# This is a relatively minimal base image build; it's intended as a derivation
# point.
#
# This container build uses nested containerization to construct
# a target rootfs from scratch; so you must build with e.g.
# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
# If you want to configure the input rpm-md repositories, just override this
# container image.
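# Stage "repos" is never run; the builder stage bind-mounts its rootfs at
# /repos and copies out etc/dnf, etc/yum.repos.d and etc/pki/rpm-gpg. Swap
# this image to change the rpm-md repositories and GPG keys that feed the
# compose. `AS` is uppercased to match `FROM` (BuildKit check FromAsCasing).
FROM quay.io/fedora/fedora:rawhide AS repos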
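# BOOTSTRAPPING: This can be any image that has the following packages.
# Nothing from this stage is layered into the final image; the final stage is
# built from the OCI archive this stage writes, and only bind-mounts builder.
FROM quay.io/fedora/fedora:rawhide AS builder
RUN dnf -y install rpm-ostree selinux-policy-targeted sqlite
# Copy in our source code.
COPY . /src
WORKDIR /src
# Mounts:
#   /workdir      - BuildKit cache mount used as the rpm-ostree cachedir; it
#                   survives across builds and is never part of a layer.
#   /repos        - rootfs of the "repos" stage (read-only), the source of
#                   the dnf config and the --source-root for the compose.
#   /buildcontext - the build context itself, mounted read-write so that
#                   out.ociarchive lands next to this Containerfile where the
#                   `FROM oci-archive:./out.ociarchive` stage below can find it.
# (The original declared the /repos bind mount twice with identical
# parameters; one declaration is sufficient.)
RUN --mount=type=cache,target=/workdir \
    --mount=type=bind,from=repos,src=/,dst=/repos \
    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared <<EORUN
set -xeuo pipefail
# Synchronize the dnf/rpm configs from the repos container.
for x in etc/dnf etc/yum.repos.d etc/pki/rpm-gpg; do
    rm -rf "/${x}" && cp -a "/repos/${x}" "/${x}"
done
# And copy to the workdir; TODO fix this in rpm-ostree
cp /etc/yum.repos.d/*.repo base
rpm-ostree compose image \
    --cachedir=/workdir --format=ociarchive --initialize base/manifest.yaml \
    --source-root=/repos /buildcontext/out.ociarchive
EORUN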
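# This pulls in the OCI archive generated in the previous step.
FROM oci-archive:./out.ociarchive
# LABEL/ENV use key=value form; the space-separated form is the deprecated
# legacy syntax (BuildKit check LegacyKeyValueFormat).
LABEL containers.bootc=1
# This is an ad-hoc way for us to reference bootc-image-builder in
# a way that in theory client tooling can inspect and find. Today
# it isn't widely used.
LABEL bootc.diskimage-builder=quay.io/centos-bootc/bootc-image-builder
# https://pagure.io/fedora-kiwi-descriptions/pull-request/52
ENV container=oci
# Make systemd the default. This is a bootable OS image whose PID 1 is
# systemd, not an application container, so there is intentionally no USER
# directive; SIGRTMIN+3 is the signal systemd handles as an orderly halt.
STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]
# Need to reference builder here to force ordering. But since we have to run
# something anyway, we might as well cleanup after ourselves. rm is used
# without -f on purpose: a missing archive fails the build instead of being
# silently ignored.
RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
    rm /buildcontext/out.ociarchive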