container: Add export --format=tar command

Implement bootc container export command to export container filesystems
as bootable tar archives with proper metadata preservation and bootc-
specific features.

Key features:
- Export container filesystems to tar format
- Preserve file permissions, ownership, and metadata using secure metadata calls
- Kernel relocation from /usr/lib/modules to /boot for legacy compatibility
- Support for output to file or stdout
- Comprehensive error handling and validation
- SELinux labeling support when policy is available
- Basic test coverage for core functionality

Security improvements:
- Use entry.entry.metadata() to get correct metadata for each walk entry
- Avoid symlink-following metadata calls that could leak host files
- Ensure proper metadata retrieval for directories, files, and symlinks

Code quality improvements:
- Extract relocate_kernel_artifact() helper to eliminate duplication
- Clean, maintainable kernel relocation logic
- Comprehensive documentation and help text

Fixes #1957

Assisted-by: OpenCode (Sonnet 4.5)

Author: cgwalters

Cargo.lock

@@ -101,7 +101,7 @@ test-tmt *ARGS: build
 [group('core')]
 test-container: build build-units
     podman run --rm --read-only localhost/bootc-units /usr/bin/bootc-units
-    podman run --rm --env=BOOTC_variant={{variant}} --env=BOOTC_base={{base}} {{base_img}} bootc-integration-tests container
+    podman run --rm --env=BOOTC_variant={{variant}} --env=BOOTC_base={{base}} --mount=type=image,source={{base_img}},target=/run/target {{base_img}} bootc-integration-tests container
 
 # Build and test sealed composefs images
 [group('core')]

Justfile

@@ -415,6 +415,45 @@ pub(crate) enum ContainerOpts {
         #[clap(last = true)]
         args: Vec<OsString>,
     },
+    /// Export container filesystem as a flattened tar archive, performing transformations
+    /// (such as SELinux labeling) that make it easier to consume by systems which expect
+    /// this format. The resulting tar archive has nothing related to bootc itself; the
+    /// semantics of system deployment are completely dependent on what consumes the tar archive.
+    ///
+    /// Typically, systems deployed this way are for mutable or in-memory use cases. This
+    /// operation is included in bootc as a "bridge" to more strictly immutable systems.
+    ///
+    /// The output is written to stdout by default or to a specified file.
+    ///
+    /// Example:
+    ///   bootc container export /target > output.tar
+    Export {
+        /// Format for export output
+        #[clap(long, default_value = "tar")]
+        format: ExportFormat,
+
+        /// Output file (defaults to stdout)
+        #[clap(long, short = 'o')]
+        output: Option<Utf8PathBuf>,
+
+        /// Copy kernel and initramfs from /usr/lib/modules to /boot for legacy compatibility.
+        /// This is useful for installers that expect the kernel in /boot.
+        #[clap(long)]
+        kernel_in_boot: bool,
+
+        /// Disable SELinux labeling in the exported archive.
+        #[clap(long)]
+        disable_selinux: bool,
+
+        /// Path to the container filesystem root
+        target: Utf8PathBuf,
+    },
+}
+
+#[derive(Debug, Clone, ValueEnum, PartialEq, Eq)]
+pub(crate) enum ExportFormat {
+    /// Export as tar archive
+    Tar,
 }
 
 /// Subcommands which operate on images.
@@ -1626,6 +1665,22 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 kargs,
                 args,
             } => crate::ukify::build_ukify(&rootfs, &kargs, &args),
+            ContainerOpts::Export {
+                format,
+                target,
+                output,
+                kernel_in_boot,
+                disable_selinux,
+            } => {
+                crate::container_export::export(
+                    &format,
+                    &target,
+                    output.as_deref(),
+                    kernel_in_boot,
+                    disable_selinux,
+                )
+                .await
+            }
         },
         Opt::Completion { shell } => {
             use clap_complete::aot::generate;