fork
This commit is contained in:
parent
225d7af6a8
commit
187ba704fb
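--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,7 @@
+root = true
+[*]
+indent_style = space
+end_of_line = lf
+charset = utf-8
+[Makefile]
+indent_style = tab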
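--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+build
+output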
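--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,368 @@
+default:
+  image: "archlinux/archlinux:latest"
+
+stages:
+  - cleanup
+  - lint
+  - rootfs
+  - image
+  - test
+  - pre-release
+  - release
+  - publish
+
+cleanup:
+  stage: cleanup
+  tags:
+    - secure
+    - docker
+  only:
+    refs:
+      - schedules@archlinux/archlinux-docker
+    variables:
+      - $CLEANUP_PACKAGE_REGISTRY == "TRUE"
+  before_script:
+    - pacman -Syu --noconfirm jq
+  script:
+    - |
+      for id in $(curl --silent --fail --show-error "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages?per_page=100&order_by=created_at&sort=asc" | jq '.[] | select(.created_at | split("T")[0] | . < (now-60*60*24*60|strflocaltime("%Y-%m-%d"))) | .id'); do
+        curl --silent --fail --show-error --request DELETE --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/${id}"
+      done
+
+lint:
+  stage: lint
+  image: hadolint/hadolint:latest-alpine
+  # DL3018: We don't need apk version pins, we use the bleeding edge
+  script: hadolint --ignore DL3018 Dockerfile.template
+  except:
+    - releases
+    - tags
+
+# This is an implicit gitlab stage, with the build.env variables used by either
+# other stages or auxiliarry scripts.
+get_version:
+  stage: .pre
+  script:
+    - |
+      # If we're building a tagged release, use the tag (without the 'v' prefix) as the
+      # BUILD_VERSION. Otherwise, determine a new BUILD_VERSION.
+      if [[ -n "$CI_COMMIT_TAG" ]]; then
+        echo "BUILD_VERSION=${CI_COMMIT_TAG/v/}" > build.env
+      else
+        echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env
+      fi
+    - export $(< build.env)
+    - echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env
+  artifacts:
+    reports:
+      dotenv: build.env
+
+.rootfs:
+  stage: rootfs
+  parallel:
+    matrix:
+      - GROUP: [base, base-devel, multilib-devel]
+  before_script:
+    - pacman -Syu --noconfirm git make fakechroot fakeroot
+    - pacman -Sdd --noconfirm devtools
+  script:
+    - make $PWD/output/Dockerfile.$GROUP
+  artifacts:
+    paths:
+      - output/*
+    exclude:
+      - output/*.tar
+    expire_in: 2h
+
+rootfs:
+  extends: .rootfs
+  except:
+    - master@archlinux/archlinux-docker
+    - releases@archlinux/archlinux-docker
+    - schedules@archlinux/archlinux-docker
+    - tags@archlinux/archlinux-docker
+
+rootfs:secure:
+  extends: .rootfs
+  tags:
+    - secure
+    - docker
+  only:
+    - master@archlinux/archlinux-docker
+    - schedules@archlinux/archlinux-docker
+  except:
+    - tags
+    - releases
+
+.image:
+  stage: image
+  parallel:
+    matrix:
+      - GROUP: [base, base-devel, multilib-devel]
+  tags:
+    - vm
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
+  script:
+    - podman build
+        -f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP"
+        -t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
+        "$CI_PROJECT_DIR/output"
+    - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
+
+image:build:
+  extends: .image
+  except:
+    - master@archlinux/archlinux-docker
+    - releases
+    - schedules@archlinux/archlinux-docker
+    - tags
+  before_script:
+    - pacman -Syu --noconfirm podman
+    - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
+    - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
+
+image:build:secure:
+  extends: .image
+  tags:
+    - secure
+    - vm
+  only:
+    - master@archlinux/archlinux-docker
+    - schedules@archlinux/archlinux-docker
+  except:
+    - tags
+  before_script:
+    - pacman -Syu --noconfirm podman
+    - podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY"
+    - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
+
+# Build and publish to the Arch Linux group namespaces:
+# https://hub.docker.com/r/archlinux/archlinux
+# https://quay.io/repository/archlinux/archlinux
+image:publish:secure:
+  extends: .image
+  retry: 2
+  tags:
+    - secure
+    - vm
+  only:
+    - tags@archlinux/archlinux-docker
+  before_script:
+    - pacman -Syu --noconfirm podman
+    - podman login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_ACCESS_TOKEN" "docker.io"
+    - podman login -u "$QUAY_USERNAME" -p "$QUAY_PASSWORD" "quay.io"
+    - podman login -u "$GHCR_USERNAME" -p "$GHCR_PASSWORD" "ghcr.io"
+    - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
+  script:
+    - podman build
+        -f "$CI_PROJECT_DIR/Dockerfile.$GROUP"
+        -t "archlinux:$GROUP-$BUILD_VERSION"
+        "$CI_PROJECT_DIR"
+    - |
+      for host in "docker.io" "quay.io" "ghcr.io"; do
+        podman tag "archlinux:$GROUP-$BUILD_VERSION" "$host/archlinux/archlinux:$GROUP"
+        podman tag "archlinux:$GROUP-$BUILD_VERSION" "$host/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+        podman push "$host/archlinux/archlinux:$GROUP"
+        podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$host/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+
+        if [[ "$GROUP" == "base" ]]; then
+          podman tag "archlinux:$GROUP-$BUILD_VERSION" "$host/archlinux/archlinux:latest"
+          podman push "$host/archlinux/archlinux:latest"
+        fi
+      done
+
+
+.test:
+  stage: test
+  dependencies: []
+  except:
+    refs:
+      - releases
+      - tags
+
+.test-script: &test-script
+  - test "$(cat /etc/group | wc -l)" -gt 10
+  - test "$(cat /etc/passwd | wc -l)" -gt 10
+  - pacman -Sy
+  - pacman -Qqk
+  - pacman -Syu --noconfirm podman grep
+  - podman -v
+  - id -u http
+  - locale | grep -q UTF-8
+
+test:base:
+  extends: .test
+  image: $CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG
+  script:
+    - *test-script
+
+test:base-devel:
+  extends: .test
+  image: $CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG
+  script:
+    - *test-script
+    - gcc -v
+    - g++ -v
+    - make -v
+    - test -u /usr/bin/sudo # issue 70
+    - test -u /usr/bin/passwd
+
+pre-release:
+  stage: pre-release
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  tags:
+    - secure
+    - docker
+  only:
+    refs:
+      - schedules@archlinux/archlinux-docker
+    variables:
+      - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE"
+      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
+  before_script:
+    - apk update
+    - apk add jq curl httpie bash
+  script:
+    - |
+      echo "Update the description of our daily DockerHub repository at https://hub.docker.com/r/archlinux/archlinux"
+      TOKEN="$(http --ignore-stdin POST https://hub.docker.com/v2/users/login username="${DOCKERHUB_USERNAME}" password="${DOCKERHUB_PASSWORD}" | jq -er .token)"
+      http --ignore-stdin PATCH https://hub.docker.com/v2/repositories/archlinux/archlinux/ Authorization:"JWT ${TOKEN}" full_description="$(cat README.md)"
+
+      # Upload rootfs to the Generic Packages Repository
+      for group in base base-devel multilib-devel; do
+        rootfs_file="${group}-${BUILD_VERSION}.tar.zst"
+        mv "output/${group}.tar.zst" "output/${rootfs_file}"
+        mv "output/${group}.tar.zst.SHA256" "output/${rootfs_file}.SHA256"
+        sed -i "s|${group}.tar.zst|${rootfs_file}|" "output/${rootfs_file}.SHA256"
+        echo "Uploading ${rootfs_file}"
+        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "output/${rootfs_file}" "${PACKAGE_REGISTRY_URL}/"
+        echo "Uploading ${rootfs_file}.SHA256"
+        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "output/${rootfs_file}.SHA256" "${PACKAGE_REGISTRY_URL}/"
+      done
+
+      # Create the Dockerfiles, commit to the release branch
+      for group in base base-devel multilib-devel; do
+        rootfs_file="${group}-${BUILD_VERSION}.tar.zst"
+        ./scripts/make-dockerfile.sh "${rootfs_file}" "${group}" "output" "curl -sOJL \"${PACKAGE_REGISTRY_URL}/${rootfs_file}\"" "${group}"
+        sed -i "/^COPY ${rootfs_file} \/$/d" output/Dockerfile.${group}
+      done
+    - >
+      curl -sSf --request POST -o commit-response.json
+      --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
+      --form "branch=releases"
+      --form "commit_message=Release ${BUILD_VERSION}"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=Dockerfile.base"
+      --form "actions[][content]=<output/Dockerfile.base"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=Dockerfile.base-devel"
+      --form "actions[][content]=<output/Dockerfile.base-devel"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=Dockerfile.multilib-devel"
+      --form "actions[][content]=<output/Dockerfile.multilib-devel"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=.gitlab-ci.yml"
+      --form "actions[][content]=<.gitlab-ci.yml"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=sigstore-param-file.yaml"
+      --form "actions[][content]=<sigstore-param-file.yaml"
+      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"
+    - echo "BUILD_COMMIT=$(jq -r '.id' commit-response.json)" >> build.env
+  artifacts:
+    reports:
+      dotenv: build.env
+
+release:
+  stage: release
+  dependencies:
+    - get_version
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  tags:
+    - secure
+    - docker
+  only:
+    refs:
+      - schedules@archlinux/archlinux-docker
+    variables:
+      - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE"
+      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
+  script:
+    - echo 'Creating release'
+  release:
+    name: 'Release ${BUILD_VERSION}'
+    description: 'Release ${BUILD_VERSION}'
+    tag_name: 'v${BUILD_VERSION}'
+    ref: 'releases'
+    assets:
+      links:
+        - name: 'base-${BUILD_VERSION}.tar.zst'
+          url: '${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.zst'
+        - name: 'base-${BUILD_VERSION}.tar.zst.SHA256'
+          url: '${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.zst.SHA256'
+        - name: 'base-devel-${BUILD_VERSION}.tar.zst'
+          url: '${PACKAGE_REGISTRY_URL}/base-devel-${BUILD_VERSION}.tar.zst'
+        - name: 'base-devel-${BUILD_VERSION}.tar.zst.SHA256'
+          url: '${PACKAGE_REGISTRY_URL}/base-devel-${BUILD_VERSION}.tar.zst.SHA256'
+        - name: 'multilib-devel-${BUILD_VERSION}.tar.zst'
+          url: '${PACKAGE_REGISTRY_URL}/multilib-devel-${BUILD_VERSION}.tar.zst'
+        - name: 'multilib-devel-${BUILD_VERSION}.tar.zst.SHA256'
+          url: '${PACKAGE_REGISTRY_URL}/multilib-devel-${BUILD_VERSION}.tar.zst.SHA256'
+
+# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
+# Note: The description is maintained here: https://github.com/docker-library/docs/tree/master/archlinux
+publish-dockerhub:
+  stage: publish
+  dependencies:
+    - get_version
+    - pre-release
+  only:
+    refs:
+      - schedules
+    variables:
+      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
+  before_script:
+    - export | grep -q BUILD_VERSION=
+    - export | grep -q BUILD_COMMIT=
+    - test -n "$BUILD_VERSION"
+    - test -n "$BUILD_COMMIT"
+    - test -n "$GITHUB_TOKEN"
+    - pacman -Syu --noconfirm github-cli git gettext
+    - git config --global user.email "github@archlinux.org"
+    - git config --global user.name "Arch Linux Technical User"
+  script:
+    - echo "Update the Docker library Github repo"
+    - mkdir official-images
+    - cd official-images
+    - git init
+    - 'git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/archlinux/official-images.git"'
+    - git fetch https://github.com/docker-library/official-images.git
+    - git reset --hard FETCH_HEAD
+    - head="release/${BUILD_VERSION}"
+    - git checkout -b "$head"
+    - cp ../docker-library.template library/archlinux
+    - |
+      for group in base base-devel multilib-devel; do
+        test "${group}" = "base" && extra="latest, " || extra=""
+        echo "Tags: ${extra}${group}, ${group}-${BUILD_VERSION}" >> library/archlinux
+        echo "GitCommit: ${BUILD_COMMIT}" >> library/archlinux
+        echo "GitFetch: refs/tags/v${BUILD_VERSION}" >> library/archlinux
+        echo "File: Dockerfile.${group}" >> library/archlinux
+        echo >> library/archlinux
+      done
+    - git diff
+    - git add library/archlinux
+    - maintainers="$(grep \(@ ../docker-library.template | cut -d\( -f2 | cut -d\) -f1 | xargs)"
+    - test -n "$maintainers"
+    - 'git commit
+      -m "archlinux: Release ${BUILD_VERSION}"
+      -m "This is an automated release [1]."
+      -m "[1] ${CI_PROJECT_URL}/-/blob/master/.gitlab-ci.yml"'
+    - git push -u origin "$head"
+    - 'gh pr create
+      --repo docker-library/official-images
+      --title "$(git show --no-patch --format="%s")"
+      --body "$(printf "%s\n\n---\n\nMaintainers: ${maintainers}\n" "$(git show --no-patch --format="%b")")"
+      --base master
+      --head archlinux:"$head"'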
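Review bot: Every `podman login` in the before_scripts of `image:build`, `image:build:secure` and `image:publish:secure` hands the secret over with `-p`, which places the registry password or token on the command line where it is visible in the job's process list and in any shell tracing; use `--password-stdin` instead, e.g. `echo "$CI_REGISTRY_PASSWORD" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`, and likewise for the docker.io, quay.io and ghcr.io logins. In the `image:publish:secure` loop only the `$GROUP-$BUILD_VERSION` tag is pushed with `--sign-by-sigstore`; the moving `$GROUP` and `latest` tags are pushed unsigned, so a consumer whose policy requires the signed identity to match the reference they pull presumably cannot verify those tags — if leaving them unsigned is deliberate, a comment on the loop should say so. `${CI_COMMIT_TAG/v/}` in `get_version` removes the first `v` anywhere in the tag rather than only a leading one; `${CI_COMMIT_TAG#v}` expresses the prefix removal the comment above it describes.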
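--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -0,0 +1,43 @@
+# Docker image when built on the official Docker infrastructure.
+# They require us to verify the source integrity in some way while making sure that this is a
+# reproducible build.
+# See https://github.com/docker-library/official-images#image-build
+# In order to achieve this, we externally host the rootfs archives and their checksums and then
+# just download and verify it in the first stage of this Dockerfile.
+# The second stage is for actually configuring the system a little bit.
+# Some templating is done in order to allow us to easily build different configurations and to
+# allow us to automate the release process.
+
+# Note: Only official DockerHub images are allowed, see https://gitlab.archlinux.org/archlinux/archlinux-docker/-/commit/daa67d18579024947d69a45e6d028c5adb1c8c23
+# While we could use archlinux:base it could also break our build process, so we avoid dog fooding here
+FROM alpine:3.19 AS verify
+COPY TEMPLATE_ROOTFS_FILE /
+
+RUN apk add --no-cache curl tar zstd
+
+RUN TEMPLATE_ROOTFS_DOWNLOAD && \
+    echo "TEMPLATE_ROOTFS_HASH" > /tmp/sha256sums.txt && \
+    sha256sum -c /tmp/sha256sums.txt && \
+    mkdir /rootfs && \
+    tar -C /rootfs --extract --file TEMPLATE_ROOTFS_FILE
+
+FROM scratch AS root
+
+LABEL org.opencontainers.image.title="TEMPLATE_TITLE"
+LABEL org.opencontainers.image.description="Official containerd image of Arch Linux, a simple, lightweight Linux distribution aimed for flexibility."
+LABEL org.opencontainers.image.authors="Santiago Torres-Arias <santiago@archlinux.org> (@SantiagoTorres), Christian Rebischke <Chris.Rebischke@archlinux.org> (@shibumi), Justin Kromlinger <hashworks@archlinux.org> (@hashworks)"
+LABEL org.opencontainers.image.url="https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/README.md"
+LABEL org.opencontainers.image.documentation="https://wiki.archlinux.org/title/Docker#Arch_Linux"
+LABEL org.opencontainers.image.source="https://gitlab.archlinux.org/archlinux/archlinux-docker"
+LABEL org.opencontainers.image.licenses="GPL-3.0-or-later"
+LABEL org.opencontainers.image.version="TEMPLATE_VERSION_ID"
+LABEL org.opencontainers.image.revision="TEMPLATE_REVISION"
+LABEL org.opencontainers.image.created="TEMPLATE_CREATED"
+
+COPY --from=verify /rootfs/ /
+
+RUN ldconfig && \
+    sed -i '/BUILD_ID/a VERSION_ID=TEMPLATE_VERSION_ID' /etc/os-release
+
+ENV LANG=C.UTF-8
+CMD ["/usr/bin/bash"]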
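Review bot: The extraction step `tar -C /rootfs --extract --file TEMPLATE_ROOTFS_FILE` passes neither `--xattrs` nor `--acls`, although `scripts/make-rootfs.sh` creates the archive with both, so any ACLs and extended attributes recorded in the tarball (file capabilities among them) are dropped at this stage; if they are meant to reach the image, add `--xattrs --acls` here and check separately whether the later `COPY --from=verify /rootfs/ /` carries them, which this page cannot show. The verification itself reads correctly: the checksum is baked into the generated Dockerfile and `sha256sum -c` fails closed if the downloaded file name does not match the one in the checksum line. `FROM alpine:3.19 AS verify` pins only a minor version; a digest pin on that line would make the verify stage reproducible in the sense the header comment says the official-images process requires.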
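--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,21 @@
+OCITOOL=podman # or docker
+BUILDDIR=$(shell pwd)/build
+OUTPUTDIR=$(shell pwd)/output
+
+.PHONY: clean
+clean:
+	rm -rf $(BUILDDIR) $(OUTPUTDIR)
+
+.PRECIOUS: $(OUTPUTDIR)/%.tar.zst
+$(OUTPUTDIR)/%.tar.zst:
+	scripts/make-rootfs.sh $(*) $(BUILDDIR) $(OUTPUTDIR)
+
+.PRECIOUS: $(OUTPUTDIR)/Dockerfile.%
+$(OUTPUTDIR)/Dockerfile.%: $(OUTPUTDIR)/%.tar.zst
+	scripts/make-dockerfile.sh "$(*).tar.zst" $(*) $(OUTPUTDIR) "true" "Dev"
+
+# The following is for local builds only, it is not used by the CI/CD pipeline
+
+all: image-base image-base-devel image-multilib-devel
+image-%: $(OUTPUTDIR)/Dockerfile.%
+	${OCITOOL} build -f $(OUTPUTDIR)/Dockerfile.$(*) -t archlinux/archlinux:$(*) $(OUTPUTDIR)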
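Review bot: A bare `make` runs `clean` and deletes build/ and output/, because `clean:` is the first explicit rule in the file and the `%` pattern rules that follow it cannot become the default goal, so `all` is reached only when named on the command line. Set the goal explicitly next to the variable block, `.DEFAULT_GOAL := all`, and declare the aggregate target phony as well: `.PHONY: all clean`. `BUILDDIR=$(shell pwd)/build` and `OUTPUTDIR` use recursive `=`, so `pwd` is forked on every expansion; `BUILDDIR := $(CURDIR)/build` yields the same value once. `OCITOOL=podman # or docker` keeps the spaces before `#` as part of the value, harmless here because it only ever reaches a shell command line, but moving the comment to its own line avoids the surprise.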
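--- a/docker-library.template
+++ b/docker-library.template
@@ -0,0 +1,7 @@
+# https://gitlab.archlinux.org/archlinux/archlinux-docker
+
+Maintainers: Santiago Torres-Arias <santiago@archlinux.org> (@SantiagoTorres),
+             Christian Rebischke <Chris.Rebischke@archlinux.org> (@shibumi),
+             Justin Kromlinger <hashworks@archlinux.org> (@hashworks)
+GitRepo: https://gitlab.archlinux.org/archlinux/archlinux-docker.git
+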
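--- a/exclude
+++ b/exclude
@@ -0,0 +1,18 @@
+./.dockerenv
+./.dockerinit
+./sys
+./proc
+./dev
+./etc/hostname
+./etc/machine-id
+./etc/resolv.conf
+./etc/pacman.d/gnupg/openpgp-revocs.d/*
+./etc/pacman.d/gnupg/private-keys-v1.d/*
+./etc/pacman.d/gnupg/pubring.gpg~
+./etc/pacman.d/gnupg/S.*
+./root/*
+./tmp/*
+./var/cache/pacman/pkg/*
+./var/lib/pacman/sync/*
+./var/tmp/*
+./alpm-hooks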
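--- a/pacman-conf.d-noextract.conf
+++ b/pacman-conf.d-noextract.conf
@@ -0,0 +1,13 @@
+[options]
+NoExtract = usr/share/help/* !usr/share/help/en* !usr/share/help/C/*
+NoExtract = usr/share/gtk-doc/html/* usr/share/doc/*
+NoExtract = usr/share/locale/* usr/share/X11/locale/* usr/share/i18n/*
+NoExtract = !*locale*/en*/* !usr/share/i18n/charmaps/UTF-8.gz !usr/share/*locale*/locale.*
+NoExtract = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso*
+NoExtract = !usr/share/*locales/trans*
+NoExtract = !usr/share/X11/locale/C/*
+NoExtract = !usr/share/X11/locale/compose.dir !usr/share/X11/locale/iso8859-1/*
+NoExtract = !usr/share/*locales/C !usr/share/*locales/POSIX !usr/share/i18n/charmaps/ANSI_X3.4-1968.gz
+NoExtract = usr/share/man/* usr/share/info/*
+NoExtract = usr/share/vim/vim*/lang/*
+NoExtract = etc/pacman.conf etc/pacman.d/mirrorlist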
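--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}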
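--- a/rootfs/etc/locale.conf
+++ b/rootfs/etc/locale.conf
@@ -0,0 +1 @@
+LANG=C.UTF-8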
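--- a/rootfs/etc/pacman.d/mirrorlist
+++ b/rootfs/etc/pacman.d/mirrorlist
@@ -0,0 +1,3 @@
+Server = https://geo.mirror.pkgbuild.com/$repo/os/$arch
+Server = https://mirror.rackspace.com/archlinux/$repo/os/$arch
+Server = https://mirror.leaseweb.net/archlinux/$repo/os/$arch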
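--- a/scripts/make-dockerfile.sh
+++ b/scripts/make-dockerfile.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -r ROOTFS_FILE="$1"
+declare -r GROUP="$2"
+declare -r OUTPUTDIR="$3"
+declare -r DOWNLOAD="$4"
+declare -r TITLE="$5"
+
+# Do not use these directly in the sed below - it will mask git failures
+BUILD_VERSION="${BUILD_VERSION:-dev}"
+CI_COMMIT_SHA="${CI_COMMIT_SHA:-$(git rev-parse HEAD)}"
+
+sed -e "s|TEMPLATE_ROOTFS_FILE|$ROOTFS_FILE|" \
+    -e "s|TEMPLATE_ROOTFS_DOWNLOAD|$DOWNLOAD|" \
+    -e "s|TEMPLATE_ROOTFS_HASH|$(cat $OUTPUTDIR/$ROOTFS_FILE.SHA256)|" \
+    -e "s|TEMPLATE_TITLE|Arch Linux $TITLE Image|" \
+    -e "s|TEMPLATE_VERSION_ID|$BUILD_VERSION|" \
+    -e "s|TEMPLATE_REVISION|$CI_COMMIT_SHA|" \
+    -e "s|TEMPLATE_CREATED|$(date -Is)|" \
+    Dockerfile.template > "$OUTPUTDIR/Dockerfile.$GROUP"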
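Review bot: The `-e "s|TEMPLATE_ROOTFS_HASH|$(cat $OUTPUTDIR/$ROOTFS_FILE.SHA256)|"` line has exactly the masking problem the comment above the sed warns about for git: a command substitution inside an argument does not abort under `set -e`, so a missing or unreadable `.SHA256` file prints an error, the script still exits 0, and the generated Dockerfile carries an empty checksum that is only caught later when `sha256sum -c` runs during the image build. Read the checksum first so the failure surfaces here — `ROOTFS_HASH="$(cat "$OUTPUTDIR/$ROOTFS_FILE.SHA256")"` (quoted, so paths with spaces also work) — and substitute with `-e "s|TEMPLATE_ROOTFS_HASH|$ROOTFS_HASH|"`; `$(date -Is)` can be hoisted the same way for consistency with the two variables above. Because every value is spliced into a sed replacement, a literal `|` or `&` in `$DOWNLOAD` or in the checksum line would be misinterpreted; the callers on this page do not pass such values, but a one-line comment stating that constraint would help the next one.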
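--- a/scripts/make-rootfs.sh
+++ b/scripts/make-rootfs.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -r WRAPPER="fakechroot -- fakeroot"
+
+declare -r GROUP="$1"
+declare -r BUILDDIR="$2"
+declare -r OUTPUTDIR="$3"
+
+mkdir -vp "$BUILDDIR/alpm-hooks/usr/share/libalpm/hooks"
+find /usr/share/libalpm/hooks -exec ln -sf /dev/null "$BUILDDIR/alpm-hooks"{} \;
+
+mkdir -vp "$BUILDDIR/var/lib/pacman/" "$OUTPUTDIR"
+[[ "$GROUP" == "multilib-devel" ]] && pacman_conf=multilib.conf || pacman_conf=extra.conf
+install -Dm644 "/usr/share/devtools/pacman.conf.d/$pacman_conf" "$BUILDDIR/etc/pacman.conf"
+cat pacman-conf.d-noextract.conf >> "$BUILDDIR/etc/pacman.conf"
+
+sed 's/Include = /&rootfs/g' < "$BUILDDIR/etc/pacman.conf" > pacman.conf
+
+cp --recursive --preserve=timestamps rootfs/* "$BUILDDIR/"
+ln -fs /usr/lib/os-release "$BUILDDIR/etc/os-release"
+
+$WRAPPER -- \
+    pacman -Sy -r "$BUILDDIR" \
+        --noconfirm --dbpath "$BUILDDIR/var/lib/pacman" \
+        --config pacman.conf \
+        --noscriptlet \
+        --hookdir "$BUILDDIR/alpm-hooks/usr/share/libalpm/hooks/" base "$GROUP"
+
+$WRAPPER -- chroot "$BUILDDIR" update-ca-trust
+$WRAPPER -- chroot "$BUILDDIR" pacman-key --init
+$WRAPPER -- chroot "$BUILDDIR" pacman-key --populate
+
+# add system users
+$WRAPPER -- chroot "$BUILDDIR" /usr/bin/systemd-sysusers --root "/"
+
+# remove passwordless login for root (see CVE-2019-5021 for reference)
+sed -i -e 's/^root::/root:!:/' "$BUILDDIR/etc/shadow"
+
+# fakeroot to map the gid/uid of the builder process to root
+# fixes #22
+fakeroot -- \
+    tar \
+        --numeric-owner \
+        --xattrs \
+        --acls \
+        --exclude-from=exclude \
+        -C "$BUILDDIR" \
+        -c . \
+        -f "$OUTPUTDIR/$GROUP.tar"
+
+cd "$OUTPUTDIR"
+zstd --long -T0 -8 "$GROUP.tar"
+sha256sum "$GROUP.tar.zst" > "$GROUP.tar.zst.SHA256"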
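Review bot: The script only works when started from the repository root: `pacman-conf.d-noextract.conf`, `rootfs/*` and `exclude` are relative paths, and the rewritten `pacman.conf` produced by the `sed 's/Include = /&rootfs/g'` line is written into the current directory rather than into `$BUILDDIR`. That file is neither listed in `.gitignore` (which contains only `build` and `output`) nor removed by the Makefile's `clean` target, so every local run leaves an untracked `pacman.conf` in the checkout. Consider resolving the root once after `set -euo pipefail`, e.g. `cd "$(dirname "$(readlink -f "$0")")/.."`, and writing the config as `"$BUILDDIR/pacman.conf"` with the matching `--config "$BUILDDIR/pacman.conf"`; then `make clean` is sufficient and the relative paths stop depending on the caller. The hardening steps present here (the shadow edit that locks root, `--numeric-owner` on the tarball) read correctly.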
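--- a/sigstore-param-file.yaml
+++ b/sigstore-param-file.yaml
@@ -0,0 +1,6 @@
+fulcio:
+  fulcioURL: "https://fulcio.sigstore.dev"
+  oidcMode: "staticToken"
+  oidcIssuerURL: "https://gitlab.archlinux.org"
+  oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"
+rekorURL: "https://rekor.sigstore.dev"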