Error while running inside podman:

[shanemcd]

Hello. I am trying to get rpm-ostree running inside of a container. I'm invoking podman like this:

$ podman run -ti --tmpfs /tmp -v /var/tmp:/var/tmp --device /dev/fuse --security-opt label=disable --privileged registry.fedoraproject.org/fedora:34 bash

The first problem I ran into was:

note: --workdir is ignored for --unified-core
warning: boot-location: "new" is deprecated, use boot-location: modules
rpm-ostree version: 2021.6
No previous commit for fedora/rawhide/x86_64/iot
error: Unable to load SELinux policy from /

I was able to resolve this by installing selinux-policy.

After that, the RPMs finish downloading, pre-scripts and post-scripts run successfully, but then it blows up with:

Checking out packages... done
Running pre scripts... 16 done
Running post scripts... done
error: While applying overrides for pkg shadow-utils: Copyup usr/bin/chage: Setting xattrs: fsetxattr(security.selinux): Operation not supported

I have been banging my head on this for a couple hours with no luck. What am I missing? Any help would be appreciated.

[shanemcd]

Adding this seems to work:

-v ${PWD}:/mnt/ -w /mnt

I then ran the following commands, so that the files are written into the bind-mounted directory:

$ ostree init --repo=my-repo
$ sudo rpm-ostree compose tree --unified-core -r my-repo ostree-config/manifest.json

Is this the "right" way? If so, feel free to close this issue. I'll leave it open for now in case it warrants more discussion, or if a better solution exists. Thank you.

[cgwalters]

Hi, I'd look at https://github.com/coreos/coreos-assembler/ which is extensively oriented around running rpm-ostree in a container image (it also generates disk images).

[shanemcd]

Hi @cgwalters - thank you for replying. I actually did start there, but was hoping to pare things back to a more minimal setup.

If it helps anyone else in the future, this is the best I could do:

$ podman run -ti -v /build -w /build --privileged registry.fedoraproject.org/fedora:34 bash
[root@c7020147d5b6 build]# dnf install -y git rpm-ostree selinux-policy
# snip
[root@c7020147d5b6 build]# ostree init --repo=my-repo
[root@c7020147d5b6 build]# git clone https://pagure.io/fedora-iot/ostree.git
# snip
[root@c7020147d5b6 build]# rpm-ostree compose tree --unified-core -r my-repo ostree/fedora-iot.json
# snip
Committing... done
3058 metadata, 21614 content objects imported; 1.1 GB content written                                                                                                    
fedora/rawhide/x86_64/iot => b69bb2598a8e8324c509d05d15d1e62f09866aba2bbbc7206f514a3a65e7b74d
Metadata Total: 9447
Metadata Written: 3058
Content Total: 25154
Content Written: 1173
Content Cache Hits: 0
Content Bytes Written: 170947798
[root@c7020147d5b6 build]# echo $?
0

Notes:

• Unlike coreos-assembler, this runs as root (inside a rootless podman container).
• Bind-mounting is unnecessary, but at a minimum the build needs to happen in a directory marked as a volume (VOLUME in Containerfile or -v /somedir on the command line - notice lack of path on host)

I will go ahead and close this since the problem was with me and not with OSTree. 😄