Bootc Images
Rocky Linux from CIQ (RLC) provides bootable container images that enable immutable, transactional operating system deployments using OCI container technology.
What is Bootc?¶
Bootc is a deployment model where your entire operating system—kernel, bootloader, drivers, and userspace—is packaged as an OCI container image. Unlike traditional OS installation where you configure a system and then maintain it over time, bootc systems are deployed from known-good images and updated atomically.
This approach provides several advantages. Systems deploy identically every time from the same image, eliminating configuration drift. Updates replace the entire OS image rather than individual packages, so updates either succeed completely or fail cleanly with automatic rollback. Your infrastructure team can use familiar container tools like Podman to build, test, and deploy operating systems using the same workflows they use for applications.
The OCI container image serves as the single source of truth. From that image, you can deploy to bare metal, virtual machines, or cloud environments. You can also convert it to platform-specific formats like QCOW2, VMDK, or AMI when your infrastructure requires them.
Available Products and Versions¶
RLC bootc images are available for the following products:
| Product | Tag | Description |
|---|---|---|
| RLC 9 | 9 | Latest RLC 9 release with rolling updates |
| RLC 9.6 LTS | 9.6 | Long-term support release with extended maintenance |
Both products support x86_64 and aarch64 architectures.
Access to bootc images requires a subscription to RLC.
Image Variants¶
Each product includes three variants:
rlc-bootc is the full-featured image with a comprehensive package set. Use this for general-purpose workloads where you need a complete base system, or as a starting point when you're not sure which variant fits your use case. This is the default choice for most deployments.
rlc-bootc-cloud is optimized for cloud and virtualized environments. It includes cloud-init for automatic instance initialization, user provisioning, and configuration from cloud provider metadata services. Use this variant when deploying to AWS, Azure, GCP, OpenStack, or private clouds where you need automatic provisioning on first boot.
rlc-bootc-minimal provides the smallest possible bootable RLC system. It contains only the packages required to boot and run the bootc update mechanism. Use this as the base for building purpose-built appliances where you want to add only the specific packages your application requires, for security-focused deployments where minimizing attack surface is critical, or for resource-constrained environments where image size matters.
Accessing RLC Bootc Images¶
Authentication¶
Authenticate with CIQ Depot before pulling images:
podman login depot.ciq.com
You can find your Depot credentials in the CIQ Portal.
Repository Locations¶
Bootc images are available from CIQ Depot. The repository path follows this pattern:
depot.ciq.com/<product-repo>/<oci-images-repo>/<variant>:<tag>
For example, RLC 9 images for x86_64:
# Standard image
podman pull depot.ciq.com/rlc-9-images/rlc-9-oci-images.x86_64/rlc-bootc:9
# Cloud image
podman pull depot.ciq.com/rlc-9-images/rlc-9-oci-images.x86_64/rlc-bootc-cloud:9
# Minimal image
podman pull depot.ciq.com/rlc-9-images/rlc-9-oci-images.x86_64/rlc-bootc-minimal:9
The exact repository paths for your subscribed products are available in the CIQ Portal.
OCI Images vs QCOW2 Disk Images¶
RLC provides both OCI container images and pre-built QCOW2 disk images. Understanding when to use each helps you choose the right deployment path.
OCI Bootc Images¶
OCI images are the source of truth for bootc deployments. Use them when you want a single image reference deployable across bare metal, VMs, and cloud environments, when your tooling supports bootc-aware installation (Anaconda, PXE installers, bootc-image-builder), or when you want registry-driven lifecycle management with bootc upgrade, bootc switch, and rollback capabilities.
QCOW2 Disk Images¶
QCOW2 images are ready-to-run VM disks derived from the OCI images. Use them when your platform expects a VM disk image (KVM/libvirt, OpenStack, Proxmox), when you want plug-and-play deployment without running bootc or any installer at first boot, or when you need a fixed, versioned VM image for a specific platform.
QCOW2 is a deployment convenience—you can always regenerate QCOW2 (and other formats) from the OCI image using bootc-image-builder.
Pre-Built QCOW2 Images¶
Pre-built QCOW2 disk images are available for the standard and cloud variants through CIQ Portal. Log in to Portal with your RLC subscription and navigate to your product to find the current QCOW2 downloads.
Standard QCOW2 images are configured for local testing and console access. They include a built-in rocky user with no password. This user can only log in through the console while the password remains blank. Once you set a password or configure SSH keys, you can access the system through your preferred method.
Cloud QCOW2 images are configured for cloud-init provisioning. They do not include the rocky user—instead, you provide user configuration through cloud-init data sources (user-data, meta-data) when launching the instance. Cloud-init handles user creation, SSH key injection, and initial configuration automatically.
Deploying QCOW2 Images¶
Deploy a standard QCOW2 image with libvirt:
sudo virt-install \
  --name rlc-bootc-vm \
  --memory 4096 \
  --vcpus 2 \
  --noreboot \
  --disk /path/to/rlc-bootc.qcow2 \
  --import \
  --os-variant rocky9
Deploy a cloud image with cloud-init:
sudo virt-install \
  --name rlc-bootc-vm \
  --memory 4096 \
  --vcpus 2 \
  --noreboot \
  --disk /path/to/rlc-bootc-cloud.qcow2 \
  --import \
  --cloud-init user-data="$(pwd)/user-data,meta-data=$(pwd)/meta-data" \
  --os-variant rocky9
Converting OCI to Other Disk Formats¶
Use bootc-image-builder to convert OCI images to QCOW2, raw, VMDK, VHD, AMI, ISO, or anaconda-iso:
sudo podman run \
  --rm -it --privileged --pull=newer \
  --security-opt label=type:unconfined_t \
  -v ./output:/output \
  -v /var/lib/containers/storage:/var/lib/containers/storage \
  quay.io/centos-bootc/bootc-image-builder:latest \
  --type qcow2 \
  depot.ciq.com/rlc-9-images/rlc-9-oci-images.x86_64/rlc-bootc-cloud:9
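The converted image is written to ./output/. The command runs as root and mounts root's container storage, so the source image must already be present there: run podman login and podman pull with sudo before converting.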
Note
If you need to bake users or credentials directly into the image (rather than configuring them at boot time via cloud-init), mount a config.toml file: -v ./config.toml:/config.toml:ro
A minimal example that creates a user with SSH access:
[[customizations.user]]
name = "admin"
groups = ["wheel"]
ssh_authorized_keys = ["ssh-ed25519 AAAA... user@example"]
For more configuration options, see the bootc-image-builder documentation.
Release Cadence and Updates¶
Update Schedule¶
| Image Type | Cadence | Trigger |
|---|---|---|
| OCI Images | Monthly | Scheduled release or critical CVE |
| QCOW2 Disk Images | Monthly | Scheduled release |
No-Change Policy¶
If no packages have changed and no build configuration updates exist since the previous release, no new image is published for that cycle. This is expected behavior—some release cycles may not produce new images.
Critical CVE Response¶
Critical security vulnerabilities trigger a rebuild ahead of the normal monthly cadence. Systems running bootc images receive these updates through the standard bootc upgrade workflow.
Updating and Rolling Back¶
Once a system is running from a bootc image, updates are atomic operations pulled from the container registry.
Checking for Updates¶
bootc upgrade --check
Applying Updates¶
bootc upgrade
systemctl reboot
The system downloads the new image, stages it, and activates it on reboot. The previous image remains available for rollback.
Rolling Back¶
If an update causes problems, roll back to the previous image:
bootc rollback
systemctl reboot
Switching Images¶
Switch a running system to a different image entirely:
# Switch to a different variant or version
# Example: switch from standard to cloud variant
bootc switch depot.ciq.com/rlc-9-images/rlc-9-oci-images.x86_64/rlc-bootc-cloud:9
systemctl reboot
Building Derived Images¶
Create customized images by building on top of RLC bootc base images using a Containerfile.
Before running DNF in a derived image or on a deployed system, you must register with CIQ Depot:
depot-image-register -u <user> -t <token>
The depot-image-register command registers your system with CIQ Depot, enables your subscribed RLC products for package installation, and configures authentication for pulling bootc image updates. Your Depot username and token are available in the CIQ Portal.
Example Containerfile¶
FROM depot.ciq.com/rlc-9-images/rlc-9-oci-images.x86_64/rlc-bootc:9
# Register with Depot, install packages, clean up credentials
RUN --mount=type=secret,id=depot_user --mount=type=secret,id=depot_token \
    depot-image-register -u "$(cat /run/secrets/depot_user)" -t "$(cat /run/secrets/depot_token)" \
    && dnf install -y httpd \
    && dnf clean all \
    && rm -rf /etc/yum.repos.d/depot-*.repo /etc/ostree/auth.json /root/.depot
# Add custom configuration
COPY httpd.conf /etc/httpd/conf/httpd.conf
# Enable services
RUN systemctl enable httpd
Building with Secrets¶
Pass Depot credentials as build secrets to avoid embedding them in the image:
DEPOT_USER="your-depot-username" \
DEPOT_TOKEN="your-depot-token" \
podman build \
  --secret id=depot_user,env=DEPOT_USER \
  --secret id=depot_token,env=DEPOT_TOKEN \
  -t my-custom-rlc-bootc:latest .
Push your derived image to your container registry, then deploy or convert to disk images as needed.
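The cleanup in the example Containerfile only keeps Depot credentials out of the image because it runs in the same RUN step as the registration; files deleted in a later RUN stay readable in the earlier layer. The script below is an added example, not code from CIQ or this page, that checks every layer of a saved image for the three paths the Containerfile removes; the function names, the demo layers and the depot-rlc-9.repo file name are constructed for illustration.

```shell
# Added example, not CIQ code. Paths are the three the Containerfile removes.
# Assumption: layers store resolved paths; extend the pattern if /root is a symlink.
DEPOT_RESIDUE='^(etc/yum\.repos\.d/depot-[^/]*\.repo|etc/ostree/auth\.json|root/\.depot(/.*)?)$'

# scan_layer <blob>: list residue paths in one layer tarball.
# Blobs that are not tarballs (manifests, config JSON) produce no output.
scan_layer() {
    tar -tf "$1" 2>/dev/null | sed -e 's|^\./||' -e 's|^/||' | grep -E "$DEPOT_RESIDUE"
}

# scan_image_dir <dir>: scan every blob of an unpacked `podman save` archive.
# Prints "<blob>: <path>" per hit and returns 1 if any layer holds a credential file.
scan_image_dir() {
    hits=$(find "$1" -type f | sort | while IFS= read -r blob; do
        scan_layer "$blob" | while IFS= read -r p; do
            printf '%s: %s\n' "${blob#"$1"/}" "$p"
        done
    done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# make_layer <out.tar> <file>...: build a constructed layer tarball of empty files.
make_layer() {
    out=$1; shift
    stage=$(mktemp -d)
    for f in "$@"; do mkdir -p "$stage/$(dirname "$f")" && : > "$stage/$f"; done
    tar -cf "$out" -C "$stage" . && rm -rf "$stage"
}

# demo <good|bad>: constructed images (file names are made up for the demo).
# "bad" registers in one RUN and deletes in a later RUN: layer 2 only holds a
# whiteout, and layer 1 still ships the token. "good" cleans up in the same RUN.
demo() {
    img=$(mktemp -d); rc=0
    if [ "$1" = bad ]; then
        make_layer "$img/layer1.tar" etc/ostree/auth.json etc/yum.repos.d/depot-rlc-9.repo
        make_layer "$img/layer2.tar" etc/ostree/.wh.auth.json
    else
        make_layer "$img/layer1.tar" usr/sbin/httpd etc/httpd/conf/httpd.conf
    fi
    scan_image_dir "$img" || rc=$?
    rm -rf "$img"
    return "$rc"
}

# Real use: podman save --format oci-archive -o img.tar my-custom-rlc-bootc:latest
#           mkdir img && tar -xf img.tar -C img && sh scan.sh img
if [ "$#" -eq 1 ]; then scan_image_dir "$1"; fi
```

A non-zero exit from scan_image_dir is suitable as a gate in the build pipeline before the derived image is pushed.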
Package Set¶
The bootc images follow upstream best practices with a streamlined package set. The following components are not included in the base images:
- GUI applications and libraries
- Cockpit
- Firewalld
- VirtIO Windows drivers
If you require these packages, add them in a derived image.
FAQ¶
Why is there no minimal QCOW2 image?¶
The minimal variant exists as a starting point for building derived images, not as a deployment target. The expected workflow is to use rlc-bootc-minimal as your FROM base, add only the packages your appliance requires, then deploy your custom image directly or convert it to QCOW2.
A pre-built minimal QCOW2 would boot into an almost unusable system with no clear path to customize it while maintaining immutability. If you need a minimal QCOW2, build your derived image from rlc-bootc-minimal and convert it using bootc-image-builder.
Support¶
For access to RLC bootc images or technical support:
- CIQ Portal: portal.ciq.com
- Contact: ciq.com/company/contact-us