manifest: use experimentalflags.String("bootstrap")

[mvo5]

This commit allows to use a container to bootstrap the buildroot via the experimtnal "bootstrap" flag:

$ IMAGE_BUILDER_EXPERIMENTAL=bootstrap=ghcr.io/mvo5/fedora-buildroot:41 \
   image-builder manifest --arch=riscv64 minimal-raw --distro=fedora-41

and it will use the given container to bootstap the buildroot.

This will allow to do cross-arch building for riscv. The generated manifest can be build with osbuild (as long as qemu-user is installed) and will generate a minimal-raw for riscv64.

Cross-building is useful because qemu-user is a lot faster (and easier to setup) than full riscv system emulation. A minimal raw build on a really fast AWS machine takes about 100 minutes. A full minimal-raw build on my (moderate) PC takes about 20min - which is fast enough so that we can run this in GH workflows as part of the CI.

The approach with the bootstrap buildroot [0] allows us to generalize this later so that each distro would (in addition to the repos) an upstream container ref. With that we could auto-detect cross builds and we would just add this upstream container to bootstrap the buildroot.

[0] Thanks to Ondrej, Achilleas, Thozza, Simon and Florian.

P.S. With that we can also do:

$ IMAGE_BUILDER_EXPERIMENTAL=bootstrap=registry.fedoraproject.org/fedora-toolbox:41 image-builder manifest --arch=aarch64 --distro fedora-41 minimal-raw
# or
IMAGE_BUILDER_EXPERIMENTAL=bootstrap=registry.access.redhat.com/ubi9/ubi:latest image-builder manifest --arch=ppc64le --distro centos-9 qcow2

so we will not have to maintain our own containers (there are still some assumption like that the container contains python3 for the runners).

[bcl]

typo 'if if'

[mvo5]

Thank you! Fixed now (and while reading this again expanded about what a bootstrap container actually needs).

[bcl]

Looks good to me other than the small typo.
What's the plan for documenting the experimental flags? Is the commit message + function docstring enough or should there be a central document listing them all?

[supakeen]

Looks good to me other than the small typo. What's the plan for documenting the experimental flags? Is the commit message + function docstring enough or should there be a central document listing them all?

As we don't want to share these to the public in general (unless we specifically request someone to tinker) I think just internalized knowledge of them is fine :)

[mvo5]

Looks good to me other than the small typo. What's the plan for documenting the experimental flags? Is the commit message + function docstring enough or should there be a central document listing them all?

For now I agree with @supakeen - we can keep this internal. I would love to see this generalized eventually (see also the commit message) so that a user just types (on their x86_64 box) image-builder --arch=aarch64 minimal-raw --distro fedora-41 and we detect internally that its a cross arch build and we would add the bootstrap container registry.fedoraproject.org/fedora-toolbox:41 automatically. But baby-steps :)

[ondrejbudai]

Awesome! :) It might be a good idea to also cover the selinux special case: a test that checks that the bootstrap pipeline doesn't have an selinux stage.

[ondrejbudai]

The second commit invalidates this.

[mvo5]

Unless I miss something this is still true. The flow is:

1. bootstrap buildroot gets mounted, no selinux stage is generated here (so host does not need to have setfiles
2. buildroot is generated, it uses the boostrap buildroot for that, a bunch of rpms get installed, then "setfiles" is run because the buildroot is expected to contain valid selinux config. but this uses the setfiles binary from the bootstrap env not from the just created buildroot
   Maybe I need to explain this better? (fwiw, to test just use the IMAGE_BUILDER_EXPERIMENTAL=bootstrap=fedora.riscv.rocks:3000/davidlt/fedora-toolbox:41 container which does not contain setfiles (policycoreutils) - here the buildroot generation fails.