feat(container): add finalize-rootfs subcommand for building base images

[andrewdunndev]

Summary

Adds bootc container finalize-rootfs and bootc container post-chroot-cleanup -- a way to build bootc base images using only dnf and standard tools, without rpm-ostree compose.

Motivation

Building bootc base images currently requires rpm-ostree compose. This PR extracts the minimal set of filesystem transforms that rpm-ostree compose applies and implements them as bootc subcommands, making bootc self-sufficient for base image creation.

The existing bootc container namespace already has precedent for build-time operations that modify the rootfs (ukify, export). finalize-rootfs fits the documented purpose: "Operations which can be executed as part of a container build."

Related: #215

What it does

Two new subcommands under bootc container:

• finalize-rootfs <path> [--check]: Applies ostree filesystem layout transforms to a dnf --installroot output -- toplevel symlinks, /var cleanup + tmpfiles.d generation, rpmdb relocation, config injection (prepare-root.conf, dracut.conf.d, kernel install.conf, dnf5 config, bootc install config, systemd presets).
• post-chroot-cleanup <path> [--check]: Cleans artifacts left by chroot operations (dracut, systemctl preset-all, bootupd) -- /var re-pollution, rpmdb WAL/SHM files, /run and /tmp contents.

Both support --check for dry-run reporting.

Testing

Built a Fedora 42 base image from scratch on a GCP VM (n2-standard-4, Fedora 42, nested virt for KVM). Full build + boot cycle with no rpm-ostree at any point.

Build pipeline

# 1. Package installation
dnf --use-host-config --installroot=$ROOTFS --releasever=42 \
  --setopt=install_weak_deps=False -y install \
  coreutils dnf selinux-policy-targeted container-selinux tpm2-tools \
  systemd systemd-pam bootc xfsprogs e2fsprogs dosfstools kernel \
  bootupd grub2 grub2-efi-x64 efibootmgr shim microcode_ctl \
  ostree nss-altfiles fedora-repos-archive systemd-resolved bubblewrap \
  openssh-server passwd sudo

# 2. Apply transforms
bootc-compose-finalize --skip-kernel --skip-presets $ROOTFS

# 3. Chroot operations
chroot $ROOTFS depmod $KVER
chroot $ROOTFS dracut --no-hostonly --kver $KVER --force /usr/lib/modules/$KVER/initramfs.img
chroot $ROOTFS systemctl preset-all
chroot $ROOTFS bootupctl backend generate-update-metadata

# 4. Post-chroot cleanup
bootc-compose-finalize --post-chroot $ROOTFS

# 5. Package as OCI
buildah from scratch + tar copy + buildah commit

Results

bootc container lint:        12/12 checks passed (1 cosmetic warning: .vmlinuz hmac in /boot)
bootc install to-disk:       Installation complete (GPT partitioning, XFS root, ostree deploy, GRUB via bootupd)

Boot test (QEMU + KVM)

Login prompt:                Reached at 41 seconds

bootc status output

Booted image: localhost/fedora-bootc-e2e:42
       Digest: sha256:4580cd48c8df617520b6da30cd4115d21e23db12e98dfd52bc21d5b350bdbfac (amd64)
    Timestamp: 2026-03-26T13:52:56Z

ostree and systemd status

# ostree admin status
* default 2c7a693a832cdd9c8bd02bfae894f5c19d68f7203e46d8cc0f29cd196883425b.0
    origin: <unknown origin type>

# systemctl is-system-running
running

Boot log (ostree/switch-root sequence)

Starting ostree-prepare-root.service - OSTree Prepare OS/...
Finished ostree-prepare-root.service - OSTree Prepare OS/.
Reached target initrd-switch-root.target - Switch Root.
Starting initrd-switch-root.service - Switch Root...
Stopped initrd-switch-root.service - Switch Root.
Starting ostree-remount.service - OSTree Remount OS/ Bind Mounts...
Finished ostree-remount.service - OSTree Remount OS/ Bind Mounts.

Reboot test

System rebooted cleanly. Second login prompt confirmed. Full boot -> login -> bootc status -> reboot -> login cycle validated.

[gemini-code-assist]

Code Review

This pull request introduces the finalize-rootfs and post-chroot-cleanup commands to the bootc CLI, enabling the transformation of a standard dnf --installroot output into a bootc-compatible layout. The implementation includes logic for managing toplevel symlinks, converting /var contents to tmpfiles.d entries, relocating the rpmdb, and injecting configuration for dracut, ostree, and systemd. Review feedback suggests simplifying the directory removal logic when replacing directories with symlinks and moving a use statement to the top of the file to follow Rust conventions.