feat: add QEMU_ADDITIONAL_PACKAGES environment variable

[antitree]

Summary

This PR adds support for the QEMU_ADDITIONAL_PACKAGES environment variable, which allows users to specify additional packages to include in the initramfs image during QEMU VM initialization. This complements the existing TESTING environment variable feature gate.

Changes

• Added QEMU_ADDITIONAL_PACKAGES support in pkg/container/qemu_runner.go
• Packages are added to the initramfs image build specification
• Accepts comma-separated list of package names (e.g., hello-wolfi,nginx-stable,strace)
• Packages are baked into the initramfs for immediate availability at boot
• Input validation prevents injection attacks (regex: ^[a-zA-Z0-9_,.-]+$)
• Cache invalidation: different package lists create separate cached initramfs files

How It Works

Without QEMU_ADDITIONAL_PACKAGES:

spec := apko_types.ImageConfiguration{
    Contents: apko_types.ImageContents{
        Packages: []string{"microvm-init"},
    },
}

With QEMU_ADDITIONAL_PACKAGES=hello-wolfi,strace:

spec := apko_types.ImageConfiguration{
    Contents: apko_types.ImageContents{
        Packages: []string{"microvm-init", "hello-wolfi", "strace"},
    },
}

Packages are installed into the initramfs during the apko build, so they're available immediately when the VM boots - no runtime apk add needed!

Usage

# Single package
QEMU_ADDITIONAL_PACKAGES=hello-wolfi melange build mypackage.yaml --runner qemu

# Multiple packages
QEMU_ADDITIONAL_PACKAGES=strace,gdb,tcpdump melange build mypackage.yaml --runner qemu

Use Cases

• Testing/debugging: Install tools like strace, gdb, tcpdump for debugging builds
• Runtime dependencies: Install packages needed during the build that aren't in the build environment
• Development: Quick iteration without modifying build configurations\
• Init.d hooks: Install packages that provide init.d scripts for custom initialization

Security

The implementation validates input to prevent shell injection attacks. Only alphanumeric characters, hyphens, underscores, commas, and dots are allowed in package names. Suspicious input is rejected with a warning.

Test Results

Verified that packages are successfully added to the initramfs:

2025/12/10 12:05:59 INFO qemu: QEMU_ADDITIONAL_PACKAGES env set to hello-wolfi, adding to initramfs
2025/12/10 12:06:00 INFO     packages:     [microvm-init hello-wolfi]
2025/12/10 12:06:02 INFO installing hello-wolfi (2.12.2-r2)

The package is installed in the initramfs and available at boot time ✅

[egibs]

Would it be worth moving this to a new function (getAdditionalPackages) and writing a test to make sure this does what it's supposed to?

[egibs]

(and likely the new TESTING code as well although it's not doing nearly as much)

[89luca89]

Agree on the separate function and tests
Also I'd avoid shadowing variables in general

[antitree]

On it. Added a new function and tests for it

[egibs]

Can we foresee hitting the edge case where we install enough packages to make this consistent even though we're installing new/different packages after the cutoff?

Would something like a checksum work better?

[89luca89]

Agree on checksum, makes it simpler and less likely to have strange chars in it

[antitree]

Yeah I think that smart and gets us out of dealing with the 4K cmdline problem I think