oci: Generate composefs EROFS at pull time, track via config refs

.bootc-dev-infra-commit.txt

@@ -1 +1 @@
-a9c43f8d6fcc95ed00563878bf8632ffa159ee3c
+56e4f615d38cc4a923f6a7e2a174a0c05a962451

.devcontainer/debian/devcontainer.json

@@ -0,0 +1,30 @@
+{
+  "name": "bootc-devenv-debian",
+  "image": "ghcr.io/bootc-dev/devenv-debian",
+  "customizations": {
+    "vscode": {
+      // Arbitrary, but most of our code is in one of these two
+      "extensions": [
+        "rust-lang.rust-analyzer",
+        "golang.Go"
+      ]
+    },
+    "devaipod": {
+      // When running under devaipod, use minimal capabilities
+      // (SYS_ADMIN, NET_ADMIN, etc.) instead of full --privileged.
+      "nestedContainers": true
+    }
+  },
+  "features": {},
+  // Use privileged mode for broad compatibility (Codespaces, Docker,
+  // stock devcontainer CLI). devaipod overrides this with tighter
+  // security via the nestedContainers customization above.
+  "privileged": true,
+  "postCreateCommand": {
+    // Our init script
+    "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
+  },
+  "remoteEnv": {
+    "PATH": "${containerEnv:PATH}:/usr/local/cargo/bin"
+  }
+}

.devcontainer/ubuntu/devcontainer.json

@@ -0,0 +1,30 @@
+{
+  "name": "bootc-devenv-ubuntu",
+  "image": "ghcr.io/bootc-dev/devenv-ubuntu",
+  "customizations": {
+    "vscode": {
+      // Arbitrary, but most of our code is in one of these two
+      "extensions": [
+        "rust-lang.rust-analyzer",
+        "golang.Go"
+      ]
+    },
+    "devaipod": {
+      // When running under devaipod, use minimal capabilities
+      // (SYS_ADMIN, NET_ADMIN, etc.) instead of full --privileged.
+      "nestedContainers": true
+    }
+  },
+  "features": {},
+  // Use privileged mode for broad compatibility (Codespaces, Docker,
+  // stock devcontainer CLI). devaipod overrides this with tighter
+  // security via the nestedContainers customization above.
+  "privileged": true,
+  "postCreateCommand": {
+    // Our init script
+    "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
+  },
+  "remoteEnv": {
+    "PATH": "${containerEnv:PATH}:/usr/local/cargo/bin"
+  }
+}

.github/workflows/bootc-revdep.yml

@@ -44,3 +44,8 @@ jobs:
 
       - name: Build and test bootc with local composefs-rs
         run: just bootc/test
+        env:
+          # Use bootc branch with OpenConfig API compatibility
+          # TODO: revert to main once bootc-dev/bootc#2044 is merged
+          COMPOSEFS_BOOTC_REPO: https://github.com/cgwalters/bootc
+          COMPOSEFS_BOOTC_REF: prep-composefs-manifest

.github/workflows/ci.yml

@@ -47,6 +47,8 @@ jobs:
     name: Unprivileged smoke test
     runs-on: ubuntu-24.04
     steps:
+      - name: Enable fs-verity on /
+        run: sudo tune2fs -O verity $(findmnt -vno SOURCE /)
       - uses: actions/checkout@v5
       - uses: bootc-dev/actions/bootc-ubuntu-setup@main
       - uses: dtolnay/rust-toolchain@stable
@@ -91,12 +93,18 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - name: centos
+          - name: centos-stream9
+            base_image: quay.io/centos-bootc/centos-bootc:stream9
+            cfsctl_features: rhel9
+          - name: centos-stream10
             base_image: quay.io/centos-bootc/centos-bootc:stream10
+            cfsctl_features: pre-6.15
           - name: debian
             base_image: ghcr.io/bootcrew/debian-bootc:latest
+            cfsctl_features: oci
     env:
       COMPOSEFS_BASE_IMAGE: ${{ matrix.base_image }}
+      COMPOSEFS_CFSCTL_FEATURES: ${{ matrix.cfsctl_features }}
 
     steps:
       - uses: actions/checkout@v5

Containerfile

@@ -14,13 +14,15 @@
 # to clear stale build caches that may be incompatible across distros.
 
 ARG base_image=quay.io/centos-bootc/centos-bootc:stream10
+ARG cfsctl_features=pre-6.15
 
 # -- source snapshot (keeps layer graph clean) --
 FROM scratch AS src
 COPY . /src
 
 # -- build stage --
 FROM ${base_image} AS build
+ARG cfsctl_features
 
 COPY --from=src /src/contrib /src/contrib
 RUN /src/contrib/packaging/install-build-deps.sh
@@ -39,7 +41,7 @@ RUN --network=none \
     --mount=type=cache,target=/src/target \
     --mount=type=cache,target=/root/.cargo/registry \
     --mount=type=cache,target=/root/.cargo/git \
-    cargo build --release -p cfsctl -p integration-tests && \
+    cargo build --release -p cfsctl --features="${cfsctl_features}" -p integration-tests && \
     cp /src/target/release/cfsctl /usr/bin/cfsctl && \
     cp /src/target/release/cfsctl-integration-tests /usr/bin/cfsctl-integration-tests
 

Justfile

@@ -25,6 +25,8 @@ check-feature-combos:
     cargo clippy -p cfsctl --no-default-features -- -D warnings
     cargo clippy -p cfsctl --no-default-features --features oci -- -D warnings
     cargo clippy -p cfsctl --no-default-features --features http -- -D warnings
+    cargo clippy -p composefs-oci -- -D warnings
+    cargo clippy -p composefs-oci --features boot -- -D warnings
 
 # Run rustfmt check
 fmt-check:
@@ -42,16 +44,22 @@ check: clippy check-feature-combos fmt-check test
 #   just base_image=quay.io/centos-bootc/centos-bootc:stream10 test-integration-vm
 base_image := env("COMPOSEFS_BASE_IMAGE", "ghcr.io/bootcrew/debian-bootc:latest")
 
+# cfsctl feature flags for the container build.  Defaults match the base_image:
+#   debian (>= 6.15 kernel): no compat features needed
+#   centos stream10 (6.12):  pre-6.15
+#   centos stream9 (5.14):   rhel9
+cfsctl_features := env("COMPOSEFS_CFSCTL_FEATURES", "pre-6.15")
+
 # Derive test image name from base_image
-_test_image := if base_image =~ "debian" { "localhost/composefs-rs-test-debian:latest" } else { "localhost/composefs-rs-test:latest" }
+_test_image := if base_image =~ "debian" { "localhost/composefs-rs-test-debian:latest" } else if base_image =~ "stream9" { "localhost/composefs-rs-test-c9s:latest" } else { "localhost/composefs-rs-test:latest" }
 
 # Run unprivileged integration tests against the cfsctl binary (no root, no VM)
 test-integration: build
     CFSCTL_PATH=$(pwd)/target/debug/cfsctl cargo run -p integration-tests -- --skip privileged_
 
 # Build the test container image for VM-based integration tests
 _integration-container-build:
-    podman build --build-arg base_image={{base_image}} -t {{_test_image}} .
+    podman build --build-arg base_image={{base_image}} --build-arg cfsctl_features={{cfsctl_features}} -t {{_test_image}} .
 
 # Run all integration tests including privileged VM tests (requires podman + libvirt)
 test-integration-vm: build _integration-container-build

bootc/Justfile

@@ -45,24 +45,32 @@ patch: clone
     set -euo pipefail
     cd "$COMPOSEFS_BOOTC_PATH"
 
-    # Check if already patched
+    # Check if already patched by us (either the appended comment or the inline marker)
     if grep -q 'Patched by composefs-rs' Cargo.toml 2>/dev/null; then
         echo "bootc already patched for composefs-rs"
         exit 0
     fi
 
     echo "Patching bootc Cargo.toml to use $_COMPOSEFS_SRC"
 
-    # Add [patch] section with the real local path.
+    # Point the composefs-rs patch at the local checkout.
     # bootc only depends on `cfsctl` which re-exports the other composefs-rs crates.
     # bootc's Justfile will auto-detect this via `cargo xtask local-rust-deps`
     # and bind-mount it into the container build (mapping /home -> /var/home as needed)
-    {
-        echo ''
-        echo '# Patched by composefs-rs CI to test against local composefs-rs'
-        echo '[patch."https://github.com/composefs/composefs-rs"]'
-        echo "cfsctl = { path = \"$_COMPOSEFS_SRC/crates/cfsctl\" }"
-    } >> Cargo.toml
+    if grep -q '\[patch\."https://github.com/composefs/composefs-rs"\]' Cargo.toml; then
+        # Patch section already exists (e.g. on a dev branch) — replace the cfsctl line
+        sed -i '/\[patch\."https:\/\/github.com\/composefs\/composefs-rs"\]/,/^$\|^\[/{
+            s|^cfsctl = .*|cfsctl = { path = "'"$_COMPOSEFS_SRC"'/crates/cfsctl" } # Patched by composefs-rs|
+        }' Cargo.toml
+    else
+        # No patch section yet — append one
+        {
+            echo ''
+            echo '# Patched by composefs-rs CI to test against local composefs-rs'
+            echo '[patch."https://github.com/composefs/composefs-rs"]'
+            echo "cfsctl = { path = \"$_COMPOSEFS_SRC/crates/cfsctl\" }"
+        } >> Cargo.toml
+    fi
 
     # Patch the workspace lints to allow missing_docs for composefs-rs crates
     # bootc has workspace.lints.rust.missing_docs = "deny" but composefs-rs has undocumented items

crates/cfsctl/Cargo.toml

@@ -27,11 +27,12 @@ clap = { version = "4.5.0", default-features = false, features = ["std", "help",
 comfy-table = { version = "7.1", default-features = false }
 composefs = { workspace = true }
 composefs-boot = { workspace = true }
-composefs-oci = { workspace = true, optional = true }
+composefs-oci = { workspace = true, optional = true, features = ["boot"] }
 composefs-http = { workspace = true, optional = true }
 env_logger = { version = "0.11.0", default-features = false }
 hex = { version = "0.4.0", default-features = false }
 rustix = { version = "1.0.0", default-features = false, features = ["fs", "process"] }
+serde = { version = "1.0", default-features = false, features = ["derive"] }
 serde_json = { version = "1.0", default-features = false, features = ["std"] }
 tokio = { version = "1.24.2", default-features = false, features = ["io-std", "io-util"] }