initial debian support
This commit is contained in:
parent
4c5a458148
commit
904a1d01ba
36 changed files with 986 additions and 372 deletions
147
Containerfile
147
Containerfile
@ -1,69 +1,92 @@
# In order to make a base image as part of a Dockerfile, this container build uses
|
||||
# nested containerization, so you must build with e.g.
|
||||
# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
|
||||
# Multi-stage build for Debian minimal bootc base images
|
||||
# Stage 1: Repository setup with apt-cache-ng proxy
|
||||
FROM debian:sid AS repos
|
||||
# Build argument for apt-cache-ng proxy (can be empty to disable)
|
||||
ARG APT_CACHER_NG_PROXY="http://192.168.1.101:3142"
|
||||
# Copy our repository configuration
|
||||
COPY debian.repo /etc/apt/sources.list.d/
|
||||
# Replace the proxy URL placeholder with the actual value
|
||||
RUN if [ -n "$APT_CACHER_NG_PROXY" ]; then \
|
||||
sed -i "s|__PROXY_URL__|$APT_CACHER_NG_PROXY|g" /etc/apt/sources.list.d/debian.repo; \
|
||||
echo "Acquire::http::Proxy \"$APT_CACHER_NG_PROXY\";" > /etc/apt/apt.conf.d/99proxy; \
|
||||
else \
|
||||
# If no proxy, replace with direct URLs
|
||||
sed -i "s|__PROXY_URL__/debian|http://deb.debian.org/debian|g" /etc/apt/sources.list.d/debian.repo; \
|
||||
sed -i "s|__PROXY_URL__/debian-security|http://security.debian.org/debian-security|g" /etc/apt/sources.list.d/debian.repo; \
|
||||
fi
|
||||
|
||||
# NOTE: This container build will output a single giant layer. It is strongly recommended
|
||||
# to run the "rechunker" on the output of this build, see
|
||||
# https://coreos.github.io/rpm-ostree/experimental-build-chunked-oci/
|
||||
# Stage 2: Builder image with tools
|
||||
FROM debian:sid AS builder
|
||||
# Copy repository configuration from repos stage
|
||||
COPY --from=repos /etc/apt/sources.list.d/ /etc/apt/sources.list.d/
|
||||
COPY --from=repos /etc/apt/apt.conf.d/ /etc/apt/apt.conf.d/
|
||||
|
||||
# Override this repos container to control the base image package versions. For
|
||||
# example, podman build --from=quay.io/fedora/fedora:41 will get you a system
|
||||
# that uses Fedora 41 packages. Or inject arbitrary yum repos (COPR, etc) here.
|
||||
#
|
||||
# Note we also support --build-arg REPOS_IMAGE=quay.io/fedora/fedora:41 here
|
||||
# since konflux doesn't yet support --from.
|
||||
ARG REPOS_IMAGE=quay.io/fedora/fedora:rawhide
|
||||
ARG BUILDER_IMAGE=quay.io/fedora/fedora:rawhide
|
||||
FROM $REPOS_IMAGE as repos
|
||||
# Install build dependencies (excluding apt-ostree since we'll copy it)
|
||||
RUN apt-get update && apt-get install -y \
|
||||
selinux-policy-default \
|
||||
python3 \
|
||||
polkitd \
|
||||
pkexec \
|
||||
libpolkit-gobject-1-0 \
|
||||
ostree \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# BOOTSTRAPPING: This can be any image that has rpm-ostree, selinux-policy-targeted
|
||||
# and python3 (for bootc-base-imagectl).
|
||||
FROM $BUILDER_IMAGE as builder
|
||||
RUN dnf -y install rpm-ostree selinux-policy-targeted python3
|
||||
ARG MANIFEST=fedora-standard
|
||||
# The input git repository has .repo files committed to git rpm-ostree has historically
|
||||
# emphasized that. But here, we are fetching the repos from the container base image.
|
||||
# So copy the source, and delete the hardcoded ones in git, and use the container base
|
||||
# image ones. We can drop the ones commited to git when we hard switch to Containerfile.
|
||||
COPY . /src
|
||||
# Avoid umask/permission leakage from the outer environment; ref e.g.
|
||||
# - https://github.com/coreos/coreos-assembler/pull/4277
|
||||
# - https://gitlab.com/fedora/bootc/base-images/-/merge_requests/254
|
||||
# This invocation preserves only the executable bit, and specifically we want to remove:
|
||||
# - setuid/setgid
|
||||
# - world writability
|
||||
# NOTE: This adds world-readability, which is what we intend here as all the content
|
||||
# is public; there's no secrets in our container build.
|
||||
RUN chmod -R a=rX,u+w /src
|
||||
WORKDIR /src
|
||||
RUN rm -vf /src/*.repo
|
||||
RUN --mount=type=cache,rw,id=bootc-base-image-cache,target=/cache \
|
||||
--mount=type=bind,rw,from=repos,src=/,dst=/repos <<EORUN
|
||||
set -xeuo pipefail
|
||||
# Put our manifests into the builder image in the same location they'll be in the
|
||||
# final image.
|
||||
./install-manifests
|
||||
# And embed the rebuild script
|
||||
install -m 0755 -t /usr/libexec ./bootc-base-imagectl
|
||||
# Verify that listing works
|
||||
/usr/libexec/bootc-base-imagectl list >/dev/null
|
||||
# Run the build script in the same way we expect custom images to do, and also
|
||||
# "re-inject" the manifests into the target, so secondary container builds can use it.
|
||||
/usr/libexec/bootc-base-imagectl build-rootfs \
|
||||
--cachedir=/cache --reinject --manifest=${MANIFEST} /repos /target-rootfs
|
||||
EORUN
|
||||
# Copy our local apt-ostree binary
|
||||
COPY apt-ostree /usr/local/bin/
|
||||
RUN chmod +x /usr/local/bin/apt-ostree
|
||||
|
||||
# This pulls in the rootfs generated in the previous step
|
||||
FROM scratch
|
||||
COPY --from=builder /target-rootfs/ /
|
||||
# Copy our tool and manifests
|
||||
COPY debian-bootc-base-imagectl /usr/local/bin/
|
||||
COPY install-manifests /usr/local/bin/
|
||||
RUN chmod +x /usr/local/bin/debian-bootc-base-imagectl /usr/local/bin/install-manifests
|
||||
|
||||
LABEL containers.bootc 1
|
||||
# This is an ad-hoc way for us to reference bootc-image-builder in
|
||||
# a way that in theory client tooling can inspect and find. Today
|
||||
# it isn't widely used.
|
||||
LABEL bootc.diskimage-builder quay.io/centos-bootc/bootc-image-builder
|
||||
# https://pagure.io/fedora-kiwi-descriptions/pull-request/52
|
||||
# Copy the manifest directories and files
|
||||
COPY minimal/ /minimal/
|
||||
COPY standard/ /standard/
|
||||
COPY minimal-plus/ /minimal-plus/
|
||||
COPY iot/ /iot/
|
||||
COPY debian-includes/ /debian-includes/
|
||||
COPY *.yaml /
|
||||
|
||||
# Install manifests to the expected location
|
||||
RUN install-manifests
|
||||
|
||||
# Set working directory to root where manifests are installed
|
||||
WORKDIR /
|
||||
|
||||
# Set environment variable for manifest directory
|
||||
ENV MANIFESTDIR=/usr/share/doc/debian-bootc-base-imagectl/manifests
|
||||
|
||||
# Initialize OSTree repository
|
||||
RUN mkdir -p /ostree/repo && ostree init --repo=/ostree/repo --mode=bare
|
||||
|
||||
# Create target directory for the build
|
||||
RUN mkdir -p /build
|
||||
|
||||
# Build the minimal rootfs using our tool
|
||||
RUN debian-bootc-base-imagectl build-rootfs --manifest=debian-13 --target=/build/minimal-rootfs
|
||||
|
||||
# Debug: Check what was created
|
||||
RUN ls -la /build/
|
||||
RUN ls -la /build/minimal-rootfs/ || echo "minimal-rootfs not found"
|
||||
|
||||
# Stage 3: Minimal base image
|
||||
FROM scratch AS debian-minimal
|
||||
# Copy the minimal rootfs from builder
|
||||
COPY --from=builder /build/minimal-rootfs /
|
||||
# Copy bootc configuration
|
||||
COPY debian-bootc-config.json /etc/debian-bootc-config.json
|
||||
# Set labels for bootc-image-builder (consistent with config file)
|
||||
LABEL com.debian.bootc=true
|
||||
LABEL ostree.bootable=true
|
||||
LABEL containers.bootc=1
|
||||
LABEL bootc.diskimage-builder=quay.io/centos-bootc/bootc-image-builder
|
||||
LABEL debian.id=debian
|
||||
LABEL debian.version-id=sid
|
||||
LABEL org.opencontainers.image.title="Debian Minimal Bootc Base Image"
|
||||
LABEL org.opencontainers.image.description="Minimal Debian base image for bootc ecosystem"
|
||||
LABEL org.opencontainers.image.vendor="Debian Project"
|
||||
LABEL org.opencontainers.image.source="https://github.com/debian/bootc-base-images"
|
||||
# Set environment and stop signal from config
|
||||
ENV container=oci
|
||||
# Make systemd the default
|
||||
STOPSIGNAL SIGRTMIN+3
|
||||
CMD ["/sbin/init"]
|
||||
|
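Review bot: `COPY --from=builder /build/minimal-rootfs /` in the `debian-minimal` stage references a path that, as far as this rendered view shows, is produced by `debian-bootc-base-imagectl build-rootfs --manifest=debian-13 --target=/build/minimal-rootfs` inside the unnamed `FROM scratch` stage rather than in `builder`, so either that stage needs a name (`FROM scratch AS rootfs` and `COPY --from=rootfs /build/minimal-rootfs /`) or the build-rootfs step belongs in `builder`. Separately, `ARG APT_CACHER_NG_PROXY="http://192.168.1.101:3142"` bakes a site-specific LAN proxy into both the sources list and `/etc/apt/apt.conf.d/99proxy` by default, and that directory is then copied into `builder`; an empty default (`ARG APT_CACHER_NG_PROXY=""`) keeps unconfigured builds on the official mirrors and avoids the proxy file reaching anything downstream. The build inputs and labels also disagree: `FROM debian:sid` and `LABEL debian.version-id=sid` while the rootfs is built with `--manifest=debian-13`, so pin one release for both. The `RUN ls -la …` debug steps, including `|| echo "minimal-rootfs not found"`, which turns a missing rootfs into a successful layer, should be dropped before merge, and `apt-get install -y` would benefit from `--no-install-recommends` and pinned package versions.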