
support converting ACL images to COSI format#757

Draft
bfjelds wants to merge 3 commits into main from user/bfjelds/mjolnir/acl-cosi-hardcode

Conversation

@bfjelds bfjelds commented Jun 3, 2026

Member

Summary

Enables imagecustomizer convert --output-image-format cosi for Azure Container Linux (ACL) images. Previously this failed because ACL images lack rpm/tdnf CLI binaries and have a read-only rootfs.

Problem

Three issues blocked ACL → COSI conversion:

  1. No rpm binary: GetAllPackagesFromChroot runs rpm -qa inside the chroot to build the COSI package manifest. ACL images don't ship rpm.
  2. No tdnf binary: DetectBootloaderType probes for the systemd-boot package via tdnf info. ACL images don't ship tdnf, so detection silently fails and errors with "unknown bootloader".
  3. Read-only rootfs: The convert path sets up default chroot mounts (/dev, /proc, /sys), which requires creating directories on the rootfs. ACL's btrfs+dm-verity rootfs is read-only, so MkdirAll fails.

Changes

distrohandler_acl.go

  • DetectBootloaderType: Return systemd-boot directly. ACL always uses systemd-boot + UKI (the handler already blocks GRUB in three other methods).
  • ValidateUkiDependencies: Return nil. ACL always ships systemd-boot.
  • IsPackageInstalled: Use host rpm -q --root --dbpath instead of in-chroot tdnf info.
  • GetAllPackagesFromChroot: Use host rpm -qa --root --dbpath, gracefully returning an empty list if the RPM DB doesn't exist (common for minimal ACL images).

customizepackages_rpm.go

  • Add getAllPackagesFromChrootRpmViaHost() and isPackageInstalledViaHostRpm() helpers that query the image's RPM DB using the host's rpm binary with --root and explicit --dbpath /var/lib/rpm.
  • Extract parseRpmQueryOutput() shared parser (also handles empty output).

artifactsinputoutput.go

  • Set includeDefaultMounts=false in prepareImageConversionData. The convert path only reads files and queries the RPM DB — it doesn't execute programs in the chroot, so the /dev, /proc and /sys mounts are unnecessary.

Testing

  • Unit tests for parseRpmQueryOutput (valid, empty, malformed input) and ACL handler hardcoded returns (DetectBootloaderType, ValidateUkiDependencies).
  • Manual: converted an ACL VHD to COSI format successfully.
  • No changes to Azure Linux 2/3/4 or Fedora handlers — existing behavior unaffected.
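The host-side RPM query and the shared parser described above, as an added illustration that is not the PR's own code: the function names are taken from the description, but the bodies, the tab-separated --queryformat, and the error handling are assumptions of this example (the page shows only that --root and --dbpath /var/lib/rpm are used). The point from a supply-chain view is that the image's package inventory is read with the host's rpm and no binary from the untrusted image is ever executed, while --dbpath pins rpm to one DB location instead of whatever the host's macros say.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

const (
	// Hypothetical query format; the PR's exact format is not shown on the page.
	rpmQueryFormat = "%{NAME}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\n"
	// Passed as --dbpath so rpm opens the image's DB here, not a host-macro path.
	rpmDbPath = "/var/lib/rpm"
)

type rpmPackage struct{ Name, Version, Release, Arch string }
// parseRpmQueryOutput parses `rpm -qa` output in rpmQueryFormat. Empty output
// yields an empty list; a malformed line is an error, so the manifest is never quietly truncated.
func parseRpmQueryOutput(output string) ([]rpmPackage, error) {
	pkgs := []rpmPackage{}
	for i, line := range strings.Split(output, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f := strings.Split(line, "\t")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: want 4 tab-separated fields, got %d", i+1, len(f))
		}
		pkgs = append(pkgs, rpmPackage{f[0], f[1], f[2], f[3]})
	}
	return pkgs, nil
}

// getAllPackagesFromChrootRpmViaHost lists the packages of the image mounted at
// chrootDir using the host's rpm binary; nothing from inside the image is executed.
func getAllPackagesFromChrootRpmViaHost(chrootDir string) ([]rpmPackage, error) {
	if _, err := os.Stat(filepath.Join(chrootDir, rpmDbPath)); err != nil {
		return nil, fmt.Errorf("rpm database not present in image %s: %w", chrootDir, err)
	}
	out, err := exec.Command("rpm", "-qa", "--root", chrootDir,
		"--dbpath", rpmDbPath, "--queryformat", rpmQueryFormat).Output()
	if err != nil {
		return nil, fmt.Errorf("host rpm query of %s failed: %w", chrootDir, err)
	}
	return parseRpmQueryOutput(string(out))
}

func main() { fmt.Println(getAllPackagesFromChrootRpmViaHost(os.Args[len(os.Args)-1])) }
```

The caller decides whether a missing DB is a warning or a failure; note that the empty-list fallback in the PR also means a stripped image yields a COSI manifest with no package inventory at all.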

bfjelds and others added 3 commits June 3, 2026 12:14
… queries

ACL images do not ship rpm or tdnf CLI binaries, causing the convert-to-COSI
flow to fail when probing for installed packages and bootloader type.

Changes:
- DetectBootloaderType: return systemd-boot directly (ACL always uses it)
- ValidateUkiDependencies: return nil (systemd-boot is always present)
- GetAllPackagesFromChroot: use host rpm --root instead of in-chroot rpm -qa
- IsPackageInstalled: use host rpm -q --root instead of in-chroot tdnf
- Extract parseRpmQueryOutput helper shared by both rpm query paths
- Add --dbpath /var/lib/rpm to host rpm calls for deterministic DB location
- Add unit tests for parser and hardcoded ACL handler returns

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…otfs

The convert-to-COSI path only reads files and queries the RPM database —
it does not execute programs inside the chroot. Skip default mounts
(/dev, /proc, /sys, /run, /tmp) since creating their mount directories
requires a writable rootfs, which fails on images with a read-only root
filesystem (e.g., ACL's btrfs+dm-verity).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ACL images may strip the RPM database for size. Fall back to an empty
package list with a warning instead of hard-failing the conversion.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
	packages, err := getAllPackagesFromChrootRpmViaHost(imageChroot)
	if err != nil {
		logger.Log.Warnf("Could not query RPM DB for ACL image, returning empty package list: %v", err)
		return nil, nil
	}

Member Author


Seems a little overkill to provide getAllPackagesFromChrootRpmViaHost AND be ok with returning an empty set. If an empty set is acceptable for ACL, maybe just do that?
