mirror of https://gitlab.archlinux.org/archlinux/archlinux-docker.git synced 2026-01-07 10:21:06 +01:00

Go to file

Emil Velikov 2f43fc413a scripts/make-dockerfile.sh: tweak sha256 sum handling

Drop the spurious cat, we already echo the value the like above so it's
pretty clear what it is in the logs.

While here, rename the file to the what's commonly used by us (see the
ISOs) and others, while removing the misleading "rootfs.tar" - we're
having a tar.zst tarball.

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>

2023-09-25 23:49:58 +01:00

Fail public download script on API / json parsing errors

2020-11-13 11:09:11 +01:00

rootfs/etc

Use C.UTF-8

2022-06-17 08:28:46 +03:00

scripts

scripts/make-rootfs.sh: move non-wrapper calls further up

2023-09-25 23:49:58 +01:00

.editorconfig

Add editor config

2017-05-26 09:45:16 +02:00

.gitignore

Deduplicate a lot of code

2020-10-19 03:32:25 +02:00

.gitlab-ci.yml

De-duplicate podman tag/push commands

2023-09-25 23:40:44 +01:00

docker-library.template

Remove my name from the template to reduce notification spam by Github

2021-04-04 13:56:19 +00:00

Dockerfile.template

scripts/make-dockerfile.sh: tweak sha256 sum handling

2023-09-25 23:49:58 +01:00

exclude

Deduplicate a lot of code

2020-10-19 03:32:25 +02:00

LICENSE

LICENSE: add license

2018-11-11 14:31:59 -05:00

Makefile

Move shell scripts out of the Makefile

2023-09-25 23:40:44 +01:00

pacman-conf.d-noextract.conf

Avoid creation of .pacnew files for every image

2023-06-14 14:06:27 +02:00

README.md

Install git, add to the README

2023-09-25 18:20:34 +00:00

renovate.json

Switch back to alpine to fix official DockerHub builds

2023-06-20 12:13:56 +02:00

sigstore-param-file.yaml

Sign the images with sigstore's fulcio/rekor

2023-09-16 15:55:50 +02:00

README.md

Arch Linux OCI Images

Arch Linux provides OCI-Compliant container images in multiple repositories:

Weekly in the official DockerHub library: podman pull docker.io/library/archlinux:latest or docker pull archlinux:latest
Daily in our DockerHub repository: podman pull docker.io/archlinux/archlinux:latest or docker pull archlinux/archlinux:latest
Daily in our quay.io repository: podman pull quay.io/archlinux/archlinux:latest or docker pull quay.io/archlinux/archlinux:latest
Daily in our ghcr.io repository: podman pull ghcr.io/archlinux/archlinux:latest or docker pull ghcr.io/archlinux/archlinux:latest

Two versions of the image are provided: base (approx. 150 MiB) and base-devel (approx. 260 MiB), containing the respective meta package. Both are available as tags with latest pointing to base. Additionally, images are tagged with their date and build job number, f.e. base-devel-20201118.0.9436.

While the images are regularly kept up to date it is strongly recommended running pacman -Syu right after starting a container due to the rolling release nature of Arch Linux.

All the images, with the exception of the official DockerHub library image, are signed by using cosign's keyless signing. The images can be verified with one of the following commands:

$ cosign verify docker.io/archlinux/archlinux:latest --certificate-identity-regexp="https://gitlab\.archlinux\.org/archlinux/archlinux-docker//\.gitlab-ci\.yml@refs/tags/v[0-9]+\.0\.[0-9]+" --certificate-oidc-issuer=https://gitlab.archlinux.org
$ cosign verify quay.io/archlinux/archlinux:latest --certificate-identity-regexp="https://gitlab\.archlinux\.org/archlinux/archlinux-docker//\.gitlab-ci\.yml@refs/tags/v[0-9]+\.0\.[0-9]+" --certificate-oidc-issuer=https://gitlab.archlinux.org
$ cosign verify ghcr.io/archlinux/archlinux:latest --certificate-identity-regexp="https://gitlab\.archlinux\.org/archlinux/archlinux-docker//\.gitlab-ci\.yml@refs/tags/v[0-9]+\.0\.[0-9]+" --certificate-oidc-issuer=https://gitlab.archlinux.org

Principles

Provide the Arch experience in a Docker image
Provide the simplest but complete image to base and base-devel on a regular basis
pacman needs to work out of the box
All installed packages have to be kept unmodified

 ⚠️⚠️⚠️ NOTE: For Security Reasons, these images strip the pacman lsign key.
 This is because the same key would be spread to all containers of the same
 image, allowing for malicious actors to inject packages (via, for example,
 a man-in-the-middle). In order to create an lsign-key run `pacman-key
 --init` on the first execution, but be careful to not redistribute that
 key.⚠️⚠️⚠️

Building your own image

This repository contains all scripts and files needed to create an OCI image for Arch Linux.

Dependencies

Install the following Arch Linux packages:

make
devtools (for the pacman.conf files)
git (to fetch the commit/revision number)
podman
fakechroot
fakeroot

Make sure your user can directly interact with Podman (i.e. podman info works).

Usage

Run make image-base to build the archlinux:base image with the base meta package installed. You can also run make image-base-devel to build the image archlinux:base-devel which additionally has the base-devel group installed.

Pipeline

Daily releases

Daily images are build with scheduled GitLab CI using our own runner infrastructure. Initially root filesystem archives are constructed and provided in our package registry. The released multi-stage Dockerfile downloads those archives and verifies their integrity before unpacking it into an OCI image layer. Images are built using podman, which also publishes them to our external repositories.

Weekly releases

Weekly releases to the official DockerHub library use the same pipeline as daily builds. Updates are provided as automatic pull requests to the official-images library, whose GitHub pipeline will build the images using our provided rootfs archives and Dockerfiles.

Development

Changes in Git feature branches are built and tested using the pipeline as well. Development images are uploaded to our GitLab Container Registry.