I originally filed this a while back as https://github.com/containers/ai-lab-recipes/issues/715

As of lately, bootc has support for https://containers.github.io/bootc/logically-bound-images.html which was explicitly created with RHELAI as an important use case.

Goal:

When a kernel (or other base RHEL) CVE comes out, it is much more efficient (on the network, but also on the registry) to download the update to RHELAI.

Today RHELAI uses "physically bound images" in e.g. https://github.com/RedHatOfficial/rhelai-dev-preview/blob/19ef39598b7d9293ffaed48c964cee3a65a745b7/training/nvidia-bootc/Containerfile#L178
where the inner containers are physically embedded in a single container.

With LBIs, they would be fetched separately from the registry, and crucially fetching an update for a kernel CVE would never mean re-fetching the vLLM or instructlab containers.
 
Acceptance Criteria:

RHELAI can successfully convert to using Logically Bound images.

Open questions:

One important thing to note here is this change will affect the user experience in some cases, most notably disconnected installations. The system administrator will have to know to fetch multiple containers, not just one.

Implementation

It should mostly be as simple as switching from "RUN podman pull" to just adding a symlink to a .image file per https://containers.github.io/bootc/logically-bound-images.html#using-logically-bound-images