Merge branch 'add-base-devel-tags' into 'master'
Add base-devel tag

Closes #35

See merge request archlinux/archlinux-docker!39
commit
4f076e8624
@ -1,3 +0,0 @@
|
|||||||
*
|
|
||||||
!archlinux.tar
|
|
||||||
!archlinux.tar.xz
|
|
8
.gitignore
vendored
8
.gitignore
vendored
@ -1,6 +1,2 @@
|
|||||||
*~
|
build
|
||||||
*.orig
|
output
|
||||||
/.idea
|
|
||||||
/archlinux.tar
|
|
||||||
/archlinux.tar.xz
|
|
||||||
rootfs/etc/pacman.conf
|
|
||||||
|
248
.gitlab-ci.yml
248
.gitlab-ci.yml
@ -1,45 +1,146 @@
|
|||||||
stages:
|
default:
|
||||||
- rootfs
|
image: "archlinux:latest"
|
||||||
- docker
|
|
||||||
- test
|
|
||||||
|
|
||||||
roofs:
|
stages:
|
||||||
stage: rootfs
|
- lint
|
||||||
image: archlinux:latest
|
- rootfs
|
||||||
|
- image
|
||||||
|
- test
|
||||||
|
- upload
|
||||||
|
- release
|
||||||
|
- publish
|
||||||
|
|
||||||
|
lint:
|
||||||
|
stage: lint
|
||||||
|
image: hadolint/hadolint:latest
|
||||||
|
# DL3007: We use the latest tag for multistage build
|
||||||
|
script: hadolint --ignore DL3007 --ignore DL3020 Dockerfile.template
|
||||||
|
|
||||||
|
get_version:
|
||||||
|
stage: .pre
|
||||||
script:
|
script:
|
||||||
|
- |
|
||||||
|
# If we're building a tagged release, use the tag (without the 'v' prefix) as the
|
||||||
|
# BUILD_VERSION. Otherwise, determine a new BUILD_VERSION.
|
||||||
|
if [[ -n "$CI_COMMIT_TAG" ]]; then
|
||||||
|
echo "BUILD_VERSION=${CI_COMMIT_TAG/v/}" > build.env
|
||||||
|
else
|
||||||
|
echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env
|
||||||
|
fi
|
||||||
|
- export $(< build.env)
|
||||||
|
- echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env
|
||||||
|
artifacts:
|
||||||
|
reports:
|
||||||
|
dotenv: build.env
|
||||||
|
|
||||||
|
.rootfs:
|
||||||
|
stage: rootfs
|
||||||
|
before_script:
|
||||||
- pacman -Syu --noconfirm make devtools fakechroot fakeroot
|
- pacman -Syu --noconfirm make devtools fakechroot fakeroot
|
||||||
- make compress-rootfs
|
|
||||||
artifacts:
|
artifacts:
|
||||||
paths:
|
paths:
|
||||||
- archlinux.tar.xz
|
- output/*
|
||||||
expire_in: 10m
|
expire_in: 2h
|
||||||
|
|
||||||
docker:
|
rootfs:
|
||||||
stage: docker
|
extends: .rootfs
|
||||||
|
except:
|
||||||
|
- master
|
||||||
|
- add-base-devel-tags
|
||||||
|
- schedules
|
||||||
|
- tags
|
||||||
|
parallel:
|
||||||
|
matrix:
|
||||||
|
- GROUP: [base, base-devel]
|
||||||
|
script:
|
||||||
|
- make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
|
||||||
|
|
||||||
|
rootfs:secure:
|
||||||
|
extends: .rootfs
|
||||||
|
tags:
|
||||||
|
- secure
|
||||||
|
only:
|
||||||
|
- master
|
||||||
|
- add-base-devel-tags
|
||||||
|
- schedules
|
||||||
|
except:
|
||||||
|
- tags
|
||||||
|
parallel:
|
||||||
|
matrix:
|
||||||
|
- GROUP: [base, base-devel]
|
||||||
|
script:
|
||||||
|
- make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
|
||||||
|
|
||||||
|
.image:
|
||||||
|
stage: image
|
||||||
image:
|
image:
|
||||||
name: gcr.io/kaniko-project/executor:debug
|
name: gcr.io/kaniko-project/executor:debug
|
||||||
entrypoint: [""]
|
entrypoint: [""]
|
||||||
script:
|
script:
|
||||||
- test -f archlinux.tar.xz
|
|
||||||
# kaniko can't process .tar.xz archives
|
|
||||||
# https://github.com/GoogleContainerTools/kaniko/issues/1107
|
|
||||||
- unxz archlinux.tar.xz
|
|
||||||
- test -f archlinux.tar
|
|
||||||
- sed -i 's/archlinux\.tar\.xz/archlinux\.tar/g' Dockerfile
|
|
||||||
- echo "Building ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}"
|
|
||||||
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
|
|
||||||
- /kaniko/executor
|
- /kaniko/executor
|
||||||
--whitelist-var-run="false"
|
--whitelist-var-run="false"
|
||||||
--context $CI_PROJECT_DIR
|
--context $CI_PROJECT_DIR/output
|
||||||
--dockerfile $CI_PROJECT_DIR/Dockerfile
|
--dockerfile $CI_PROJECT_DIR/output/Dockerfile.$GROUP
|
||||||
--destination ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}
|
--destination $CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG
|
||||||
|
|
||||||
test:
|
image:build:
|
||||||
|
extends: .image
|
||||||
|
except:
|
||||||
|
- master
|
||||||
|
- add-base-devel-tags
|
||||||
|
- schedules
|
||||||
|
- tags
|
||||||
|
parallel:
|
||||||
|
matrix:
|
||||||
|
- GROUP: [base, base-devel]
|
||||||
|
before_script:
|
||||||
|
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
|
||||||
|
|
||||||
|
image:build:secure:
|
||||||
|
extends: .image
|
||||||
|
tags:
|
||||||
|
- secure
|
||||||
|
only:
|
||||||
|
- master
|
||||||
|
- add-base-devel-tags
|
||||||
|
- schedules
|
||||||
|
except:
|
||||||
|
- tags
|
||||||
|
parallel:
|
||||||
|
matrix:
|
||||||
|
- GROUP: [base, base-devel]
|
||||||
|
before_script:
|
||||||
|
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$GITLAB_PROJECT_USER\",\"password\":\"$GITLAB_PROJECT_TOKEN\"}}}" > /kaniko/.docker/config.json
|
||||||
|
|
||||||
|
image:publish:secure:
|
||||||
|
extends: .image
|
||||||
|
tags:
|
||||||
|
- secure
|
||||||
|
only:
|
||||||
|
- tags
|
||||||
|
parallel:
|
||||||
|
matrix:
|
||||||
|
- GROUP: [base, base-devel]
|
||||||
|
before_script:
|
||||||
|
- echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"$DOCKER_USERNAME\",\"password\":\"$DOCKER_ACCESS_TOKEN\"}}}" > /kaniko/.docker/config.json
|
||||||
|
script:
|
||||||
|
- /kaniko/executor
|
||||||
|
--whitelist-var-run="false"
|
||||||
|
--context $CI_PROJECT_DIR/ci/$GROUP
|
||||||
|
--dockerfile $CI_PROJECT_DIR/ci/$GROUP/Dockerfile
|
||||||
|
--destination archlinux/archlinux:$GROUP-$BUILD_VERSION
|
||||||
|
|
||||||
|
.test:
|
||||||
stage: test
|
stage: test
|
||||||
image: ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}
|
dependencies: []
|
||||||
needs:
|
only:
|
||||||
- job: docker
|
variables:
|
||||||
artifacts: false
|
# Workaround for https://gitlab.com/gitlab-org/gitlab/-/issues/259663
|
||||||
|
# This is fine as at this point we're sure that the release works anyway.
|
||||||
|
- $GITLAB_USER_EMAIL != "project10185_bot2@example.com"
|
||||||
|
except:
|
||||||
|
refs:
|
||||||
|
- tags
|
||||||
script:
|
script:
|
||||||
- pacman -Sy
|
- pacman -Sy
|
||||||
- pacman -Qqk
|
- pacman -Qqk
|
||||||
@ -48,3 +149,94 @@ test:
|
|||||||
- id -u http
|
- id -u http
|
||||||
- locale | grep -q UTF-8
|
- locale | grep -q UTF-8
|
||||||
|
|
||||||
|
test:base:
|
||||||
|
extends: .test
|
||||||
|
image: $CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG
|
||||||
|
|
||||||
|
test:base-devel:
|
||||||
|
extends: .test
|
||||||
|
image: $CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG
|
||||||
|
after_script:
|
||||||
|
- gcc -v
|
||||||
|
- g++ -v
|
||||||
|
- make -v
|
||||||
|
|
||||||
|
release:
|
||||||
|
stage: release
|
||||||
|
image: registry.gitlab.com/gitlab-org/release-cli:latest
|
||||||
|
tags:
|
||||||
|
- secure
|
||||||
|
only:
|
||||||
|
refs:
|
||||||
|
- schedules
|
||||||
|
variables:
|
||||||
|
- $SCHEDULED_PUBLISH == "TRUE"
|
||||||
|
before_script:
|
||||||
|
- apk add jq curl
|
||||||
|
script:
|
||||||
|
- |
|
||||||
|
for group in base base-devel; do
|
||||||
|
sed -i "s|${group}.tar.xz|${group}-${BUILD_VERSION}.tar.xz|" output/${group}.tar.xz.SHA256
|
||||||
|
echo "Uploading ${group}.tar.xz"
|
||||||
|
curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz
|
||||||
|
echo "Uploading ${group}.tar.xz.SHA256"
|
||||||
|
curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz.SHA256 ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz.SHA256
|
||||||
|
sed "/TEMPLATE_ROOTFS_FILE/d" Dockerfile.template > ci/${group}/Dockerfile
|
||||||
|
package_url=$(./ci/get-public-download-for-generic-package.sh ${group}-${BUILD_VERSION}.tar.xz)
|
||||||
|
sed -i "s|TEMPLATE_ROOTFS_URL|${package_url}|" ci/${group}/Dockerfile
|
||||||
|
sed -i "s|TEMPLATE_ROOTFS_HASH|$(cat output/${group}.tar.xz.SHA256)|" ci/${group}/Dockerfile
|
||||||
|
done
|
||||||
|
- >
|
||||||
|
curl -sSf --request POST
|
||||||
|
--header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
|
||||||
|
--form "branch=add-base-devel-tags"
|
||||||
|
--form "commit_message=Release ${BUILD_VERSION}"
|
||||||
|
--form "actions[][action]=update"
|
||||||
|
--form "actions[][file_path]=ci/base/Dockerfile"
|
||||||
|
--form "actions[][content]=<ci/base/Dockerfile"
|
||||||
|
--form "actions[][action]=update"
|
||||||
|
--form "actions[][file_path]=ci/base-devel/Dockerfile"
|
||||||
|
--form "actions[][content]=<ci/base-devel/Dockerfile"
|
||||||
|
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"
|
||||||
|
- |
|
||||||
|
base_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz)
|
||||||
|
echo "${base_url}"
|
||||||
|
base_sha_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz.SHA256)
|
||||||
|
echo "${base_sha_url}"
|
||||||
|
base_devel_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz)
|
||||||
|
echo "${base_devel_url}"
|
||||||
|
base_devel_sha_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz.SHA256)
|
||||||
|
echo "${base_devel_sha_url}"
|
||||||
|
|
||||||
|
# TODO: We should actually be able to do something like \"url\":\"${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.xz\"
|
||||||
|
# But it doesn't appear that those downloads are public. I consider this a bug and hopefully it's fixed in a future version!
|
||||||
|
echo "Creating release"
|
||||||
|
release-cli create --name "Release ${BUILD_VERSION}" --description "Release ${BUILD_VERSION}" \
|
||||||
|
--tag-name v${BUILD_VERSION} --ref "add-base-devel-tags" \
|
||||||
|
--assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_url}\"}" \
|
||||||
|
--assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_sha_url}\"}" \
|
||||||
|
--assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_devel_url}\"}" \
|
||||||
|
--assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_devel_sha_url}\"}"
|
||||||
|
|
||||||
|
# Publish base to the Arch Linux group namespace: https://hub.docker.com/r/archlinux/archlinux
|
||||||
|
publish:
|
||||||
|
stage: publish
|
||||||
|
tags:
|
||||||
|
- secure
|
||||||
|
image:
|
||||||
|
name: gcr.io/go-containerregistry/crane:debug
|
||||||
|
entrypoint: [""]
|
||||||
|
variables:
|
||||||
|
GIT_STRATEGY: none
|
||||||
|
only:
|
||||||
|
- tags
|
||||||
|
before_script:
|
||||||
|
- echo $DOCKER_ACCESS_TOKEN | crane auth login -u $DOCKER_USERNAME --password-stdin index.docker.io
|
||||||
|
script:
|
||||||
|
- crane tag archlinux/archlinux:base-$BUILD_VERSION base
|
||||||
|
- crane tag archlinux/archlinux:base-$BUILD_VERSION latest
|
||||||
|
- crane tag archlinux/archlinux:base-devel-$BUILD_VERSION base-devel
|
||||||
|
|
||||||
|
# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
|
||||||
|
# publish:official:
|
||||||
|
# TODO No idea right now how we're going to automatically do the official Docker Hub pull request
|
||||||
|
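Review bot: The feature-branch name is hard-wired into the pipeline: `rootfs:secure` and `image:build:secure` list `- add-base-devel-tags` under `only:`, the new `except:` lists of `rootfs`/`image:build` carry it too, and the `release` job both commits the generated Dockerfiles with `--form "branch=add-base-devel-tags"` and creates the tag from `--ref "add-base-devel-tags"`, so once this merge lands on master a scheduled release updates and tags the stale branch instead of master. Drop the branch from the `only:`/`except:` lists and point the release job at the default branch, e.g. `--form "branch=$CI_DEFAULT_BRANCH"` and `--ref "$CI_DEFAULT_BRANCH"`. In `get_version`, `${CI_COMMIT_TAG/v/}` removes the first `v` found anywhere in the tag rather than only a leading one; `${CI_COMMIT_TAG#v}` states the intent and cannot mangle a tag that happens to contain another `v`. The three `before_script` lines that build `/kaniko/.docker/config.json` by string-concatenating `$CI_REGISTRY_PASSWORD`, `$GITLAB_PROJECT_TOKEN` and `$DOCKER_ACCESS_TOKEN` into JSON silently produce an invalid file if a secret ever contains `"` or `\`; a one-line comment recording that assumption next to the first of them would save the next person a confusing auth failure.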
15
Dockerfile
15
Dockerfile
@ -1,15 +0,0 @@
|
|||||||
FROM scratch
|
|
||||||
ADD archlinux.tar.xz /
|
|
||||||
|
|
||||||
# manually run all alpm hooks that can't be run inside the fakechroot
|
|
||||||
RUN ldconfig && update-ca-trust && locale-gen
|
|
||||||
RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
|
|
||||||
|
|
||||||
# update /etc/os-release
|
|
||||||
RUN ln -s /usr/lib/os-release /etc/os-release
|
|
||||||
|
|
||||||
# initialize the archlinux keyring, but discard any private key that may be shipped.
|
|
||||||
RUN pacman-key --init && pacman-key --populate archlinux && rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*
|
|
||||||
|
|
||||||
ENV LANG=en_US.UTF-8
|
|
||||||
CMD ["/usr/bin/bash"]
|
|
33
Dockerfile.template
Normal file
33
Dockerfile.template
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
# We're using a multistage Docker build here in order to allow us to release a self-verifying
|
||||||
|
# Docker image when built on the official Docker infrastructure.
|
||||||
|
# They require us to verify the source integrity in some way while making sure that this is a
|
||||||
|
# reproducible build.
|
||||||
|
# See https://github.com/docker-library/official-images#image-build
|
||||||
|
# In order to achieve this, we externally host the rootfs archives and their checksums and then
|
||||||
|
# just download and verify it in the first stage of this Dockerfile.
|
||||||
|
# The second stage is for actually configuring the system a little bit.
|
||||||
|
# Some templating is done in order to allow us to easily build different configurations and to
|
||||||
|
# allow us to automate the releaes process.
|
||||||
|
FROM archlinux:latest AS verify
|
||||||
|
COPY TEMPLATE_ROOTFS_FILE /
|
||||||
|
SHELL ["/bin/bash", "-c"]
|
||||||
|
RUN ROOTFS="$(curl -OJL --continue-at - -w "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
|
||||||
|
sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
|
||||||
|
mkdir /rootfs && \
|
||||||
|
tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
|
||||||
|
|
||||||
|
FROM scratch AS root
|
||||||
|
COPY --from=verify /rootfs/ /
|
||||||
|
|
||||||
|
# manually run all alpm hooks that can't be run inside the fakechroot
|
||||||
|
RUN ldconfig && update-ca-trust && locale-gen
|
||||||
|
RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
|
||||||
|
|
||||||
|
# update /etc/os-release
|
||||||
|
RUN ln -s /usr/lib/os-release /etc/os-release
|
||||||
|
|
||||||
|
# initialize the archlinux keyring, but discard any private key that may be shipped.
|
||||||
|
RUN pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"
|
||||||
|
|
||||||
|
ENV LANG=en_US.UTF-8
|
||||||
|
CMD ["/usr/bin/bash"]
|
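Review bot: `COPY TEMPLATE_ROOTFS_FILE /` has no explanation of why the template copies an archive that the very next `RUN` downloads: it exists for the local `make` build, where the Makefile rewrites `TEMPLATE_ROOTFS_URL` to `file:///<group>.tar.xz`, and the `release` job strips the line with `sed "/TEMPLATE_ROOTFS_FILE/d"` before the public Dockerfiles are generated. A comment above it such as `# Local builds only: backs the file:// TEMPLATE_ROOTFS_URL; the release job removes this line` would stop a reader from deleting it as dead code. In the `RUN` below, `curl -OJL` lets the server pick the output filename while `sha256sum -c` checks the name embedded in `TEMPLATE_ROOTFS_HASH`, so a name mismatch fails closed (sha256sum cannot open the file) and only a file with the pinned digest is extracted as `${ROOTFS}`; that is the property this stage exists for and deserves a comment, since nothing else ties the checked file to the extracted one. The verification itself runs on tooling from the unpinned `FROM archlinux:latest AS verify` stage (hadolint DL3007 is ignored deliberately); pinning that base by digest would make the verify step reproducible as well, which seems worth weighing against the bootstrap convenience. Typo in the header comment: `releaes` → `release` (copied into ci/base/Dockerfile and ci/base-devel/Dockerfile as well).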
77
Makefile
77
Makefile
@ -1,52 +1,57 @@
|
|||||||
DOCKER_USER:=pierres
|
BUILDDIR=$(shell pwd)/build
|
||||||
DOCKER_ORGANIZATION=archlinux
|
OUTPUTDIR=$(shell pwd)/output
|
||||||
DOCKER_IMAGE:=base
|
|
||||||
BUILDDIR=build
|
|
||||||
PWD=$(shell pwd)
|
|
||||||
|
|
||||||
XZ_THREADS ?= 0
|
define rootfs
|
||||||
|
mkdir -vp $(BUILDDIR)/alpm-hooks/usr/share/libalpm/hooks
|
||||||
|
find /usr/share/libalpm/hooks -exec ln -sf /dev/null $(BUILDDIR)/alpm-hooks{} \;
|
||||||
|
|
||||||
hooks:
|
mkdir -vp $(BUILDDIR)/var/lib/pacman/ $(OUTPUTDIR)
|
||||||
mkdir -p alpm-hooks/usr/share/libalpm/hooks
|
install -Dm644 /usr/share/devtools/pacman-extra.conf $(BUILDDIR)/etc/pacman.conf
|
||||||
find /usr/share/libalpm/hooks -exec ln -sf /dev/null $(PWD)/alpm-hooks{} \;
|
cat pacman-conf.d-noextract.conf >> $(BUILDDIR)/etc/pacman.conf
|
||||||
|
|
||||||
rootfs: hooks
|
|
||||||
mkdir -vp $(BUILDDIR)/var/lib/pacman/
|
|
||||||
cp /usr/share/devtools/pacman-extra.conf rootfs/etc/pacman.conf
|
|
||||||
cat pacman-conf.d-noextract.conf >> rootfs/etc/pacman.conf
|
|
||||||
fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \
|
fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \
|
||||||
--noconfirm --dbpath $(PWD)/$(BUILDDIR)/var/lib/pacman \
|
--noconfirm --dbpath $(BUILDDIR)/var/lib/pacman \
|
||||||
--config rootfs/etc/pacman.conf \
|
--config $(BUILDDIR)/etc/pacman.conf \
|
||||||
--noscriptlet \
|
--noscriptlet \
|
||||||
--hookdir $(PWD)/alpm-hooks/usr/share/libalpm/hooks/ $(shell cat packages)
|
--hookdir $(BUILDDIR)/alpm-hooks/usr/share/libalpm/hooks/ $(2)
|
||||||
cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/
|
cp --recursive --preserve=timestamps --backup --suffix=.pacnew rootfs/* $(BUILDDIR)/
|
||||||
|
|
||||||
# remove passwordless login for root (see CVE-2019-5021 for reference)
|
# remove passwordless login for root (see CVE-2019-5021 for reference)
|
||||||
sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
|
sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
|
||||||
|
|
||||||
# fakeroot to map the gid/uid of the builder process to root
|
# fakeroot to map the gid/uid of the builder process to root
|
||||||
# fixes #22
|
# fixes #22
|
||||||
fakeroot -- tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f archlinux.tar
|
fakeroot -- tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f $(OUTPUTDIR)/$(1).tar
|
||||||
rm -rf $(BUILDDIR) alpm-hooks
|
|
||||||
|
|
||||||
archlinux.tar: rootfs
|
cd $(OUTPUTDIR); xz -9 -T0 -f $(1).tar; sha256sum $(1).tar.xz > $(1).tar.xz.SHA256
|
||||||
|
endef
|
||||||
|
|
||||||
compress-rootfs: archlinux.tar
|
define dockerfile
|
||||||
xz -9 -T"$(XZ_THREADS)" -f archlinux.tar
|
sed -e "s|TEMPLATE_ROOTFS_FILE|$(1).tar.xz|" \
|
||||||
|
-e "s|TEMPLATE_ROOTFS_URL|file:///$(1).tar.xz|" \
|
||||||
|
-e "s|TEMPLATE_ROOTFS_HASH|$$(cat $(OUTPUTDIR)/$(1).tar.xz.SHA256)|" \
|
||||||
|
Dockerfile.template > $(OUTPUTDIR)/Dockerfile.$(1)
|
||||||
|
endef
|
||||||
|
|
||||||
docker-image: compress-rootfs
|
.PHONY: clean
|
||||||
docker build -t $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) .
|
clean:
|
||||||
|
rm -rf $(BUILDDIR) $(OUTPUTDIR)
|
||||||
|
|
||||||
docker-image-test: docker-image
|
$(OUTPUTDIR)/base.tar.xz:
|
||||||
# FIXME: /etc/mtab is hidden by docker so the stricter -Qkk fails
|
$(call rootfs,base,base)
|
||||||
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Sy && /usr/bin/pacman -Qqk"
|
|
||||||
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm docker && docker -v" # Ensure that the image does not include a private key
|
|
||||||
! docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) pacman-key --lsign-key pierre@archlinux.de
|
|
||||||
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/id -u http"
|
|
||||||
docker run --rm $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE) sh -c "/usr/bin/pacman -Syu --noconfirm grep && locale | grep -q UTF-8"
|
|
||||||
|
|
||||||
docker-push:
|
$(OUTPUTDIR)/base-devel.tar.xz:
|
||||||
docker login -u $(DOCKER_USER)
|
$(call rootfs,base-devel,base base-devel)
|
||||||
docker push $(DOCKER_ORGANIZATION)/$(DOCKER_IMAGE)
|
|
||||||
|
|
||||||
.PHONY: rootfs docker-image docker-image-test docker-push
|
$(OUTPUTDIR)/Dockerfile.base:
|
||||||
|
$(call dockerfile,base)
|
||||||
|
|
||||||
|
$(OUTPUTDIR)/Dockerfile.base-devel:
|
||||||
|
$(call dockerfile,base-devel)
|
||||||
|
|
||||||
|
.PHONY: docker-image-base
|
||||||
|
image-base: $(OUTPUTDIR)/base.tar.xz $(OUTPUTDIR)/Dockerfile.base
|
||||||
|
docker build -f $(OUTPUTDIR)/Dockerfile.base -t archlinux/archlinux:base $(OUTPUTDIR)
|
||||||
|
|
||||||
|
.PHONY: docker-image-base-devel
|
||||||
|
image-base-devel: $(OUTPUTDIR)/base-devel.tar.xz $(OUTPUTDIR)/Dockerfile.base-devel
|
||||||
|
docker build -f $(OUTPUTDIR)/Dockerfile.base-devel -t archlinux/archlinux:base-devel $(OUTPUTDIR)
|
||||||
|
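Review bot: `.PHONY: docker-image-base` and `.PHONY: docker-image-base-devel` name targets that do not exist — the rules beneath them are `image-base` and `image-base-devel` — so the phony declarations are no-ops and the README updated in this same commit tells users to run `make docker-image-base`, which fails with "No rule to make target"; either rename the rules (`docker-image-base: $(OUTPUTDIR)/base.tar.xz $(OUTPUTDIR)/Dockerfile.base`) or fix the `.PHONY` lines and the README to say `image-base`. `$(OUTPUTDIR)/Dockerfile.base` reads `$(OUTPUTDIR)/base.tar.xz.SHA256` through `$$(cat …)` but declares no prerequisite, so it only works when the tarball goal is listed first in the same invocation (as the CI jobs do) and races under `make -j`; declare it, `$(OUTPUTDIR)/Dockerfile.base: $(OUTPUTDIR)/base.tar.xz` (and likewise for base-devel). The compression line in `define rootfs` chains with `;`, so if `xz` fails while a stale `$(1).tar.xz` is still in `$(OUTPUTDIR)`, `sha256sum` happily hashes the old archive and the recipe exits 0 — use `cd $(OUTPUTDIR) && xz -9 -T0 -f $(1).tar && sha256sum $(1).tar.xz > $(1).tar.xz.SHA256`. The removed recipe ended with `rm -rf $(BUILDDIR) alpm-hooks`, whereas the new `rootfs` macro never cleans `$(BUILDDIR)`, so building both groups in one invocation installs the second group on top of the first's tree (and concurrently under `-j`); start the macro with `rm -rf $(BUILDDIR)` or derive the build tree from `$(1)`. The local `docker-image-test` target, including the check that the image ships no usable private key (`! docker run … pacman-key --lsign-key …`), is deleted without a Makefile replacement; if the CI `.test` job is meant to cover it, that check is not visible in the hunks shown here, so it is worth confirming it survives somewhere.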
20
README.md
20
README.md
@ -1,16 +1,26 @@
|
|||||||
# Docker Base Image for Arch Linux [](https://travis-ci.org/archlinux/archlinux-docker)
|
# Arch Linux Docker Image
|
||||||
This repository contains all scripts and files needed to create a Docker base image for the Arch Linux distribution.
|
[](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/commits/master)
|
||||||
|
|
||||||
|
This repository contains all scripts and files needed to create a Docker image for Arch Linux.
|
||||||
|
|
||||||
## Dependencies
|
## Dependencies
|
||||||
Install the following Arch Linux packages:
|
Install the following Arch Linux packages:
|
||||||
|
|
||||||
* make
|
* make
|
||||||
* devtools
|
* devtools
|
||||||
* docker
|
* docker
|
||||||
* fakechroot
|
* fakechroot
|
||||||
* fakeroot
|
* fakeroot
|
||||||
|
|
||||||
|
Make sure your user can directly interact with Docker (ie. `docker info` works).
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
Run `make docker-image` as root to build the base image.
|
Run `make docker-image-base` to build the image `archlinux/archlinux:base` with the
|
||||||
## Purpose
|
`base` group installed. You can also run `make docker-image-base-devel` to
|
||||||
* Provide the Arch experience in a Docker Image
|
build the image `archlinux/archlinux:base-devel` with the `base-devel` group installed.
|
||||||
|
|
||||||
|
## Principles
|
||||||
|
* Provide the Arch experience in a Docker image
|
||||||
* Provide the most simple but complete image to base every other upon
|
* Provide the most simple but complete image to base every other upon
|
||||||
* `pacman` needs to work out of the box
|
* `pacman` needs to work out of the box
|
||||||
* All installed packages have to be kept unmodified
|
* All installed packages have to be kept unmodified
|
||||||
|
32
ci/base-devel/Dockerfile
Normal file
32
ci/base-devel/Dockerfile
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
# We're using a multistage Docker build here in order to allow us to release a self-verifying
|
||||||
|
# Docker image when built on the official Docker infrastructure.
|
||||||
|
# They require us to verify the source integrity in some way while making sure that this is a
|
||||||
|
# reproducible build.
|
||||||
|
# See https://github.com/docker-library/official-images#image-build
|
||||||
|
# In order to achieve this, we externally host the rootfs archives and their checksums and then
|
||||||
|
# just download and verify it in the first stage of this Dockerfile.
|
||||||
|
# The second stage is for actually configuring the system a little bit.
|
||||||
|
# Some templating is done in order to allow us to easily build different configurations and to
|
||||||
|
# allow us to automate the releaes process.
|
||||||
|
FROM archlinux:latest AS verify
|
||||||
|
SHELL ["/bin/bash", "-c"]
|
||||||
|
RUN ROOTFS="$(curl -OJL --continue-at - -w "%{filename_effective}" https://gitlab.archlinux.org/archlinux/archlinux-docker/-/package_files/53/download)" && \
|
||||||
|
sha256sum -c <<< "452e26d9775a76e95bd582b96c742844a3e27b90147e1f6e1bc6dd3b82e8a558 base-devel-20201025.0.7220.tar.xz" && \
|
||||||
|
mkdir /rootfs && \
|
||||||
|
tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
|
||||||
|
|
||||||
|
FROM scratch AS root
|
||||||
|
COPY --from=verify /rootfs/ /
|
||||||
|
|
||||||
|
# manually run all alpm hooks that can't be run inside the fakechroot
|
||||||
|
RUN ldconfig && update-ca-trust && locale-gen
|
||||||
|
RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
|
||||||
|
|
||||||
|
# update /etc/os-release
|
||||||
|
RUN ln -s /usr/lib/os-release /etc/os-release
|
||||||
|
|
||||||
|
# initialize the archlinux keyring, but discard any private key that may be shipped.
|
||||||
|
RUN pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"
|
||||||
|
|
||||||
|
ENV LANG=en_US.UTF-8
|
||||||
|
CMD ["/usr/bin/bash"]
|
32
ci/base/Dockerfile
Normal file
32
ci/base/Dockerfile
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
# We're using a multistage Docker build here in order to allow us to release a self-verifying
|
||||||
|
# Docker image when built on the official Docker infrastructure.
|
||||||
|
# They require us to verify the source integrity in some way while making sure that this is a
|
||||||
|
# reproducible build.
|
||||||
|
# See https://github.com/docker-library/official-images#image-build
|
||||||
|
# In order to achieve this, we externally host the rootfs archives and their checksums and then
|
||||||
|
# just download and verify it in the first stage of this Dockerfile.
|
||||||
|
# The second stage is for actually configuring the system a little bit.
|
||||||
|
# Some templating is done in order to allow us to easily build different configurations and to
|
||||||
|
# allow us to automate the releaes process.
|
||||||
|
FROM archlinux:latest AS verify
|
||||||
|
SHELL ["/bin/bash", "-c"]
|
||||||
|
RUN ROOTFS="$(curl -OJL --continue-at - -w "%{filename_effective}" https://gitlab.archlinux.org/archlinux/archlinux-docker/-/package_files/51/download)" && \
|
||||||
|
sha256sum -c <<< "175387448f7992b2760e758bdb75bfd45de7d2bf5ad2940add9e19a96ffb4129 base-20201025.0.7220.tar.xz" && \
|
||||||
|
mkdir /rootfs && \
|
||||||
|
tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
|
||||||
|
|
||||||
|
FROM scratch AS root
|
||||||
|
COPY --from=verify /rootfs/ /
|
||||||
|
|
||||||
|
# manually run all alpm hooks that can't be run inside the fakechroot
|
||||||
|
RUN ldconfig && update-ca-trust && locale-gen
|
||||||
|
RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
|
||||||
|
|
||||||
|
# update /etc/os-release
|
||||||
|
RUN ln -s /usr/lib/os-release /etc/os-release
|
||||||
|
|
||||||
|
# initialize the archlinux keyring, but discard any private key that may be shipped.
|
||||||
|
RUN pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"
|
||||||
|
|
||||||
|
ENV LANG=en_US.UTF-8
|
||||||
|
CMD ["/usr/bin/bash"]
|
9
ci/get-public-download-for-generic-package.sh
Executable file
9
ci/get-public-download-for-generic-package.sh
Executable file
@ -0,0 +1,9 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
package_name=$1
|
||||||
|
|
||||||
|
package_id=$(curl -sSf --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages" | jq ".[] | select(.version == \"${BUILD_VERSION}\") | .id")
|
||||||
|
package_file_id=$(curl -sSf --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/${package_id}/package_files" | jq ".[] | select(.file_name == \"$package_name\") | .id")
|
||||||
|
echo "https://gitlab.archlinux.org/archlinux/archlinux-docker/-/package_files/${package_file_id}/download"
|
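Review bot: Both lookups splice shell variables into the jq program text (`select(.version == \"${BUILD_VERSION}\")`, `select(.file_name == \"$package_name\")`) and neither handles an empty or multi-valued result: with no match `package_id` is empty and the second request goes to `…/packages//package_files`, and should the selector ever match more than one entry the ids are newline-joined into the URL. Pass the values with `--arg` and let jq fail on a missing match, e.g. `jq -er --arg v "$BUILD_VERSION" 'first(.[] | select(.version == $v)) | .id'` and the same shape with `--arg name "$package_name"` for the file lookup; `-e` exits non-zero when nothing was produced, so under `set -e` the script stops instead of echoing a broken URL. That also covers a failing `curl -sSf`, whose status is currently masked because only jq's exit code reaches the assignment (POSIX `sh` has no `pipefail`). The packages endpoint is paginated, so once the project holds more than one page of packages the version may not be in the first response; adding `per_page` (and, if available, the `package_name` filter) to the query keeps the lookup working — worth checking against the API docs for the GitLab version in use. A header comment naming the inputs (`$1` = package file name; `BUILD_VERSION`, `GITLAB_PROJECT_TOKEN`, `CI_API_V4_URL`, `CI_PROJECT_ID` from the environment) and the output (a public download URL on stdout) would make the script usable outside the `release` job.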
4
exclude
4
exclude
@ -5,6 +5,7 @@
|
|||||||
./dev
|
./dev
|
||||||
./etc/hostname
|
./etc/hostname
|
||||||
./etc/machine-id
|
./etc/machine-id
|
||||||
|
./etc/resolv.conf
|
||||||
./etc/pacman.d/gnupg/openpgp-revocs.d/*
|
./etc/pacman.d/gnupg/openpgp-revocs.d/*
|
||||||
./etc/pacman.d/gnupg/private-keys-v1.d/*
|
./etc/pacman.d/gnupg/private-keys-v1.d/*
|
||||||
./etc/pacman.d/gnupg/pubring.gpg~
|
./etc/pacman.d/gnupg/pubring.gpg~
|
||||||
@ -13,4 +14,5 @@
|
|||||||
./tmp/*
|
./tmp/*
|
||||||
./var/cache/pacman/pkg/*
|
./var/cache/pacman/pkg/*
|
||||||
./var/lib/pacman/sync/*
|
./var/lib/pacman/sync/*
|
||||||
./var/tmp/*
|
./var/tmp/*
|
||||||
|
./alpm-hooks
|
||||||
|
@ -1,2 +1,3 @@
|
|||||||
|
Server = https://mirror.pkgbuild.com/$repo/os/$arch
|
||||||
Server = https://mirror.rackspace.com/archlinux/$repo/os/$arch
|
Server = https://mirror.rackspace.com/archlinux/$repo/os/$arch
|
||||||
Server = https://mirror.leaseweb.net/archlinux/$repo/os/$arch
|
Server = https://mirror.leaseweb.net/archlinux/$repo/os/$arch
|
||||||
|