content defined by base must be used (or recreated). There is also suggested integration there with e.g. dracut to ensure the initramfs is set up, etc.

The bootc container lint command will check this.

SELinux

The default mechanism for labeling today is that bootc will load the file contexts from the image (e.g. /etc/selinux/policy) and apply labels dynamically. This is the only mechanism that will work today with a generic bootc-unaware build tooling.

It is not supported to add security.selinux extended attributes into the OCI tar layers, though support for this may be added if requested.

More details

Container runtimes such as podman and docker commonly apply a "coarse" SELinux policy to running containers. See container-selinux. It is very important to understand that non-bootc base images do not (usually) have any embedded security.selinux metadata at all; all labels on the toplevel container image are dynamically generated per container invocation, and there are no individually distinct e.g. etc_t and usr_t types.

/ostree

Only with the ostree backend, there is support for including the ostree commit metadata in the OCI image, which includes all xattrs. File content in derived layers will be labeled using the default file contexts (from /etc/selinux). For example, you can do this (as of bootc 1.1.0):

RUN semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

(This command will write to /etc/selinux/$policy/policy/.)

It will currently not work to do e.g.:

RUN chcon -t foo_t /usr/bin/foo

Because the container runtime state will deny the attempt to "physically" set the security.selinux extended attribute.


The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see Trademark Usage.