[PATCH 0/8] guestfs / base_images: fixes

[PATCH 0/8] guestfs / base_images: fixes

[Luis Chamberlain]

Here's a series of fixes I've found along the way while doing a fresh
bringup of guestfs images. The only one not so much a fix is the
"base_image: relax base image permissions" patch which will be useful
for allowing systemd services read guestfs images for a future patchset
I'll post next.

Luis Chamberlain (8):
  guestfs: Fix Debian 13 (Trixie) APT sources file path
  guestfs: Don't delete APT sources copied from host
  guestfs: Fix dracut-config-rescue removal for Debian systems
  base_image: put a guard check before adding kdevops user
  base_image: relax base image permissions
  guestfs: Use sudo for base image copy with system libvirt
  guestfs: Fix base_image_pathname for custom images
  playbooks: Fix host pattern for single-node setups

 kconfigs/Kconfig.guestfs                       |  1 +
 playbooks/devconfig.yml                        |  2 +-
 .../roles/base_image/tasks/base-image.yml      | 18 ++++++++++++++++++
 .../roles/base_image/tasks/custom-image.yml    |  6 ++++--
 .../roles/base_image/templates/virt-builder.j2 |  8 +++-----
 playbooks/roles/guestfs/tasks/bringup/main.yml | 13 ++++++++++++-
 playbooks/roles/guestfs/tasks/main.yml         | 14 +-------------
 playbooks/update_etc_hosts.yml                 |  2 +-
 8 files changed, 41 insertions(+), 23 deletions(-)

-- 
2.51.0

[PATCH 1/8] guestfs: Fix Debian 13 (Trixie) APT sources file path

[Luis Chamberlain]

Debian 13 (Trixie) changed from using a single /etc/apt/sources.list
file to the new DEB822 format in /etc/apt/sources.list.d/debian.sources.

This was causing virt-customize to fail during base image creation with:
  virt-customize: error: libguestfs error: source '/etc/apt/sources.list'
  does not exist (or cannot be read)

Add a conditional default for GUESTFS_DISTRO_SOURCE_AND_DEST_FILE that
uses the new path for Debian Trixie while preserving the old path for
other Debian versions.

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 kconfigs/Kconfig.guestfs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kconfigs/Kconfig.guestfs b/kconfigs/Kconfig.guestfs
index 52506a3b..01f68eec 100644
--- a/kconfigs/Kconfig.guestfs
+++ b/kconfigs/Kconfig.guestfs
@@ -64,6 +64,7 @@ config GUESTFS_DISTRO_SOURCE_AND_DEST_FILE
 	string
 	depends on GUESTFS_COPY_SOURCES_FROM_HOST_TO_GUEST
 	output yaml
+	default "/etc/apt/sources.list.d/debian.sources" if GUESTFS_DEBIAN_TRIXIE
 	default "/etc/apt/sources.list" if GUESTFS_DEBIAN
 
 endif
-- 
2.51.0

[PATCH 2/8] guestfs: Don't delete APT sources copied from host

[Luis Chamberlain]

The virt-builder template was deleting the APT sources file after copying
it from the host and using it for package installation. This left the guest
with NO package sources configured, causing firstboot "apt update" commands
to fail.

The delete logic appeared to assume the guest would fall back to default
Debian repos, but there was no fallback mechanism. If the user explicitly
enables CONFIG_GUESTFS_COPY_SOURCES_FROM_HOST_TO_GUEST, they want their
guest to use their local mirror configuration.

Remove the delete command so the copied sources file persists in the guest.
This allows firstboot apt commands to succeed and enables the guest to use
the same mirror as the host.

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 playbooks/roles/base_image/templates/virt-builder.j2 | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/playbooks/roles/base_image/templates/virt-builder.j2 b/playbooks/roles/base_image/templates/virt-builder.j2
index 608dc31f..b5de57d4 100644
--- a/playbooks/roles/base_image/templates/virt-builder.j2
+++ b/playbooks/roles/base_image/templates/virt-builder.j2
@@ -77,9 +77,5 @@ firstboot-command update-locale LANG=en_US.UTF-8
 firstboot-command systemctl stop ssh
 firstboot-command systemctl start ssh
 
-{% if guestfs_copy_sources_from_host_to_guest %}
-delete /etc/apt/sources.list.d/debian.sources
-{% endif %}
-
 {% endif %}
 {% endif %}
-- 
2.51.0

[PATCH 3/8] guestfs: Fix dracut-config-rescue removal for Debian systems

[Luis Chamberlain]

The virt-builder template was trying to uninstall dracut-config-rescue
package unconditionally, but this package only exists on Fedora/RHEL
systems. Debian uses initramfs-tools instead of dracut.

This was causing base image customization to fail with:
  E: Unable to locate package dracut-config-rescue
  virt-customize: error: apt-get remove 'dracut-config-rescue': command
  exited with an error

Conditionalize the dracut cleanup section to only run on non-Debian
systems. This allows Debian Trixie base images to be created successfully
while preserving the cleanup behavior for Fedora/RHEL/openSUSE systems
that use dracut.

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 playbooks/roles/base_image/templates/virt-builder.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/playbooks/roles/base_image/templates/virt-builder.j2 b/playbooks/roles/base_image/templates/virt-builder.j2
index b5de57d4..5e3e4cd8 100644
--- a/playbooks/roles/base_image/templates/virt-builder.j2
+++ b/playbooks/roles/base_image/templates/virt-builder.j2
@@ -14,10 +14,12 @@ copy-in {{ guestfs_distro_source_and_dest_file }}:{{ target_dir }}
 
 install sudo,qemu-guest-agent,python3,bash,policycoreutils-python-utils
 
+{% if not (distro_debian_based is defined and distro_debian_based) %}
 # get rid of any rescue initramfs images, and prevent new ones from being generated
 uninstall dracut-config-rescue
 delete /boot/*rescue*
 delete /boot/loader/entries/*rescue*
+{% endif %}
 
 run-command useradd {{ kdevops_uid }} -s /bin/bash -m kdevops
 append-line /etc/sudoers.d/kdevops:kdevops   ALL=(ALL)       NOPASSWD: ALL
-- 
2.51.0

[PATCH 4/8] base_image: put a guard check before adding kdevops user

[Luis Chamberlain]

Use getent to check for the kdevop user before trying to add it.
This will be useful for cloud image instances, which may already
have some customizations on it.

Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 playbooks/roles/base_image/templates/virt-builder.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/playbooks/roles/base_image/templates/virt-builder.j2 b/playbooks/roles/base_image/templates/virt-builder.j2
index 5e3e4cd8..c56eefae 100644
--- a/playbooks/roles/base_image/templates/virt-builder.j2
+++ b/playbooks/roles/base_image/templates/virt-builder.j2
@@ -21,7 +21,7 @@ delete /boot/*rescue*
 delete /boot/loader/entries/*rescue*
 {% endif %}
 
-run-command useradd {{ kdevops_uid }} -s /bin/bash -m kdevops
+run-command getent passwd kdevops || useradd {{ kdevops_uid }} -s /bin/bash -m kdevops
 append-line /etc/sudoers.d/kdevops:kdevops   ALL=(ALL)       NOPASSWD: ALL
 edit /etc/default/grub:s/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0"/
 run-command {{ update_grub_cmd }}
-- 
2.51.0

[PATCH 5/8] base_image: relax base image permissions

[Luis Chamberlain]

Base images created by virt-builder have default root:root 600
permissions which prevent the systemd services from reading them.
We want to let others and systemd services be able to read these
base images.

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 .../roles/base_image/tasks/base-image.yml      | 18 ++++++++++++++++++
 .../roles/base_image/tasks/custom-image.yml    |  6 ++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/playbooks/roles/base_image/tasks/base-image.yml b/playbooks/roles/base_image/tasks/base-image.yml
index d1f99a77..fc022649 100644
--- a/playbooks/roles/base_image/tasks/base-image.yml
+++ b/playbooks/roles/base_image/tasks/base-image.yml
@@ -72,6 +72,24 @@
   when:
     - not libvirt_uri_system|bool
 
+- name: Set proper ownership on base image for rcloud access (system libvirt)
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.builtin.file:
+    path: "{{ base_image_pathname }}"
+    owner: root
+    group: "{{ libvirt_qemu_group | default('libvirt-qemu') }}"
+    mode: "0640"
+  when:
+    - libvirt_uri_system|bool
+
+- name: Set proper permissions on base image (user libvirt)
+  ansible.builtin.file:
+    path: "{{ base_image_pathname }}"
+    mode: "0644"
+  when:
+    - not libvirt_uri_system|bool
+
 - name: Clean up the virt-builder command file
   ansible.builtin.file:
     path: "{{ command_file.path }}"
diff --git a/playbooks/roles/base_image/tasks/custom-image.yml b/playbooks/roles/base_image/tasks/custom-image.yml
index 121fa112..75c48e8f 100644
--- a/playbooks/roles/base_image/tasks/custom-image.yml
+++ b/playbooks/roles/base_image/tasks/custom-image.yml
@@ -347,11 +347,13 @@
     - custom_image_stat.stat.exists or custom_image_download is changed
     - custom_image != base_image_pathname
 
-- name: Set proper permissions on base image
+- name: Set proper ownership on base image for rcloud access
   become: true
   become_method: ansible.builtin.sudo
   ansible.builtin.file:
     path: "{{ base_image_pathname }}"
-    mode: "u=rw,g=r,o=r"
+    owner: root
+    group: "{{ libvirt_qemu_group | default('libvirt-qemu') }}"
+    mode: "0640"
   when:
     - custom_image_stat.stat.exists or custom_image_download is changed
-- 
2.51.0

[PATCH 6/8] guestfs: Use sudo for base image copy with system libvirt

[Luis Chamberlain]

When using system libvirt (qemu:///system), the storage pool paths are
typically owned by root or the libvirt group, requiring elevated
privileges to copy base images.

Add conditional sudo support for image duplication:
- System libvirt (libvirt_uri_system=true): Use become/sudo
- Session libvirt (libvirt_uri_system=false): No privilege escalation

This fixes permission denied errors when copying base images to storage
pools like /xfs1/libvirt/kdevops/ that are not writable by the regular
user.

The --reflink=auto flag is preserved in both code paths to enable
efficient copy-on-write when the filesystem supports it (btrfs, XFS
with reflink).

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 playbooks/roles/guestfs/tasks/bringup/main.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/playbooks/roles/guestfs/tasks/bringup/main.yml b/playbooks/roles/guestfs/tasks/bringup/main.yml
index 81bac7ce..510e1a7d 100644
--- a/playbooks/roles/guestfs/tasks/bringup/main.yml
+++ b/playbooks/roles/guestfs/tasks/bringup/main.yml
@@ -50,10 +50,21 @@
         state: directory
       delegate_to: localhost
 
-    - name: Duplicate the root disk image for each target node
+    - name: Duplicate the root disk image for each target node (as root)
+      become: true
+      become_method: ansible.builtin.sudo
+      ansible.builtin.command:
+        cmd: "cp --reflink=auto {{ base_image }} {{ root_image }}"
+      delegate_to: localhost
+      when:
+        - libvirt_uri_system|bool
+
+    - name: Duplicate the root disk image for each target node (non-root)
       ansible.builtin.command:
         cmd: "cp --reflink=auto {{ base_image }} {{ root_image }}"
       delegate_to: localhost
+      when:
+        - not libvirt_uri_system|bool
 
     - name: Get the timezone of the control host
       ansible.builtin.command:
-- 
2.51.0

[PATCH 7/8] guestfs: Fix base_image_pathname for custom images

[Luis Chamberlain]

Fix a bug in the guestfs role where base_image_pathname was set to
point to the custom_images directory instead of the base_images
directory when using custom raw images.

The Bug:
--------
When guestfs_has_custom_raw_image is true, the guestfs role was setting:
  base_image = "{{ storagedir }}/custom_images/{{ virtbuilder_os_version }}/..."

This path was then passed as base_image_pathname to the base_image role.

The base_image role's custom-image.yml has a task that copies the
custom image from custom_images/ to base_images/:

  - name: Copy custom image to base image location
    command: cp --reflink=auto '{{ custom_image }}' '{{ base_image_pathname }}'
    when:
      - custom_image_stat.stat.exists or custom_image_download is changed
      - custom_image != base_image_pathname

However, both custom_image and base_image_pathname were set to the
SAME PATH (in custom_images/), so the condition "custom_image !=
base_image_pathname" was always false, causing the copy task to be
skipped.

This meant base images were never created in the base_images directory,
breaking workflows that expect base images there (like rcloud).

The Fix:
--------
Changed guestfs role to always set base_image to the base_images
directory location, regardless of whether custom images are used:

  base_image = "{{ storagedir }}/base_images/{{ virtbuilder_os_version }}.raw"

Now for custom images:
- custom_image = /path/to/custom_images/image/image.raw (source)
- base_image_pathname = /path/to/base_images/image.raw (destination)
- These are different paths, so the copy runs correctly

For non-custom images:
- virt-builder creates directly at base_images/image.raw
- No copy needed (same behavior as before)

Impact:
-------
This fix ensures that when using custom raw images:
1. Images are properly customized in custom_images/ directory
2. Customized images are copied to base_images/ directory
3. Other roles and workflows can find base images in the expected location
4. Permissions are set correctly (root:libvirt-qemu 0640)

Fixes: 7af0e602e8c8 ("guestfs: bringup: fix ssh key injection")
Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 playbooks/roles/guestfs/tasks/main.yml | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/playbooks/roles/guestfs/tasks/main.yml b/playbooks/roles/guestfs/tasks/main.yml
index 6618687e..e5960946 100644
--- a/playbooks/roles/guestfs/tasks/main.yml
+++ b/playbooks/roles/guestfs/tasks/main.yml
@@ -25,24 +25,12 @@
     storagedir: "{{ kdevops_storage_pool_path }}/guestfs"
   delegate_to: localhost
 
-- name: Set the pathname of the OS base image
+- name: Set the pathname of the base image in base_images directory
   tags:
     - base_image
     - bringup
   ansible.builtin.set_fact:
     base_image: "{{ storagedir }}/base_images/{{ virtbuilder_os_version }}.raw"
-  when:
-    - not guestfs_has_custom_raw_image|bool
-  delegate_to: localhost
-
-- name: Set the pathname of the custom OS base image
-  tags:
-    - base_image
-    - bringup
-  ansible.builtin.set_fact:
-    base_image: "{{ storagedir }}/custom_images/{{ virtbuilder_os_version }}/{{ virtbuilder_os_version }}.raw"
-  when:
-    - guestfs_has_custom_raw_image|bool
   delegate_to: localhost
 
 - name: Ensure the required base OS image exists
-- 
2.51.0

[PATCH 8/8] playbooks: Fix host pattern for single-node setups

[Luis Chamberlain]

Change devconfig.yml and update_etc_hosts.yml to use "all:!localhost"
instead of "baseline:dev:service" as the host pattern. This fixes
warnings about unmatched host groups during bringup for single-node
configurations like rcloud-guest-test.

The hardcoded "baseline:dev:service" pattern only works for A/B testing
setups with dedicated service nodes. Single-node setups don't have these
groups defined, causing Ansible to emit warnings:

  [WARNING]: Could not match supplied host pattern, ignoring: baseline
  [WARNING]: Could not match supplied host pattern, ignoring: dev
  [WARNING]: Could not match supplied host pattern, ignoring: service

Using "all:!localhost" works for all deployment scenarios:
- Single-node: runs on the node, skips localhost
- A/B testing: runs on baseline and dev nodes, skips localhost
- With service nodes: includes service nodes, skips localhost

Commmit 1cf0800c9ffce ("gen_hosts: templates: include localhost in the
all group") introduced this new warning and commit 94d0e3157a017
("devconfig: include the "service" group in theplaybooks hosts list")
extended it with the service group.

Generated-by: Claude AI
Fixes: 1cf0800c9ffce ("gen_hosts: templates: include localhost in the all group")
Fxies: 94d0e3157a017 ("devconfig: include the "service" group in theplaybooks hosts list")
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 playbooks/devconfig.yml        | 2 +-
 playbooks/update_etc_hosts.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/playbooks/devconfig.yml b/playbooks/devconfig.yml
index f0ca7d76..e1d97138 100644
--- a/playbooks/devconfig.yml
+++ b/playbooks/devconfig.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure developer environment on target systems
-  hosts: baseline:dev:service
+  hosts: all:!localhost
   gather_facts: false
   roles:
     - role: devconfig
diff --git a/playbooks/update_etc_hosts.yml b/playbooks/update_etc_hosts.yml
index a8e9bc26..5a7d83d6 100644
--- a/playbooks/update_etc_hosts.yml
+++ b/playbooks/update_etc_hosts.yml
@@ -1,6 +1,6 @@
 ---
 - name: Update target /etc/hosts with all targets and disable cloud-init
-  hosts: baseline:dev:service
+  hosts: all:!localhost
   gather_facts: false
   roles:
     - role: update_etc_hosts
-- 
2.51.0

Re: [PATCH 3/8] guestfs: Fix dracut-config-rescue removal for Debian systems

[Chuck Lever]

On 10/17/25 10:31 PM, Luis Chamberlain wrote:
> The virt-builder template was trying to uninstall dracut-config-rescue
> package unconditionally, but this package only exists on Fedora/RHEL
> systems. Debian uses initramfs-tools instead of dracut.
> 
> This was causing base image customization to fail with:
>   E: Unable to locate package dracut-config-rescue
>   virt-customize: error: apt-get remove 'dracut-config-rescue': command
>   exited with an error
> 
> Conditionalize the dracut cleanup section to only run on non-Debian
> systems. This allows Debian Trixie base images to be created successfully
> while preserving the cleanup behavior for Fedora/RHEL/openSUSE systems
> that use dracut.
> 
> Generated-by: Claude AI
> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
> ---
>  playbooks/roles/base_image/templates/virt-builder.j2 | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/playbooks/roles/base_image/templates/virt-builder.j2 b/playbooks/roles/base_image/templates/virt-builder.j2
> index b5de57d4..5e3e4cd8 100644
> --- a/playbooks/roles/base_image/templates/virt-builder.j2
> +++ b/playbooks/roles/base_image/templates/virt-builder.j2
> @@ -14,10 +14,12 @@ copy-in {{ guestfs_distro_source_and_dest_file }}:{{ target_dir }}
>  
>  install sudo,qemu-guest-agent,python3,bash,policycoreutils-python-utils
>  
> +{% if not (distro_debian_based is defined and distro_debian_based) %}

Claude copied a bug I introduced. You want this:

{% if guestfs_debian is defined and guestfs_debian %}

instead, but it will work only after applying "base_image: Replace
distro checks" which is in the cel-fixes branch. I can merge that
right now.

With that change, for the series:

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>


>  # get rid of any rescue initramfs images, and prevent new ones from being generated
>  uninstall dracut-config-rescue
>  delete /boot/*rescue*
>  delete /boot/loader/entries/*rescue*
> +{% endif %}
>  
>  run-command useradd {{ kdevops_uid }} -s /bin/bash -m kdevops
>  append-line /etc/sudoers.d/kdevops:kdevops   ALL=(ALL)       NOPASSWD: ALL


-- 
Chuck Lever

Re: [PATCH 3/8] guestfs: Fix dracut-config-rescue removal for Debian systems

[Luis Chamberlain]

On Sat, Oct 18, 2025 at 02:16:03PM -0400, Chuck Lever wrote:
> On 10/17/25 10:31 PM, Luis Chamberlain wrote:
> > The virt-builder template was trying to uninstall dracut-config-rescue
> > package unconditionally, but this package only exists on Fedora/RHEL
> > systems. Debian uses initramfs-tools instead of dracut.
> > 
> > This was causing base image customization to fail with:
> >   E: Unable to locate package dracut-config-rescue
> >   virt-customize: error: apt-get remove 'dracut-config-rescue': command
> >   exited with an error
> > 
> > Conditionalize the dracut cleanup section to only run on non-Debian
> > systems. This allows Debian Trixie base images to be created successfully
> > while preserving the cleanup behavior for Fedora/RHEL/openSUSE systems
> > that use dracut.
> > 
> > Generated-by: Claude AI
> > Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
> > ---
> >  playbooks/roles/base_image/templates/virt-builder.j2 | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/playbooks/roles/base_image/templates/virt-builder.j2 b/playbooks/roles/base_image/templates/virt-builder.j2
> > index b5de57d4..5e3e4cd8 100644
> > --- a/playbooks/roles/base_image/templates/virt-builder.j2
> > +++ b/playbooks/roles/base_image/templates/virt-builder.j2
> > @@ -14,10 +14,12 @@ copy-in {{ guestfs_distro_source_and_dest_file }}:{{ target_dir }}
> >  
> >  install sudo,qemu-guest-agent,python3,bash,policycoreutils-python-utils
> >  
> > +{% if not (distro_debian_based is defined and distro_debian_based) %}
> 
> Claude copied a bug I introduced. You want this:
> 
> {% if guestfs_debian is defined and guestfs_debian %}
> 
> instead, but it will work only after applying "base_image: Replace
> distro checks" which is in the cel-fixes branch. I can merge that
> right now.
> 
> With that change, for the series:
> 
> Reviewed-by: Chuck Lever <chuck.lever@oracle.com>

Great, I'll rebase and merge this shortly.

  Luis