Making changes to bootc systems
In this lab, you will learn how to make configuration or software changes in images and apply them to bootc hosts.
Changing the bootc image
We’ve created our first system but there are a few things that might be missing we typically do to our systems. Not requiring a password every time we use sudo might be something we allow admins to do. We may also need to put notices on logins or present info in the MOTD. Let’s make some changes to how the system behaves. While we’re at it, lets update the index page too.
First, let’s set up a directory structure that mimics /etc and create the
files we need inside it. This allows us to add all the configs at once with a single command and in
a single layer of the image.
This is a local directory, relative to the location of the Containerfile, not the system /etc/.
|
mkdir -p etc/sudoers.dSince the motd file lives in the top level of /etc, that one command creates all the paths
we need for this exercise. RHEL supports drop-in directories for several services and applications, including
sudo privileges.
Drop-in support lets us add a file to a <servicename>.d directory rather than editing
the main configuration file. You might already be familiar with drop-in config files from working with Apache and it’s /etc/httpd/conf.d/ directory. Using drop-in files lets us affect the configuration of a system, without needing to edit a file in place, or carry a full configuration file in the image.
Let’s address the sudoers password first, by allowing users in the wheel group to not need to enter their password.
nano etc/sudoers.d/wheelAdd the following and save the file
# Enable passwordless sudo for the wheel group
%wheel ALL=(ALL) NOPASSWD: ALLAnd let’s provide a message of the day!
nano etc/motdAdd the following and save the file
Welcome to the image mode lifestyle!Now that we have our new configs, we can add them to the Containerfile and rebuild the image.
FROM registry.redhat.io/rhel9/rhel-bootc:9.5
RUN dnf install -y httpd
ADD etc/ /etc (1)
RUN echo "Hello Red Hat Summit 2025!!" > /var/www/html/index.html (2)
RUN systemctl enable httpd.service| 1 | Copies all the local etc/ contents we just created into /etc in the image |
| 2 | Update the text in the index.html too |
If you aren’t familiar, the ADD directive has some extra capabilities over the COPY command. Where COPY only works on a single file, ADD can work on complete directories or even unpack tar files. This can be very useful when dealing with multiple files and directories that all start from the same place, but could make the Containerfile a little opaque if folks are unfamiliar with the syntax and the results.
We rebuild the image with our updates the same way we originally built it.
podman build --file Containerfile --tag {registry_hostname}/httpdAnd make sure to push it to the registry:
podman push {registry_hostname}/httpdWe now have replaced the original image in the registry we used to create the virtual machine with a new image. This is the standard workflow for making changes to an image mode host. All of our updates, additions, or changes are done via the build systems we use, and are then published to be used by the hosts. We’ll talk more about updates and how to differentiate them in a later exercise.
Updating the virtual machine
The virtual machine you have created in the previous exercise should still be running. You can check this with:
virsh --connect qemu:///system listAnd the output should list the virtual machine called qcow-vm as running.
Now you can ssh into the virtual machine:
ssh core@qcow-vmThe bootc update command will download and prepare a detected update for use at the next boot. This means updates are offline, and can be applied at any time. Changes will only take effect when the system reboots.
(Reminder, the password for sudo is LB1054!)
sudo bootc updateNotice that bootc update provides information about the layers that have been modified and a progress indicator. The update mechanism also uses container tools to pull the image from the registry to the host for preparation. This means we only pull down the layers that were changed, not the full image if not needed. Later versions of bootc will expand this idea of delta updated to further reduce the time and bandwidth used for updates.
The final output should look something like this:
layers already present: 67; layers needed: 4 (185.1 MB) Fetched layers: 176.49 MiB in 28 seconds (6.26 MiB/s) Deploying: done (5 seconds) Queued for next boot: node.cxdrb.cxdrb.gcp.redhatworkshops.io/httpd Version: 9.20250326.0 Digest: sha256:737be173b45120c062473e9a88d020bc33c32a9069d4c257b74e4f5ab7241e41 Total new layers: 71 Size: 1.2 GB Removed layers: 3 Size: 185.1 MB Added layers: 4 Size: 185.1 MB
Let’s check the current status of the host.
sudo bootc statusCurrent staged image: node.cxdrb.cxdrb.gcp.redhatworkshops.io/httpd (1)
Image version: 9.20250326.0 (2025-04-04 14:28:06.536999208 UTC)
Image digest: sha256:737be173b45120c062473e9a88d020bc33c32a9069d4c257b74e4f5ab7241e41
Current booted image: node.cxdrb.cxdrb.gcp.redhatworkshops.io/httpd
Image version: 9.20250326.0 (2025-04-04 14:11:45.808515934 UTC)
Image digest: sha256:1e69b8a519eccf248e235960dd5eef3c5c546226c0000c655126e00e11438519
No rollback image present
| 1 | The SHA in the staged block should match the Digest from the output of bootc update. You will also see the timestamp of the change. Since the base image is the same, no change shows up in the version output. |
Updates to bootc hosts are offline in nature, meaning the new image has been readied for deployment, but no other changes have been made to the running system.
The last step for the change to take is to reboot the virtual machine. Before doing so, please make sure you are logged in to the virtual machine and not the hypervisor, the prompt should look like [core@localhost ~]$.
sudo systemctl rebootTesting the changes
After a short wait, log back into the system and and you should see the message of the day after logging in successfully.
ssh core@qcow-vmWe can check on our sudoers policy change as well. You shouldn’t be prompted for a password for any sudo commands since the user is in the wheel group.
sudo cat /etc/motdWhat about the change to the index page?
curl http://localhost
sudo cat /var/www/html/index.htmlHello Red Hat
The new text doesn’t appear, and it’s also not in the file on disk. This is expected based on
how bootc handles directories and image contents during changes.
Stay logged into the VM to explore how bootc manages file updates in the next module.