Merge pull request #8 from dubo-dubon-duponey/work
Work
dubo-dubon-duponey authored Mar 17, 2024
2 parents a7cbd8a + 2e26aa9 commit 9f6595c
Showing 56 changed files with 150 additions and 2,640 deletions.
15 changes: 8 additions & 7 deletions .github/workflows/CI.yml
@@ -5,17 +5,17 @@ on: [push, pull_request]
jobs:
test:
# The type of runner that the job will run on
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04

# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- name: Checks-out repository
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
submodules: true

- name: Enable cache
uses: actions/cache@v2.1.1
uses: actions/cache@v4
with:
path: $GITHUB_WORKSPACE/cache
key: cache
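Review bot: `key: cache` on the actions/cache@v4 step is a constant key, so the cache is restored from the first run that ever saved it and never saved again (actions/cache only saves when the key misses), which freezes `cache/apt`, `cache/certs` and `cache/bin` at whatever that first run produced. Derive the key from something that changes, e.g. `key: cache-${{ hashFiles('hack/helpers/install-tools.sh') }}` with `restore-keys: cache-` so stale entries still seed a fresh save. Also confirm that `path: $GITHUB_WORKSPACE/cache` is expanded by the action and not by a shell; `${{ github.workspace }}/cache` (or the workspace-relative `cache`) does not depend on that.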
@@ -28,11 +28,11 @@ jobs:
sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/apt"
sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/certs"
sudo chown -R $(id -u) "$GITHUB_WORKSPACE/cache/bin"
sudo chmod g+w "$GITHUB_WORKSPACE/cache"
sudo chown $(id -u) "$GITHUB_WORKSPACE/cache"
- name: Start apt proxy
run: |
# Hiding the read-only token base64 to avoid github disabling it...
echo OWMyMGVhYzk4N2NhYWQxYmI3MzhmNTZkODNmOGMwOGJjZjlhNDc4YQo= | base64 -d | docker login ghcr.io -u dubo-dubon-duponey --password-stdin
docker run --rm -d --expose 443 --expose 80 --pull always \
--name apt-front \
--read-only \
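Review bot: deleting the `echo OWMy... | base64 -d | docker login ghcr.io -u dubo-dubon-duponey --password-stdin` line removes a hard-coded registry token from the workflow but not from history: parent a7cbd8a still carries it, and the comment above it states the token was base64-encoded precisely so GitHub's secret scanning would not disable it. Treat the token as exposed and revoke it on the ghcr.io side even though it is described as read-only; if a registry login is needed again later, pass it through `secrets.*` in the workflow rather than inline. The ownership change from `chmod g+w` to `chown $(id -u)` on the cache root is fine as long as the `2000:root` ownership of `cache/apt` and `cache/certs` just above it is what the proxy container expects.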
@@ -47,12 +47,13 @@ jobs:
--env ADDITIONAL_DOMAINS=*.debian.org \
--volume "$GITHUB_WORKSPACE/cache/certs":/certs \
--volume "$GITHUB_WORKSPACE/cache/apt":/data \
ghcr.io/dubo-dubon-duponey/aptutil:bullseye-2021-08-01
docker.io/dubodubonduponey/aptutil:bullseye-2021-08-01
- name: test
run: |
# Set the path and install the tools
BIN_LOCATION="$GITHUB_WORKSPACE/cache/bin" source ./hack/helpers/install-tools.sh
export PATH="$HOME/bin:$PATH"
./hack/helpers/install-tools.sh
# Start buildkit
bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)"
# Sanity check
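Review bot: the apt proxy is now pulled as `docker.io/dubodubonduponey/aptutil:bullseye-2021-08-01` with `--pull always` and no digest, so every CI run trusts whatever that mutable tag resolves to on Docker Hub; pin it as `docker.io/dubodubonduponey/aptutil:bullseye-2021-08-01@sha256:<digest>` (the previous ghcr.io reference was tag-only too). In the `test` step, `BIN_LOCATION="$GITHUB_WORKSPACE/cache/bin" source ./hack/helpers/install-tools.sh` becomes `export PATH="$HOME/bin:$PATH"` followed by a plain `./hack/helpers/install-tools.sh`, yet the previous hunk still prepares and chowns `cache/bin`; either the script now installs into `$HOME/bin` and the cached bin directory is dead weight, or the tools land outside the cache and are reinstalled every run. Confirm which and drop the unused path.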
4 changes: 2 additions & 2 deletions .gitignore
@@ -1,4 +1,4 @@
.DS_Store
/.idea
*/cache/*
cache
cache/
/xxx-*
4 changes: 2 additions & 2 deletions .gitmodules
@@ -1,3 +1,3 @@
[submodule "context/debootstrap/debuerreotype"]
path = context/debootstrap/debuerreotype
[submodule "context/debuerreotype"]
path = context/debuerreotype
url = https://github.com/debuerreotype/debuerreotype
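Review bot: moving the submodule to `context/debuerreotype` replaces the vendored copy that the rest of this diff deletes (`context/debuerreotype/.docker-image.sh`, `.dockerignore`, `.github/workflows/ci.yml`, ...), and the Dockerfile's `COPY ./debuerreotype/scripts /usr/sbin/` relies on this new path relative to `context`. Because `COPY ./patch/* /usr/sbin/` then overwrites some of those scripts, check that the pinned submodule commit (60b625 per the file listing) is the revision the patches were written against, and keep it pinned: with a plain `https://` submodule URL the commit hash is the only integrity anchor for that code.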
12 changes: 6 additions & 6 deletions ADVANCED.md
@@ -3,20 +3,20 @@
## Acknowledgements

The Dockerfile of this project relies heavily on
* [debuerreotype](https://github.com/debuerreotype/debuerreotype),
* [debuerreotype](https://github.com/debuerreotype/debuerreotype)
* [debootstrap](https://wiki.debian.org/Debootstrap)

The build toolchain relies on:
* [qemu](https://www.qemu.org/),
* [qemu](https://www.qemu.org/)
* [cue](https://cuelang.org/)
* [buildkit](https://github.com/moby/buildkit).
* [buildkit](https://github.com/moby/buildkit)

## Cue environment

The build supports advanced environment control, allowing you to use apt mirrors (or proxy cache), complete with TLS,
authentication and gpg signing.

To access these features, create a cue file, for example `env.cue`, as follow:
To access these features, create a cue file, for example `env.cue`, as follows:

```cue
package cake
@@ -123,9 +123,9 @@ If you experience any issue, please share configuration details.

The `context/cache` folder is part of the build context.

As such, if it grows really big (with many different versions), assembling the final image will become slooooooow.
As such, if it grows real big (with many different versions), assembling the final image will become slooooooow.

It is recommended to clean-up this folder from older / useless versions from time to time to avoid such adverse side-effects.
It is recommended to clean up this folder from older / useless versions from time to time to avoid such adverse side-effects.

You may also override the cue `input: context:` and `output: directory` to better control where these artifacts are going.
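Review bot: the wording change from "grows really big" to "grows real big" in the `context/cache` paragraph trades a correct adverb for a colloquial one; keep "really big". The "clean-up" to "clean up" change in the same hunk is right.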

48 changes: 26 additions & 22 deletions Dockerfile
@@ -1,18 +1,18 @@
# FROM_REGISTRY controls the base location for the starting image for the debootstrap stage
# If set to "", the starting image will be scratch instead, and an already built local tarball will be used
ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
# FROM_IMAGE_BUILDER further allow changing the image name, tag and digest for the debootstrap stage
ARG FROM_IMAGE_BUILDER=debian@sha256:d17b322f1920dd310d30913dd492cbbd6b800b62598f5b6a12d12684aad82296
# FROM_IMAGE_RUNTIME allows specifying a starting image for the final debian image (defaults to scratch)
# If FROM_REGISTRY is set, we will use FROM_REGISTRY/FROM_IMAGE_BUILDER as a starting point.
# If not set, we will use scratch (and use a local rootfs tarball insteaad)
ARG FROM_REGISTRY=docker.io
# FROM_IMAGE_BUILDER further allows changing the image being used for the first debootstrap
ARG FROM_IMAGE_BUILDER=debian:bookworm-20240211-slim
# FROM_IMAGE_RUNTIME controls what base image we are going to use for the final debian image (defaults to scratch)
ARG FROM_IMAGE_RUNTIME=scratch

# Private helper
ARG _private_df="${FROM_REGISTRY:+$FROM_REGISTRY/$FROM_IMAGE_BUILDER}"

########################################################################################################################
# The debootstrap stage is meant to prepare a Debian rootfs in the form of a tarball.
# The debootstrap stage is meant to prepare a Debian rootfs tarball.
# The starting point may be either an online Debian image (as defined by FROM_REGISTRY/FROM_IMAGE_BUILDER),
# or an already existing local debian rootfs (in case FROM_REGISTRY == "")
# or an already existing local debian rootfs (if FROM_REGISTRY == "")
# By default, snapshot.debian.org is being used as a source to debootstrap, for TARGET_SUITE and TARGET_DATE
# Alternatively, you can build from a private / specific Debian repository by specifying the TARGET_REPOSITORY secret
# In that case, TARGET_SUITE and TARGET_DATE are no-ops
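Review bot: the new default `FROM_IMAGE_BUILDER=debian:bookworm-20240211-slim` drops the digest pin the old default `debian@sha256:d17b322f...` had, so the debootstrap stage now starts from whatever Docker Hub serves for that tag. Keep the readable tag and add the digest back, e.g. `debian:bookworm-20240211-slim@sha256:<digest>`; this matters more now that the default registry is `docker.io`, where the project does not control the image. Minor: "insteaad" in the `# If not set, we will use scratch` comment.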
@@ -23,17 +23,17 @@ FROM ${_private_df:-scratch}
SHELL ["/bin/bash", "-o", "errexit", "-o", "errtrace", "-o", "functrace", "-o", "nounset", "-o", "pipefail", "-c"]

# > If the image is built from snapshot.debian.org (eg: if the TARGET_REPOSITORY secret has NOT been set), this will fetch from that date
ARG TARGET_DATE="2021-07-01"
ARG TARGET_DATE="2024-03-01"
# > Which Debian suite to fetch (same as above)
ARG TARGET_SUITE="bullseye"
ARG TARGET_SUITE="bookworm"

# > This is tricky: repeat ARG, so that we can access the value of FROM_IMAGE_BUILDER below
ARG _private_df
# If _DEBOOTSTRAP_FROM is set, then set the tarball to nonexistent* (glob is here to prevent a hard error with Docker)
# Now, if there is no _DEBOOTSTRAP_FROM (which happens if FROM_REGISTRY is neutered), then use a bullseye tarball from 2021-07-01
# If _private_df is set, then set the tarball to .gitkeep (glob is here to prevent a hard error with Docker)
# Now, if there is no _private_df (which happens if FROM_REGISTRY is ""), then use a bookworm tarball from 2024-03-01
# (that is expected to have been built)
ENV FROM_TARBALL="${_private_df:+nonexistent*}"
ENV FROM_TARBALL="${FROM_TARBALL:-bullseye-2021-07-01.tar}"
ENV FROM_TARBALL="${_private_df:+.gitkeep}"
ENV FROM_TARBALL="${FROM_TARBALL:-bookworm-2024-03-01.tar}"

# > Optionally, the final content to commit to etc/apt/sources.list in the debootstrap
# If this is not set, /etc/apt/sources.list will point to either snapshot.debian.org or YOURREPO if you were using TARGET_REPOSITORY=TARGET_REPOSITORY/foo
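Review bot: the comment `# If _private_df is set, then set the tarball to .gitkeep (glob is here to prevent a hard error with Docker)` no longer matches the code: `.gitkeep` contains no glob, unlike the old `nonexistent*`. The trick has changed from "a pattern that matches nothing" to "a real, empty file in the context", so say that, and note the consequence: the `.gitkeep` file must actually exist wherever `FROM_TARBALL` is consumed later in the stage, otherwise builds with `FROM_REGISTRY` set fail instead of silently skipping the tarball.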
@@ -61,11 +61,14 @@ ENV CURL_HOME=/run/secrets
# NOTE: for calls where we do NOT need our overrides (purge, etc), hence where we do not mount the corresponding secrets,
# apt will issue a warning about not finding the file
ENV APT_CONFIG=/run/secrets/APT_CONFIG
RUN mkdir -p "$(dirname "$APT_CONFIG")"
RUN touch "$APT_CONFIG"

# > STEP 1: install debootstrap
# Apt downgrades to _apt (uid 100) when doing the actual request
# NOTE: Using the extension .gpg is required for apt to consider it :s
# Note: debootstrapping from online non-us image means... we float on the package versions
# hadolint ignore=DL3008
RUN --mount=type=secret,uid=100,id=CA \
--mount=type=secret,uid=100,id=CERTIFICATE \
--mount=type=secret,uid=100,id=KEY \
@@ -74,17 +77,17 @@ RUN --mount=type=secret,uid=100,id=CA \
--mount=type=secret,id=APT_SOURCES \
--mount=type=secret,id=APT_CONFIG \
apt-get update -qq && apt-get install -qq --no-install-recommends \
debootstrap=1.0.123 \
curl=7.74.0-1.2 \
xz-utils=5.2.5-2
debootstrap \
curl \
xz-utils

# > STEP 2: add debuerreotype
COPY ./debuerreotype/scripts /usr/sbin/

# Copy over our deviation script
# Copy over our patched scripts
# See comments inline for reason to have this
# NOTE: other scripts insist in calling a script in the SAME dir, so /usr/sbin it is
COPY ./debuerreotype-chroot /usr/sbin/
COPY ./patch/* /usr/sbin/

# This is our simplified chroot for use-cases we do control
COPY ./dubo-chroot /usr/sbin/
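Review bot: the `apt-get install` in STEP 1 goes from `debootstrap=1.0.123`, `curl=7.74.0-1.2`, `xz-utils=5.2.5-2` to unpinned package names, so the debootstrap tooling now floats with whatever `APT_SOURCES` resolves to at build time; the existing `hadolint ignore=DL3008` shows the intent was to pin. If the bookworm versions were simply not known yet, pin them now, or at least record that reproducibility of this stage depends on the `APT_SOURCES` secret pointing at a snapshot.debian.org date. The added `RUN mkdir -p "$(dirname "$APT_CONFIG")"` before the `touch` is correct, since `/run/secrets` only exists while a secret is mounted into a RUN. Separately, `COPY ./patch/* /usr/sbin/` flattens any subdirectory of `patch/` into `/usr/sbin`; `COPY ./patch/ /usr/sbin/` preserves the layout if that matters.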
@@ -186,8 +189,8 @@ FROM $FROM_IMAGE_RUNTIME
SHELL ["/bin/bash", "-o", "errexit", "-o", "errtrace", "-o", "functrace", "-o", "nounset", "-o", "pipefail", "-c"]

# What we want
ARG TARGET_SUITE="buster"
ARG TARGET_DATE="2020-07-01"
ARG TARGET_SUITE="bookworm"
ARG TARGET_DATE="2024-03-01"
ARG TARGETPLATFORM

# Load it!
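Review bot: `TARGET_SUITE` and `TARGET_DATE` carry defaults in both the debootstrap stage and this final stage, and the old values show how they drift (`bullseye`/`2021-07-01` in the first stage versus `buster`/`2020-07-01` here); this change re-syncs them at `bookworm`/`2024-03-01` without removing the cause. Declare them once with their defaults before the first `FROM`, next to `FROM_REGISTRY`, and redeclare them as bare `ARG TARGET_SUITE` / `ARG TARGET_DATE` in each stage that uses them, so the default lives in one place.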
@@ -229,14 +232,15 @@ ENV GNUTLS_FORCE_FIPS_MODE=1

# Little helper for our secrets
ENV APT_CONFIG=/run/secrets/APT_CONFIG
RUN mkdir -p "$(dirname "$APT_CONFIG")"
RUN touch "$APT_CONFIG"

# NOTE: this does not quite work as expected unfortunately - this cannot be overloaded in a dockerfile, but can be --build-arg-ed at build time
ONBUILD ARG PRELOAD_PACKAGES=""
ONBUILD ARG UNLOAD_PACKAGES=""
ONBUILD ARG L3=""

# hadolint ignore=DL3008
# hadolint ignore=DL3008,SC2086
ONBUILD RUN --mount=type=secret,uid=100,id=CA \
--mount=type=secret,uid=100,id=CERTIFICATE \
--mount=type=secret,uid=100,id=KEY \
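Review bot: widening the directive to `hadolint ignore=DL3008,SC2086` silences unquoted-variable warnings for the whole ONBUILD RUN, not only the `$PRELOAD_PACKAGES` / `$UNLOAD_PACKAGES` expansions that presumably need word splitting into an `apt-get` argument list; quote everything else in that body and add a comment naming the variables that are intentionally unquoted so the exemption stays narrow. The caveat above the `ONBUILD ARG` lines ("this cannot be overloaded in a dockerfile, but can be --build-arg-ed at build time") affects downstream images, so it belongs in README or ADVANCED as well, not only in this comment.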
40 changes: 23 additions & 17 deletions README.md
@@ -13,12 +13,7 @@ Features:
* resulting images are in the range of 25MB
* multi-architecture
* amd64
* 386
* arm64
* arm/v7
* arm/v6
* s390x
* ppc64le

## Important
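Review bot: the Features list keeps the `multi-architecture` bullet but this hunk removes most of its platform sub-items (the rendered diff does not mark which of `386`, `arm64`, `arm/v7`, `arm/v6`, `s390x`, `ppc64le` survive next to `amd64`), while the Configuration section later in this file builds `platforms="linux/arm64"`. List exactly the platforms the default build produces, or drop the sub-list and point readers at the `platforms` inject.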

@@ -36,29 +31,40 @@ Build

```bash
./hack/build.sh debootstrap \
--inject date="2021-08-01" \
--inject suite="bullseye"
--inject date="2024-03-01" \
--inject suite="bookworm"
```

Assemble and push
Assemble and push

```bash
./hack/build.sh debian \
--inject date="2021-08-01" \
--inject suite="bullseye" \
--inject tags=registry.com/name/image:tag
--inject date="2024-03-01" \
--inject suite="bookworm" \
```

Note that the above will by default try to push to `docker.io/dubodubonduponey/debian`.
Edit `recipe.cue`, or better, use an `env.cue` file (see [advanced](ADVANCED.md) for that) to control
the push destination.

## Configuration

You can control additional aspects of the build passing arguments:

Building a subset of architectures:
```bash
./hack/build.sh debootstrap \
--inject date="2024-03-01" \
--inject suite="bookworm" \
--inject platforms="linux/arm64"
```

Building from a private debian repository instead:
```bash
# Building a subset of architectures
./hack/build.sh debootstrap \
--inject date="2021-08-01" \
--inject suite="bullseye" \
--inject platforms="linux/arm/v6"
--inject date="2024-03-01" \
--inject suite="bookworm" \
--inject repository="https://private.deb.repo/debian/foo/bar"
```

Building offline:
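Review bot: the "Assemble and push" example now ends with `--inject suite="bookworm" \` and nothing after it, a leftover from dropping `--inject tags=registry.com/name/image:tag`; remove the trailing backslash, otherwise anyone pasting the block gets a dangling line continuation. The added note that pushes default to `docker.io/dubodubonduponey/debian` is useful, but since `tags` no longer appears anywhere, keep one example of overriding it so users do not attempt a push to an image they cannot write to. The private-repository example uses the placeholder `https://private.deb.repo/debian/foo/bar`, which is fine, but it should say that `repository` presumably feeds the `TARGET_REPOSITORY` secret the Dockerfile describes, so readers can connect the two.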
@@ -69,8 +75,8 @@ Building offline:

# Now, you can build without access to a registry
./hack/build.sh debootstrap \
--inject date="2021-08-01" \
--inject suite="bullseye" \
--inject date="2024-03-01" \
--inject suite="bookworm" \
--inject registry=""

# You can further control networking and other build aspect through a cue environment (see ADVANCED)
Empty file.
Empty file.
1 change: 1 addition & 0 deletions context/debuerreotype
Submodule debuerreotype added at 60b625
11 changes: 0 additions & 11 deletions context/debuerreotype/.docker-image.sh

This file was deleted.

5 changes: 0 additions & 5 deletions context/debuerreotype/.dockerignore

This file was deleted.

62 changes: 0 additions & 62 deletions context/debuerreotype/.github/workflows/ci.yml

This file was deleted.

