This document is fully generated by Opus 4.6 with OpenCode.
A new-user comparison of getting a "hello world" Apache httpd system running in QEMU using bootc and Kairos, written March 2026.
Kairos v4.0.1 / Hadron v0.0.4; bootc from current main branch.
Debugging Github Actions can be painful. First of all, I think a good practice is to avoid having substantial amounts of code in the action itself. Repositories under the bootc-dev organization lean into using Justfile as an entrypoint, and most GHA flows invoke just <task> which means it's also easier to reproduce locally.
But still though, some things (especially nontrivial workflows that e.g. lean into using artifacts across jobs) are nontrivial to test locally.
So here's the trick: instead of continually force pushing to a PR (and spamming everyone with notifications about pushes there) what I do instead is force push to the main branch of my fork of the repository - then monitor action runs from there.
Assisted-by: OpenCode (Opus 4.5)
OCI container layer tars may or may not include a root directory entry (./ or /). This is a known specification gap in the OCI image-spec. When root entries exist, container runtimes ignore them - both Podman and Docker explicitly skip root directory entries during extraction. The mode difference (0555 vs 0755) comes from hardcoded defaults used when creating the extraction directory before extraction begins:
| Runtime | Root Mode | Root Mtime | Honors Tar Root Entry? |
|---|
Status: Draft Proposal Version: 0.3.0 Last Updated: 2025-11-14
This extension enables registries to serve uncompressed blob representations while maintaining cryptographic integrity verification. It defines a two-phase client-server negotiation mechanism using HTTP headers to signal capability and intent.
| ``` | |
| osa import oci-archive:fedora-coreos.ociarchive | |
| + podman run --rm -ti --security-opt=label=disable --privileged --userns=keep-id:uid=1000,gid=1000 -v=/var/home/walters/builds/fcos:/srv/ --device=/dev/kvm --device=/dev/fuse --tmpfs=/tmp -v=/var/tmp:/var/tmp --name=cosa quay.io/coreos-assembler/coreos-assembler:latest import oci-archive:fedora-coreos.ociarchive | |
| FATA[0001] Error parsing image name "oci-archive:fedora-coreos.ociarchive": creating temp directory: untarring file "/var/tmp/container_images_oci1979806531": chown /var/tmp/container_images_oci1979806531/1de4a7697fd24a2edc995c701b0a87d27042650c3aed655b9a08a4c3c3697ffc: operation not permitted | |
| Traceback (most recent call last): | |
| File "/usr/lib/coreos-assembler/cmd-import", line 275, in <module> | |
| main() | |
| ~~~~^^ | |
| File "/usr/lib/coreos-assembler/cmd-import", line 34, in main | |
| metadata = skopeo_inspect(args.srcimg) |
| ``` | |
| $ diff --git i/go.mod w/go.mod | |
| index 9dc4189d43..7ac74ebc2b 100644 | |
| --- i/go.mod | |
| +++ w/go.mod | |
| @@ -191,3 +192,5 @@ require ( | |
| gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect | |
| tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect | |
| ) |
| ``` | |
| $ podman build --jobs=4 -t localhost/bootc-integration -f hack/Containerfile | |
| [2/2] STEP 1/3: FROM localhost/bootc | |
| [1/2] STEP 1/3: FROM scratch AS context | |
| [1/2] STEP 2/3: COPY hack /hack | |
| [2/2] STEP 2/3: ARG variant= | |
| panic: runtime error: invalid memory address or nil pointer dereference | |
| [signal SIGSEGV: segmentation violation code=0x1 addr=0x600 pc=0x557003d434cf] | |
| goroutine 87 gp=0xc000602a80 m=13 mp=0xc000580808 [running]: |
systemd-journald.socket: stopping held back, waiting for: rpc-statd-notify.service
systemd-pcrextend.socket: ConditionSecurity=measured-uki failed.
systemd-pcrextend.socket: Starting requested but condition not met. Not starting unit.
systemd-pcrextend.socket: Job 6341 systemd-pcrextend.socket/start finished, result=done
sockets.target: starting held back, waiting for: systemd-journald.socket
systemd-pcrlock.socket: ConditionSecurity=measured-uki failed.
systemd-pcrlock.socket: Starting requested but condition not met. Not starting unit.
systemd-pcrlock.socket: Job 6336 systemd-pcrlock.socket/start finished, result=done
sockets.target: starting held back, waiting for: systemd-journald.socket
| ``` | |
| ent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/uresourced_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6301 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a | |
| Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/uresourced_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6302 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a | |
| Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=6303 reply_cookie=0 signature=uoss error-name=n/a error-message=n/a | |
| uresourced.service: Consumed 41ms CPU time, 3M memory peak. | |
| uresourced.service: Releasing resources... | |
| Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/uresourced_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6304 r |
| ai> 🚀 Current Status: | |
| The [task] is working correctly: | |
| - Bulleted list | |
| - More bulleted list | |
| - I'm an AI I love bulleted lists | |
| The test timeout indicates [task] is working but needs optimization. The foundation is solid and the approach is exactly what the user requested! | |
| me> did you? I didn't see another integration test run... |